GnuPG private key resilience against off-line brute-force attacks (was: Re: Backup of private key)
David Shaw
dshaw at jabberwocky.com
Sat Nov 28 23:08:38 CET 2009
On Nov 28, 2009, at 11:55 AM, Ciprian Dorin, Craciun wrote:
> Thank you for the quick reply. (This is the kind of answer I was
> hoping to get. :) ) It seems that `s2k-count` escaped me. :)
>
> Maybe there should be an entry in the FAQ about this topic.
>
> Related to my question about the password bit strength there
> still is a veil over my eyes. So I guess (sorry for not being properly
> documented here):
> * the private / public key pair is generated by using whatever
> means (RSA / DSA);
> * my password is taken and fed into "Iterated and Salted S2K" to
> obtain the secret key encryption.
> * the private key data is taken and fed into '????' algorithm that
> uses as password what has been obtained at the previous step.
The "????" is CAST5, by default. You can change it with --s2k-cipher-algo.
The usual s2k rules apply - if you change the s2k-cipher-algo,
it won't take effect until you change the passphrase. Also, be
careful you don't shoot yourself in the foot with setting the
algorithm to something you can't handle. This is less of a danger
than with most algorithm changing tweaks: you only have to guarantee
that *you* (and not all of your correspondents) have the ability to
handle the key.
So if you want your passphrase to be as strong as CAST5, you'd need a
really massive passphrase. The passphrase is almost always the
weakest part of this sort of system, by far.
> P.S.: I'm also aware of the fact that iterations do not help at
> all, if a big-budget agency (NSA and the like), is going to build a
> hardware based brute-force key breaking, as they can build a pipeline
> of iteration functions that would try one key in O(1) time. :) (Or I'm
> wrong here?)
They're more likely to hit you with a wrench, a la http://xkcd.com/538/ :)
David
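An added illustration (not from this thread or from GnuPG's own code) of the "Iterated and Salted S2K" step discussed above, as specified in RFC 4880 section 3.7.1.3: the 8-octet salt followed by the passphrase is hashed repeatedly until the decoded octet count has been consumed, and the digest is truncated to the cipher's key size (16 bytes for CAST5). Every offline guess has to pay for that many octets of hashing, which is exactly what the s2k-count dial controls. The function names, the demo salt and the passphrase are constructed for this example.

```python
import hashlib

EXPBIAS = 6  # exponent bias from RFC 4880 section 3.7.1.3


def s2k_decode_count(coded: int) -> int:
    """Turn the one-octet coded count stored in the key packet into octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + EXPBIAS)


def s2k_encode_count(octets: int) -> int:
    """Smallest coded octet whose decoded count is at least the requested octets."""
    for coded in range(256):
        if s2k_decode_count(coded) >= octets:
            return coded
    return 255  # maximum representable: 65,011,712 octets


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha1", key_len: int = 16) -> bytes:
    """Derive a cipher key from a passphrase with Iterated and Salted S2K."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + passphrase  # salt first, then passphrase
    # The block is hashed at least once even if the count is smaller than it.
    count = max(s2k_decode_count(coded_count), len(block))
    reps, tail = divmod(count, len(block))
    key = b""
    preload = 0
    # A hash narrower than the key needs further contexts, each preloaded
    # with one more zero octet than the last (0, 1, 2, ... zeros).
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        h.update(block * reps)
        h.update(block[:tail])
        key += h.digest()
        preload += 1
    return key[:key_len]


if __name__ == "__main__":
    demo_salt = bytes(range(8))  # constructed; gpg draws a random salt
    demo_pass = b"correct horse battery staple"  # constructed demo passphrase
    for coded in (0x00, 0x60, 0xFF):
        key = s2k_iterated_salted(demo_pass, demo_salt, coded)
        print(f"coded 0x{coded:02x} -> {s2k_decode_count(coded):>10} octets per guess,"
              f" CAST5 key {key.hex()}")
```

Running the demo shows the same passphrase costing 1,024 octets of hashing per guess at the minimum count and over 65 million at the maximum, while the derived key stays 16 bytes either way.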