GnuPG private key resilience against off-line brute-force attacks (was: Re: Backup of private key)

David Shaw dshaw at
Sat Nov 28 23:08:38 CET 2009

On Nov 28, 2009, at 11:55 AM, Ciprian Dorin, Craciun wrote:

>    Thank you for the quick reply. (This is the kind of answer I was
> hoping to get. :) ) It seems that `s2k-count` escaped me. :)
>    Maybe there should be an entry in the FAQ about this topic.
>    Related to my question about the password bit strength there
> still is a veil on my eyes. So I guess (sorry for not being properly
> documented here):
>    * the private / public key pair is generated by using whatever
> means (RSA / DSA);
>    * my password is taken and fed into "Iterated and Salted S2K" to
> obtain the secret key encryption.
>    * the private key data is taken and fed into '????' algorithm that
> uses as password what has been obtained at the previous step.

The "????" is CAST5, by default.  You can change it with --s2k-cipher-algo.  The usual s2k rules apply - if you change the s2k-cipher-algo, it won't take effect until you change the passphrase.  Also, be careful you don't shoot yourself in the foot with setting the algorithm to something you can't handle.  This is less of a danger than with most algorithm changing tweaks: you only have to guarantee that *you* (and not all of your correspondents) have the ability to handle the key.

So if you want your passphrase to be as strong as CAST5, you'd need a really massive passphrase.  The passphrase is almost always the weakest part of this sort of system, by far.

>    P.S.: I'm also aware of the fact that iterations do not help at
> all, if a big-budget agency (NSA and the like), is going to build a
> hardware based brute-force key breaking, as they can build a pipeline
> of iteration functions that would try one key in O(1) time. :) (Or I'm
> wrong here?)

They're more likely to hit you with a wrench, a la 538/  :)

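The pipeline in the quoted list (passphrase fed into Iterated and Salted S2K, the result used as the CAST5 key over the secret key material), as an added example that is not GnuPG's or David Shaw's code: it implements the S2K step from RFC 4880 in Python and expands the one-octet coded count that `--s2k-count` tunes. SHA-1 as the hash, a 16-octet output for CAST5, and the sample passphrase and salt are assumptions.

```python
"""Iterated and Salted S2K (RFC 4880 3.7.1.3): the step that turns a passphrase
into the symmetric key (CAST5 by default) that encrypts secret key material.
Added example, not GnuPG's code; SHA-1 and a 16-octet key are assumed defaults."""
import hashlib


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet count stored in the key (what --s2k-count sets) into
    the number of octets hashed: 1024 (coded 0) .. 65011712 (coded 255)."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int = 16, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets. The hash chain is sequential, so every guess costs
    max(count, len(salt + passphrase)) octets of hashing; --s2k-count scales
    that cost linearly but leaves the passphrase space untouched."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    octets_to_hash = max(decode_s2k_count(coded_count), len(data))
    out, ctx = b"", 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)  # context n is preloaded with n zero octets
        remaining = octets_to_hash
        while remaining > 0:
            chunk = data[:remaining]  # the final copy may be truncated
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx += 1
    return out[:key_len]


def brute_force_octets(passphrase_bits: int, coded_count: int) -> int:
    """Octets an attacker must hash to try every passphrase of that entropy."""
    return (1 << passphrase_bits) * decode_s2k_count(coded_count)


if __name__ == "__main__":
    salt = bytes(range(8))  # constructed salt; real keys store a random one
    # coded 96 expands to 65536 octets, GnuPG's default count at the time
    print(s2k_iterated_salted(b"correct horse battery", salt, 96).hex())
    print("40-bit passphrase, coded 255: ~2^%d octets hashed"
          % (brute_force_octets(40, 255).bit_length() - 1))
```

Raising the count buys a linear factor per guess; the exponential factor still comes only from the passphrase's entropy, which is the "massive passphrase" point above.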