Check that s2k-count has changed

David Shaw dshaw at
Fri Jul 8 21:08:02 CEST 2011

On Jul 8, 2011, at 2:35 PM, Chris Poole wrote:

> On 8 Jul 2011, at 17:31, David Shaw <dshaw at> wrote:
>> Yes.  Note that the list-packets output shows the internal packed value: 6553600 should come out to 201.  The default of 65536 would encode to 96.
> I do indeed get 201. Out of interest, how is that calculated?

Brace yourself.  This is not pretty:

#define S2K_DECODE_COUNT(_val) ((16ul + ((_val) & 15)) << (((_val) >> 4) + 6))

OpenPGP historically has a bit of a phobia about using two or four bytes when it could be squeezed into one.  Or even better, part of one.  That's why the range of valid s2k-count values is 1024 through 65011712, but not all values are actually possible.

> I also changed the digest algorithm to SHA512; the iter+salt line shows this, but still mentions SHA1 protection.

It's using SHA512 for passphrase mangling.  The SHA1 protection it is referencing is a checksum on the while secret key packet itself.  You can see the details in section 5.5.3 of RFC-4880, but basically it was added in response to the Klima-Rosa attack (which involved modifying the secret key in a way that the simple checksum used previously could not detect).


More information about the Gnupg-users mailing list