Check that s2k-count has changed
dshaw at jabberwocky.com
Fri Jul 8 21:08:02 CEST 2011
On Jul 8, 2011, at 2:35 PM, Chris Poole wrote:
> On 8 Jul 2011, at 17:31, David Shaw <dshaw at jabberwocky.com> wrote:
>> Yes. Note that the list-packets output shows the internal packed value: 6553600 should come out to 201. The default of 65536 would encode to 96.
> I do indeed get 201. Out of interest, how is that calculated?
Brace yourself. This is not pretty:
#define S2K_DECODE_COUNT(_val) ((16ul + ((_val) & 15)) << (((_val) >> 4) + 6))
OpenPGP historically has a bit of a phobia about using two or four bytes when it could be squeezed into one. Or even better, part of one. That's why the range of valid s2k-count values is 1024 through 65011712, but not all values are actually possible.
> I also changed the digest algorithm to SHA512; the iter+salt line shows this, but still mentions SHA1 protection.
It's using SHA512 for passphrase mangling. The SHA1 protection it is referencing is a checksum on the while secret key packet itself. You can see the details in section 5.5.3 of RFC-4880, but basically it was added in response to the Klima-Rosa attack (which involved modifying the secret key in a way that the simple checksum used previously could not detect).
More information about the Gnupg-users