Check that s2k-count has changed

Chris Poole lists at chrispoole.com
Fri Jul 8 22:54:31 CEST 2011


Thanks for the detailed response. I've done some C programming so it's not too alien to me.

I don't know if this would be of any real use (perhaps just for those that are pretty sure of the slowest machine they'll be decrypting their private key on), but a function to calculate how many rounds it takes to run for x.y seconds would be useful. KeePass, for example, automatically calculates how many rounds can be calculated in 1 second, and will set the count accordingly. 

On 8 Jul 2011, at 20:08, David Shaw <dshaw at jabberwocky.com> wrote:

> On Jul 8, 2011, at 2:35 PM, Chris Poole wrote:
> 
>> On 8 Jul 2011, at 17:31, David Shaw <dshaw at jabberwocky.com> wrote:
>>> Yes.  Note that the list-packets output shows the internal packed value: 6553600 should come out to 201.  The default of 65536 would encode to 96.
>> 
>> I do indeed get 201. Out of interest, how is that calculated?
> 
> Brace yourself.  This is not pretty:
> 
> #define S2K_DECODE_COUNT(_val) ((16ul + ((_val) & 15)) << (((_val) >> 4) + 6))
> 
> OpenPGP historically has a bit of a phobia about using two or four bytes when it could be squeezed into one.  Or even better, part of one.  That's why the range of valid s2k-count values is 1024 through 65011712, but not all values are actually possible.
> 
>> I also changed the digest algorithm to SHA512; the iter+salt line shows this, but still mentions SHA1 protection.
> 
> It's using SHA512 for passphrase mangling.  The SHA1 protection it is referencing is a checksum on the while secret key packet itself.  You can see the details in section 5.5.3 of RFC-4880, but basically it was added in response to the Klima-Rosa attack (which involved modifying the secret key in a way that the simple checksum used previously could not detect).
> 
> David
> 



More information about the Gnupg-users mailing list