"SHA1 Protection" from way to see what cipher/algo was used to create your key?

Thu Jun 21 15:57:28 CEST 2012

On 21/06/12 15:00, Sam Smith wrote:
> when running the command: gpg --list-packets <keyname.asc>
> 
> there is an outputted line that reads:  "SHA1 protection"

First of all, it seems you understand it, but let me emphasize this: the
algorithms you get when using the inspection method vedaal showed you, are /not/
the algorithms used to create your secret key, as you asked. There is no cipher
or hashing involved in creating a key; it's just a random number which must
satisfy some mathematical properties. Key creation is determining random numbers
that satisfy the needed properties.

The symmetric cipher and hash algorithm are used to encrypt and protect the
secret key; protection is via a password.

All the details are in RFC 4880; you could read it at, e.g., [1]. It's a very
technical document.

I'll take the output vedaal gave as an example:

> :secret key packet:
>         version 4, algo 1, created 1201031494, expires 0
>         skey[0]: [4096 bits]
>         skey[1]: [17 bits]
>         iter+salt S2K, algo: 10, SHA1 protection, hash: 8, salt: 

A password is used to protect this key. This password, along with a known, but
random "salting" value, is repeatedly fed through SHA256 hashing (hash: 8). This
is what "iter+salt S2K" means: A String-To-Key method that iteratively hashes,
with a salt. The result of this S2K is a symmetric encryption key.

The actual secret part of the secret key is protected by a symmetric cipher,
TWOFISH (algo: 10). The secret material is encrypted with TWOFISH using the key
the S2K gave.

However, there is the possibility for an attacker to modify this secret
material. If you don't notice, he has an attack vector on you as he can modify
the key you are using to sign and decrypt. To prevent modification, the secret
key material is hashed using the SHA1 algorithm, and this hash is stored in the
encrypted part. If the attacker modifies the encrypted part, the hash won't
check out anymore, and an OpenPGP implementation will reject the key as corrupted.

So that's the purpose of the "SHA1 protection".

The hashing algorithm you can choose is the one used to create a key with the
S2K specifier. The hashing algorithm to protect against modification of the
encrypted material is fixed. Note that since it is all inside the encrypted
part, a lot of attacks that are possible on hashing algorithms won't work
anymore. SHA1 would have to be extremely broken to be problematic for this
application.

Peter.

PS: BTW, the absolute worst possible checksum to use to protect integrity, when
put inside a streaming-mode cipher, is a cyclic redundancy check. Which they
used in WEP wireless LAN protection. My mouth fell open when I learned about
this :).

[1] <https://tools.ietf.org/html/rfc4880>

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt