Seeking Assurance on Security and Memory Leaks in SuSE GnuPG

Werner Koch wk at
Mon Aug 29 15:17:51 CEST 2022

On Sat, 27 Aug 2022 16:17, Tony Lee said:

> Count			User Time (s)
>     1024		0.237

For backward compatibility reasons with 1.4 the default count value is
used in this case.  The default value is computed by gpg-agent and
depends on your machine (cf. gpg-agent's --s2k-calibration option). See
the first condition in the function below:

  /* Pack an s2k iteration count into the form specified in RFC-4880.
   * If we're in between valid values, round up.  */
  unsigned char
  encode_s2k_iterations (int iterations)
  {
    unsigned char c=0;
    unsigned char result;
    unsigned int count;

    if (iterations <= 1024)
      return 0;  /* Command line arg compatibility.  */

    if (iterations >= 65011712)
      return 255;

    /* Need count to be in the range 16-31 */
    for (count=iterations>>6; count>=32; count>>=1)
      c++;

    /* High nibble: exponent, low nibble: mantissa minus 16.  */
    result = (c<<4)|(count-16);

    /* Round up if the coded value decodes to less than requested.  */
    if (S2K_DECODE_COUNT(result) < iterations)
      result++;

    return result;
  }

This mapped value is required by RFC-4880.  When passing an RFC-4880
encoded value to our KDF function, we decode it first.

> We see the cleartext length is not greatly significant, especially at
> higher count values, but the User Time is nowhere near linear with
> count --- which one would expect. For a count of 65,011,712 rounds,
> the Time is around 0.33 seconds. On the same machine, 23,400,000
> AES-KDF rounds were completed in 1.0~s (with a linear relationship),

You can't compare some AES-KDF to the SHA1 based KDF of OpenPGP.  The
increase in speed you see is due to caching effects on modern CPUs and
the highly optimized SHA1 code in Libgcrypt.  Something a cracker would
have also.

The default of GnuPG is to let the system take about 100ms for the S2K
to make brute forcing the password of the private key harder.  Using any
non-full entropy password for symmetric encryption is a Bad Idea.  With
a full entropy password the S2K iterations don't matter at all.

So either use a full-entropy password or use public key encryption.

If an attacker got access to your private key (encrypted or
non-encrypted) you are anyway in tilt mode.

> If a Yubikey is used to store the User passphrase for gpg, is it

A Yubikey or any other smartcard does not store the password but stores
the private key and only allows operations with that private key after
having unlocked the token.  For this you use a PIN where the hardware of
the token allows only 3 to 10 false tries - thus a small number is
sufficient to avoid brute forcing.



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
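
The following is an added example, not part of the original message and not GnuPG's code: a Python version of the RFC 4880 iterated and salted S2K, showing that the one-octet coded count is decoded before hashing and that the decoded value is the number of octets fed to the hash, not a number of hash rounds. The function names and the sample salt and passphrase are constructed for illustration; the special handling gpg applies to small command-line counts is not modelled.

```python
import hashlib

def decode_s2k_count(coded: int) -> int:
    """RFC 4880, 3.7.1.3: coded octet -> number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def encode_s2k_count(count: int) -> int:
    """Smallest coded octet whose decoded value is >= count (rounds up).
    Plain RFC mapping only, found by search over the 256 coded values."""
    for coded in range(256):
        if decode_s2k_count(coded) >= count:
            return coded
    return 255  # requests above the maximum are clamped

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        keylen: int = 16, algo: str = "sha1") -> bytes:
    """Derive keylen bytes from passphrase with the iterated+salted S2K."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    # The count is in octets; salt+passphrase is always hashed at least once.
    count = max(decode_s2k_count(coded), len(data))
    full, rest = divmod(count, len(data))
    key = b""
    preload = 0
    while len(key) < keylen:
        # Each extra hash context is preloaded with one more zero octet.
        h = hashlib.new(algo, b"\x00" * preload)
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:keylen]

# Constructed sample input, not taken from the thread.
SAMPLE_SALT = bytes(range(8))
SAMPLE_PASSPHRASE = b"example!"

if __name__ == "__main__":
    for requested in (1024, 65536, 65537, 65011712):
        coded = encode_s2k_count(requested)
        print(requested, "->", coded, "->", decode_s2k_count(coded), "octets")
    key = s2k_iterated_salted(SAMPLE_PASSPHRASE, SAMPLE_SALT, 96)
    print("key:", key.hex())
```

With a 16-octet salt-plus-passphrase, the maximum coded value 255 hashes that string about four million times, which amounts to roughly one million 64-byte SHA-1 blocks.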