Understanding KDF for symmetric encryption (was: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG)

Bernhard Reiter bernhard at intevation.de
Tue Oct 25 10:57:42 CEST 2022

Hi Tony, 

one way to make progress (here on the mailinglist) is to split up
unrelated topics into single issues, so everyone can dig deeper,
if needed.

From your posts I focus on the KDF for symmetric encryption.
(I believe other concerns have been answered, at least I've seen answers,
if not please open a seperate topic for each question.)

Am Montag 03 Oktober 2022 18:45:48 schrieb Tony Lee via Gnupg-users:
> Werner noted [for Count 1024] For backward compatibility reasons with
> 1.4 the default count value is used in this case [and] You can't compare
> some AES-KDF to the SHAl based KDF of OpenPGP. The --s2k options mention
> "mangling passphrases" which sounds exactly like a KDF, but a default
> SHA-1 was used in one case, at least.

As a far as I've understood, using SHA1 hash in a KDF maybe okay 
(depending on other properties of the KDF).

As mentioned by Werner, the KDF is calibrated dynamically by gpg-agent,
did you check the bottom of
(with --s2k-calibration and --s2k-count )
those have to be given to gpg-agent (e.g. in the gpg-agent.conf).

If you want to increase the difficulty of the KDF used, my understanding
is that a good option to use would be --s2k-calibration to gpg-agent.

> The Spectra Secure YouTube was:
> https://www.youtube.com/watch?v=j-qBChKG15Y "Password Managers: The Case
> Against GNU pass (feat gpg)". Around minute 4:31 it explains very
> clearly that the --s2k settings do not work (when exporting a key),

In the video description, there is a link to
which explains that being able to set a few parameters for the
export of secret key material directly from gpg is a wish and not a defect.
It maybe that the documentation could be improved on this point as
however this would only be a minor thing in my view as gpg-agent does
a dynamic calibration that sounds reasonable.

However T1800 still says that --s2k-count works for symmetric encryption, see 
if it does not, it would be a defect. It would be a minor one, if
the default is gotten from gpg-agent (as stated) and gpg-agent gets it right.

So you can start seeking evidence for it or the contrary,
either by measurements or by following the code. 
Have you compared runs of gpg -c with different --s2k-count values?)

Following the code usually works by building gnupg (its libraries and tools)
and then start at main() with the handling of the arguments
and possibly add some debugging printing or other method
to see if you get to the point where the value is used or or.
It should be possible for a software-engineer without deep knowlede of C.


https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20221025/10320d3c/attachment.sig>

More information about the Gnupg-users mailing list