Re: Better S2K functions for OpenPGP?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 09 December 2009 20:50 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: df@dfranke.us, ietf-openpgp@imc.org
Subject: Re: Better S2K functions for OpenPGP?
In-Reply-To: <20091209151735.2444a67b@feanor.vpn.dfranke.us>
Message-Id: <E1NITUV-0003Ci-S2@wintermute01.cs.auckland.ac.nz>
Date: Thu, 10 Dec 2009 09:50:31 +1300

Daniel Franke <df@dfranke.us> writes:

>The discussion currently going on gnupg-dev about increasing the
>default iteration count for the S2K prompted me to wonder whether
>OpenPGP couldn't benefit from some more modern key-derivation
>algorithms. PBKDF2[1] is the most standard, while bcrypt[2] is also
>well-tested and popular, and scrypt[3], although new, seems to be
>superior to both of them.  The advantage of scrypt is that it's hard in
>terms of space complexity as well as time complexity, greatly reducing
>the advantage given to an attacker who has the ability to build custom
>cryptographic hardware.

I would support a move to PBKDF2 because it's widely supported, including the 
all-important PKCS #11 for hardware devices.  As for the other two, please, 
not another homebrew format that requires custom implementation support every 
time it's used...

Peter.
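
For reference, an added example (not part of the original message or of any OpenPGP implementation) that puts the iterated and salted S2K from RFC 4880 section 3.7.1.3 next to PBKDF2 as exposed by Python's hashlib. The passphrase, salt and count values are constructed; note that the S2K count is a number of octets fed through a single hash, while the PBKDF2 count is a number of chained HMAC calls, so the two figures are not directly comparable.

```python
import hashlib

def decode_count(c: int) -> int:
    """RFC 4880 section 3.7.1.3: coded count octet -> octets to hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """OpenPGP iterated and salted S2K (specifier type 3)."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    # The whole salt+passphrase is always hashed at least once.
    count = max(decode_count(c), len(block))
    reps, tail = divmod(count, len(block))
    out, preload = b"", 0
    while len(out) < key_len:
        # Keys longer than one digest use extra hash contexts, the n-th
        # one preloaded with n zero octets.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        for _ in range(reps):
            h.update(block)
        h.update(block[:tail])
        out += h.digest()
        preload += 1
    return out[:key_len]

def pbkdf2_key(passphrase: bytes, salt: bytes, iterations: int,
               key_len: int, hash_name: str = "sha256") -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-<hash_name> as the PRF."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, key_len)

if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    pw, salt = b"correct horse", bytes.fromhex("0102030405060708")
    print(decode_count(96), "octets hashed for coded count 96")
    print("S2K   :", s2k_iterated_salted(pw, salt, 96, 16).hex())
    print("PBKDF2:", pbkdf2_key(pw, salt, 65536, 16).hex())
```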