IETF Logo Mail Archive

Better S2K functions for OpenPGP?

Daniel Franke <df@dfranke.us> Wed, 09 December 2009 20:19 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id nB9KJ5t0015636 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 9 Dec 2009 13:19:06 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id nB9KJ5Kr015635; Wed, 9 Dec 2009 13:19:05 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from felagund.dfranke.us (felagund.dfranke.us [74.207.241.162]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id nB9KJ3un015626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-openpgp@imc.org>; Wed, 9 Dec 2009 13:19:04 -0700 (MST) (envelope-from df@dfranke.us)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dfranke.us; h=date:from :to:subject:message-id:mime-version:content-type; s=default; bh= ikwVsMBCeoHdfnpvSHOpisYz8aIDE5+2jyzwSeIZeok=; b=p/zBJJO4WhrYmGeV +TSIaxPCQHK9EAufnmzMP6+LzhyU/TlnfVeWM2qo9481HkOKx1CKT3ee+6x+kof+ z+GdkqKsr5ycps4WP72t7UVcJPLz+D0b9Kq3YlOR3YlyAvFXSay+2JanSimAp543 LUnPcZNMYEtfsV9uajXPpxfXNnNTD0zOQ8VbvUPintfgAqkNwrsXWyOiF0kBEL9p sk78QoUcFhhhR2J2ar5mFLzoTVBNpTyAfFzqi3ee/s/582DuDtyCc67leagEchtm 81CxVf383g8wk1U4cOKKnotqhYc3ilsrUgALzWXBjHc0yFKbMmXn4ncFcMcP1zLD G/jiyA==
Received: (qmail 8574 invoked from network); 9 Dec 2009 20:18:31 -0000
Received: from unknown (HELO feanor.vpn.dfranke.us) (172.20.17.2) by felagund.dfranke.us with SMTP; 9 Dec 2009 20:18:31 -0000
Date: Wed, 09 Dec 2009 15:17:35 -0500
From: Daniel Franke <df@dfranke.us>
To: ietf-openpgp@imc.org
Subject: Better S2K functions for OpenPGP?
Message-ID: <20091209151735.2444a67b@feanor.vpn.dfranke.us>
X-Mailer: Claws Mail 3.7.2 (GTK+ 2.18.3; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg="PGP-SHA512"; boundary="Sig_/V7_Eci6P.IPvj.2JKdIn+c_"; protocol="application/pgp-signature"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

The discussion currently going on gnupg-dev about increasing the
default iteration count for the S2K prompted me to wonder whether
OpenPGP couldn't benefit from some more modern key-derivation
algorithms. PBKDF2[1] is the most standard, while bcrypt[2] is also
well-tested and popular, and scrypt[3], although new, seems to be
superior to both of them.  The advantage of scrypt is that it's hard in
terms of space complexity as well as time complexity, greatly reducing
the advantage given to an attacker who has the ability to build custom
cryptographic hardware.

[1] http://www.rsa.com/rsalabs/node.asp?id=2127
[2] http://www.openbsd.org/papers/bcrypt-paper.ps
[3] http://www.tarsnap.com/scrypt.html

-- 
 Daniel Franke         df@dfranke.us         http://www.dfranke.us
 |----| =|\     \\\\    
 || * | -|-\---------   Man is free at the instant he wants to be. 
 -----| =|  \   ///     --Voltaire

v2.23.0 | Report a Bug | By Email