Re: [openpgp] On composing scrypt and openpgp s2k key stretching for symmetric encryption

Jon Callas <jon@callas.org> Thu, 22 May 2014 23:41 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/RjJE6_EZ5FXOmb-MtAmq-RzmB3c

On May 22, 2014, at 6:48 AM, Brian Gitonga Marete <marete@toshnix.com> wrote:

> Hello all!
> 
> What would be the security effect of generating a 32 byte key from a passphrase using scrypt and then using that as a "passphrase" for openpgp's symmetric encryption (this 32 byte key will of course then be acted upon by openpgp's s2k algorithm)? Specifically, can one expect that this will make brute-forcing a symmetric passphrase (theoretically or practically) harder? (Given the same strong passphrase).

Meh.

Intuitively, yes, it would. However, there's really nothing theoretic that says it's better. Most things that are intuitively better but unmeasurable turn out to be far less good than your intuition says. Depressingly often, someone comes up with a clever attack that reduces the intuitive thing to being no better than a bit or two, and in the case of passwords, I've rarely seen anything that's better than adding another character to your password.

> Please note that I am asking this from an application point of view and not calling for the inclusion of scrypt into the openpgp standard.

If you are set on doing it, Dan Gillmor brings up an important point (and a way one could shoot oneself in the foot). An easy way to protect against that is to take your scrypt() result and put it into text -- base64, hex, whatever -- and then use *that* as your input to s2k.

	Jon
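
The composition discussed in this message, as an added Python example that is not part of the original email or of any OpenPGP implementation: scrypt output is hex-encoded before it is fed to the RFC 4880 iterated and salted S2K, because raw scrypt output is arbitrary bytes and can contain a newline or NUL that a line-based passphrase reader would cut at. The function names, scrypt cost parameters, salts and S2K count byte are assumptions chosen for illustration.

```python
import hashlib

def scrypt_to_text(password: bytes, salt: bytes) -> bytes:
    """Stretch with scrypt, then hex-encode so the result is printable ASCII."""
    # Cost parameters are assumptions for this example, not values from the thread.
    raw = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                         maxmem=64 * 1024 * 1024, dklen=32)
    return raw.hex().encode("ascii")

def read_passphrase_line(stream: bytes) -> bytes:
    """Model of a passphrase reader that stops at the first newline or NUL."""
    for i, b in enumerate(stream):
        if b in (0x0A, 0x00):
            return stream[:i]
    return stream

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int = 32, hash_name: str = "sha256") -> bytes:
    """RFC 4880 section 3.7.1.3 iterated and salted S2K."""
    count = (16 + (c & 15)) << ((c >> 4) + 6)   # octets to hash, from coded count c
    data = salt + passphrase
    count = max(count, len(data))               # always hash salt+passphrase at least once
    full, rem = divmod(count, len(data))
    key, ctx = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name, b"\x00" * ctx)  # later contexts are preloaded with zeros
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        key += h.digest()
        ctx += 1
    return key[:key_len]

# Constructed sample values (hypothetical, for illustration only).
SCRYPT_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
S2K_SALT = bytes.fromhex("a1b2c3d4e5f60718")
S2K_COUNT_BYTE = 0x60   # decodes to 65536 octets

def derive_session_key(password: bytes) -> bytes:
    text = scrypt_to_text(password, SCRYPT_SALT)
    assert read_passphrase_line(text) == text   # hex survives a line-based reader
    return s2k_iterated_salted(text, S2K_SALT, S2K_COUNT_BYTE)

if __name__ == "__main__":
    print(derive_session_key(b"correct horse battery staple").hex())
```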