Re: [openpgp] On composing scrypt and openpgp s2k key stretching for symmetric encryption

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 23 May 2014 14:46 UTC

Message-ID: <537F5F36.7000800@fifthhorseman.net>
To: Lutz Donnerhacke <lutz@donnerhacke.de>, Jon Callas <jon@callas.org>
References: <CAHVUoiQAFthafuGCjegJQr8WFC-myR2ecHDz7mRggeyBE5KUSQ@mail.gmail.com> <5E5B20C2-7647-4437-A489-7321CC8079C6@callas.org> <20140523090334.GA25165@belenus.iks-jena.de>
In-Reply-To: <20140523090334.GA25165@belenus.iks-jena.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/ra4cNTgusHP-cIEo8ty131ClROg
Cc: Brian Gitonga Marete <marete@toshnix.com>, openpgp@ietf.org

On 05/23/2014 05:03 AM, Lutz Donnerhacke wrote:
> Yep. One aspect was already mentioned: "NUL" characters. The obvious
> countermeasure was also mentioned: "base64". But this reduces the possible
> input variation.  It might be possible to mount an attack on it.

The amount of entropy going into a base64 encoding is *exactly* equal to
the amount of entropy coming out of it.  From a brute-force perspective,
nothing is lost.

The only attacks that fit what you're describing would be attacks
based on plaintext patterns of specific bits of the input (e.g. the high
bit of every octet of input is known to be zero), but I have not heard
of any such attack on an s2k transformation.

If the s2k input tends to come directly from the keyboard, the same
patterns are likely to be present as well (and even more, since
human-memorable passwords have much more structure than base64-encoded
scrypt output).

	--dkg
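As an added illustration of the composition this thread discusses (not code from the thread or from any OpenPGP implementation): scrypt output is base64-encoded so that it contains no NUL octet before being handed to an RFC 4880 iterated-and-salted S2K, and the round trip through base64 shows that the encoding is injective, so no entropy is lost. The passphrase, salts and scrypt parameters are constructed for the demonstration.

```python
import base64
import hashlib


def s2k_count(c: int) -> int:
    """Decode the RFC 4880 one-octet iteration code into an octet count."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int, key_len: int,
                        hash_name: str = "sha256") -> bytes:
    """RFC 4880 section 3.7.1.3 Iterated and Salted S2K.

    Hashes the stream (salt || passphrase), repeated, until `count` octets
    have been consumed; a key longer than one digest uses extra contexts
    preloaded with 1, 2, ... zero octets, as the RFC specifies.
    """
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + passphrase
    count = max(s2k_count(c), len(block))  # block is hashed at least once
    digest_size = hashlib.new(hash_name).digest_size
    key = b""
    for ctx in range((key_len + digest_size - 1) // digest_size):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]  # final repetition may be truncated
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
    return key[:key_len]


def scrypt_then_base64(passphrase: bytes, scrypt_salt: bytes) -> bytes:
    """Stretch with scrypt, then base64-encode so the octets handed to the
    S2K passphrase interface contain no NUL. base64 is injective, so the
    entropy of the 32 scrypt octets is carried through unchanged."""
    raw = hashlib.scrypt(passphrase, salt=scrypt_salt, n=2 ** 14, r=8, p=1,
                         dklen=32)
    encoded = base64.b64encode(raw)
    assert base64.b64decode(encoded) == raw  # round trip: nothing is lost
    return encoded


def derive_session_key() -> dict:
    """Constructed inputs (not from the thread): compose the two stages."""
    scrypt_salt = b"constructed-scrypt-salt"
    s2k_salt = bytes(range(1, 9))
    encoded = scrypt_then_base64(b"correct horse battery staple", scrypt_salt)
    key = s2k_iterated_salted(encoded, s2k_salt, 0x60, 32)
    return {"s2k_passphrase": encoded, "key": key, "s2k_salt": s2k_salt}
```

The base64 step is what keeps the stretched secret usable through a C-string passphrase interface; the only entropy bound is the 32 scrypt octets, not the 44 printable characters.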