[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[openpgp] 4880bis: Update S2K



Hi,

this is about this item from dkg's list: 

> e) update S2K with something more modern (PBKDF2, HKDF, scrypt?),
>    deprecate all the other mechnanisms explicitly

I agree that all options except for iterated+salted should be removed
and if we settle for a new MUST hash algorithm that one should als be a
MUST for S2K.

We may also dicuss whether the float encoded COUNT could be updated with
something simpler.  This is related to a other packet length header
fields.

Why do you think that the S2K thing is worse than PBKDF2?  Is there any
paper comparing these two KDFs?

We have two use cases for KDFs: 

 a) Protection of the secret key.  This is important most mostly a local
    issue.  Sending secret keys over the the wire requires a lot of
    precautions anyway and thus I think there is no need to put strin
    extra protection into it.  It is better to convey secret keys using
    another secure method.

 b) Symmetric-Key Encrypted Session Key Packets.  I don't know how often
    this is used.  I assume that in most use cases the passphrase is
    taken from external key management system and thus we can expect
    that it has full entropy and the KDF does not add to the security.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
openpgp mailing list
openpgp@xxxxxxxx
https://www.ietf.org/mailman/listinfo/openpgp