On Mon, 19 Jan 1998, John W. Noerenberg wrote:
Here are the long delayed minutes from the IETF meeting in December. Tony
Mione recorded them, and I've annotated them slightly.
40th IETF, Washington, DC
OpenPGP Working Group Meeting Minutes
8-Dec-1997
...
Draft : PGP Message formats (Jon Callas)
Jon discussed the most recent decisions on various open issues
in the PGP Message formats draft
(drafts-ietf-openpgp-formats-00.txt). There was some discussion
on certain points. Some decisions by Jon, et al were reversed
or modified during the discussion.
...
2.5.3.3 Iterated/Salted String-to-key - This is long, hairy and
complicated to implement. We have considered removing it.
The following should do all three variants (0,1,3), but I haven't tested
them all, nor any hashtype not normally used by PGP 5.0b8. The original
is at www.cryptography.org in cipcop09.tgz in the libraries directory.
bp points to a buffer with the key material starting with the crypto type,
and hashpass contains the user typed in password.
cfbinit sets the key and initial IV for the cfb decryption:
void cfbinit(unsigned char *key, unsigned char *iv0, int cipher);
/*------------------------------------*/
/* string to key and initialize conventional encryption */
void getcfbkey(unsigned char **bp, unsigned char *hashpass)
{
unsigned int i = 0, j, k = 0, ca, ha, sa;
unsigned char hbuf[256];
unsigned char hashctx[1024];
ca = *(*bp)++; /* crypto type */
sa = *(*bp)++; /* salt type */
ha = *(*bp)++; /* hash type */
if (sa & 1) {
memcpy(hbuf, *bp, 8); /* salt */
memcpy(&hbuf[8], hashpass, strlen(hashpass));
*bp += 8;
k = 8 + strlen(hashpass);
i = k;
}
if (sa == 3) {
i = *(*bp)++; /* postfix - hash size */
j = i >> 4;
i = (i & 15) + 16;
i <<= j + 6;
} else if (sa == 0) { /* salt-free */
memcpy(hbuf, hashpass, strlen(hashpass));
i = strlen(hashpass);
k = i;
} else if (sa != 1) /* 1 = just salt, else error */
exit(-1);
j = i / k; /* loops over whole text */
i = i % k; /* last loop size */
if (ha < 1 || ha > MAXHASH)
exit(-1);
(*hashinit[--ha]) (hashctx);
while (j--)
(*hashupdate[ha]) (hashctx, hbuf, k);
(*hashupdate[ha]) (hashctx, hbuf, i);
(*hashfinal[ha]) (hbuf, hashctx);
memcpy(&hbuf[hashlen[ha]], hbuf, hashlen[ha]);
memcpy(&hbuf[hashlen[ha] * 2], hbuf, hashlen[ha] * 2);
cfbinit(hbuf, *bp, ca);
*bp += 8;
}
The rationale for its use is that:
1-Salt perturbs encryption of strings (same string
encrypts to different values each time it
is used)
2-Iteration adds compute time for the craker program
running a dictionary attack.
We've seen 3 options mentioned
1) Remove it
2) Change 8-bit float to 32 bit int
3) Change it to a MAY
Request for comments from WG
Comments from WG member: Options add complexity but is useful
and important. The member would not have a problem
with it if the float was changed to a 32-bit
integer (2).
--- reply to tzeruch - at - ceddec - dot - com ---