Sven Wohlgemuth, <sven(_at_)krypt1(_dot_)cs(_dot_)uni-sb(_dot_)de>, writes:
Has a string-to-key specifier to follow the specification of the symmetric
It does, if there was a 255 and then the symmetric algorithm. It must
not, if you just put in the symmetric algorithm and didn't put a 255
Since I can use the MD5 hash value of the passphrase as a symmetric key.
Why should I write
if I just want to use a symmetric algorithm without a s2k-specifier?
You don't have to.
- One octet indicating string-to-key usage conventions. 0
indicates that the secret key data is not encrypted. 255
indicates that a string-to-key specifier is being given. Any
other value is a symmetric-key encryption algorithm specifier.
Isn't it possible to write
1, enc_MPI, ...
1 for the sym. algorithm follwed by the encrypted MPIs, instead?
Almost. There needs to be an IV before the encrypted MPIs start.
The idea is that there are three formats. Unencrypted looks like:
0, MPI, ...
The simpler encrypted case is similar to your last suggestion:
<symmetric-alg>, <IV>, enc_MPI, ...
This uses the default "simple" string-to-key conventions.
The more complex one is:
255, <symmetric-alg>, <string-to-key>, <IV>, enc_MPI, ...
This allows you to specify a different string to key specifier. That is
the reason for the more complex format. The iterated/salted string-to-key
is superior as it makes it harder to guess passphrases for someone who
gets hold of the private key.