ietf-openpgp
Iterated and Salted S2K - weakness or unclear specification?

2000-11-15 13:02:28
As I have interpreted section 3.6.1.3 of RFC 2440, the
iterated and salted S2K works as follows (using my
own words):

For each hash context:
zeros + salt + passphrase is entered into the hash machine and the
hash is performed. The output of this operation becomes input to
it the next time, until we have hashed exactly 'count' bytes. (The exactness
does not apply if the length of zeros + salt + passphrase is in fact
greater than 'count', though.) To achieve this, the last time we hash,
the input is smaller than the digest size. It may possibly be of length
1 or 2!!!!!

The attack:
Assume that the output of the hash algorithm is greater than or equal to
the blocksize, hence there will be only one hash context. Assume also that
there are passphrases of suitable length for an attacker, i.e. such that
the last round of the iteration has an input of one or two bytes, say. This
means that session keys being a hash (or part of one) of these short inputs
are likely to be used. An attacker could just calculate all hashes of the
one- and two-byte words (not too many) and try to use them as session
keys.

Have I interpreted the spec wrong when I assume that the text (sec 3.6.1.3)
        
        "Then the salt, followed by the passphrase data is repeatedly hashed
        until the number of octets specified by the octet count has been hashed"
        
means that exactly 'count' bytes should be hashed?

The specification is very unclear in this section.

Regards
/Bo
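
Added example, not part of the original post: a Python sketch of the reading of the quoted sentence in which copies of salt + passphrase are streamed into one running hash context until exactly 'count' octets have been fed in, with the digest taken once at the end. The function names, the SHA-1 default and the choice not to count the preloaded zero octets toward 'count' are assumptions of this example.

```python
import hashlib

EXPBIAS = 6  # constant given in RFC 2440 section 3.6.1.3


def decode_count(c: int) -> int:
    """Expand the one-octet coded count into the octet count."""
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets under the streaming reading (example code)."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 octets")
    unit = salt + passphrase
    # Exception in the spec: if count is smaller than salt + passphrase,
    # the full salt + passphrase is still hashed once.
    count = max(decode_count(coded_count), len(unit))
    full, tail = divmod(count, len(unit))

    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        # Context n is preloaded with n zero octets. Assumption here:
        # these zeros do not count toward 'count'.
        h.update(b"\x00" * context)
        for _ in range(full):
            h.update(unit)
        # The last, partial copy goes into the same running context.
        # It is never hashed on its own, and no digest is fed back in.
        h.update(unit[:tail])
        key += h.digest()
        context += 1
    return key[:key_len]


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    salt = bytes(range(8))
    print(decode_count(0x60))
    print(s2k_iterated_salted(b"constructed passphrase", salt, 0x60, 16).hex())
```

Under this reading the one or two leftover octets are only the tail of a stream that begins with the salt, so the final digest still depends on the whole salt and passphrase.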