ietf-openpgp

Re: Iterated and Salted S2K - weakness or unclear specification?

2000-11-15 13:59:13
bo(_dot_)baldersson(_at_)hushmail(_dot_)com writes:

Have I interpreted the spec wrong when I assume that the text (sec 3.6.1.3)

      "Then the salt, followed by the passphrase data is repeatedly hashed
      until the number of octets specified by the octet count has been hashed"

means that exact 'count' bytes should be hashed?

The specification is very unclear in this section.

Regards
/Bo

I believe you have interpreted it incorrectly.  The algorithm for each
key-block is, basically:

  HashInit()
  for (i=0; i < key-block#; i++)
    HashUpdate(zero-byte)
  for (i=0; i < byte_count; i += length(salt+passphrase))
    HashUpdate(salt)
    HashUpdate(passphrase)
  HashFinal()

Note that this pseudo-code does not handle the truncation properly for
rounds >= 1.  However, the piece that you are confused about is that
you do NOT finalize the hash at every round through the count.  You
finalize it for each key-block.  So, the whole passphrase is used, and
theoretically can be used many many times in the hash.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord(_at_)MIT(_dot_)EDU                        PGP key available
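
The procedure discussed in this thread, as an added example that is not part of the original messages: a Python sketch of the iterated and salted S2K that includes the truncation of the final salt+passphrase repetition, which the pseudo-code above leaves out. The function names, the SHA-1 default and the sample salt and passphrase are assumptions made for the illustration.

```python
import hashlib

# Constructed sample inputs for illustration only.
SAMPLE_SALT = bytes(range(8))
SAMPLE_PASSPHRASE = b"correct horse"


def decode_count(c: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets of key material from a passphrase."""
    if len(salt) != 8:
        raise ValueError("the S2K salt is 8 octets")
    data = salt + passphrase
    # A count shorter than one salt+passphrase still hashes it once, whole.
    total = max(count, len(data))
    full, rest = divmod(total, len(data))

    key = b""
    block = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        # Key-block n is preloaded with n zero octets (not part of count).
        h.update(b"\x00" * block)
        # One hash context runs across every repetition; it is finalized
        # once per key-block, not once per round.
        for _ in range(full):
            h.update(data)
        # Truncate the last repetition so exactly `total` octets are hashed.
        h.update(data[:rest])
        key += h.digest()
        block += 1
    return key[:key_len]


if __name__ == "__main__":
    n = decode_count(96)
    key = iterated_salted_s2k(SAMPLE_PASSPHRASE, SAMPLE_SALT, n, 24)
    print(n, key.hex())
```
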