[Top] [All Lists]

Re: Iterated and Salted S2K - weakness or unclear specification?

2000-11-15 16:09:25
"Michael Young" <mwy-opgp97(_at_)the-youngs(_dot_)org> writes:

I don't find the spec that hard to understand, but I've now seen
postings from several people who did (in different ways).

Conceptually, for segment N (starting with N=0):
    Create a buffer of size (N + min(count,passphrase.length+salt.length)).

Um, this should be max(), not min(), as if count < passphrase.length +
salt.length, you still use all of the passphrase + length

    Fill the first N bytes with zeroes.
    Fill the rest with the salt and passphrase bytes until you run out.
    Hash this entire buffer.
In practice, you use a hashing gadget that lets you feed it incrementally,
and you use as many as you need in parallel.

At no point do you use the hash output as input.  Yes, the hash
function itself may do something similar with hash lines internally,
but that is a carefully-considered aspect of the hash function


       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL:    PP-ASEL-IA     N1NWH
       warlord(_at_)MIT(_dot_)EDU                        PGP key available