ietf-openpgp
[Top] [All Lists]

Klima/Rosa attack (was: Re: Diffs for next draft)

2001-08-24 05:35:05

Werner Koch <wk(_at_)gnupg(_dot_)org> wrote>
The correct solution would be to introduce a version 5 of the secret
key packet - this is a major change as we may also want to also
introduce a v5 public key packet for symmetry reasons.  I guess this
will break a lot of code.

The hackish solution is to define a new S2K type identical to type 3
(iterated and salted) which would then trigger the use of the new
SHA-1 checksum.  It should be made clear that this S2K type is only to
be used for the protection of the secret key and not for conventional
encryption.

I don't like any of these solutions but the latter one is easier to
implement. Any other ideas?

Jon Callas <jon(_at_)callas(_dot_)org> replied:

I think an S2K that includes a hash is only mildly hackish, myself. I'd
support this. I'd even support an additional one that is merely salted
with a hash.


I disagree. As Werner Koch already pointed out, the 'correct' solution is to introduce version 5 of the secret key packet. I however do not think that there is any real reason for introducing a v5 public key packet, given that nothing changed for public key packets.

Keeping v4 public key packets will make sure nothing is broken with regard to exchanging public keys. Exchanging secret keys with older implementations will be broken in both cases anyway, because of the new s2k type.


Edwin