Daniel Franke <df(_at_)dfranke(_dot_)us> writes:
The discussion currently going on gnupg-dev about increasing the
default iteration count for the S2K prompted me to wonder whether
OpenPGP couldn't benefit from some more modern key-derivation
algorithms. PBKDF2[1] is the most standard, while bcrypt[2] is also
well-tested and popular, and scrypt[3], although new, seems to be
superior to both of them. The advantage of scrypt is that it's hard in
terms of space complexity as well as time complexity, greatly reducing
the advantage given to an attacker who has the ability to build custom
cryptographic hardware.
I would support a move to PBKDF2 because it's widely supported, including the
all-important PKCS #11 for hardware devices. As for the other two, please,
not another homebrew format that requires custom implementation support every
time it's used...
Peter.