On May 22, 2014, at 6:48 AM, Brian Gitonga Marete
<marete(_at_)toshnix(_dot_)com> wrote:

> Hello all!
>
> What would be the security effect of generating a 32 byte key from a
> passphrase using scrypt and then using that as a "passphrase" for openpgp's
> symmetric encryption (this 32 byte key will of course then be acted upon by
> openpgp's s2k algorithm). Specifically, can one expect that this will make
> brute-forcing a symmetric passphrase (theoretically or practically) harder?
> (Given the same strong passphrase).

Meh.
Intuitively, yes, it would. However, there's really nothing theoretic that says
it's better. Most things that are intuitively better but unmeasurable turn out
to be far less good than your intuition says. Depressingly often, someone comes
up with a clever attack that reduces the intuitive thing to being no better
than a bit or two, and in the case of passwords, I've rarely seen anything
that's better than adding another character to your password.

> Please note that I am asking this from an application point of view and not
> calling for the inclusion of scrypt into the openpgp standard.

If you are set on doing it, Dan Gillmor brings up an important point (and a way
one could shoot oneself in the foot). An easy way to protect against that is to
take your scrypt() result and put it into text -- base64, hex, whatever -- and
then use *that* as your input to s2k.
Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
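
The chain discussed in this thread (passphrase, scrypt, text encoding, S2K), as an added Python example that is not code from either poster. The scrypt parameters, the salts, the sample passphrase and the `line_reader_view` model of a text-oriented passphrase reader are assumptions made for illustration; the S2K function follows RFC 4880 section 3.7.1.3 with SHA-256.

```python
import hashlib

# Assumed scrypt cost parameters (not from the thread); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def scrypt_passphrase(passphrase: str, salt: bytes) -> str:
    """Stretch with scrypt, then hex-encode so the result is plain ASCII text."""
    raw = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return raw.hex()  # 64 characters from [0-9a-f]: no NUL, newline or non-UTF-8

def line_reader_view(secret: bytes) -> bytes:
    """Hypothetical model: a passphrase reader that stops at the first NUL or newline."""
    for i, b in enumerate(secret):
        if b in (0x00, 0x0A):
            return secret[:i]
    return secret

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int) -> bytes:
    """RFC 4880 iterated and salted S2K, SHA-256, producing a 32-byte key."""
    count = (16 + (c & 15)) << ((c >> 4) + 6)   # decode the one-octet count
    data = salt + passphrase
    count = max(count, len(data))               # hash salt+passphrase at least once
    full, rem = divmod(count, len(data))
    h = hashlib.sha256()
    for _ in range(full):
        h.update(data)
    h.update(data[:rem])
    return h.digest()

if __name__ == "__main__":
    scrypt_salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    s2k_salt = bytes.fromhex("0102030405060708")                      # constructed
    text = scrypt_passphrase("correct horse battery staple", scrypt_salt)
    key = s2k_iterated_salted(text.encode("ascii"), s2k_salt, 96)
    print("text passphrase:", text)
    print("session key    :", key.hex())
    raw = bytes.fromhex("a1b20ac3")  # constructed raw value containing 0x0a
    print("raw bytes survive as :", line_reader_view(raw).hex())
    print("hex text survives as :", line_reader_view(raw.hex().encode()).decode())
```

The scrypt salt and cost parameters have to be stored alongside the ciphertext, since OpenPGP's own S2K specifier only records the S2K salt and count.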