ietf-openpgp

Re: [openpgp] On composing scrypt and openpgp s2k key stretching for symmetric encryption

2014-05-23 09:46:27
On 05/23/2014 05:03 AM, Lutz Donnerhacke wrote:
> Yep. One aspect was already mentioned "NUL" characters. The obvious counter
> measurement was also mentioned "base64". But this reduces the possible input
> variation. It might be possible to mount an attack on it.

The amount of entropy going into a base64 encoding is *exactly* equal to
the amount of entropy coming out of it.  From a brute-force perspective,
nothing is lost.

The only attacks that fit what you're describing would be an attack
based on plaintext patterns of specific bits of the input (e.g. the high
bit of every octet of input is known to be zero), but i have not heard
of any such attack on an s2k transformation.

If the s2k input tends to come directly from the keyboard, the same
patterns are likely to be present as well (and even more, since
human-memorable passwords have much more structure than base64-encoded
scrypt output).

        --dkg
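
Added example, not part of the original message and not code from any OpenPGP implementation: a Python sketch of the composition the thread discusses, checking that base64 is one-to-one (so no brute-force work is lost) while its output has no NUL octets and a zero high bit in every octet. The function names, scrypt cost parameters, salts and passphrases are constructed for illustration, and the S2K routine goes beyond the message by following the iterated and salted form of RFC 4880 section 3.7.1.3 with SHA-256.

```python
import base64
import hashlib
import itertools

def scrypt_b64(passphrase: bytes, salt: bytes) -> bytes:
    """scrypt output, base64-encoded so it can serve as the S2K passphrase."""
    # Cost parameters are constructed for the example, not taken from the thread.
    raw = hashlib.scrypt(passphrase, salt=salt, n=2**12, r=8, p=1, dklen=32)
    return base64.b64encode(raw)

def octet_profile(data: bytes) -> dict:
    """Structure an attacker knows in advance about the S2K input."""
    return {
        "length": len(data),
        "has_nul": 0 in data,
        "high_bit_always_zero": all(b < 0x80 for b in data),
        "distinct_octets": len(set(data)),
    }

def base64_is_injective(nbytes: int) -> bool:
    """Exhaustively check that every nbytes-long input encodes to a distinct,
    decodable output, i.e. the encoding discards no entropy."""
    seen = set()
    for combo in itertools.product(range(256), repeat=nbytes):
        raw = bytes(combo)
        enc = base64.b64encode(raw)
        if base64.b64decode(enc) != raw:
            return False
        seen.add(enc)
    return len(seen) == 256 ** nbytes

def s2k_iterated_salted(passphrase: bytes, salt8: bytes, coded_count: int,
                        keylen: int = 32) -> bytes:
    """RFC 4880 iterated+salted S2K with SHA-256, for keylen <= 32 octets."""
    count = (16 + (coded_count & 15)) << ((coded_count >> 4) + 6)
    data = salt8 + passphrase
    count = max(count, len(data))      # salt+passphrase is always hashed once in full
    reps, rem = divmod(count, len(data))
    return hashlib.sha256(data * reps + data[:rem]).digest()[:keylen]

if __name__ == "__main__":
    stretched = scrypt_b64(b"constructed passphrase", b"constructed-salt")
    print(octet_profile(stretched))
    print(base64_is_injective(2))
    print(s2k_iterated_salted(stretched, b"8bytesal", 0x60).hex())
```
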



