Hi,

this is about this item from dkg's list:

  e) update S2K with something more modern (PBKDF2, HKDF, scrypt?),
     deprecate all the other mechanisms explicitly

I agree that all options except for iterated+salted should be removed
and if we settle for a new MUST hash algorithm that one should also be a
MUST for S2K.

We may also discuss whether the float encoded COUNT could be updated with
something simpler. This is related to other packet length header
fields.

Why do you think that the S2K thing is worse than PBKDF2? Is there any
paper comparing these two KDFs?

We have two use cases for KDFs:

a) Protection of the secret key. This is important, but mostly a local
   issue. Sending secret keys over the wire requires a lot of
   precautions anyway and thus I think there is no need to put strin
   extra protection into it. It is better to convey secret keys using
   another secure method.

b) Symmetric-Key Encrypted Session Key Packets. I don't know how often
   this is used. I assume that in most use cases the passphrase is
   taken from an external key management system and thus we can expect
   that it has full entropy and the KDF does not add to the security.

Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
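
For reference, the iterated+salted S2K and the one-octet "float encoded" COUNT mentioned in the message, following RFC 4880 section 3.7.1.3. This Python sketch is an added example, not part of the original message or of any OpenPGP implementation; the function names, the SHA-256 default and the sample inputs are assumptions made here.

```python
import hashlib

EXPBIAS = 6  # fixed exponent bias from RFC 4880, section 3.7.1.3


def decode_count(c: int) -> int:
    """Expand the coded count octet: 4-bit mantissa, 4-bit exponent."""
    if not 0 <= c <= 255:
        raise ValueError("coded count must be a single octet")
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)


def encode_count(n: int) -> int:
    """Smallest coded octet whose decoded count is >= n (clamped to 255)."""
    for c in range(256):  # decode_count() is strictly increasing in c
        if decode_count(c) >= n:
            return c
    return 255


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        keylen: int, hash_name: str = "sha256") -> bytes:
    """Derive keylen octets from passphrase with S2K type 3."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    # COUNT is the number of octets hashed, not a number of rounds;
    # salt+passphrase is always hashed in full at least once.
    count = max(decode_count(coded), len(data))
    full, rem = divmod(count, len(data))
    key = b""
    preload = 0
    while len(key) < keylen:
        h = hashlib.new(hash_name)
        # Each extra hash context is preloaded with one more zero octet.
        h.update(b"\x00" * preload)
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        key += h.digest()
        preload += 1
    return key[:keylen]


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    salt = bytes(range(8))
    print(hex(encode_count(65536)), decode_count(0x60))
    print(s2k_iterated_salted(b"correct horse", salt, 0x60, 16).hex())
```

The single octet only covers counts from 1024 to 65011712 octets, and because the count is in hashed octets, a longer passphrase gets fewer passes over the data for the same setting.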