ietf-openpgp

Re: [openpgp] details of 4880bis work

2015-04-11 14:18:10
Hi,

> e) update S2K with something more modern (PBKDF2, HKDF, scrypt?),

My understanding is that the HKDF authors recommend against using HKDF
as a PBKDF. From RFC 5869[0]:

    In the case of password-based KDFs, a main goal is
    to slow down dictionary attacks using two ingredients: a salt value,
    and the intentional slowing of the key derivation computation.  HKDF
    naturally accommodates the use of salt; however, a slowing down
    mechanism is not part of this specification.  Applications interested
    in a password-based KDF should consider whether, for example, [PKCS5]
    meets their needs better than HKDF.

scrypt, on the other hand, exhibits collisions with long input values -
something that yescrypt addresses[1].


I think it is worthwhile to wait for the Password Hashing Competition[2]
to conclude in Q2 this year before considering more modern S2K alternatives.


Regards,

Nils



[0] https://tools.ietf.org/html/rfc5869, section 4, paragraph 2

[1] http://www.openwall.com/presentations/PHDays2014-Yescrypt/mgp00009.html, last point

[2] https://password-hashing.net/

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
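
Added example, not part of the original message or of any OpenPGP implementation: a demonstration of the long-input collision mentioned above, assuming it refers to the HMAC rule that a key longer than the hash block size is replaced by its digest, which scrypt inherits through PBKDF2-HMAC-SHA256. The salt, passphrase, cost parameters and function names are constructed for illustration.

```python
import hashlib

HMAC_SHA256_BLOCK = 64  # bytes; HMAC hashes any key longer than this first

# Constructed sample values, not taken from the thread.
SALT = b"constructed-salt"
LONG_PASSPHRASE = b"correct horse battery staple " * 3  # 87 bytes, > 64


def hmac_equivalent_key(passphrase: bytes) -> bytes:
    """Return the key HMAC-SHA256 effectively uses for this passphrase."""
    if len(passphrase) > HMAC_SHA256_BLOCK:
        return hashlib.sha256(passphrase).digest()
    return passphrase


def derive_pbkdf2(passphrase: bytes) -> bytes:
    # The passphrase is the HMAC key in every PBKDF2 iteration.
    return hashlib.pbkdf2_hmac("sha256", passphrase, SALT, 1000, dklen=32)


def derive_scrypt(passphrase: bytes) -> bytes:
    # scrypt calls PBKDF2-HMAC-SHA256 keyed with the passphrase at both ends.
    # Small cost parameters (assumed) keep the demonstration fast.
    return hashlib.scrypt(passphrase, salt=SALT, n=2**10, r=8, p=1, dklen=32)


def collides(kdf, passphrase: bytes) -> bool:
    """True if a distinct input (the SHA-256 digest) derives the same key."""
    twin = hmac_equivalent_key(passphrase)
    return twin != passphrase and kdf(passphrase) == kdf(twin)


if __name__ == "__main__":
    for name, kdf in (("PBKDF2", derive_pbkdf2), ("scrypt", derive_scrypt)):
        print(name, "long input collides with its digest:",
              collides(kdf, LONG_PASSPHRASE))
        print(name, "short input collides:",
              collides(kdf, b"short passphrase"))
```

The 32-byte digest and the 87-byte passphrase are interchangeable inputs to either KDF, so an S2K design built on them should not assume that distinct long passphrases always map to distinct derived keys.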