Hi,
> e) update S2K with something more modern (PBKDF2, HKDF, scrypt?),
My understanding is that the HKDF authors recommend against using HKDF
as a PBKDF. From RFC 5869[0]:
    In the case of password-based KDFs, a main goal is
    to slow down dictionary attacks using two ingredients: a salt value,
    and the intentional slowing of the key derivation computation. HKDF
    naturally accommodates the use of salt; however, a slowing down
    mechanism is not part of this specification. Applications interested
    in a password-based KDF should consider whether, for example, [PKCS5]
    meets their needs better than HKDF.
scrypt, on the other hand, exhibits collisions with long input values -
something that yescrypt addresses[1].
I think it is worthwhile to wait for the Password Hashing Competition[2]
to conclude in Q2 this year before considering more modern S2K alternatives.
Regards,
Nils
[0] https://tools.ietf.org/html/rfc5869, section 4, paragraph 2
[1] http://www.openwall.com/presentations/PHDays2014-Yescrypt/mgp00009.html, last point
[2] https://password-hashing.net/
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
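
The point quoted from RFC 5869 in the message above, as an added example that is not part of the original message or of any OpenPGP implementation: HKDF and PBKDF2 are both built on HMAC-SHA256 here, and the HMAC calls needed to test one password guess are counted. The names CountingPRF and cost_per_guess, the sample password and salt, and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

class CountingPRF:
    """HMAC-SHA256 that counts its invocations (a proxy for the cost of one guess)."""
    def __init__(self):
        self.calls = 0

    def __call__(self, key: bytes, msg: bytes) -> bytes:
        self.calls += 1
        return hmac.new(key, msg, HASH).digest()

def hkdf(prf, salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (Extract, then Expand). It has no cost parameter at all."""
    prk = prf(salt or b"\x00" * HASH_LEN, ikm)           # HKDF-Extract
    okm, block = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):       # HKDF-Expand
        block = prf(prk, block + info + bytes([i]))
        okm += block
    return okm[:length]

def pbkdf2(prf, password: bytes, salt: bytes, iterations: int, length: int) -> bytes:
    """PKCS #5 PBKDF2: every output block costs `iterations` PRF calls."""
    out = b""
    for i in range(1, -(-length // HASH_LEN) + 1):
        u = prf(password, salt + i.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(password, u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(HASH_LEN, "big")
    return out[:length]

def cost_per_guess(iterations: int = 10_000):
    """Return (HKDF PRF calls, PBKDF2 PRF calls) to derive one 32-byte key."""
    password, salt = b"correct horse", b"constructed-salt"  # constructed sample input
    hkdf_prf, pbkdf2_prf = CountingPRF(), CountingPRF()
    hkdf(hkdf_prf, salt, password, b"", 32)
    pbkdf2(pbkdf2_prf, password, salt, iterations, 32)
    return hkdf_prf.calls, pbkdf2_prf.calls

if __name__ == "__main__":
    print(cost_per_guess())
```

The salt is used by both functions, but only PBKDF2's iteration count raises the work per dictionary guess; HKDF stays at two HMAC calls for a 32-byte key whatever the caller does.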