ietf-openpgp

Re: [openpgp] 4880bis: Update S2K

2015-04-22 19:46:15
S2K with MD hashes is a horrible KDF. It is very very much worse than
PBKDF2.

The main reason that there are no papers comparing them is that S2K is so
obviously bad that no-one thinks it is worth the effort of publishing about
it.

Scrypt is okay as a password hash. Lyra2 would be better.

On Fri, Apr 10, 2015 at 12:57 PM Benjamin Kaduk <kaduk(_at_)mit(_dot_)edu> wrote:

On Fri, 10 Apr 2015, Werner Koch wrote:

 b) Symmetric-Key Encrypted Session Key Packets.  I don't know how often
    this is used.  I assume that in most use cases the passphrase is
    taken from external key management system and thus we can expect
    that it has full entropy and the KDF does not add to the security.

I have used gpg -c to password-encrypt data with a human-generated (i.e.,
not-great) password fairly recently, as a single anecdote.

-Ben

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
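
Added example, not part of either message and not code from any OpenPGP implementation: the Iterated and Salted S2K of RFC 4880 section 3.7.1.3 next to PBKDF2 from the Python standard library, so the two constructions compared in this thread can be run on the same inputs. The function names, passphrase, salt and parameter values are constructed for illustration.

```python
import hashlib

def decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.
    The largest coded value, 255, gives 65,011,712 octets."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated and Salted S2K (specifier type 3), RFC 4880 section 3.7.1.3."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    unit = salt + passphrase
    # salt+passphrase is always hashed in full at least once
    total = max(decode_count(coded), len(unit))
    reps, rem = divmod(total, len(unit))
    key, preload = b"", 0
    while len(key) < key_len:
        # Each extra hash context is preloaded with 1, 2, ... zero octets
        h = hashlib.new(hash_name, b"\x00" * preload)
        for _ in range(reps):
            h.update(unit)          # one streaming pass, no chaining of digests
        h.update(unit[:rem])
        key += h.digest()
        preload += 1
    return key[:key_len]

def derive_both(passphrase: bytes, salt: bytes, coded: int,
                iterations: int, key_len: int = 16) -> dict:
    """Derive a key from the same inputs with S2K and with PBKDF2-HMAC-SHA1."""
    return {
        "s2k_octets_hashed": max(decode_count(coded), len(salt + passphrase)),
        "s2k_key": s2k_iterated_salted(passphrase, salt, coded, key_len),
        "pbkdf2_key": hashlib.pbkdf2_hmac("sha1", passphrase, salt,
                                          iterations, key_len),
    }

if __name__ == "__main__":
    # Constructed inputs: a human-chosen passphrase and a fixed 8-octet salt
    out = derive_both(b"correct horse", bytes(range(8)), 96, 65536)
    print("S2K octets hashed:", out["s2k_octets_hashed"])
    print("S2K key:   ", out["s2k_key"].hex())
    print("PBKDF2 key:", out["pbkdf2_key"].hex())
```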
