On 04/24/2015 04:45 AM, Werner Koch wrote:
> On Fri, 24 Apr 2015 09:19, openpgp(_at_)brainhub(_dot_)org said:
>> 2. The Iterated S2K is essentially a
>> M = M1 || M2 || M2 || M2 || ... || M2, where M1 includes the salt.
>> S2K = Hash( M )
>
> Actually M2 also includes the salt:
>
> | Then the salt, followed by the passphrase data, is repeatedly hashed
> | until the number of octets specified by the octet count has been
> | hashed. [...]

I stand corrected.
My argument holds with even greater simplifications with the following
adjustment:
M = M1 || M1 || M1 || M1 || ... || M1, where M1 includes the salt.
S2K = Hash( M )
If we use the Hash() which is insecure in this setting, we should expect
troubles in other applications of this hash function: e.g. in digital signatures
or MAC.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp