ietf-openpgp

Re: [openpgp] 4880bis: Update S2K

2015-04-27 10:10:16
A hash function which is secure on short inputs may not be secure on long inputs. This is, indeed, the case (generically) for the MD and SHA-[12] functions: See papers by Schneier et al. inter alia.

At Apr 24, 2015, 11:06:40 PM, Andrey Jivsov wrote:
On 04/24/2015 04:45 AM, Werner Koch wrote:
> On Fri, 24 Apr 2015 09:19, openpgp(_at_)brainhub(_dot_)org said:
>
>> 2. The Iterated S2K is essentially a
>>
>> M = M1 || M2 || M2 || M2 || ... || M2, where M1 includes the salt.
>> S2K = Hash( M )
> Actually M2 also includes the salt:
>
> | Then the salt, followed by the passphrase data, is repeatedly hashed
> | until the number of octets specified by the octet count has been
> | hashed. [...]
>
>
>
I stand corrected.

My argument holds with even greater simplifications with the following
adjustment:

M = M1 || M1 || M1 || M1 || ... || M1, where M1 includes the salt.
S2K = Hash( M )

If we use the Hash() which is insecure in this setting, we should expect troubles in other applications of this hash function: e.g. in digital signatures or MAC.



_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
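
Added example, not part of the thread and not code from any OpenPGP implementation: a sketch of the Iterated and Salted S2K as RFC 4880 section 3.7.1.3 specifies it, written so it can be checked against the flat form S2K = Hash( M1 || M1 || ... || M1 ) discussed above. The function names, the SHA-256 default, and the sample salt and passphrase are assumptions made for illustration.

```python
import hashlib

# Constructed sample inputs (not taken from the thread).
SAMPLE_SALT = bytes(range(8))
SAMPLE_PASSPHRASE = b"correct horse"


def decode_count(c: int) -> int:
    """Expand the one-octet coded count (RFC 4880, 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def flat_message(passphrase: bytes, salt: bytes, coded_count: int) -> bytes:
    """M = M1 || M1 || ... truncated to the octet count, M1 = salt || passphrase."""
    m1 = salt + passphrase
    # If the count is shorter than M1, M1 is still hashed once in full.
    count = max(decode_count(coded_count), len(m1))
    return (m1 * (count // len(m1) + 1))[:count]


def iterated_s2k(passphrase: bytes, salt: bytes, coded_count: int,
                 key_len: int, hash_name: str = "sha256") -> bytes:
    """Streamed form: feed M1 repeatedly instead of building M in memory."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be 8 octets")
    m1 = salt + passphrase
    count = max(decode_count(coded_count), len(m1))
    full, rest = divmod(count, len(m1))
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        # Keys longer than one digest use extra contexts, each
        # preloaded with one more zero octet than the previous one.
        h.update(b"\x00" * context)
        for _ in range(full):
            h.update(m1)
        h.update(m1[:rest])  # final partial copy of M1
        key += h.digest()
        context += 1
    return key[:key_len]


if __name__ == "__main__":
    print(decode_count(96), iterated_s2k(SAMPLE_PASSPHRASE, SAMPLE_SALT, 96, 32).hex())
```

The salt is part of every repetition, so the whole hash input is determined by M1 and the octet count alone.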