Attached is a patch against RFC 4880bis in
git://git.gnupg.org/gnupg-doc.git to include Argon2i as an S2K method.
* I have made room for 256-bit nonces. The Argon2 paper recommends
16 byte nonces for password hashing with a maximum length of 2^32-1.
My reason for this is to make the nonce size equal to the AES-256
key size so that we enjoy full key strength without relying on the
password to contribute any entropy at all.
* What do others think about the RECOMMENDATION of a parallelism
degree of 1? Are use-cases known where hosts are unable to do
* Argon2 is not final yet, as far as I understand. The reference to it
in template.xml should be checked/updated once it is.
  o Is Cryptolux.org considered a stable location to link to?
* Private keys now MUST be protected using a salted S2K scheme
Looking at http://wiki.gnupg.org/rfc4880bis, HKDF should be removed from
the S2K candidates. From the HKDF paper:
    typical PBKDFs [...] use [...] salt [...] and (ii) the slowing down of
    the KDF operation [...] This makes PBKDFs very different than the
    general-purpose KDFs studied here. In particular, while passwords can
    be modeled as a source of keying material, this source has too little
    entropy to meaningfully apply our extractor approach
So it cannot be used directly and the changes required to make it a
suitable PBKDF would replicate the work done for the Password Hashing
Competition which selected Argon2 as the basis for its winner.
openpgp mailing list
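
The HKDF point in the message above, as an added example that is not part of the original post or its patch: it counts the HMAC-SHA256 calls a single passphrase guess costs under HKDF and under a deliberately slow KDF. PBKDF2 stands in for the slow class here because Argon2 is not in the Python standard library; the 32-byte salt matches the 256-bit size discussed in the post, and the passphrase, iteration count and helper names are constructed for illustration.

```python
import hashlib
import hmac

class CountingHMAC:
    """HMAC-SHA256 wrapper that counts invocations (the cost of one guess)."""
    def __init__(self):
        self.calls = 0

    def __call__(self, key: bytes, msg: bytes) -> bytes:
        self.calls += 1
        return hmac.new(key, msg, hashlib.sha256).digest()

def hkdf(prf, ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869): one extract call plus ceil(length/32) expand calls."""
    prk = prf(salt, ikm)
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = prf(prk, t + info + bytes([counter]))
        okm += t
        counter += 1
    return okm[:length]

def pbkdf2(prf, password: bytes, salt: bytes, iterations: int, length: int) -> bytes:
    """PBKDF2 (RFC 8018): `iterations` chained PRF calls per 32-byte block."""
    out, block = b"", 1
    while len(out) < length:
        u = prf(password, salt + block.to_bytes(4, "big"))
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(password, u)
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(32, "big")
        block += 1
    return out[:length]

def prf_calls_per_guess(kdf, *args) -> int:
    """Derive one key and report how many HMAC calls that single guess cost."""
    prf = CountingHMAC()
    kdf(prf, *args)
    return prf.calls

# Constructed sample values: 256-bit salt, weak passphrase, arbitrary work factor.
SALT = bytes(range(32))
PASSPHRASE = b"correct horse"
ITERATIONS = 100_000

if __name__ == "__main__":
    print("HKDF  :", prf_calls_per_guess(hkdf, PASSPHRASE, SALT, b"", 32))
    print("PBKDF2:", prf_calls_per_guess(pbkdf2, PASSPHRASE, SALT, ITERATIONS, 32))
```

The salt length does not change either count: it prevents precomputation across keys, while only the iteration (or memory) parameter raises the cost of guessing one low-entropy passphrase.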