Hi,
attached is a patch against RFC 4880bis in
git://git.gnupg.org/gnupg-doc.git to include Argon2i as an S2K method.
Notes:
* I have made room for 256-bit nonces. The Argon2 paper[0] recommends
  16 byte nonces for password hashing with a maximum length of 2^32-1.
  My reason for this is to make the nonce size equal to the AES-256
  key size so that we enjoy full key strength without relying on the
  password to contribute any entropy at all.
* What do others think about the RECOMMENDATION of a parallelism
  degree of 1? Are use-cases known where hosts are unable to do
  multi-threading (well)?
* Argon2 is not final yet, as far as I understand. The reference to it
  in template.xml should be checked/updated once it is.
  o Is Cryptolux.org considered a stable location to link to?
* Private keys now MUST be protected using a salted S2K scheme.
Looking at http://wiki.gnupg.org/rfc4880bis, HKDF should be removed from
the S2K candidates. From the HKDF paper[1]:
    typical PBKDFs [...] use [...] salt [...] and (ii) the slowing down of
    the KDF operation [...] This makes PBKDFs very different than the
    general-purpose KDFs studied here. In particular, while passwords can
    be modeled as a source of keying material, this source has too little
    entropy to meaningfully apply our extractor approach
So it cannot be used directly and the changes required to make it a
suitable PBKDF would replicate the work done for the Password Hashing
Competition[2] which selected Argon2 as the basis for its winner[3].
Regards,
Nils
[0] https://www.cryptolux.org/images/0/0d/Argon2.pdf
[1] https://password-hashing.net/
[2] https://groups.google.com/forum/#!topic/crypto-competitions/3QNdmwBS98o
rfc4880bis-argon2.diff
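
The point of the HKDF quotation above, as an added example that is not part of the original message or the attached patch: HKDF has no work factor, so checking one passphrase costs a few HMAC calls, while a memory-hard KDF makes every check expensive. scrypt from Python's hashlib stands in for Argon2i here (an assumption, since Argon2 is not in the standard library), with the 32-byte salt and parallelism of 1 taken from the notes; the function names, scrypt cost parameters and sample passphrase are constructed.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32    # AES-256 key size in bytes
SALT_LEN = 32   # 256-bit nonce, as proposed in the message


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes = b"", length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869) extract-then-expand: a handful of HMAC calls, no work factor."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()           # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                      # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def slow_kdf(passphrase: bytes, salt: bytes, length: int = KEY_LEN) -> bytes:
    """Memory-hard stand-in for Argon2i: scrypt, about 16 MiB, parallelism 1."""
    return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=length)


def seconds_per_derivation(kdf, passphrase: bytes, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of one derivation, i.e. of one passphrase check."""
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(passphrase, salt)
    return (time.perf_counter() - start) / rounds


def compare(passphrase: bytes = b"constructed sample passphrase") -> dict:
    """Time both KDFs on the same passphrase and a fresh 256-bit salt."""
    salt = os.urandom(SALT_LEN)
    fast = seconds_per_derivation(hkdf_sha256, passphrase, salt, rounds=2000)
    slow = seconds_per_derivation(slow_kdf, passphrase, salt, rounds=3)
    return {"hkdf_s": fast, "scrypt_s": slow, "ratio": slow / fast}


if __name__ == "__main__":
    r = compare()
    print(f"HKDF-SHA256: {r['hkdf_s'] * 1e6:9.1f} us per derivation")
    print(f"scrypt     : {r['scrypt_s'] * 1e6:9.1f} us per derivation")
    print(f"the slow KDF costs about {r['ratio']:.0f}x more per passphrase tried")
```

The salt keeps precomputed tables from being reused across keys in both cases; only the slow KDF raises the cost of each individual guess.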