ietf-openpgp

Re: [openpgp] [PATCH] RFC4880bis: Argon2i

2015-11-03 15:06:18
Hi Werner,

+Implementations MUST generate S2K specifiers that include salts
+(either type 2, 3 or 4), as simple S2K specifiers are more vulnerable to
Type 2 is not defined but reserved, you probably meant type 1.

Right. Fixed in
https://gitlab.com/ndurner/rfc4880bis-s2k/blob/master/misc/id/rfc4880bis/middle.mkd
 
I also assume you allow type 1 (Salted S2K) to allow the use of an
entire random passphrase, right?  The salt then acts as IV for the SESK.
Should we explain this use of type 1?

Absolutely. What do you think about:
diff --git a/misc/id/rfc4880bis/middle.mkd b/misc/id/rfc4880bis/middle.mkd
index 2ab0100..6987f6e 100644
--- a/misc/id/rfc4880bis/middle.mkd
+++ b/misc/id/rfc4880bis/middle.mkd
@@ -379,7 +379,9 @@ time independently of the memory size.
 
 Implementations MUST generate S2K specifiers that include salts
 (either type 1, 3 or 4), as simple S2K specifiers are more vulnerable to
-dictionary attacks. Use of Argon2i is RECOMMENDED as it offers
+dictionary attacks. Type 1 MAY only be generated if the string is
+entirely random and the salt is used as an IV.
+Use of Argon2i is RECOMMENDED as it offers
 protection against massive-parallel and side-channel attacks. When
 reading S2K specifiers that do not include salts, implementations SHOULD
 issue a warning about potentially insecure methods being used. When
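Review bot: In the added sentence "Type 1 MAY only be generated if ...", "MAY only" is not an RFC 2119 form and leaves the requirement level open to interpretation; since this is a restriction, "Type 1 MUST NOT be generated unless ..." would state it unambiguously. The same sentence says "the string" and "the salt is used as an IV" without naming which string or what the IV is for; naming the passphrase and the SESK, as in the question quoted above, would give implementers a condition they can check.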

?


Regards,

Nils

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
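
The reading-side and generation-side rules in the patch text above (warn on S2K specifiers without salts, generate only salted types) as an added Python example, not code from this thread or from any OpenPGP implementation. Field layouts for types 0, 1 and 3 follow RFC 4880; the function names and sample bytes are constructed, and type 4 is recognised only by its type octet because its layout is not shown in this message.

```python
# S2K specifier types from RFC 4880 section 3.7.1; type 4 is the Argon2i
# type proposed in this thread (assumption: only its type octet is known here).
SIMPLE, SALTED, ITERATED_SALTED, ARGON2I_PROPOSED = 0, 1, 3, 4
SALT_LEN = 8

# Constructed sample specifiers (hash algorithm 8 = SHA-256).
SIMPLE_SAMPLE = bytes([0, 8])
ITERATED_SAMPLE = bytes([3, 8]) + bytes(range(8)) + bytes([0x60])


def decode_count(c):
    """Expand the one-octet coded count of an iterated and salted S2K."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def inspect_s2k(spec):
    """Return (info, warnings) for a raw S2K specifier."""
    if len(spec) < 2:
        raise ValueError("truncated S2K specifier")
    s2k_type = spec[0]
    info, warnings = {"type": s2k_type}, []
    if s2k_type == ARGON2I_PROPOSED:
        return info, warnings  # salted by design; layout not parsed here
    info["hash_algo"] = spec[1]
    if s2k_type == SIMPLE:
        warnings.append("S2K specifier has no salt: potentially insecure method")
    elif s2k_type in (SALTED, ITERATED_SALTED):
        need = 2 + SALT_LEN + (1 if s2k_type == ITERATED_SALTED else 0)
        if len(spec) < need:
            raise ValueError("truncated S2K specifier")
        info["salt"] = spec[2:2 + SALT_LEN]
        if s2k_type == ITERATED_SALTED:
            info["count"] = decode_count(spec[2 + SALT_LEN])
    else:
        raise ValueError("unknown or reserved S2K type %d" % s2k_type)
    return info, warnings


def may_generate(s2k_type):
    """Generation rule from the patch text: salted types 1, 3 or 4 only."""
    return s2k_type in (SALTED, ITERATED_SALTED, ARGON2I_PROPOSED)


if __name__ == "__main__":
    for sample in (SIMPLE_SAMPLE, ITERATED_SAMPLE):
        print(inspect_s2k(sample))
```

The extra condition the patch places on type 1 (an entirely random string) cannot be verified from the specifier alone, so `may_generate` covers only the type check.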
