Werner Koch <wk(_at_)gnupg(_dot_)org> writes:
Right now
the secure choice you have is to use a full-entropy passphrase and store
it in a separate symmetric key database.
I agree that this may be the most secure option if it suits your use cases,
bank account and exists.
Anecdotally, I personally like to keep keys in my head - and distribute them
orally face-to-face, if I need. My use cases include backups (kept on other
people’s servers (aka Cloud) and in other people’s homes), proof of prior art
(drafts passed on to a lawyer, non-digitally timestamped) and ad-hoc data
exchange (data stored on other people’s servers or removable media, key passed
on orally and most of the time without even spelling it out). Far more often
than I like, this is accomplished with encrypted ZIP files, something I would
like to see improved as I believe the ZIP key derivation function is not
remotely up to par with the craft & science practiced at PHC. I do not see how
storing a full-entropy passphrase in a database for use with an OpenPGP
implementation would help with this in a way that would justify its operational
and monetary cost.
I doubt that a Argon2i is in any way helpful here
because it convoys the message that a low-entropy passphrase along with
a resource hungry KDF is an alternative for a secure passphrase.
I’ll be happy to extend my patch in way to make this clear(er), recommending
that the UI/UX reinforces the notion of strong passwords/-phrases, best to be
chosen completely at random.
-Implementations SHOULD use salted or iterated-and-salted S2K
-specifiers, as simple S2K specifiers are more vulnerable to dictionary
-attacks.
+Implementations MUST generate S2K specifiers that include salts
+(either type 1, 3 or 4), as simple S2K specifiers are more vulnerable to
The SHOULD is there for a reason: Taking a full-entropy passphrase out
of a database does not require any salt. It even demands the fastest
KDF we can provide. This has been discussed in the past.
Right, my mistake then. But what’s the sense in hashing it prior to using it as
per Type 0 either? I’m currently more inclined to establish another type „5“ to
make raw key use explicit, as Peter Gutmann suggested in 2015.
Any other considerations/opinions/… from others?
+ <reference anchor='Argon2i'
+
target='https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04'>
This is not a useful reference:
It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress.
What do you suggest? Revert back to:
<reference anchor='Argon2i'
target='https://www.cryptolux.org/images/0/0d/Argon2.pdf'>
<front>
<title>Argon2: the memory-hard function for password hashing and other
applications</title>
<author surname="Biryukov" initials="A." />
<author surname="Dinu" initials="D." />
<author surname="Khovratovich" initials="D." />
<date year='2015' month='October'/>
</front>
</reference>
?
Best regards,
Nils
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp