Date: Fri, 22 Dec 2017 20:52:52 +0100 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Recommendations GnuPG-2 replacement On Sun, Dec 17, 2017 at 09:06:08AM +0000, halfdog wrote: > Solar Designer writes: > > Are you saying "--s2k-count" option to "gpg2" is ignored, and moreover > > that this is documented? gnupg-2.1.23/doc/gpg.texi says (formatted): > > > > `--s2k-count `n'' > > Specify how many times the passphrase mangling is repeated. This > > value may range between 1024 and 65011712 inclusive. The default > > is inquired from gpg-agent. Note that not all values in the > > 1024-65011712 range are legal and if an illegal value is selected, > > GnuPG will round up to the nearest legal value. This option is > > only meaningful if `--s2k-mode' is 3. > > Here is the gpgv2 documentation: > > " --s2k-count n > Specify how many times the passphrases mangling for symmetric > encryption is repeated. This value may range between 1024 and > 65011712 inclusive. The default is inquired from gpg-agent. > Note that not all values in the 1024-65011712 range are legal > and if an illegal value is selected, GnuPG will round up to the > nearest legal value. This option is only meaningful if --s2k- > mode is set to the default of 3." It's actually the same documentation - just a different place in it, which I didn't notice until you pointed it out. So this option is documented differently in different places in the documentation. Some of those refer to different ones of the tools, but others might be just repeats of what's supposed to be the same info yet is not? Confusing. > You noticed the additional "symmetric" word? According to GPG > developer that means, that with gpgv2 this setting is only applied > with symmetric schemes, e.g. the "--symmetric" mode of GPG. For > assymetric mode the parameter is just ignored. Weird. Was this discussion with "GPG developer" anywhere public? Did you test this yourself? You don't need to determine the exact s2k-count to see if the option has effect or not - you can instead set the value to the highest supported and measure whether this increases the delay compared to the default. I think this description is ambiguous: "symmetric" might refer only to cases when GnuPG as a whole is invoked for symmetric encryption, or it might also include cases when GnuPG symmetrically en/decrypts its keys. > > You may process the private key file with gpg2john, then try to crack it > > with john. This will output the actual value, as well as show you the > > speed at which passphrases can be tested against that key on your system > > and with that version of JtR. To use a GPU, add "--format=gpg-opencl". > > Please use latest bleeding-jumbo off GitHub for all of this. > > Done that, but still fighting how to use "gpg2john" with the new > gpgv2 "private-keys-v1.d" key format. Exporting the private keys > using gpgv2 does not help as that requires the passphrase already, > thus removing the gpgv2-encryption, we want to test. I tried asking a JtR jumbo contributor to look into this, but unfortunately I got no response yet, and I had no time to look into it myself. This is something we ought to have an answer to, but I currently don't. > Just FYI: your releases on Openwall are still signed with the old > openwall-key, according to http://www.openwall.com/signatures/ the > key is "Old Openwall offline signing key (no longer used)". Sure. Releases made prior to the switch to the new key are signed with the old key. The "no longer used" comment applies to new signatures. Maybe we need to clarify that or/and re-sign some releases from prior to the key switch with the new key. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ