gpg: Use SHA-256 as default s2k-digest-algo
Needs RevisionPublic
Actions

Authored by onovy on Nov 26 2021, 8:26 AM.

Details

Reviewers

Summary

The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010.
Use SHA-256 for passphrases mangling / key stretching when using symmetric encryption .

Better solution would be Argon 2id, but GPG doesn't support it (now?).

Test Plan

$ echo "test" >test
$ gpg -c test
$ gpg --list-packets test.gpg
...
:symkey enc packet: version 4, cipher 9, s2k 3, hash 8
...

hash should be 8 (SHA-256) instead of 2 (SHA-1).

Diff Detail

Repository

rG GnuPG

Lint

Lint Skipped

Unit

Unit Tests Skipped

Event Timeline

onovy requested review of this revision.Nov 26 2021, 8:26 AM

onovy created this revision.

onovy retitled this revision from Use SHA-256 as default s2k-digest-algo to gpg: Use SHA-256 as default s2k-digest-algo.

Sorry, we won't do that. Actually SHA-1 is still allowed when used in a KDF mechanism like S2K. OpenPGp is about Public Key cryptography and for that it is important to keep the keys safe. Protection the private key with a passaord is a failstop scheme which gives time to revoke the actual key and handle the compromise. When suing symmtric encryption (gpg -c) ist is strongly sutested to use a password with at least 128 bit entropy (e.g. by using our magic wand button). The S2K iteration is actually not needed in such a case.

This revision now requires changes to proceed.Nov 26 2021, 9:09 AM

Right, but SHA-256 have higher time consuption, which is always good in password stretching. Current notebooks hit maximum value for s2k_count:
$ gpg-connect-agent 'GETINFO s2k_count' /bye
D 105682944

which lowers security of stretched password, because time cost is limited.

Revision Contents
Changeset List

Path

Size

g10/

main.h

2 lines

Diff 1500

View Options

gpg: Use SHA-256 as default s2k-digest-algoNeeds RevisionPublicActions