
gpg: Use SHA-256 as default s2k-digest-algo
Needs Revision | Public

Authored by onovy on Nov 26 2021, 8:26 AM.



The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010.
Use SHA-256 for passphrase mangling / key stretching when using symmetric encryption.

A better solution would be Argon2id, but GPG doesn't support it (now?).

Test Plan

$ echo "test" >test
$ gpg -c test
$ gpg --list-packets test.gpg
:symkey enc packet: version 4, cipher 9, s2k 3, hash 8

hash should be 8 (SHA-256) instead of 2 (SHA-1).

Diff Detail

rG GnuPG
Lint Skipped
Unit Tests Skipped

Event Timeline

onovy requested review of this revision. Nov 26 2021, 8:26 AM
onovy created this revision.
onovy retitled this revision from Use SHA-256 as default s2k-digest-algo to gpg: Use SHA-256 as default s2k-digest-algo.
werner requested changes to this revision. Nov 26 2021, 9:09 AM
werner added a subscriber: werner.

Sorry, we won't do that. Actually SHA-1 is still allowed when used in a KDF mechanism like S2K. OpenPGP is about Public Key cryptography and for that it is important to keep the keys safe. Protecting the private key with a password is a failstop scheme which gives time to revoke the actual key and handle the compromise. When using symmetric encryption (gpg -c) it is strongly suggested to use a password with at least 128 bit entropy (e.g. by using our magic wand button). The S2K iteration is actually not needed in such a case.

This revision now requires changes to proceed. Nov 26 2021, 9:09 AM

Right, but SHA-256 has higher time consumption, which is always good in password stretching. Current notebooks hit the maximum value for s2k_count:
$ gpg-connect-agent 'GETINFO s2k_count' /bye
D 105682944

which lowers the security of the stretched password, because the time cost is limited.
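
Added example, not part of this revision or of GnuPG's code: a Python reading of the fields the test plan prints (cipher 9, s2k 3, hash 8) straight from a symkey enc packet, followed by the iterated and salted S2K of RFC 4880 (section 3.7.1.3) run with SHA-1 or SHA-256, and the largest count the packet's single count octet can encode, which is the ceiling the s2k_count remark in the thread refers to. The sample packets, salt and passphrase are constructed, and only old-format packet headers with a one-octet length are handled.

```python
import hashlib

HASHES = {2: "sha1", 8: "sha256"}          # OpenPGP hash algorithm IDs (RFC 4880, 9.4)
KEY_BYTES = {7: 16, 8: 24, 9: 32}          # AES-128/192/256 cipher IDs (RFC 4880, 9.2)

def decode_count(c):
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def parse_skesk(pkt):
    """Parse a version 4 symkey enc packet (tag 3, old-format header, 1-octet length)."""
    if len(pkt) < 2 or pkt[0] != 0x8C:
        raise ValueError("not an old-format tag 3 packet with one-octet length")
    body = pkt[2:2 + pkt[1]]
    if len(body) < 13 or body[0] != 4 or body[2] != 3:
        raise ValueError("expected version 4 with iterated and salted S2K (type 3)")
    return {"cipher": body[1], "s2k": body[2], "hash": body[3],
            "salt": body[4:12], "count": decode_count(body[12])}

def s2k_iterated(passphrase, salt, count, hash_id, key_len):
    """Iterated and salted S2K: hash `count` octets of repeated salt+passphrase."""
    block = salt + passphrase
    count = max(count, len(block))          # always hash at least one full block
    key, ctx_no = b"", 0
    while len(key) < key_len:
        h = hashlib.new(HASHES[hash_id])
        h.update(b"\x00" * ctx_no)          # extra contexts are preloaded with zero octets
        full, rest = divmod(count, len(block))
        for _ in range(full):
            h.update(block)
        h.update(block[:rest])
        key += h.digest()
        ctx_no += 1
    return key[:key_len]

def derive(pkt, passphrase):
    f = parse_skesk(pkt)
    return s2k_iterated(passphrase, f["salt"], f["count"], f["hash"], KEY_BYTES[f["cipher"]])

# Constructed sample packets: cipher 9, s2k 3, hash 8 (and hash 2), salt 00..07, coded count 0x60
SALT = bytes(range(8))
PKT_SHA256 = bytes([0x8C, 13, 4, 9, 3, 8]) + SALT + b"\x60"
PKT_SHA1 = bytes([0x8C, 13, 4, 9, 3, 2]) + SALT + b"\x60"

if __name__ == "__main__":
    print(parse_skesk(PKT_SHA256))
    print(derive(PKT_SHA256, b"test").hex(), derive(PKT_SHA1, b"test").hex())
    print(decode_count(255))                # largest count the packet can encode
```

With hash 2 and cipher 9 the 20-octet SHA-1 output is shorter than the 32-octet AES-256 key, so the derivation runs two hash contexts; with hash 8 one context is enough.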