Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20171222195252.GA6497@openwall.com>
Date: Fri, 22 Dec 2017 20:52:52 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Recommendations GnuPG-2 replacement

On Sun, Dec 17, 2017 at 09:06:08AM +0000, halfdog wrote:
> Solar Designer writes:
> > Are you saying "--s2k-count" option to "gpg2" is ignored, and moreover
> > that this is documented?  gnupg-2.1.23/doc/gpg.texi says (formatted):
> > 
> > `--s2k-count `n''
> >      Specify how many times the passphrase mangling is repeated.  This
> >      value may range between 1024 and 65011712 inclusive.  The default
> >      is inquired from gpg-agent.  Note that not all values in the
> >      1024-65011712 range are legal and if an illegal value is selected,
> >      GnuPG will round up to the nearest legal value.  This option is
> >      only meaningful if `--s2k-mode' is 3.
> 
> Here is the gpgv2 documentation:
> 
> "     --s2k-count n
>               Specify how many times the passphrases  mangling  for  symmetric
>               encryption  is  repeated.  This value may range between 1024 and
>               65011712 inclusive.  The default  is  inquired  from  gpg-agent.
>               Note  that  not  all values in the 1024-65011712 range are legal
>               and if an illegal value is selected, GnuPG will round up to  the
>               nearest  legal  value.  This option is only meaningful if --s2k-
>               mode is set to the default of 3."

It's actually the same documentation - just a different place in it,
which I didn't notice until you pointed it out.  So this option is
documented differently in different places in the documentation.  Some
of those refer to different ones of the tools, but others might be just
repeats of what's supposed to be the same info yet is not?  Confusing.

> You noticed the additional "symmetric" word? According to GPG
> developer that means, that with gpgv2 this setting is only applied
> with symmetric schemes, e.g. the "--symmetric" mode of GPG. For
> assymetric mode the parameter is just ignored.

Weird.  Was this discussion with "GPG developer" anywhere public?

Did you test this yourself?  You don't need to determine the exact
s2k-count to see if the option has effect or not - you can instead set
the value to the highest supported and measure whether this increases
the delay compared to the default.

I think this description is ambiguous: "symmetric" might refer only to
cases when GnuPG as a whole is invoked for symmetric encryption, or it
might also include cases when GnuPG symmetrically en/decrypts its keys.

> > You may process the private key file with gpg2john, then try to crack it
> > with john.  This will output the actual value, as well as show you the
> > speed at which passphrases can be tested against that key on your system
> > and with that version of JtR.  To use a GPU, add "--format=gpg-opencl".
> > Please use latest bleeding-jumbo off GitHub for all of this.
> 
> Done that, but still fighting how to use "gpg2john" with the new
> gpgv2 "private-keys-v1.d" key format. Exporting the private keys
> using gpgv2 does not help as that requires the passphrase already,
> thus removing the gpgv2-encryption, we want to test.

I tried asking a JtR jumbo contributor to look into this, but
unfortunately I got no response yet, and I had no time to look into it
myself.  This is something we ought to have an answer to, but I
currently don't.

> Just FYI: your releases on Openwall are still signed with the old
> openwall-key, according to http://www.openwall.com/signatures/ the
> key is "Old Openwall offline signing key (no longer used)".

Sure.  Releases made prior to the switch to the new key are signed with
the old key.  The "no longer used" comment applies to new signatures.
Maybe we need to clarify that or/and re-sign some releases from prior to
the key switch with the new key.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.