An Open Specification for Pretty Good Privacy (openpgp)

Erron Criddle | 6 Sep 2000 07:01

Re: S2K and Tag 0x05 Q

At 09:54 PM 5/09/2000 -0700, hal <at> finney.org wrote:

<snip>

> > Do you decide what length of the S2K session key to use (in your program),
> > then when the secret key needs to be extracted from the secret key-ring,
> > just keep trying multiple session key lengths in block size multiples (as
> > generated from the S2K specifier) until the checksum checks out OK?
> >
> > It seems it would be a lot easier (maybe less secure?) if a session key
> > length was specified somewhere.
>
>The session key length is always known.  It is part of the algorithm
>identifier.  See section 9.2.

Oh...

I didn't link section 9.2 with the session key length of an S2K...maybe in 
the next revision of 2440, a simple reference to 9.2 in section 3.6 would 
help others who are also wondering what session key lengths to use with the 
S2K's.

Regards

Erron Criddle
Comasp Ltd.
Level 2, 45 Stirling Hwy
NEDLANDS  WA  6009
Australia

(Continue reading)

headers

hal | 6 Sep 2000 06:54

Re: S2K and Tag 0x05 Q

Erron writes:
> I've been looking at the S2K Usage (3.6.1) and, when using twofish as the 
> symmetrical algorithm (in say a type 0x00 S2K Usage), what do you do if you 
> want to use a 256 bit session key to encrypt the secret key? I'm assuming 
> here that S2K will only allow a session key equal to the symmetrical 
> algorithm block size...

No, it doesn't have this limitation.  You hash the plaintext and extract
whatever size session size is needed from the hash.  If necessary you
do multiple hashes and concatenate them.

> Do you decide what length of the S2K session key to use (in your program), 
> then when the secret key needs to be extracted from the secret key-ring, 
> just keep trying multiple session key lengths in block size multiples (as 
> generated from the S2K specifier) until the checksum checks out OK?
>
> It seems it would be a lot easier (maybe less secure?) if a session key 
> length was specified somewhere.

The session key length is always known.  It is part of the algorithm
identifier.  See section 9.2.

Hal