search

SixArm / gpg-encrypt

Use GPG to encrypt a file using our best settings
67 stars 14 forks source link

KDF params don't work #1

Closed lukechilds closed 6 years ago

lukechilds commented 6 years ago

I don't think the key derivation function works:

$ cat secret | time gpg \
--symmetric \
--cipher-algo aes256 \
--digest-algo sha256 \
--cert-digest-algo sha256 \
--compress-algo none -z 0 \
--s2k-mode 3 \
--s2k-digest-algo sha256 \
--s2k-count 1 \
--force-mdc \
--quiet --no-greeting \
-passphrase password > secret.gpg
gpg --symmetric --cipher-algo aes256 --digest-algo sha256 --cert-digest-algo   0.00s user 0.00s system 79% cpu 0.007 total

$ cat secret | time gpg \
--symmetric \
--cipher-algo aes256 \
--digest-algo sha256 \
--cert-digest-algo sha256 \
--compress-algo none -z 0 \
--s2k-mode 3 \
--s2k-digest-algo sha256 \
--s2k-count 65011712 \
--force-mdc \
--quiet --no-greeting \
-passphrase password > secret.gpg
gpg --symmetric --cipher-algo aes256 --digest-algo sha256 --cert-digest-algo   0.00s user 0.00s system 80% cpu 0.007 total

Both commands complete basically instantly even though the first one uses a single round of SHA-256 and the second uses 65,011,712. That many rounds of SHA-256 should take a long time.

Or at least that's the case for me:

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.2
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/lukechilds/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
lukechilds commented 6 years ago

Apologies, invalid passphrase command was causing weirdness, it looks like it does work:

gpg-enc %
››› cat secret | time gpg \
--symmetric \
--cipher-algo aes256 \
--digest-algo sha256 \
--cert-digest-algo sha256 \
--compress-algo none -z 0 \
--s2k-mode 3 \
--s2k-digest-algo sha256 \
--s2k-count 1 \
--force-mdc \
--quiet --no-greeting \
--batch --passphrase password > secret.gpg
gpg --symmetric --cipher-algo aes256 --digest-algo sha256 --cert-digest-algo   0.19s user 0.00s system 99% cpu 0.195 total

gpg-enc %
››› cat secret | time gpg \
--symmetric \
--cipher-algo aes256 \
--digest-algo sha256 \
--cert-digest-algo sha256 \
--compress-algo none -z 0 \
--s2k-mode 3 \
--s2k-digest-algo sha256 \
--s2k-count 65011712 \
--force-mdc \
--quiet --no-greeting \
--batch --passphrase password > secret.gpg
gpg --symmetric --cipher-algo aes256 --digest-algo sha256 --cert-digest-algo   0.50s user 0.00s system 99% cpu 0.508 total