gpg-1.4.6 and gpg-2.x

[Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx>]

gpg folks fixed serious remotely exploitable security flaw that affects gpg
versions older than 1.4.6 and 2.0.2

http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html

For loop-AES users who use patched version of gpg to encrypt loop-AES key
files, the good news is that gpg-1.4.6 and gpg-2.x versions no longer
require patching to change default amount of passphrase iteration.

You can set this option in your options file ~/.gnupg/gpg.conf

 s2k-count 8388608


Or alternatively... You can use this gpg command line parameter:

 --s2k-count 8388608


Or alternatively... You can apply this source patch and recompile:

--- gnupg-1.4.6/g10/gpg.c.old	2006-12-03 17:37:45.000000000 +0200
+++ gnupg-1.4.6/g10/gpg.c	2006-12-06 21:58:07.000000000 +0200
@@ -1792,7 +1792,7 @@
     opt.cert_digest_algo = 0;
     opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
     opt.s2k_mode = 3; /* iterated+salted */
-    opt.s2k_count = 96; /* 65536 iterations */
+    opt.s2k_count = 208; /* 8388608 byte count */
 #ifdef USE_CAST5
     opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
 #else


To test that your gpg is using more passphrase iterations, you can run these
commands:

$ echo x | gpg --symmetric >test1.gpg
$ gpg --decrypt -v -v <test1.gpg

Second gpg invocation should output a line like this:

        salt 41f21861d981248e, count 8388608 (208)
                                     ^^^^^^^

Salt value will be different on each symmetrically encrypted file.

Since the security flaw in older gpg versions also affects signature
verification, I decided to include MD5 of original tarball here as well.

ec8dc6df1bd83c1d7e1a1ea10653f9f4  gnupg-1.4.6.tar.bz2

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/