You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
and copying the generated privkey from the browsers console and feeding it into either pgpdump or gpg --list-packets yields a (protect) count of 1024 (coded count 0) instead an expected value of 65011712.
If the value given is diminished by one to 65011711, the result actually after pgpduming the privkey reads 65011712 so i suppose there is a minor flaw in the calculation of the value for the coded count which could have quite some security implications (render attacks more feasible and efficient) if not double checked.
The text was updated successfully, but these errors were encountered:
Yes, I agree, we could check the range here. I also think that, to be fair, setting the iteration count rather than the iteration count byte would be a bit more intuitive, but would have some overhead which may or may not be worth it. But we could keep that in mind when designing the parameters for Argon2 (#1442), for example.
larabr
changed the title
setting s2kIterationCountByte to 65011712 results in 1024 being used
Clarify usage of config.s2kIterationCountByte
Sep 14, 2022
loading the following content saved to a file
test.html
into one of the browsers listed above (others not tested)and copying the generated privkey from the browsers console and feeding it into either
pgpdump
orgpg --list-packets
yields a (protect) count of 1024 (coded count 0) instead an expected value of 65011712.If the value given is diminished by one to 65011711, the result actually after pgpduming the privkey reads 65011712 so i suppose there is a minor flaw in the calculation of the value for the coded count which could have quite some security implications (render attacks more feasible and efficient) if not double checked.
The text was updated successfully, but these errors were encountered: