
The handbook suggests that symmetric encryption is appropriate (and therefore not less secure than public key encryption?) when only you need to access the plaintext. But according to this post, since gpg --symmetric only requires a passphrase, an attacker only needs to brute force this passphrase rather than the full 128/256 bit key generated from it.

It seems to me that the correct procedure then is to actually have a 128/256 bit key file which is used to symmetrically encrypt my data, which itself is symmetrically encrypted with a key generated from a passphrase, just like how private keys are protected. This would require an attacker to brute force the full symmetric key; even if they acquired my key file, they would still have to brute force my passphrase.

Does gpg support this sort of usage? Is my understanding of the situation flawed, is there a reason why this isn't a valid use case?

--

Or to put it another way:

In this question it is assumed that passphrase protection is sufficient, but basically my question is: what if I don't trust myself to memorize a good 256 bit password? Can I use a symmetric key file just like with my private key? Obviously I could just actually use my private key, but the handbook suggests that symmetric encryption would be the idiomatic choice in this situation.

  • I don't get your first sentence, partly because of "you" occurring twice. What exactly do you see as use case?
    – Jens Erat
    Commented Sep 19, 2015 at 7:07
  • Fixed editing errors and added another explanation. Use case might be storing data on cloud services, or really any time you'd use symmetric encryption.
    – kgmstwo
    Commented Sep 19, 2015 at 13:43

1 Answer


In OpenPGP, there are two possibilities allowed for deriving the symmetric (session) key from the passphrase: directly using the passphrase to derive the key, or generating a random key which is itself encrypted with the generated key. Yet, in both cases the symmetric key is always stored together with the ciphertext, and the symmetric key cannot be split apart without losing compatibility with the OpenPGP format. In the end, the key can also be brute-forced through the passphrase, no matter which way of storing the key is used.

OpenPGP makes brute-forcing the passphrase hard, though, by generating a large input to be hashed (iterating the passphrase multiple times for the hash input). This way brute-forcing the passphrase is much more expensive. From RFC 4880, OpenPGP, 3.7.1.3. Iterated and Salted S2K:

This includes both a salt and an octet count. The salt is combined with the passphrase and the resulting value is hashed repeatedly. This further increases the amount of work an attacker must do to try dictionary attacks.

In GnuPG, the number of times to repeat the passphrase (and some other options) can be tweaked using the --s2k-* options.

  • "Brute-forcing the passphrase would still result in the symmetric key being exposed." Huh? How could you brute force the passphrase if all you have is ciphertext encrypted with a random symmetric key? The fact that I keep that key stored encrypted with a passphrase shouldn't change anything, right? I mean sure, if you got your hands on that file then you would only have to crack the passphrase, but my concern is that you'd only have to crack the passphrase given only the ciphertext. If my keys have been compromised, it's game over anyway, right? (other than what keys are "safe" in my mind)
    – kgmstwo
    Commented Sep 20, 2015 at 13:31
  • If you store the key somewhere else (not together with the document), you're right, brute-forcing the encrypted document will get even harder; but OpenPGP does not allow this (without manually taking apart the OpenPGP packets). If you want to store the symmetric key separated from the ciphertext, don't go with OpenPGP symmetric encryption, this is not supported.
    – Jens Erat
    Commented Sep 20, 2015 at 13:45
  • Oh wow, okay then. So then the symmetric encryption supported by OpenPGP is not comparable with its public key encryption, because by going from public key to symmetric you are giving up a proper secret key and reverting to a passphrase. Accepted because that answers my question and confirms my understanding. Any reason for this functionality not being included other than just not being the focus of the software? Suggestions for what software would support this?
    – kgmstwo
    Commented Sep 20, 2015 at 14:05
  • Reading RFC 4880 again, I just realized I was (slightly) wrong. The key generated from the passphrase can be used to encrypt the session key, but anyway there is no way to split this from the signed message. I can only guess why this is not possible, and my guess is that symmetric encryption was just added "because all the tools were already there" and nothing new had to be added (apart from a packet putting the available things together). Symmetric key encryption is not OpenPGP's primary goal.
    – Jens Erat
    Commented Sep 20, 2015 at 14:14
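To make the answer's point concrete, the following is an added, self-contained Python example (not code from the question, the answer, or GnuPG) that implements the Iterated and Salted S2K key derivation from RFC 4880 section 3.7.1.3: decoding the one-octet coded count, hashing salt+passphrase repeatedly until that many octets have been fed to the hash, and chaining extra hash contexts (preloaded with zero octets) when the digest is shorter than the requested key. It also parses the 11-octet S2K specifier that is stored alongside the ciphertext, and reports how many octets an attacker must hash per passphrase guess, which is exactly the cost the `--s2k-count` option in GnuPG tunes. The passphrase, salt and coded counts used below are constructed sample values.

```python
import hashlib

# Hash algorithm identifiers from RFC 4880 section 9.4 that hashlib can provide.
HASH_IDS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
SALT_LEN = 8


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    RFC 4880: count = ((Int32)16 + (c & 15)) << ((c >> 4) + 6)
    """
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def hashed_octets_per_guess(coded: int, passphrase_len: int) -> int:
    """Octets hashed for one passphrase trial: at least one full salt+passphrase."""
    return max(decode_count(coded), SALT_LEN + passphrase_len)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Derive key_len octets from passphrase using Iterated and Salted S2K."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 octets")
    block = salt + passphrase
    total = hashed_octets_per_guess(coded, len(passphrase))

    out = b""
    context = 0
    # If one digest is too short, later contexts are preloaded with
    # 0, 1, 2, ... zero octets so every context yields different output.
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)
        remaining = total
        # Feed salt+passphrase over and over; the final copy may be truncated.
        while remaining > 0:
            chunk = block[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        context += 1
    return out[:key_len]


def derive_from_specifier(spec: bytes, passphrase: bytes, key_len: int) -> bytes:
    """Parse an 11-octet S2K specifier (type 3, hash id, 8-octet salt, count)."""
    if len(spec) != 11 or spec[0] != 0x03:
        raise ValueError("expected an 11-octet Iterated and Salted S2K specifier")
    hash_name = HASH_IDS[spec[1]]
    salt = spec[2:10]
    return iterated_salted_s2k(passphrase, salt, spec[10], key_len, hash_name)


if __name__ == "__main__":
    # Constructed demo values: an 8-octet salt and GnuPG's common coded count 0x60.
    salt = bytes(range(8))
    passphrase = b"correct horse battery staple"
    spec = bytes([0x03, 0x08]) + salt + bytes([0x60])
    key = derive_from_specifier(spec, passphrase, 32)  # AES-256 needs 32 octets
    print("AES-256 key:", key.hex())
    for c in (0x00, 0x60, 0xFF):
        print(f"coded 0x{c:02x}: {hashed_octets_per_guess(c, len(passphrase)):>10} octets per guess")
```

Note that nothing in the derivation depends on a secret other than the passphrase: the salt and coded count sit in the specifier next to the ciphertext, so an attacker who has the message has everything needed to test guesses, and raising the count is what multiplies the work per guess. That is the reason a random session key wrapped under a passphrase-derived key does not enlarge the search space beyond the passphrase itself, which is the answer's conclusion.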
