a.engels@xxxxxxx wrote:
> Imagine the following 2 scenarios:
>
> a)
> salted single key setup:
> the encrypted image is stolen. The attacker knows the salt, but not the used
> password.
>
> b)
> pgp multikey setup:
> encrypted image + pgp encrypted multikey file is stolen and the attacker
> doesn't know the pgp password.
>
> In which case is it easier to recover the data? a) has some known security
> weaknesses (watermark), but maybe it's easier in b) to do brute force
> cracking?

pgp multi-key setup is better, especially if a patched version of gpg is used
(patch from loop-AES tarball).

> I think pgp must store some kind of checksum of the encrypted data, because
> it recognizes if one enters a wrong password.

If I remember correctly, encrypted data is prefixed with random bits and
another 16 bits that are copies of earlier random bits. When decrypting, gpg
knows that the passphrase was wrong if those 16 bits decrypt incorrectly. Also,
newer gpg on-disk formats include an encrypted sha1 hash of the data.

> I assume it could be exploited to speed up cracking?

Nope. Most of the per-passphrase computing cost is in iterated+salted key
setup. And loop-AES' gpg patch makes key iteration 128 times slower than the
default value.

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
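The point in the reply above is that the 16-bit quick check does not help an attacker much because every passphrase guess must first go through OpenPGP's iterated+salted string-to-key (S2K) derivation, and the iteration count is what sets the cost. The following is an added illustration, not code from gpg or the loop-AES patch: it implements the iterated+salted S2K of RFC 4880 section 3.7.1.3 with only hashlib, counts how many octets a single guess pushes through the hash, and runs a small dictionary attack over constructed candidates so the cost per guess is visible. The salt, the candidate list and the coded count 96 (65536 octets, the historical gpg default) are assumptions chosen for the example; the OpenPGP CFB prefix check itself is not modelled because it needs a block cipher.

```python
"""Iterated+salted S2K (RFC 4880, 3.7.1.3) and the per-guess cost it imposes.
Added illustration with hashlib only; not gpg or loop-AES code."""
import hashlib
import math


def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def _effective_count(data_len: int, coded: int) -> int:
    # RFC 4880: if the count is smaller than salt+passphrase, hash all of it.
    return max(s2k_decode_count(coded), data_len)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        hash_name: str = "sha1", key_len: int = 32) -> bytes:
    """Derive key_len octets from passphrase and salt, hashing `count` octets
    of the endlessly repeated salt||passphrase.  Context i is preloaded with i
    zero octets when more than one digest is needed."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is 8 octets")
    data = salt + passphrase
    count = _effective_count(len(data), coded)
    n_ctx = math.ceil(key_len / hashlib.new(hash_name).digest_size)
    # A chunk holding a whole number of copies of data keeps updates cheap
    # and keeps us aligned to a data boundary after every chunk.
    chunk = data * max(1, 65536 // len(data))
    out = b""
    for i in range(n_ctx):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * i)
        remaining = count
        while remaining >= len(chunk):
            h.update(chunk)
            remaining -= len(chunk)
        # remaining < len(chunk) and we sit on a data boundary, so the tail is
        # the first `remaining` octets of repeated data.
        h.update((data * (remaining // len(data) + 1))[:remaining])
        out += h.digest()
    return out[:key_len]


def s2k_bytes_hashed(passphrase: bytes, salt: bytes, coded: int,
                     hash_name: str = "sha1", key_len: int = 32) -> int:
    """Octets fed through the hash for one passphrase guess (all contexts,
    zero-octet preloads included)."""
    count = _effective_count(len(salt) + len(passphrase), coded)
    n_ctx = math.ceil(key_len / hashlib.new(hash_name).digest_size)
    return sum(i + count for i in range(n_ctx))


def guess_passphrase(candidates, salt: bytes, coded: int, target_key: bytes):
    """Dictionary attack: every candidate pays the full S2K cost before any
    check can be applied.  Returns (matching passphrase or None, total octets
    hashed)."""
    hashed = 0
    for cand in candidates:
        hashed += s2k_bytes_hashed(cand, salt, coded)
        if s2k_iterated_salted(cand, salt, coded) == target_key:
            return cand, hashed
    return None, hashed


if __name__ == "__main__":
    SALT = bytes.fromhex("0123456789abcdef")          # constructed sample salt
    target = s2k_iterated_salted(b"loop-AES", SALT, 96)
    words = [b"password", b"hunter2", b"loop-AES", b"letmein"]  # constructed
    found, cost = guess_passphrase(words, SALT, 96, target)
    print("found:", found, "octets hashed:", cost)
    # Coded count 208 (assumed here purely to show the arithmetic) hashes
    # exactly 128 times as many octets as the default 96.
    print("ratio 208/96:", s2k_decode_count(208) // s2k_decode_count(96))
```

The ratio printed at the end is the knob the loop-AES patch turns: raising the coded count multiplies the octets hashed per guess, and a 16-bit check that wrongly accepts one candidate in 65536 only adds a negligible amount of work on top of that, since the attacker cannot run the check before paying for the derivation.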