The gpg folks fixed a serious remotely exploitable security flaw that affects gpg versions older than 1.4.6 and 2.0.2

http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html

For loop-AES users who use a patched version of gpg to encrypt loop-AES key files, the good news is that gpg-1.4.6 and gpg-2.x versions no longer require patching to change the default amount of passphrase iteration.

You can set this option in your options file ~/.gnupg/gpg.conf

    s2k-count 8388608

Or alternatively... You can use this gpg command line parameter:

    --s2k-count 8388608

Or alternatively... You can apply this source patch and recompile:

--- gnupg-1.4.6/g10/gpg.c.old 2006-12-03 17:37:45.000000000 +0200 +++ gnupg-1.4.6/g10/gpg.c 2006-12-06 21:58:07.000000000 +0200 @@ -1792,7 +1792,7 @@ opt.cert_digest_algo = 0; opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */ opt.s2k_mode = 3; /* iterated+salted */ - opt.s2k_count = 96; /* 65536 iterations */ + opt.s2k_count = 208; /* 8388608 byte count */ #ifdef USE_CAST5 opt.s2k_cipher_algo = CIPHER_ALGO_CAST5; #else

To test that your gpg is using more passphrase iterations, you can run these commands:

    $ echo x | gpg --symmetric >test1.gpg
    $ gpg --decrypt -v -v <test1.gpg

The second gpg invocation should output a line like this:

    salt 41f21861d981248e, count 8388608 (208)
                                 ^^^^^^^

The salt value will be different on each symmetrically encrypted file.

Since the security flaw in older gpg versions also affects signature verification, I decided to include the MD5 of the original tarball here as well.

ec8dc6df1bd83c1d7e1a1ea10653f9f4  gnupg-1.4.6.tar.bz2

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
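
Review bot: On the one changed line of the gpg.c hunk, `opt.s2k_count = 208; /* 8388608 byte count */`, the assigned value is a coded count rather than the count itself, and the comment switches unit from the removed line's "65536 iterations" to "byte count" without saying how 208 relates to 8388608. Suggest the comment state that 208 is the coded form and name the unit consistently with the line it replaces, so the next person editing this default does not take 208 literally or assume the two lines measure different things.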
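
The "(208)" that the -v -v test prints is a one-octet coded count stored in the file's first packet. This added example (not from the original post and not gpg code) reads that packet directly and expands the count with the RFC 4880 formula. It assumes binary, non-armored input; the function names and the two sample packets are constructed for illustration.

```python
# Added example (not gpg code): read the S2K settings of a "gpg --symmetric" file.
def decode_s2k_count(coded):
    """Expand the one-octet coded count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def read_header(buf):
    """Return (tag, body_offset, body_length) of the first packet in buf."""
    if len(buf) < 6 or not buf[0] & 0x80:
        raise ValueError("too short or not an OpenPGP packet")
    if buf[0] & 0x40:                                   # new-format header
        tag, o1 = buf[0] & 0x3F, buf[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + buf[2] + 192
        if o1 == 255:
            return tag, 6, int.from_bytes(buf[2:6], "big")
        raise ValueError("partial body length not supported")
    tag, ltype = (buf[0] >> 2) & 0x0F, buf[0] & 0x03    # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    size = 1 << ltype                                   # 1, 2 or 4 length octets
    return tag, 1 + size, int.from_bytes(buf[1:1 + size], "big")

def s2k_params(buf):
    """Parse a leading version-4 tag-3 packet and return its S2K settings."""
    tag, off, length = read_header(buf)
    body = buf[off:off + length]
    if tag != 3 or len(body) != length or len(body) < 4 or body[0] != 4:
        raise ValueError("no complete v4 symmetric-key ESK packet at start")
    info = {"cipher": body[1], "mode": body[2], "hash": body[3],
            "salt": None, "coded": None, "count": None}
    need = {0: 4, 1: 12, 3: 13}.get(info["mode"])       # simple, salted, iterated
    if need is None or len(body) < need:
        raise ValueError("unknown S2K mode or truncated specifier")
    if info["mode"] in (1, 3):
        info["salt"] = body[4:12].hex()
    if info["mode"] == 3:
        info["coded"], info["count"] = body[12], decode_s2k_count(body[12])
    return info

def meets_minimum(buf, minimum=8388608):
    info = s2k_params(buf)   # True only for iterated+salted at >= minimum bytes
    return info["mode"] == 3 and info["count"] >= minimum

# Constructed samples (CAST5, SHA-1, salt from the post), not captured gpg output.
PATCHED = bytes.fromhex("8c0d04030302" "41f21861d981248e" "d0")   # coded 208
DEFAULT = bytes.fromhex("8c0d04030302" "41f21861d981248e" "60")   # coded 96
print(s2k_params(PATCHED)["count"], meets_minimum(PATCHED), meets_minimum(DEFAULT))
```

Only the first packet is read, so passing the full contents of a key file to s2k_params is enough to audit its iteration setting.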