Re: V3 secret keys

[Ben Laurie <ben@algroup.co.uk>]

Wim Lewis wrote:
> 
> On Thu, 2 Feb 2006, Adam Back wrote:
>> So actually (I implemented this funky thing at some point to get
>> compat with some parts of pgp)
> 
> Likewise :-) I had to go examine the pgp2.6.2 source to be sure I was
> doing it right, IIRC.
> 
>> So it I think really is standard partial block encryption, but to
>> resume after the block you take the last 8 bytes from the end of the
>> previous ciphertext chunk and use as the IV for the next chunk.
> 
> As I understand it (it's been a while...), normal CFB has no concept of
> partial block encryption except at the end of the stream. Even there,
> one could argue, you're just padding the stream to a block boundary,
> then truncating the output back to the original length, and taking
> advantage of the property that the last block's worth of bits are
> independent
> (no mixing / avalanche).
> 
> So one way to describe PGP's operation is to say that each field is
> encrypted independently using CFB, and the results are concatenated;
> the fields after the first use an IV equal to the last eight bytes of
> the output so far. (If the total ciphertext at that point is still too
> short, then bytes from the original IV are used as if they
> preceded the cipher stream.)

Yes, this is what OpenSSL implements, and it definitely works with
OpenPGP (not surprisingly, because this is really equivalent to
decrypting the whole thing using CFB and then slicing it up afterwards).

> For fields which are a multiple of the block length, this is the same
> as normal CFB; for short fields, some of the ciphertext gets used as
> key material for more than one invocation of the block cipher: once
> for the last block of a field, and again (mixed with new ciphertext)
> for the first block of the next field.

No, this I don't agree with.

> What I've written above is very much not the way that pgp2.6.2 thinks of
> the operation, but I'm pretty sure it's equivalent.

I think not.

> IIRC, there are only two places in PGP where the odd feedback mode
> comes into play: the check bytes at the beginning of an encrypted
> file, and encrypted MPIs in the secret key packet.

I do not know what you mean by the "odd feedback mode".

>> I agree what is written is pretty unclear.
> 
> There's a comment in pgp2.6.2's idea.c which explains it reasonably well,
> I think.
> 
>> On Thu, Feb 02, 2006 at 05:10:32PM +0000, Ben Laurie wrote:
>>> If that means anything at all, you appear to be describing standard CFB
>>> when applied to a partial block, which I assume the above is not.
> 
> From the comment in 2.6.2:
> 
>  * Phil invented a unique way of doing CFB that's sensitive to semantic
>  * boundaries within the data being encrypted.
> [... detailed explanation snipped ... ]
>  *                                    This is equivalent to using a
>  * shorter feedback length (if you're familiar with the general CFB
>  * technique) briefly, and doesn't weaken the cipher any (using shorter
>  * CFB lengths makes it stronger, actually), it just makes it a bit
> unusual.
> 
> The unusual aspect is the varying feedback length, where the feedback
> length depends on the presence of a semantic boundary in the plaintext.
> Normally CFB operates on an undifferentiated stream-of-bytes, and field
> boundaries are not preserved nor significant.

I don't believe this is an accurate description of what's going on.

At least, not with v4 secret keys, which allegedly are nearly the same
(apart from "resynchronisation" - which I still am in the dark about).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff