Re: V3 secret keys

Ben Laurie <ben@algroup.co.uk> Fri, 03 February 2006 15:44 UTC

Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F536X-00043x-Un for openpgp-archive@megatron.ietf.org; Fri, 03 Feb 2006 10:44:18 -0500
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA11839 for <openpgp-archive@lists.ietf.org>; Fri, 3 Feb 2006 10:42:12 -0500 (EST)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id k13FMG9x049005; Fri, 3 Feb 2006 07:22:16 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id k13FMGCF049003; Fri, 3 Feb 2006 07:22:16 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id k13FME3Q048964 for <ietf-openpgp@imc.org>; Fri, 3 Feb 2006 07:22:15 -0800 (PST) (envelope-from ben@algroup.co.uk)
Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 1CF0233C3F; Fri, 3 Feb 2006 15:22:13 +0000 (GMT)
Message-ID: <43E3752D.40505@algroup.co.uk>
Date: Fri, 03 Feb 2006 15:22:21 +0000
From: Ben Laurie <ben@algroup.co.uk>
User-Agent: Thunderbird 1.5 (Windows/20051201)
MIME-Version: 1.0
To: Wim Lewis <wiml@hhhh.org>
CC: OpenPGP <ietf-openpgp@imc.org>, Adam Back <adam@cypherspace.org>, "Daniel A. Nagy" <nagydani@epointsystem.org>
Subject: Re: V3 secret keys
References: <43E20DB6.30209@algroup.co.uk> <20060202140612.GA13906@epointsystem.org> <43E23D08.10806@algroup.co.uk> <20060202184601.GA20613@bitchcake.off.net> <Pine.NEB.4.62.0602021105420.13506@photomat.hhhh.org>
In-Reply-To: <Pine.NEB.4.62.0602021105420.13506@photomat.hhhh.org>
X-Enigmail-Version: 0.93.0.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit

Wim Lewis wrote:
> 
> On Thu, 2 Feb 2006, Adam Back wrote:
>> So actually (I implemented this funky thing at some point to get
>> compat with some parts of pgp)
> 
> Likewise :-) I had to go examine the pgp2.6.2 source to be sure I was
> doing it right, IIRC.
> 
>> So it I think really is standard partial block encryption, but to
>> resume after the block you take the last 8 bytes from the end of the
>> previous ciphertext chunk and use as the IV for the next chunk.
> 
> As I understand it (it's been a while...), normal CFB has no concept of
> partial block encryption except at the end of the stream. Even there,
> one could argue, you're just padding the stream to a block boundary,
> then truncating the output back to the original length, and taking
> advantage of the property that the last block's worth of bits are
> independent
> (no mixing / avalanche).
> 
> So one way to describe PGP's operation is to say that each field is
> encrypted independently using CFB, and the results are concatenated;
> the fields after the first use an IV equal to the last eight bytes of
> the output so far. (If the total ciphertext at that point is still too
> short, then bytes from the original IV are used as if they
> preceded the cipher stream.)

Yes, this is what OpenSSL implements, and it definitely works with
OpenPGP (not surprisingly, because this is really equivalent to
decrypting the whole thing using CFB and then slicing it up afterwards).

> For fields which are a multiple of the block length, this is the same
> as normal CFB; for short fields, some of the ciphertext gets used as
> key material for more than one invocation of the block cipher: once
> for the last block of a field, and again (mixed with new ciphertext)
> for the first block of the next field.

No, this I don't agree with.

> What I've written above is very much not the way that pgp2.6.2 thinks of
> the operation, but I'm pretty sure it's equivalent.

I think not.

> IIRC, there are only two places in PGP where the odd feedback mode
> comes into play: the check bytes at the beginning of an encrypted
> file, and encrypted MPIs in the secret key packet.

I do not know what you mean by the "odd feedback mode".

>> I agree what is written is pretty unclear.
> 
> There's a comment in pgp2.6.2's idea.c which explains it reasonably well,
> I think.
> 
>> On Thu, Feb 02, 2006 at 05:10:32PM +0000, Ben Laurie wrote:
>>> If that means anything at all, you appear to be describing standard CFB
>>> when applied to a partial block, which I assume the above is not.
> 
> From the comment in 2.6.2:
> 
>  * Phil invented a unique way of doing CFB that's sensitive to semantic
>  * boundaries within the data being encrypted.
> [... detailed explanation snipped ... ]
>  *                                    This is equivalent to using a
>  * shorter feedback length (if you're familiar with the general CFB
>  * technique) briefly, and doesn't weaken the cipher any (using shorter
>  * CFB lengths makes it stronger, actually), it just makes it a bit
> unusual.
> 
> The unusual aspect is the varying feedback length, where the feedback
> length depends on the presence of a semantic boundary in the plaintext.
> Normally CFB operates on an undifferentiated stream-of-bytes, and field
> boundaries are not preserved nor significant.

I don't believe this is an accurate description of what's going on.

At least, not with v4 secret keys, which allegedly are nearly the same
(apart from "resynchronisation" - which I still am in the dark about).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff