Re: V3 secret keys
Wim Lewis <wiml@hhhh.org> Thu, 02 February 2006 20:11 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F4knH-0004mU-AP for openpgp-archive@megatron.ietf.org; Thu, 02 Feb 2006 15:11:11 -0500
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA04994 for <openpgp-archive@lists.ietf.org>; Thu, 2 Feb 2006 15:09:09 -0500 (EST)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id k12JvqYH086676; Thu, 2 Feb 2006 11:57:52 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id k12JvquD086675; Thu, 2 Feb 2006 11:57:52 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from photomat.hhhh.org (photomat.hhhh.org [207.202.171.50]) by above.proper.com (8.12.11/8.12.9) with ESMTP id k12Jvp5o086669 for <ietf-openpgp@imc.org>; Thu, 2 Feb 2006 11:57:51 -0800 (PST) (envelope-from wiml@hhhh.org)
Received: by photomat.hhhh.org (Postfix, from userid 4395) id 7D6DB81C0; Thu, 2 Feb 2006 11:57:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by photomat.hhhh.org (Postfix) with ESMTP id 64E9FAD37; Thu, 2 Feb 2006 11:57:50 -0800 (PST)
Date: Thu, 02 Feb 2006 11:57:50 -0800
From: Wim Lewis <wiml@hhhh.org>
To: OpenPGP <ietf-openpgp@imc.org>
Cc: Adam Back <adam@cypherspace.org>, Ben Laurie <ben@algroup.co.uk>, "Daniel A. Nagy" <nagydani@epointsystem.org>
Subject: Re: V3 secret keys
In-Reply-To: <20060202184601.GA20613@bitchcake.off.net>
Message-ID: <Pine.NEB.4.62.0602021105420.13506@photomat.hhhh.org>
References: <43E20DB6.30209@algroup.co.uk> <20060202140612.GA13906@epointsystem.org> <43E23D08.10806@algroup.co.uk> <20060202184601.GA20613@bitchcake.off.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Thu, 2 Feb 2006, Adam Back wrote: > So actually (I implemented this funky thing at some point to get > compat with some parts of pgp) Likewise :-) I had to go examine the pgp2.6.2 source to be sure I was doing it right, IIRC. > So it I think really is standard partial block encryption, but to > resume after the block you take the last 8 bytes from the end of the > previous ciphertext chunk and use as the IV for the next chunk. As I understand it (it's been a while...), normal CFB has no concept of partial block encryption except at the end of the stream. Even there, one could argue, you're just padding the stream to a block boundary, then truncating the output back to the original length, and taking advantage of the property that the last block's worth of bits are independent (no mixing / avalanche). So one way to describe PGP's operation is to say that each field is encrypted independently using CFB, and the results are concatenated; the fields after the first use an IV equal to the last eight bytes of the output so far. (If the total ciphertext at that point is still too short, then bytes from the original IV are used as if they preceded the cipher stream.) For fields which are a multiple of the block length, this is the same as normal CFB; for short fields, some of the ciphertext gets used as key material for more than one invocation of the block cipher: once for the last block of a field, and again (mixed with new ciphertext) for the first block of the next field. What I've written above is very much not the way that pgp2.6.2 thinks of the operation, but I'm pretty sure it's equivalent. IIRC, there are only two places in PGP where the odd feedback mode comes into play: the check bytes at the beginning of an encrypted file, and encrypted MPIs in the secret key packet. > I agree what is written is pretty unclear. There's a comment in pgp2.6.2's idea.c which explains it reasonably well, I think. > On Thu, Feb 02, 2006 at 05:10:32PM +0000, Ben Laurie wrote: >> If that means anything at all, you appear to be describing standard CFB >> when applied to a partial block, which I assume the above is not. From the comment in 2.6.2: * Phil invented a unique way of doing CFB that's sensitive to semantic * boundaries within the data being encrypted. [... detailed explanation snipped ... ] * This is equivalent to using a * shorter feedback length (if you're familiar with the general CFB * technique) briefly, and doesn't weaken the cipher any (using shorter * CFB lengths makes it stronger, actually), it just makes it a bit unusual. The unusual aspect is the varying feedback length, where the feedback length depends on the presence of a semantic boundary in the plaintext. Normally CFB operates on an undifferentiated stream-of-bytes, and field boundaries are not preserved nor significant.
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Ian G
- Re: V3 secret keys "Hal Finney"
- V3 secret keys Ben Laurie
- Re: V3 secret keys Daniel A. Nagy
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Adam Back
- Re: V3 secret keys Wim Lewis
- Re: V3 secret keys Daniel A. Nagy
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Daniel A. Nagy
- V3 secret keys Ben Laurie
- Re: V3 secret keys "Hal Finney"
- Re: V3 secret keys vedaal
- Re: V3 secret keys Daniel A. Nagy
- Re: V3 secret keys "Hal Finney"
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys "Hal Finney"
- Re: V3 secret keys "Hal Finney"
- Re: V3 secret keys Peter Gutmann
- Re: V3 secret keys Ian G
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys "Hal Finney"
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Peter Gutmann
- Re: V3 secret keys "Hal Finney"
- Re: V3 secret keys David Shaw
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Jon Callas
- Re: V3 secret keys David Shaw
- Re: V3 secret keys Ben Laurie
- Re: V3 secret keys Jon Callas