Re: V3 secret keys

[Wim Lewis <wiml@hhhh.org>]

On Thu, 2 Feb 2006, Adam Back wrote:
> So actually (I implemented this funky thing at some point to get
> compat with some parts of pgp)

Likewise :-) I had to go examine the pgp2.6.2 source to be sure I was
doing it right, IIRC.

> So it I think really is standard partial block encryption, but to
> resume after the block you take the last 8 bytes from the end of the
> previous ciphertext chunk and use as the IV for the next chunk.

As I understand it (it's been a while...), normal CFB has no concept of 
partial block encryption except at the end of the stream. Even there, one 
could argue, you're just padding the stream to a block boundary, then 
truncating the output back to the original length, and taking advantage of 
the property that the last block's worth of bits are independent
(no mixing / avalanche).

So one way to describe PGP's operation is to say that each field is
encrypted independently using CFB, and the results are concatenated;
the fields after the first use an IV equal to the last eight bytes of
the output so far. (If the total ciphertext at that point is 
still too short, then bytes from the original IV are used as if they
preceded the cipher stream.)

For fields which are a multiple of the block length, this is the same
as normal CFB; for short fields, some of the ciphertext gets used as
key material for more than one invocation of the block cipher: once
for the last block of a field, and again (mixed with new ciphertext)
for the first block of the next field.

What I've written above is very much not the way that pgp2.6.2 thinks of 
the operation, but I'm pretty sure it's equivalent.

IIRC, there are only two places in PGP where the odd feedback mode
comes into play: the check bytes at the beginning of an encrypted
file, and encrypted MPIs in the secret key packet.

> I agree what is written is pretty unclear.

There's a comment in pgp2.6.2's idea.c which explains it reasonably well,
I think.

> On Thu, Feb 02, 2006 at 05:10:32PM +0000, Ben Laurie wrote:
>> If that means anything at all, you appear to be describing standard CFB
>> when applied to a partial block, which I assume the above is not.

From the comment in 2.6.2:

  * Phil invented a unique way of doing CFB that's sensitive to semantic
  * boundaries within the data being encrypted.
[... detailed explanation snipped ... ]
  *                                    This is equivalent to using a
  * shorter feedback length (if you're familiar with the general CFB
  * technique) briefly, and doesn't weaken the cipher any (using shorter
  * CFB lengths makes it stronger, actually), it just makes it a bit unusual.

The unusual aspect is the varying feedback length, where the feedback
length depends on the presence of a semantic boundary in the plaintext.
Normally CFB operates on an undifferentiated stream-of-bytes, and field
boundaries are not preserved nor significant.