Re: V3 secret keys
Hal Finney wrote:
> Ben Laurie writes:
>> Hal Finney wrote:
>>> The IV is used in the standard way. You may be
>>> thinking of symmetrically encrypted data packets, which work as you
>>> say here. V3 private keys are standard.
>> Experiment and code reading/running says it is correct.
>
> I rechecked my source code and I can confirm my statement. The IV is
> used in the standard way for V3 secret key CFB encryption. The line is
>
> PGPInitCFB(*cfbp, key, buf + alglen);
>
> This initializes the CFB context in the first argument, using the key
> in the 2nd argument and the IV in the 3rd argument. In this case the
> IV is buf+alglen where buf is a pointer into the secret key data and
> alglen is the offset past the S2K stuff. If we were using an all-zeros
> IV as Ben suggests then we would have had to set up a buffer to act as
> the IV, fill it with zeros, and pass that to the PGPInitCFB function.
> We don't do that.
>
> (This is an important point because if it doesn't work as I have
> described, then the spec is completely wrong and it would be extremely
> important to change it ASAP. So I hope Ben or others can confirm that
> the spec is right on this matter.)
No, I can't confirm that. I have code that works as we all expect CFB to
work (modulo "resync") on v4 secret keys. I had to make the change I
described to decrypt v3 keys. It seems to me rather unlikely that I have
it wrong given that I had to reverse engineer and write new code to get
a working implementation for v3!
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
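
Added example, not part of either poster's message and not PGP source code: a Python sketch of how an implementer could test the two IV conventions under dispute (stored IV versus all-zeros IV) against a key whose plaintext is known. A SHA-256-based keyed function stands in for the real block cipher, plain full-block CFB is assumed, and the key, IV and secret bytes are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit block size, as in the ciphers PGP used at the time

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in keyed function (assumption): not a real cipher, but CFB only
    # ever uses the cipher's forward (encrypt) direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        keystream = encrypt_block(key, feedback)
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += result
        feedback = chunk if decrypt else result  # feedback is always ciphertext
    return bytes(out)

def checksum16(data: bytes) -> int:
    # Sum of all octets mod 65536, the 16-bit check OpenPGP keeps for secret key data.
    return sum(data) & 0xFFFF

def try_conventions(key, stored_iv, ciphertext, expected_sum):
    """Decrypt under both IV conventions; return name -> (plaintext, checksum_ok)."""
    results = {}
    for name, iv in (("stored-iv", stored_iv), ("zero-iv", bytes(BLOCK))):
        pt = cfb(key, iv, ciphertext, decrypt=True)
        results[name] = (pt, checksum16(pt) == expected_sum)
    return results

def differing_blocks(a: bytes, b: bytes):
    """Indices of the BLOCK-sized blocks in which two plaintexts disagree."""
    return [i // BLOCK for i in range(0, len(a), BLOCK)
            if a[i:i + BLOCK] != b[i:i + BLOCK]]

# Constructed sample values (not taken from any real key).
KEY = bytes(range(16))
STORED_IV = bytes.fromhex("0102030405060708")
SECRET = b"constructed secret key material!"
CIPHERTEXT = cfb(KEY, STORED_IV, SECRET, decrypt=False)  # "standard" IV use
RESULTS = try_conventions(KEY, STORED_IV, CIPHERTEXT, checksum16(SECRET))

if __name__ == "__main__":
    for name, (pt, ok) in RESULTS.items():
        print(name, "checksum ok" if ok else "checksum mismatch", pt)
    print("blocks that differ:",
          differing_blocks(RESULTS["stored-iv"][0], RESULTS["zero-iv"][0]))
```

Because CFB feedback is the previous ciphertext block, the two conventions disagree only in the first block, so a test vector has to check the first 8 bytes of plaintext to tell them apart.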