
Re: V3 secret keys



Hal Finney wrote:
> Ben Laurie writes:
>> No, I can't confirm that. I have code that works as we all expect CFB to
>> work (modulo "resync") on v4 secret keys. I had to make the change I
>> described to decrypt v3 keys. It seems to me rather unlikely that I have
>> it wrong given that I had to reverse engineer and write new code to get
>> a working implementation for v3!
> 
> To clarify, you are claiming that to unlock a V3 secret key, you don't
> use the IV as usual in CFB mode.  Instead, you use an all-zero buffer
> for the IV, and then prepend the IV from the secret key subpacket to
> the data, decrypt that, and discard the first block of output?

Yes.

> So in other words, to get the first block of plaintext you do, in effect:
> 
> buf1 = Enc (all-zeros);
> buf2 = buf1 xor IV;
> buf3 = Enc (buf2);
> buf4 = buf3 xor ciphertext
> 
> and buf4 will be the first block of plaintext?  You say your code does
> this, and it works????
> 
> My code does this:
> 
> buf1 = Enc (IV);
> buf2 = buf1 xor ciphertext
> 
> and buf2 is the first block of plaintext.
> 
> I just checked GPG and I confirmed that they work the same way I have
> said.
> 
> Could you possibly show a few lines of your code, that does this step?
> It's simply impossible for your code to be working as I have described
> above, and to interoperate with existing V3 keys.  Either I misunderstood
> your claim about the need for an all-zero IV, or you have misunderstood
> what your own code is doing.

The code is publicly available: http://openpgpsdk.nominet.org.uk/.

But what I'm going to do is instrument it so we can all see exactly what
is going on. Watch this space :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
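The three procedures from the exchange above, worked as an added example (not code from the OpenPGP SDK or from either poster), using Go's standard-library AES-128 in place of the secret-key cipher: Hal's standard two-line CFB step, the zero-IV/prepend/discard step Ben describes, and Hal's four-line paraphrase of that step. The key, IV and ciphertext block are constructed sample values, not taken from any real key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// xorBlock returns a XOR b for equal-length slices.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// firstBlockStandardCFB is Hal's two-line step: Enc(IV) XOR ciphertext.
func firstBlockStandardCFB(blk cipher.Block, iv, ct []byte) []byte {
	ks := make([]byte, blk.BlockSize())
	blk.Encrypt(ks, iv)
	return xorBlock(ks, ct)
}

// firstBlockZeroIVPrepend is Ben's step: CFB-decrypt (IV || ct) under an all-zero IV, drop block 0.
func firstBlockZeroIVPrepend(blk cipher.Block, iv, ct []byte) []byte {
	n := blk.BlockSize()
	in := append(append([]byte{}, iv...), ct...)
	out := make([]byte, len(in))
	// CFB decryption feeds each ciphertext block (here the prepended IV) back, not the output.
	cipher.NewCFBDecrypter(blk, make([]byte, n)).XORKeyStream(out, in)
	return out[n:] // block 0 is Enc(0) XOR IV; throw it away
}

// firstBlockParaphrase is Hal's four-line reading of Ben's step: feed the first output block back.
func firstBlockParaphrase(blk cipher.Block, iv, ct []byte) []byte {
	buf1 := make([]byte, blk.BlockSize())
	blk.Encrypt(buf1, make([]byte, len(buf1))) // buf1 = Enc(all-zeros)
	buf3 := make([]byte, len(buf1))
	blk.Encrypt(buf3, xorBlock(buf1, iv)) // buf3 = Enc(buf2), buf2 = buf1 xor IV
	return xorBlock(buf3, ct)             // buf4 = buf3 xor ciphertext
}

// Constructed sample inputs (not from any real key): a 16-byte IV and one ciphertext block.
var sampleIV, sampleCT = []byte("IV-for-v3-secret"), []byte("ciphertextblock!")

// sampleCipher returns AES-128 under a constructed 16-byte key.
func sampleCipher() cipher.Block {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef")) // 16-byte key, so no error
	return blk
}
```

Run against the same inputs, the zero-IV variant's second keystream block is Enc(IV), so it matches the standard step, while the four-line paraphrase computes Enc(Enc(0) xor IV) and does not.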