Re: V3 secret keys
Hal Finney wrote:
> Ben Laurie writes:
>> No, I can't confirm that. I have code that works as we all expect CFB to
>> work (modulo "resync") on v4 secret keys. I had to make the change I
>> described to decrypt v3 keys. It seems to me rather unlikely that I have
>> it wrong given that I had to reverse engineer and write new code to get
>> a working implementation for v3!
>
> To clarify, you are claiming that to unlock a V3 secret key, you don't
> use the IV as usual in CFB mode. Instead, you use an all-zero buffer
> for the IV, and then prepend the IV from the secret key subpacket to
> the data, decrypt that, and discard the first block of output?
>
> So in other words, to get the first block of plaintext you do, in effect:
>
> buf1 = Enc (all-zeros);
> buf2 = buf1 xor IV;
> buf3 = Enc (buf2);
> buf4 = buf3 xor ciphertext
>
> and buf4 will be the first block of plaintext? You say your code does
> this, and it works????
>
> My code does this:
>
> buf1 = Enc (IV);
> buf2 = buf1 xor ciphertext
>
> and buf2 is the first block of plaintext.
>
> I just checked GPG and I confirmed that they work the same way I have
> said.
>
> Could you possibly show a few lines of your code, that does this step?
> It's simply impossible for your code to be working as I have described
> above, and to interoperate with existing V3 keys. Either I misunderstood
> your claim about the need for an all-zero IV, or you have misunderstood
> what your own code is doing.

In fact, after discussion with Hal, we've established that:

a) Both of us are correct about what our code is doing
b) The two algorithms are effectively the same (for decryption, at least).
c) There was a bug in my code related to resyncing that setting the IV
"the hard way" worked around - which is why it appeared that v3 keys
were crypted differently.

So, we're in agreement about how it works now. My complaint about
"resyncing" stands, however.

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
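
Point (b) of the message above, checked as an added example (not code from either implementation discussed in the thread, nor from GPG). It assumes plain full-block CFB with no resync and a 64-bit block, and uses truncated HMAC-SHA256 as a stand-in for the block cipher's encrypt direction; the key, IV and plaintext are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # assumed 64-bit block size

def enc(key: bytes, block: bytes) -> bytes:
    """Stand-in for Enc(): a keyed PRF. CFB only uses the encrypt direction,
    so this is enough to study the mode; it is not a real block cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    reg, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        c = xor(enc(key, reg), plaintext[i:i + BLOCK])
        out += c
        reg = c  # feedback register takes the ciphertext block
    return out

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    reg, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(enc(key, reg), c)
        reg = c  # on decryption the register also takes the ciphertext block
    return out

def decrypt_direct(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # First block is Enc(IV) xor ciphertext.
    return cfb_decrypt(key, iv, ct)

def decrypt_zero_iv(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # All-zero IV, stored IV prepended to the data, first output block discarded.
    # After the prepended block the register holds IV, so the rest matches.
    return cfb_decrypt(key, bytes(BLOCK), iv + ct)[BLOCK:]

def four_step_first_block(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # The four-step pseudocode from the quoted text: Enc(Enc(0) xor IV) xor ct.
    # It feeds the decrypted output back instead of the ciphertext block.
    return xor(enc(key, xor(enc(key, bytes(BLOCK)), iv)), ct[:BLOCK])

# Constructed sample values.
KEY = b"constructed-sample-key"
IV = bytes.fromhex("0102030405060708")
PT = b"secret key material, constructed"
CT = cfb_encrypt(KEY, IV, PT)

if __name__ == "__main__":
    print(decrypt_direct(KEY, IV, CT) == decrypt_zero_iv(KEY, IV, CT))
```

The four-step variant differs from both working routes only in what it loads into the feedback register, which is the kind of difference a known-answer test against an existing key catches immediately.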