Nickolay L. writes:
And here is the question: I have one secret key (it seems that it
was generated by PGP Desktop 9.0.3), and it has one problem -
the symmetric algorithm (in place of S2KUsage) is reported to be 3DES,
which has a 192-bit key length, but the standards everywhere say that
when S2K is absent, a simple MD5 checksum should be used, but how to
derive a 192-bit key from a 128-bit MD5, there are no ideas.

I'm surprised that PGP 9.0.3 would use this old format. This behavior
is deprecated in the new draft.
However, such cases should be handled identically to the Simple S2K
format. This is described in the new draft as follows:

Simple S2K hashes the passphrase to produce the session key. The
manner in which this is done depends on the size of the session key
(which will depend on the cipher used) and the size of the hash
algorithm's output. If the hash size is greater than the session key
size, the high-order (leftmost) octets of the hash are used as the
key.

If the hash size is less than the key size, multiple instances of
the hash context are created -- enough to produce the required key
data. These instances are preloaded with 0, 1, 2, ... octets of
zeros (that is to say, the first instance has no preloading, the
second gets preloaded with 1 octet of zero, the third is preloaded
with two octets of zeros, and so forth).

As the data is hashed, it is given independently to each hash
context. Since the contexts have been initialized differently, they
will each produce different hash output. Once the passphrase is
hashed, the output data from the multiple hashes is concatenated,
first hash leftmost, to produce the key data, with any excess octets
on the right discarded.

Hal Finney
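
The derivation described in the quoted draft text, as an added example that is not part of the original message or of any PGP implementation. The function names and the sample passphrase are assumptions made for illustration; MD5 and the 24-octet 3DES key come from the question above.

```python
import hashlib


def simple_s2k(passphrase: bytes, key_len: int, hash_name: str = "md5") -> bytes:
    """Derive key_len octets from a passphrase using the Simple S2K rule.

    Hypothetical helper name. Follows the quoted draft text: when the hash
    output is shorter than the key, context i is preloaded with i zero
    octets, every context then receives the same passphrase, and the
    digests are concatenated with the first hash leftmost.
    """
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    digest_size = hashlib.new(hash_name).digest_size
    n_contexts = -(-key_len // digest_size)  # ceiling division

    contexts = []
    for i in range(n_contexts):
        ctx = hashlib.new(hash_name)
        ctx.update(b"\x00" * i)  # preload: 0, 1, 2, ... octets of zeros
        contexts.append(ctx)

    # The passphrase is given independently to each hash context.
    for ctx in contexts:
        ctx.update(passphrase)

    key_material = b"".join(ctx.digest() for ctx in contexts)
    return key_material[:key_len]  # excess octets on the right are discarded


def legacy_3des_key(passphrase: bytes) -> bytes:
    """The case from the question: no S2K specifier, MD5, 3DES (24 octets)."""
    return simple_s2k(passphrase, 24, "md5")


if __name__ == "__main__":
    sample = b"constructed sample passphrase"  # constructed input, not real data
    key = legacy_3des_key(sample)
    print(len(key), key.hex())
```

For the 3DES case two MD5 contexts are needed: the first 16 octets of the key are MD5(passphrase) and the remaining 8 are the leftmost octets of MD5(0x00 || passphrase).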