Ben Laurie writes:

No, I can't confirm that. I have code that works as we all expect CFB to
work (modulo "resync") on v4 secret keys. I had to make the change I
described to decrypt v3 keys. It seems to me rather unlikely that I have
it wrong given that I had to reverse engineer and write new code to get
a working implementation for v3!

To clarify, you are claiming that to unlock a V3 secret key, you don't
use the IV as usual in CFB mode. Instead, you use an all-zero buffer
for the IV, and then prepend the IV from the secret key subpacket to
the data, decrypt that, and discard the first block of output?

So in other words, to get the first block of plaintext you do, in effect:

buf1 = Enc (all-zeros);
buf2 = buf1 xor IV;
buf3 = Enc (buf2);
buf4 = buf3 xor ciphertext

and buf4 will be the first block of plaintext? You say your code does
this, and it works????

My code does this:

buf1 = Enc (IV);
buf2 = buf1 xor ciphertext

and buf2 is the first block of plaintext.

I just checked GPG and I confirmed that they work the same way I have

Could you possibly show a few lines of your code, that does this step?

It's simply impossible for your code to be working as I have described
above, and to interoperate with existing V3 keys. Either I misunderstood
your claim about the need for an all-zero IV, or you have misunderstood
what your own code is doing.
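The two step sequences spelled out in the message above, carried out side by side so the first plaintext blocks can be compared directly. This is an added illustration, not code from either correspondent or from any OpenPGP implementation; the block cipher is a constructed keyed stand-in (only the forward direction is ever needed here), and the key, IV and ciphertext block are constructed sample values.

```python
import hashlib

BLOCK = 16  # block size in bytes of the stand-in cipher


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length blocks."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the block cipher's forward direction.
    Both sequences only ever call Enc(), so a keyed pseudo-random
    function suffices for comparing them. Not a real cipher."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def first_block_iv_as_usual(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Second sequence: buf1 = Enc(IV); buf2 = buf1 xor ciphertext."""
    buf1 = enc(key, iv)
    buf2 = xor(buf1, ct[:BLOCK])
    return buf2


def first_block_zero_iv_prepend(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """First sequence, step by step as written: buf1 = Enc(all-zeros);
    buf2 = buf1 xor IV; buf3 = Enc(buf2); buf4 = buf3 xor ciphertext."""
    buf1 = enc(key, bytes(BLOCK))
    buf2 = xor(buf1, iv)
    buf3 = enc(key, buf2)
    buf4 = xor(buf3, ct[:BLOCK])
    return buf4


def sequences_agree(key: bytes, iv: bytes, ct: bytes) -> bool:
    """True only when both sequences give the same first plaintext block.
    The ciphertext term is common to both, so this holds exactly when
    Enc(Enc(0) xor IV) == Enc(IV), i.e. when the feedback inputs coincide."""
    return (first_block_iv_as_usual(key, iv, ct)
            == first_block_zero_iv_prepend(key, iv, ct))


if __name__ == "__main__":
    key = b"constructed key material, 32B!!!"  # constructed sample values
    iv, ct = bytes(range(BLOCK)), b"first ct block!!"
    print("usual  :", first_block_iv_as_usual(key, iv, ct).hex())
    print("zero-IV:", first_block_zero_iv_prepend(key, iv, ct).hex())
    print("agree  :", sequences_agree(key, iv, ct))
```

The zero-IV sequence is, term for term, the usual sequence run with the feedback value Enc(0) xor IV in place of IV, which is why the two outputs only coincide when those two values are equal.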