Lindsay Mathieson, <lindsay(_at_)powerup(_dot_)com(_dot_)au>, writes:
For Encrypted Session Key Packets (Section 5.1) the OpenPGP spec states:
The encrypted value "m" in the above formulas is derived from the
session key as follows. First the session key is prepended with a
one-octet algorithm identifier that specifies the conventional
encryption algorithm used to encrypt the following Symmetrically
Encrypted Data Packet. *Then a two-octet checksum is appended which is
equal to the sum of the preceding octets, including the algorithm
identifier and session key, modulo 65536.*
The problem is with the checksum: the spec states that it includes the
algorithm identifier, whereas in PGP 2.x it actually doesn't; it only
includes the session key itself. I'm not sure if this is the case for PGP
5.x though. Also it might be handy to mention that the checksum is in MSB
ordering.
So perhaps if it was changed to:
Then a two-octet checksum in MSB order is appended, which is
equal to the sum of the preceding session key octets, modulo 65536.
You are correct, I misread the code when I provided this information to
Jon. The alg ID is not included in the checksum in 5.X or in 2.X. We
should correct the draft spec.
Hal Finney
hal(_at_)pgp(_dot_)com
hal(_at_)rain(_dot_)org
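
The layout of "m" as settled in this thread (algorithm ID, session key, then a two-octet MSB-first checksum over the session key octets only), as an added example that is not part of the original messages or of PGP's code. The function names are hypothetical, and the algorithm ID value and key bytes are constructed sample values.

```python
import hmac
from typing import Tuple


def session_key_checksum(session_key: bytes) -> bytes:
    """Sum of the session key octets modulo 65536, two octets, MSB first."""
    return (sum(session_key) % 65536).to_bytes(2, "big")


def draft_wording_checksum(alg_id: int, session_key: bytes) -> bytes:
    """Checksum as the draft text literally reads (algorithm ID included)."""
    return ((alg_id + sum(session_key)) % 65536).to_bytes(2, "big")


def encode_m(alg_id: int, session_key: bytes) -> bytes:
    """Build m = alg_id || session_key || checksum(session_key)."""
    if not 0 <= alg_id <= 255:
        raise ValueError("algorithm identifier must fit in one octet")
    if not session_key:
        raise ValueError("empty session key")
    return bytes([alg_id]) + session_key + session_key_checksum(session_key)


def decode_m(m: bytes) -> Tuple[int, bytes]:
    """Split m and verify the checksum over the session key octets only."""
    if len(m) < 4:  # 1 (alg ID) + at least 1 key octet + 2 (checksum)
        raise ValueError("m is too short")
    alg_id, session_key, received = m[0], m[1:-2], m[-2:]
    # Constant-time comparison, so the check does not leak where the
    # first differing octet is.
    if not hmac.compare_digest(received, session_key_checksum(session_key)):
        raise ValueError("session key checksum mismatch")
    return alg_id, session_key


# Constructed sample values, not taken from any real message.
SAMPLE_ALG_ID = 3
SAMPLE_KEY = bytes(range(0xF0, 0x100))  # 16 octets, sum = 0x0F78

if __name__ == "__main__":
    m = encode_m(SAMPLE_ALG_ID, SAMPLE_KEY)
    print("checksum (MSB first):", m[-2:].hex())
    # An encoder that followed the draft wording produces a different
    # checksum, which a decoder matching PGP 2.x/5.x behaviour rejects.
    bad = bytes([SAMPLE_ALG_ID]) + SAMPLE_KEY + draft_wording_checksum(
        SAMPLE_ALG_ID, SAMPLE_KEY)
    try:
        decode_m(bad)
    except ValueError as exc:
        print("draft-wording encoding rejected:", exc)
```
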