ietf-openpgp

Re: Conventional Encryption Keys, 5.3

1998-03-26 14:09:01
On Thu, 26 Mar 1998, Hal Finney wrote:

In the section beginning:

"The decryption result consists of a one-octet algorithm..."

Shouldn't there also be a two-octet checksum after the random key material
(to be identical to what is public-key encrypted)? 

The purpose of a checksum is to tell you whether you've entered the
right passphrase.  That's not necessary here because after decrypting the
session key (SK) it will immediately use that SK to decrypt the message,
and there is a check which is done in the first 10 bytes of the message
to see if the SK is correct.

It also says CFB mode with an IV of all zeros.  I didn't know the 10 byte
with CFB reset (if the algorithm has a block size of 8 or less) was
supposed to be there (see next).

It is true that the public key ESK packets do have this checksum, so you
are correct that it would be more consistent to have them for the symmetric
ESK as well, but functionally they are not needed.

The ESK packets DO NOT have the 10 byte prefix but "is done in CFB
mode..."  And there are resets between the secret values in RSA keys. 

Wouldn't it be better to use both the key and IV from the S2K and add the
checksum instead of creating yet another mode?

Has anyone else implemented this yet?  (PGP5.0ib8 doesn't).

--- reply to tzeruch - at - ceddec - dot - com ---
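
The two wrong-key checks discussed in this message, as an added Python example (not part of the original post and not code from any PGP implementation): the two-octet checksum carried with the public-key-encrypted session key, and the quick check on the 10-byte message prefix. It works on already-decrypted octets, so the CFB step is left out; the checksum rule (sum of the key octets modulo 65536) follows the OpenPGP specification, and the algorithm octet, key and "wrong passphrase" bytes are constructed sample values.

```python
# Added illustration: operates on already-decrypted bytes, no cipher involved.

def sk_checksum(key: bytes) -> int:
    """Two-octet checksum: sum of the session key octets modulo 65536."""
    return sum(key) & 0xFFFF

def encode_with_checksum(algo: int, key: bytes) -> bytes:
    """Public-key ESK plaintext layout: algorithm octet, key, checksum."""
    return bytes([algo]) + key + sk_checksum(key).to_bytes(2, "big")

def parse_with_checksum(blob: bytes):
    """Reject the decryption result if the trailing checksum does not match."""
    if len(blob) < 4:
        raise ValueError("too short")
    algo, key, tail = blob[0], blob[1:-2], blob[-2:]
    if int.from_bytes(tail, "big") != sk_checksum(key):
        raise ValueError("session key checksum mismatch")
    return algo, key

def parse_without_checksum(blob: bytes):
    """Symmetric ESK layout: algorithm octet then key; nothing to verify."""
    if len(blob) < 2:
        raise ValueError("too short")
    return blob[0], blob[1:]

def make_prefix(random8: bytes) -> bytes:
    """10-byte message prefix: 8 random octets, then octets 7 and 8 again."""
    if len(random8) != 8:
        raise ValueError("need 8 octets")
    return random8 + random8[6:8]

def prefix_ok(prefix10: bytes) -> bool:
    """Quick check after decrypting the start of the message with the SK."""
    return len(prefix10) == 10 and prefix10[8:10] == prefix10[6:8]

# Constructed sample values (not taken from the thread).
ALGO = 3                      # sample algorithm octet
KEY = bytes(range(16))        # sample 128-bit session key
GOOD = encode_with_checksum(ALGO, KEY)
# Constructed stand-ins for what a wrong passphrase would decrypt to.
GARBAGE = bytes.fromhex("9f3c11d2a07be455c8190f62b37d2ae14c")
GARBAGE_PREFIX = bytes.fromhex("5ad10377c2e9b4061f88")

if __name__ == "__main__":
    print(parse_with_checksum(GOOD))        # right key: checksum matches
    print(parse_without_checksum(GARBAGE))  # garbage accepted as a "key"
    print(prefix_ok(GARBAGE_PREFIX))        # the message prefix catches it
```

Both checks compare 16 bits, so either one lets a wrong key through with probability about 1 in 65536; the difference is only where the failure is noticed.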

