ietf-openpgp

Re: Test Suite - and S2K Detail missing from the spec

1998-03-30 11:57:25
On Mon, 30 Mar 1998 nospam-seesignature(_at_)ceddec(_dot_)com wrote:

Initially, one or more hash contexts are set up as with the other S2K
algorithms, depending on how many octets of key data are needed.

MD5 yields 16 bytes, SHA1 yields 20 bytes, DES needs 24.  How do I
generate the extra material needed by longer algorithms?

I figured this out.  The problem is that it is under each individual S2K
description when technically it applies everywhere (maybe a 3.6.3.?
Keylength Issues Common to all S2K algorithms).

In 5.3

If the encrypted session key is present, the result of applying the S2K
algorithm to the passphrase is used to decrypt just that encrypted
session key field, using CFB mode with an IV of all zeros.  The
decryption result consists of a one-octet algorithm identifier that
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
specifies the conventional encryption algorithm used to encrypt the
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^->
following Symmetrically Encrypted Data Packet, followed by the session
key octets themselves.

Nothing says that the conventional algorithm used to encrypt the ESK need
be the same as that used to encrypt the SEDP.

Which is mainly the way it works, but there is a quirk in pgp5.0 that the
cipher length of the S2K cipher must equal the cipher length of the ESK: 

eskConvkeyValidate (byte const *buf, size_t len)
...
        c = pgpCipherByNumber (buf[1]);
This is the cipher used to encrypt the ESK, not the ultimate message.
        ret = pgpS2Kdecode (NULL, NULL, buf+2, len-2);
...
        len -= 2+ret;
...
        if (len < c->keysize+1)
                return PGPERR_ESK_TOOSHORT;
        if (len > c->keysize+1)
                return PGPERR_ESK_TOOLONG;

If 3DES encrypts a CAST key, or vice versa, the test will fail, but if
IDEA encrypts CAST or CAST encrypts IDEA, it will work (and PGP can't be
requiring both to use identical ciphers).

You would need to decrypt the ESK to find the new cipher number, and then
the keysize test would work (and probably where the test belongs).

#if 0-ing the test out made PGP work fine.

Note that this may be an issue depending on how "preferred ciphers" are
implemented.  If the ultimate user prefers CAST for the session key, I
might want to add a conventional key using 3DES to encrypt the session
key to someone else.  This won't work now.

--- reply to tzeruch - at - ceddec - dot - com ---
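The length check described in the message, modelled as an added example (this is not code from the message or from the PGP 5.0 source; the function names, the constructed packet bodies and the opaque placeholder ciphertext are assumptions). It parses a version-4 Symmetric-Key ESK packet body (RFC 2440 tag 3), measures the S2K specifier as pgpS2Kdecode would, and compares the remaining octets against either the S2K cipher's key size (the pgp5.0 behaviour) or the key size of the cipher named inside the decrypted ESK (where the check belongs):

```python
# Added example: models eskConvkeyValidate's length test on SK-ESK packets.
# Key sizes in octets for the ciphers the message discusses (RFC 2440 9.2).
KEYSIZE = {1: 16, 2: 24, 3: 16}  # 1 = IDEA, 2 = 3DES, 3 = CAST5


def s2k_len(spec: bytes) -> int:
    """Length of an S2K specifier (RFC 2440 3.6.1), like pgpS2Kdecode's return."""
    mode = spec[0]
    if mode == 0:   # simple: mode, hash id
        return 2
    if mode == 1:   # salted: mode, hash id, 8-octet salt
        return 10
    if mode == 3:   # iterated + salted: mode, hash id, salt, count octet
        return 11
    raise ValueError("unknown S2K mode %d" % mode)


def validate_esk(body: bytes, inner_cipher: int, pgp50_quirk: bool) -> str:
    """body = version(4), S2K cipher id, S2K specifier, [encrypted session key].
    inner_cipher is the algorithm octet found once the ESK is decrypted.
    pgp50_quirk=True reproduces pgp5.0: it sizes the ESK by the S2K cipher."""
    if body[0] != 4:
        return "bad version"
    s2k_cipher = body[1]
    rest = len(body) - 2 - s2k_len(body[2:])
    if rest == 0:
        return "ok (no ESK: the S2K output is the session key)"
    # CFB adds no expansion, so the ESK is exactly one algorithm octet + key.
    algo = s2k_cipher if pgp50_quirk else inner_cipher
    expected = KEYSIZE[algo] + 1
    if rest < expected:
        return "ESK too short"   # PGPERR_ESK_TOOSHORT
    if rest > expected:
        return "ESK too long"    # PGPERR_ESK_TOOLONG
    return "ok"


def sk_esk_body(s2k_cipher: int, hash_id: int, salt: bytes, count: int, esk: bytes) -> bytes:
    """Assemble a constructed iterated+salted SK-ESK body (mode 3)."""
    return bytes([4, s2k_cipher, 3, hash_id]) + salt + bytes([count]) + esk


# Constructed samples: the 17 zero octets stand in for an opaque CFB-encrypted
# (algorithm octet + 16-octet key) blob; only its length matters to the check.
SALT = bytes(range(8))
ESK_3DES_WRAPS_CAST = sk_esk_body(2, 2, SALT, 0x60, bytes(17))  # 3DES over a CAST5 key
ESK_IDEA_WRAPS_CAST = sk_esk_body(1, 2, SALT, 0x60, bytes(17))  # IDEA over a CAST5 key
```

With the quirk on, the 3DES-wrapped CAST5 key is rejected as too short while the IDEA-wrapped one passes; with the inner cipher consulted instead, both validate.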

