ietf-openpgp

Re: 5.5.3 clarification

2000-11-06 10:44:29
Michael Young writes:
If you're asking whether there is a CFB resync before the checksum, then
the answer is no.

Perhaps Hal would be willing to change the wording to something like:

    With V4 keys, a simpler method is used.  All secret MPI values 
    (including their MPI bitcount prefixes) and the checksum are
    encrypted in CFB mode, without any resynchronization.

This might help, although I don't think it works in terms of the
current explanation, which is:

   Encryption/decryption of the secret data is done in CFB mode using
   the key created from the passphrase and the Initial Vector from the
   packet. A different mode is used with V3 keys (which are only RSA)
   than with other key formats. With V3 keys, the MPI bit count prefix
   (i.e., the first two octets) is not encrypted.  Only the MPI non-
   prefix data is encrypted.  Furthermore, the CFB state is
   resynchronized at the beginning of each new MPI value, so that the
   CFB block boundary is aligned with the start of the MPI data.

   With V4 keys, a simpler method is used.  All secret MPI values are
   encrypted in CFB mode, including the MPI bitcount prefix.

   The 16-bit checksum that follows the algorithm-specific portion is
   the algebraic sum, mod 65536, of the plaintext of all the algorithm-
   specific octets (including MPI prefix and data).  With V3 keys, the
   checksum is stored in the clear.  With V4 keys, the checksum is
   encrypted like the algorithm-specific data.  This value is used to
   check that the passphrase was correct.

I agree that the last sentence of the first paragraph, about CFB
resynchronization, is not clearly stated as only being for V3.  The
first sentence of the paragraph is for both V3 and V4, the next two
sentences are explicitly for V3, and the last is unstated.  It is
meant to only be for V3 but we could clarify that.

Unfortunately referring to checksum encryption in the second paragraph,
as you suggest, may be confusing because the checksum and its encryption
rules are not explained until the third paragraph.

Maybe we could instead add a sentence to that paragraph, after "With
V4 keys, the checksum is encrypted like the algorithm-specific data."
We could add, "Note that no CFB resynchronization is done before the
checksum encryption."

We could also add, "and no resynchronization is used" to the end of
the second paragraph, just to make that very clear.  This would give
us:

   Encryption/decryption of the secret data is done in CFB mode using
   the key created from the passphrase and the Initial Vector from the
   packet. A different mode is used with V3 keys (which are only RSA)
   than with other key formats. With V3 keys, the MPI bit count prefix
   (i.e., the first two octets) is not encrypted.  Only the MPI non-
   prefix data is encrypted.  Furthermore, the CFB state is
   resynchronized at the beginning of each new MPI value, so that the
   CFB block boundary is aligned with the start of the MPI data.

   With V4 keys, a simpler method is used.  All secret MPI values are
   encrypted in CFB mode, including the MPI bitcount prefix, and no
   resynchronization is used.

   The 16-bit checksum that follows the algorithm-specific portion is
   the algebraic sum, mod 65536, of the plaintext of all the algorithm-
   specific octets (including MPI prefix and data).  With V3 keys, the
   checksum is stored in the clear.  With V4 keys, the checksum is
   encrypted like the algorithm-specific data.  Note that no CFB
   resynchronization is done before the checksum encryption.  The checksum
   value is used to check that the passphrase was correct.

I don't know, that last sentence is now left dangling, don't you think?

Hal
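
An added illustration (not part of the original message or of the specification text) of the V4 layout discussed in this thread: MPI prefixes, MPI data and the 16-bit checksum encrypted as one continuous CFB stream with no resynchronization, and the checksum used to check the passphrase. The block function, the key derivation, the 8-octet block size and the sample MPI values are constructed stand-ins, not a real cipher or S2K.

```python
import hashlib

BLOCK = 8  # octets; assumed 64-bit block size for this sketch

def block_encrypt(key, block):
    # Stand-in keyed function, NOT a real cipher. CFB only uses the
    # forward direction, so this is enough to show the mode.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb(key, iv, data, decrypt):
    # One continuous CFB stream: the feedback register is never reset.
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        stream = block_encrypt(key, feedback)
        result = bytes(a ^ b for a, b in zip(chunk, stream))
        out += result
        feedback = chunk if decrypt else result  # always the ciphertext
    return bytes(out)

def encode_mpi(n):
    # Two-octet bit count prefix followed by the big-endian value.
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def checksum(octets):
    # Sum of the plaintext octets (prefixes and data), mod 65536.
    return sum(octets) % 65536

def protect_v4(key, iv, mpis):
    plain = b"".join(encode_mpi(n) for n in mpis)
    return cfb(key, iv, plain + checksum(plain).to_bytes(2, "big"), False)

def unprotect_v4(key, iv, blob, count):
    # Returns the MPIs, or None when the checksum or framing does not match
    # (the wrong-passphrase case).
    plain = cfb(key, iv, blob, True)
    body, stored = plain[:-2], int.from_bytes(plain[-2:], "big")
    mpis, pos = [], 0
    for _ in range(count):
        nbytes = (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        if pos + 2 + nbytes > len(body):
            return None
        mpis.append(int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"))
        pos += 2 + nbytes
    return mpis if pos == len(body) and checksum(body) == stored else None

# Constructed sample values, not taken from any real key.
IV = bytes(range(8))
KEY = hashlib.sha256(b"correct passphrase").digest()  # stand-in for S2K
MPIS = [0x1F3C5A77D1, 0xC0FFEE, 0x0123456789ABCDEF01]
```

A 16-bit sum is only a passphrase check: a wrong key is accepted with probability of roughly 1 in 65536, and the checksum gives no integrity protection against deliberate modification of the ciphertext.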
