
Re: Need some explanations about private key in OpenPGP format, CFB mode

2002-02-15 07:26:19

"Cornel GLIGAN" <cornel(_dot_)gligan(_at_)interscope(_dot_)ro> writes:


First of all, I want to thank you for answering me.

Here are my problems:

OpenPGP does symmetric encryption using a variant of Cipher Feedback
Mode (CFB mode). This section describes the procedure it uses in
detail. This mode is what is used for Symmetrically Encrypted Data
Packets; the mechanism used for encrypting secret key material is
similar, but described in those sections above.

In the "secret key material" section I found this: 
Encryption/decryption of the secret data is done in CFB mode using
the key created from the passphrase and the Initial Vector from the

(and now, back to the CFB mode)
OpenPGP CFB mode uses an initialization vector (IV) of all zeros,
and prefixes the plaintext with BS+2 octets of random data, such
that octets BS+1 and BS+2 match octets BS-1 and BS.  It does a CFB
"resync" after encrypting those BS+2 octets.

I want to mention that I want to keep a secret key in OpenPGP format, not
as plain text.
1) What value should I fill in IV?
2) Are those BS+2 octets just for plain text or even for secret key

The OpenPGP CFB module uses an "Encrypted Initialization".  The way this
works is:
        1) start with an IV of all zeros (in the CFB Context)
        2) Create a buffer of "BS+2" bytes
        3) Fill in the first BS bytes with random bytes
        4) copy the last two bytes of BS into the extra two bytes at the end
        5) CFB Encrypt the "BS+2" bytes <-- This is the encrypted IV
        6) Re-Sync the CFB context.
        7) Start encrypting your data.

This is done EVERY TIME you initialize a CFB context.  These extra
BS+2 bytes are prefixed before every CFB encryption.

3. FRE is xored with the first BS octets of random data prefixed to
the plaintext to produce C[1] through C[BS], the first BS octets
of ciphertext.

3) Do the C[i] octets represent the final form for OpenPGP format? 

Yes.  Although C[0]..C[BS+2] are the encrypted IV bytes, not your data

12. FRE is xored with the next BS octets of plaintext, to produce
the next BS octets of ciphertext.  These are loaded into FR and
the process is repeated until the plaintext is used up.

4) Let's assume that I encrypt the algorithm-specific portion with IDEA.
What happens with the last block of data if the length of the
algorithm-specific portion is not a multiple of 8 (64 bit)? (and, of
course, the last block will be less than BS - in this case 8 octets)

You clearly don't understand how CFB mode works.  You don't encrypt
your input in block-sized chunks; you rotate your feedback register in
block-sized chunks.  The ciphertext is just an xor of the feedback
register with the plaintext, and you rotate the feedback register by
encrypting your output.  So if the last block of plaintext is only 1
byte, you only use one byte from the last feedback and toss the rest
of your feedback on the floor.

Thank you in advance,

Cornel Gligan-Ignatescu


       Derek Atkins
       Computer and Internet Security Consultant
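
The seven-step prefix procedure and the partial-last-block behaviour discussed in this message, as an added example that is not part of the original e-mail or of any OpenPGP implementation. It covers the Symmetrically Encrypted Data Packet variant only; `E` is a keyed-hash stand-in for the block cipher (an assumption, not IDEA), and the key and message are constructed sample values.

```python
import hashlib
import os

BS = 8  # block size in octets (8 matches IDEA, the cipher named in the question)

def E(key, block):
    # Assumption: stand-in for the block cipher's encrypt direction, NOT a real
    # cipher. CFB only ever calls encrypt, so a keyed hash cut to BS octets works here.
    return hashlib.sha256(key + block).digest()[:BS]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # zip stops at the shorter input

def cfb_body(key, fr, data, decrypting):
    out = bytearray()
    for i in range(0, len(data), BS):
        chunk = data[i:i + BS]
        res = xor(E(key, fr), chunk)  # a short last chunk uses only len(chunk) octets of FRE
        out += res
        fr = chunk if decrypting else res  # the feedback register is always ciphertext
    return bytes(out)

def encrypt(key, plaintext, prefix=None):
    prefix = prefix or os.urandom(BS)         # BS random octets
    prefix += prefix[-2:]                     # repeat the last two -> BS+2 octets
    c1 = xor(E(key, bytes(BS)), prefix[:BS])  # IV of all zeros
    c2 = xor(E(key, c1), prefix[BS:])         # the two check octets
    head = c1 + c2
    return head + cfb_body(key, head[2:], plaintext, False)  # resync: FR = C[3..BS+2]

def decrypt(key, ciphertext):
    head, body = ciphertext[:BS + 2], ciphertext[BS + 2:]
    p1 = xor(E(key, bytes(BS)), head[:BS])
    p2 = xor(E(key, head[:BS]), head[BS:])
    if p1[-2:] != p2:
        raise ValueError("prefix check octets do not match")
    return cfb_body(key, head[2:], body, True)

if __name__ == "__main__":
    key = b"constructed-demo-key"             # constructed sample values
    msg = b"21 octets, not 3 * 8."
    ct = encrypt(key, msg)
    print(len(msg), len(ct), decrypt(key, ct) == msg)
```

The ciphertext is always exactly BS+2 octets longer than the plaintext, whatever the plaintext length, because no padding is involved.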