Wim Lewis wrote:
On Thu, 2 Feb 2006, Adam Back wrote:
So actually (I implemented this funky thing at some point to get
compat with some parts of pgp)
Likewise :-) I had to go examine the pgp2.6.2 source to be sure I was
doing it right, IIRC.
So it I think really is standard partial block encryption, but to
resume after the block you take the last 8 bytes from the end of the
previous ciphertext chunk and use as the IV for the next chunk.
As I understand it (it's been a while...), normal CFB has no concept of
partial block encryption except at the end of the stream. Even there,
one could argue, you're just padding the stream to a block boundary,
then truncating the output back to the original length, and taking
advantage of the property that the last block's worth of bits are
independent
(no mixing / avalanche).
So one way to describe PGP's operation is to say that each field is
encrypted independently using CFB, and the results are concatenated;
the fields after the first use an IV equal to the last eight bytes of
the output so far. (If the total ciphertext at that point is still too
short, then bytes from the original IV are used as if they
preceded the cipher stream.)
Yes, this is what OpenSSL implements, and it definitely works with
OpenPGP (not surprisingly, because this is really equivalent to
decrypting the whole thing using CFB and then slicing it up afterwards).
For fields which are a multiple of the block length, this is the same
as normal CFB; for short fields, some of the ciphertext gets used as
key material for more than one invocation of the block cipher: once
for the last block of a field, and again (mixed with new ciphertext)
for the first block of the next field.
No, this I don't agree with.
What I've written above is very much not the way that pgp2.6.2 thinks of
the operation, but I'm pretty sure it's equivalent.
I think not.
IIRC, there are only two places in PGP where the odd feedback mode
comes into play: the check bytes at the beginning of an encrypted
file, and encrypted MPIs in the secret key packet.
I do not know what you mean by the "odd feedback mode".
I agree what is written is pretty unclear.
There's a comment in pgp2.6.2's idea.c which explains it reasonably well,
I think.
On Thu, Feb 02, 2006 at 05:10:32PM +0000, Ben Laurie wrote:
If that means anything at all, you appear to be describing standard CFB
when applied to a partial block, which I assume the above is not.
From the comment in 2.6.2:
* Phil invented a unique way of doing CFB that's sensitive to semantic
* boundaries within the data being encrypted.
[... detailed explanation snipped ... ]
* This is equivalent to using a
* shorter feedback length (if you're familiar with the general CFB
* technique) briefly, and doesn't weaken the cipher any (using shorter
* CFB lengths makes it stronger, actually), it just makes it a bit
unusual.
The unusual aspect is the varying feedback length, where the feedback
length depends on the presence of a semantic boundary in the plaintext.
Normally CFB operates on an undifferentiated stream-of-bytes, and field
boundaries are not preserved nor significant.
I don't believe this is an accurate description of what's going on.
At least, not with v4 secret keys, which allegedly are nearly the same
(apart from "resynchronisation" - which I still am in the dark about).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff