Network Working Group                                         Jon Callas
Category: INTERNET-DRAFT                              Network Associates
draft-ietf-openpgp-formats-02.txt                       Lutz Donnerhacke
Expires Oct 1998                      IN-Root-CA Individual Network e.V.
April 1997                                                    Hal Finney
                                                      Network Associates
                                                           Rodney Thayer
                                                        Sable Technology

                          OpenPGP Message Format
                     draft-ietf-openpgp-formats-02.txt

Copyright 1998 by The Internet Society. All Rights Reserved.

Status of this Memo

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

Abstract

This document is maintained in order to publish all necessary
information needed to develop interoperable applications based on
the OpenPGP format. It is not a step-by-step cookbook for writing an
application. It describes only the format and methods needed to
read, check, generate and write conforming packets crossing any
network. It does not deal with storage and implementation questions.
It does, however, discuss implementation issues necessary to avoid
security flaws.

Open-PGP software uses a combination of strong public-key and
symmetric cryptography to provide security services for electronic
communications and data storage. These services include
confidentiality, key management, authentication and digital
signatures. This document specifies the message formats used in
OpenPGP.

Table of Contents

   Status of this Memo
   Abstract
   Table of Contents
   1. Introduction
   1.1. Terms
   2. General functions
   2.1. Confidentiality via Encryption
   2.2. Authentication via Digital signature
   2.3. Compression
   2.4. Conversion to Radix-64
   3. Data Element Formats
   3.1. Scalar numbers
   3.2. Multi-Precision Integers
   3.3. Key IDs
   3.4. Text
   3.5. Time fields
   3.6. String-to-key (S2K) specifiers
   3.6.1. String-to-key (S2k) specifier types
   3.6.1.1. Simple S2K
   3.6.1.2. Salted S2K
   3.6.1.3. Iterated and Salted S2K
   3.6.2. String-to-key usage
   3.6.2.1. Secret key encryption
   3.6.2.2. Symmetric-key message encryption
   4. Packet Syntax
   4.1. Overview
   4.2. Packet Headers
   4.2.1. Old-Format Packet Lengths
   4.2.2. New-Format Packet Lengths
   4.2.2.1. One-Octet Lengths
   4.2.2.2. Two-Octet Lengths
   4.2.2.3. Five-Octet Lengths
   4.2.2.4. Partial Body Lengths
   4.2.3. Packet Length Examples
   4.3. Packet Tags
   5. Packet Types
   5.1. Public-Key Encrypted Session Key Packets (Tag 1)
   5.2. Signature Packet (Tag 2)
   5.2.1. Signature Types
   5.2.2. Version 3 Signature Packet Format
   5.2.3. Version 4 Signature Packet Format
   5.2.3.1. Signature Subpacket Specification
   5.2.3.2. Signature Subpacket Types
   5.2.3.3. Signature creation time
   5.2.3.4. Issuer
   5.2.3.5. Key expiration time
   5.2.3.6. Preferred symmetric algorithms
   5.2.3.7. Preferred hash algorithms
   5.2.3.8. Preferred compression algorithms
   5.2.3.9. Signature expiration time
   5.2.3.10. Exportable
   5.2.3.11. Revocable
   5.2.3.12. Trust signature
   5.2.3.13. Regular expression
   5.2.3.14. Revocation key
   5.2.3.15. Notation Data
   5.2.3.16. Key server preferences
   5.2.3.17. Preferred key server
   5.2.3.18. Primary user id
   5.2.3.19. Policy URL
   5.2.3.20. Key Flags
   5.2.3.21. Signer's User ID
   5.2.4. Computing Signatures
   5.3. Symmetric-Key Encrypted Session-Key Packets (Tag 3)
   5.4. One-Pass Signature Packets (Tag 4)
   5.5. Key Material Packet
   5.5.1. Key Packet Variants
   5.5.1.1. Public Key Packet (Tag 6)
   5.5.1.2. Public Subkey Packet (Tag 14)
   5.5.1.3. Secret Key Packet (Tag 5)
   5.5.1.4. Secret Subkey Packet (Tag 7)
   5.5.2. Public Key Packet Formats
   5.5.3. Secret Key Packet Formats
   5.6. Compressed Data Packet (Tag 8)
   5.7. Symmetrically Encrypted Data Packet (Tag 9)
   5.8. Marker Packet (Obsolete Literal Packet) (Tag 10)
   5.9. Literal Data Packet (Tag 11)
   5.10. Trust Packet (Tag 12)
   5.11. User ID Packet (Tag 13)
   6. Radix-64 Conversions
   6.1. An Implementation of the CRC-24 in "C"
   6.2. Forming ASCII Armor
   6.3. Encoding Binary in Radix-64
   6.4. Decoding Radix-64
   6.5. Examples of Radix-64
   6.6. Example of an ASCII Armored Message
   7. Cleartext signature framework
   7.1. Dash-Escaped Text
   8. Regular Expressions
   9. Constants
   9.1. Public Key Algorithms
   9.2. Symmetric Key Algorithms
   9.3. Compression Algorithms
   9.4. Hash Algorithms
   10. Packet Composition
   10.1. Transferable Public Keys
   10.2. OpenPGP Messages
   11. Enhanced Key Formats
   11.1. Key Structures
   11.2. Key IDs and Fingerprints
   12. Notes on Algorithms
   12.1. Symmetric Algorithm Preferences
   12.2. Other Algorithm Preferences
   12.2.1. Compression Preferences
   12.2.2. Hash Algorithm Preferences
   12.3. Plaintext
   12.4. RSA
   12.5. Elgamal
   12.6. DSA
   12.7. OpenPGP CFB mode
   13. Security Considerations
   14. Authors and Working Group Chair
   15. References
   16. Full Copyright Statement
1. Introduction

This document provides information on the message-exchange packet
formats used by OpenPGP to provide encryption, decryption, signing,
and key management functions. It builds on the foundation provided
in RFC 1991 "PGP Message Exchange Formats."

1.1. Terms

   * OpenPGP - This is a definition for security software that uses
     PGP 5.x as a basis.

   * PGP - Pretty Good Privacy. PGP is a family of software systems
     developed by Philip R. Zimmermann from which OpenPGP is based.

   * PGP 2.6.x - This version of PGP has many variants, hence the
     term PGP 2.6.x. It used only RSA, MD5, and IDEA for its
     cryptographic transforms.

   * PGP 5.x - This version of PGP is formerly known as "PGP 3" in
     the community and also in the predecessor of this document,
     RFC1991. It has new formats and corrects a number of problems in
     the PGP 2.6.x design. It is referred to here as PGP 5.x because
     that software was the first release of the "PGP 3" code base.

"PGP", "Pretty Good", and "Pretty Good Privacy" are trademarks of
Network Associates, Inc.

2. General functions

OpenPGP provides data integrity services for messages and data files
by using these core technologies:

   - digital signatures
   - encryption
   - compression
   - radix-64 conversion

In addition, OpenPGP provides key management and certificate
services, but many of these are beyond the scope of this document.

2.1. Confidentiality via Encryption

OpenPGP uses two encryption methods to provide confidentiality:
symmetric-key encryption and public key encryption. With public-key
encryption, the object is encrypted using a symmetric encryption
algorithm. Each symmetric key is used only once. A new "session
key" is generated as a random number for each message. Since it is
used only once, the session key is bound to the message and
transmitted with it. To protect the key, it is encrypted with the
receiver's public key. The sequence is as follows:

   1. The sender creates a message.

   2. The sending OpenPGP generates a random number to be used as a
      session key for this message only.

   3. The session key is encrypted using each recipient's public key.
      These "encrypted session keys" start the message.

   4. The sending OpenPGP encrypts the message using the session key,
      which forms the remainder of the message. Note that the message
      is also usually compressed.

   5. The receiving OpenPGP decrypts the session key using the
      recipient's private key.

   6. The receiving OpenPGP decrypts the message using the session
      key. If the message was compressed, it will be decompressed.

With symmetric-key encryption, an object may be encrypted with a
symmetric key derived from a passphrase (or other shared secret), or
a two-stage mechanism similar to the public-key method above can be
used where a session key is itself encrypted with a symmetric
algorithm keyed from a shared secret.

Both digital signature and confidentiality services may be applied
to the same message. First, a signature is generated for the message
and attached to the message. Then, the message plus signature is
encrypted using a symmetric session key. Finally, the session key is
encrypted using public-key encryption and prepended to the encrypted
block.

2.2. Authentication via Digital signature

The digital signature uses a hash code or message digest algorithm,
and a public-key signature algorithm. The sequence is as follows:

   1. The sender creates a message.

   2. The sending software generates a hash code of the message.

   3. The sending software generates a signature from the hash code
      using the sender's private key.

   4. The binary signature is attached to the message.

   5. The receiving software keeps a copy of the message signature.

   6. The receiving software generates a new hash code for the
      received message and verifies it using the message's signature.
      If the verification is successful, the message is accepted as
      authentic.

2.3. Compression

OpenPGP implementations MAY compress the message after applying the
signature but before encryption.

2.4. Conversion to Radix-64

OpenPGP's underlying native representation for encrypted messages,
signature certificates, and keys is a stream of arbitrary octets.
Some systems only permit the use of blocks consisting of seven-bit,
printable text. For transporting OpenPGP's native raw binary octets
through channels that are not safe to raw binary data, a printable
encoding of these binary octets is needed. OpenPGP provides the
service of converting the raw 8-bit binary octet stream to a stream
of printable ASCII characters, called Radix-64 encoding or ASCII
Armor.

Implementations SHOULD provide Radix-64 conversions.

Note that many applications, particularly messaging applications,
will want more advanced features as described in the OpenPGP-MIME
document, RFC2015. An application that implements OpenPGP for
messaging SHOULD implement OpenPGP-MIME.

3. Data Element Formats

This section describes the data elements used by OpenPGP.

3.1. Scalar numbers

Scalar numbers are unsigned, and are always stored in big-endian
format. Using n[k] to refer to the kth octet being interpreted, the
value of a two-octet scalar is ((n[0] << 8) + n[1]). The value of a
four-octet scalar is ((n[0] << 24) + (n[1] << 16) + (n[2] << 8) +
n[3]).

3.2. Multi-Precision Integers

Multi-Precision Integers (also called MPIs) are unsigned integers
used to hold large integers such as the ones used in cryptographic
calculations.

An MPI consists of two pieces: a two-octet scalar that is the length
of the MPI in bits followed by a string of octets that contain the
actual integer.

These octets form a big-endian number; a big-endian number can be
made into an MPI by prefixing it with the appropriate length.

Examples:

(all numbers are in hexadecimal)

The string of octets [00 01 01] forms an MPI with the value 1. The
string [00 09 01 FF] forms an MPI with the value of 511.

Additional rules:

The size of an MPI is ((MPI.length + 7) / 8) + 2 octets.

The length field of an MPI describes the length starting from its
most significant non-zero bit. Thus, the MPI [00 02 01] is not
formed correctly. It should be [00 01 01].
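The scalar and MPI rules of sections 3.1 and 3.2 as an added Python example (not code from the draft): an encoder that emits the minimal bit-length, and a decoder that rejects the two malformed cases a parser should refuse, a length field that does not start at the top non-zero bit (such as [00 02 01]) and an octet string that runs past the end of the buffer.

```python
"""Encode and decode OpenPGP Multi-Precision Integers (section 3.2):
a two-octet big-endian bit count followed by the minimal big-endian
octets of the integer.  Added example, not part of the draft."""


def read_scalar(data: bytes, offset: int, width: int) -> int:
    """Big-endian unsigned scalar of `width` octets (section 3.1)."""
    if offset + width > len(data):
        raise ValueError("truncated scalar")
    return int.from_bytes(data[offset:offset + width], "big")


def mpi_size(nbits: int) -> int:
    """Total octets occupied by an MPI of `nbits` bits: ((len+7)/8)+2."""
    return (nbits + 7) // 8 + 2


def mpi_encode(value: int) -> bytes:
    """Return the MPI encoding of a non-negative integer."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    nbits = value.bit_length()        # counted from the top non-zero bit
    nbytes = (nbits + 7) // 8
    return nbits.to_bytes(2, "big") + value.to_bytes(nbytes, "big")


def mpi_decode(data: bytes, offset: int = 0):
    """Parse one MPI at `offset`; return (value, offset after the MPI).

    Rejects an MPI whose bit-length field disagrees with the integer
    actually present (e.g. [00 02 01], which the draft calls malformed)
    and an MPI whose octet string is cut off by the end of the buffer.
    """
    nbits = read_scalar(data, offset, 2)
    nbytes = (nbits + 7) // 8
    body = data[offset + 2:offset + 2 + nbytes]
    if len(body) != nbytes:
        raise ValueError("MPI body truncated")
    value = int.from_bytes(body, "big")
    if value.bit_length() != nbits:
        raise ValueError(f"length field says {nbits} bits, "
                         f"integer has {value.bit_length()}")
    return value, offset + 2 + nbytes


def is_well_formed(data: bytes) -> bool:
    """True if `data` is exactly one well-formed MPI and nothing else."""
    try:
        _, end = mpi_decode(data)
    except ValueError:
        return False
    return end == len(data)
```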
3.3. Key IDs

A Key ID is an eight-octet scalar that identifies a key.
Implementations SHOULD NOT assume that Key IDs are unique. The
section, "Enhanced Key Formats" below describes how Key IDs are
formed.

3.4. Text

The default character set for text is the UTF-8 [RFC2044] encoding
of Unicode [ISO10646].

3.5. Time fields

A time field is an unsigned four-octet number containing the number
of seconds elapsed since midnight, 1 January 1970 UTC.
3.6. String-to-key (S2K) specifiers

String-to-key (S2K) specifiers are used to convert passphrase
strings into symmetric-key encryption/decryption keys. They are
used in two places, currently: to encrypt the secret part of private
keys in the private keyring, and to convert passphrases to
encryption keys for symmetrically encrypted messages.

3.6.1. String-to-key (S2k) specifier types

There are three types of S2K specifiers currently supported, as
follows:

3.6.1.1. Simple S2K

This directly hashes the string to produce the key data. See below
for how this hashing is done.

   Octet 0:        0x00
   Octet 1:        hash algorithm

Simple S2K hashes the passphrase to produce the session key. The
manner in which this is done depends on the size of the session key
(which will depend on the cipher used) and the size of the hash
algorithm's output. If the hash size is greater than or equal to the
session key size, the high-order (leftmost) octets of the hash are
used as the key.

If the hash size is less than the key size, multiple instances of
the hash context are created -- enough to produce the required key
data. These instances are preloaded with 0, 1, 2, ... octets of
zeros (that is to say, the first instance has no preloading, the
second gets preloaded with 1 octet of zero, the third is preloaded
with two octets of zeros, and so forth).

As the data is hashed, it is given independently to each hash
context. Since the contexts have been initialized differently, they
will each produce different hash output. Once the passphrase is
hashed, the output data from the multiple hashes is concatenated,
first hash leftmost, to produce the key data, with any excess octets
on the right discarded.

3.6.1.2. Salted S2K

This includes a "salt" value in the S2K specifier -- some arbitrary
data -- that gets hashed along with the passphrase string, to help
prevent dictionary attacks.

   Octet 0:        0x01
   Octet 1:        hash algorithm
   Octets 2-9:     8-octet salt value

Salted S2K is exactly like Simple S2K, except that the input to the
hash function(s) consists of the 8 octets of salt from the S2K
specifier, followed by the passphrase.

3.6.1.3. Iterated and Salted S2K

This includes both a salt and an octet count. The salt is combined
with the passphrase and the resulting value is hashed repeatedly.
This further increases the amount of work an attacker must do to try
dictionary attacks.

   Octet 0:        0x03
   Octet 1:        hash algorithm
   Octets 2-9:     8-octet salt value
   Octet 10:       count, a one-octet, coded value

The count is coded into a one-octet number using the following
formula:

   #define EXPBIAS 6
       count = ((Int32)16 + (c & 15)) << ((c >> 4) + EXPBIAS);

The above formula is in C, where "Int32" is a type for a 32-bit
integer, and the variable "c" is the coded count, Octet 10.

Iterated-Salted S2K hashes the passphrase and salt data multiple
times. The total number of octets to be hashed is specified in the
encoded count in the S2K specifier. Note that the resulting count
value is an octet count of how many octets will be hashed, not an
iteration count.

Initially, one or more hash contexts are set up as with the other
S2K algorithms, depending on how many octets of key data are needed.
Then the salt, followed by the passphrase data is repeatedly hashed
until the number of octets specified by the octet count has been
hashed. The one exception is that if the octet count is less than
the size of the salt plus passphrase, the full salt plus passphrase
will be hashed even though that is greater than the octet count.
After the hashing is done the data is unloaded from the hash
context(s) as with the other S2K algorithms.
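The three S2K types of section 3.6.1 as an added Python example (not code from the draft): it parses a specifier, expands the coded count octet with the formula above, preloads one hash context per digest-size of key material needed, and applies the rule that an Iterated-Salted count smaller than salt+passphrase still hashes the whole input once. The hash-algorithm numbers 1 = MD5 and 2 = SHA-1 are assumed here from the draft's constants section, which lies outside this excerpt.

```python
"""Passphrase-to-key derivation for OpenPGP S2K specifiers (section
3.6.1): Simple (0x00), Salted (0x01) and Iterated-Salted (0x03).
Added example, not code from the draft."""
import hashlib

EXPBIAS = 6
HASH_ALGOS = {1: "md5", 2: "sha1"}   # assumed section 9.4 identifiers


def decode_count(c: int) -> int:
    """Expand coded count octet c: (16 + (c & 15)) << ((c >> 4) + EXPBIAS)."""
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)


def parse_s2k(spec: bytes):
    """Return (mode, hash name, salt, octet count or None, octets used)."""
    if len(spec) < 2:
        raise ValueError("S2K specifier truncated")
    mode, hash_name = spec[0], HASH_ALGOS.get(spec[1])
    if hash_name is None:
        raise ValueError(f"unknown hash algorithm {spec[1]}")
    if mode == 0x00:
        return mode, hash_name, b"", None, 2
    if mode in (0x01, 0x03):
        need = 10 if mode == 0x01 else 11
        if len(spec) < need:
            raise ValueError("S2K specifier truncated")
        count = decode_count(spec[10]) if mode == 0x03 else None
        return mode, hash_name, spec[2:10], count, need
    raise ValueError(f"unsupported S2K type {mode:#04x}")


def octets_to_hash(count, data_len: int) -> int:
    """Iterated S2K hashes `count` octets but never less than one full
    salt+passphrase; the other two types hash the data exactly once."""
    if count is None:
        return data_len
    return max(count, data_len)


def s2k_derive(spec: bytes, passphrase: bytes, key_len: int) -> bytes:
    """Produce `key_len` octets of key material from `passphrase`."""
    mode, hash_name, salt, count, _ = parse_s2k(spec)
    data = salt + passphrase          # salt (if any) precedes the passphrase
    if not data:
        raise ValueError("nothing to hash")
    digest_size = hashlib.new(hash_name).digest_size
    # One context per digest_size octets of key needed; context i is
    # preloaded with i zero octets so the contexts produce distinct output.
    contexts = (key_len + digest_size - 1) // digest_size
    total = octets_to_hash(count, len(data))
    key = b""
    for i in range(contexts):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * i)
        remaining = total
        while remaining > 0:          # repeat the data, cutting the last copy
            chunk = data[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()             # first context leftmost
    return key[:key_len]              # excess octets on the right discarded
```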
3.6.2. String-to-key usage
Implementations SHOULD use salted or iterated-and-salted S2K Implementations SHOULD use salted or iterated-and-salted S2K
specifiers, as simple S2K specifiers are more vulnerable to dictionary specifiers, as simple S2K specifiers are more vulnerable to
attacks. dictionary attacks.
3.6.2.1 Secret key encryption 3.6.2.1. Secret key encryption
An S2K specifier can be stored in the secret keyring to specify how to An S2K specifier can be stored in the secret keyring to specify how
convert the passphrase to a key that unlocks the secret data. Older to convert the passphrase to a key that unlocks the secret data.
versions of PGP just stored a cipher algorithm octet preceding the Older versions of PGP just stored a cipher algorithm octet preceding
secret data or a zero to indicate that the secret data was unencrypted. the secret data or a zero to indicate that the secret data was
The MD5 hash function was always used to convert the passphrase to a unencrypted. The MD5 hash function was always used to convert the
key for the specified cipher algorithm. passphrase to a key for the specified cipher algorithm.
For compatibility, when an S2K specifier is used, the special value 255 For compatibility, when an S2K specifier is used, the special value
is stored in the position where the hash algorithm octet would have 255 is stored in the position where the hash algorithm octet would
been in the old data structure. This is then followed immediately by a have been in the old data structure. This is then followed
one-octet algorithm identifier, and then by the S2K specifier as immediately by a one-octet algorithm identifier, and then by the S2K
encoded above. specifier as encoded above.
Therefore, preceding the secret data there will be one of these Therefore, preceding the secret data there will be one of these
possibilities: possibilities:
0 secret data is unencrypted (no pass phrase) 0: secret data is unencrypted (no pass phrase)
255 followed by algorithm octet and S2K specifier 255: followed by algorithm octet and S2K specifier
Cipher alg use Simple S2K algorithm using MD5 hash Cipher alg: use Simple S2K algorithm using MD5 hash
This last possibility, the cipher algorithm number with an implicit
This last possibility, the cipher algorithm number with an implicit use use of MD5 and IDEA, is provided for backward compatibility; it MAY
of MD5 is provided for backward compatibility; it should be understood, be understood, but SHOULD NOT be generated, and is deprecated.
but not generated.
These are followed by an 8-octet Initial Vector for the decryption of
the secret values, if they are encrypted, and then the secret key
values themselves.

3.6.2.2. Symmetric-key message encryption

[draft-01, under the heading "Conventional message encryption"]

PGP 2.X always used IDEA with Simple string-to-key conversion when
conventionally encrypting a message. PGP 5 can create a Conventional
Encrypted Session Key packet at the front of a message. This can be
used to allow S2K specifiers to be used for the passphrase conversion,
to allow other ciphers than IDEA to be used, or to create messages
with a mix of conventional ESKs and public key ESKs. This allows a
message to be decrypted either with a passphrase or a public key.

[draft-02]

OpenPGP can create a Symmetric-key Encrypted Session Key (ESK) packet
at the front of a message. This is used to allow S2K specifiers to be
used for the passphrase conversion or to create messages with a mix of
symmetric-key ESKs and public-key ESKs. This allows a message to be
decrypted either with a passphrase or a public key.

PGP 2.X always used IDEA with Simple string-to-key conversion when
encrypting a message with a symmetric algorithm. This is deprecated,
but MAY be used for backwards-compatibility.

[draft-01; the draft-02 column goes directly from 3.6.2.2 to section 4]

3.6.3 String-to-key algorithms

3.6.3.1 Simple S2K algorithm

Simple S2K hashes the passphrase to produce the session key. The
manner in which this is done depends on the size of the session key
(which will depend on the cipher used) and the size of the hash
algorithm's output. If the hash size is greater than or equal to the
session key size, the leftmost octets of the hash are used as the key.

If the hash size is less than the key size, multiple instances of the
hash context are created -- enough to produce the required key data.
These instances are preloaded with 0, 1, 2, ... octets of zeros (that
is to say, the first instance has no preloading, the second gets
preloaded with 1 octet of zero, the third is preloaded with two octets
of zeros, and so forth).

As the data is hashed, it is given independently to each hash context.
Since the contexts have been initialized differently, they will each
produce different hash output. Once the passphrase is hashed, the
output data from the multiple hashes is concatenated, first hash
leftmost, to produce the key data, with any excess octets on the right
discarded.

3.6.3.2 Salted S2K algorithm

Salted S2K is exactly like Simple S2K, except that the input to the
hash function(s) consists of the 8 octets of salt from the S2K
specifier, followed by the passphrase.

3.6.3.3 Iterated-Salted S2K algorithm

Iterated-Salted S2K hashes the passphrase and salt data multiple times.
The total number of octets to be hashed is specified in the four-octet
count in the S2K specifier. Note that the resulting count value is an
octet count of how many octets will be hashed, not an iteration count.

Initially, one or more hash contexts are set up as with the other S2K
algorithms, depending on how many octets of key data are needed. Then
the salt, followed by the passphrase data, is repeatedly hashed until
the number of octets specified by the octet count has been hashed. The
one exception is that if the octet count is less than the size of the
salt plus passphrase, the full salt plus passphrase will be hashed even
though that is greater than the octet count. After the hashing is done
the data is unloaded from the hash context(s) as with the other S2K
algorithms.
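The following Python is an added worked example, not code from either draft: it implements the three S2K variants of 3.6.3 on top of hashlib, including the multi-context scheme (context i preloaded with i zero octets) that produces key material longer than one digest, and the "hash at least one full salt+passphrase even if the count is smaller" exception of 3.6.3.3. The function names are this example's own, and the four-octet octet count of the S2K specifier is passed in already decoded as an integer.

```python
import hashlib


def _s2k_multi_hash(hash_name, key_len, feed):
    """Shared core of the three S2K variants (section 3.6.3.1).

    Enough hash contexts are created to produce key_len octets. Context i
    is preloaded with i zero octets before feed(ctx) supplies the real
    input, so each context yields a different digest. The digests are
    concatenated, first context leftmost, and excess octets on the right
    are discarded.
    """
    digest_size = hashlib.new(hash_name).digest_size
    contexts_needed = -(-key_len // digest_size)  # ceiling division
    key_material = b""
    for i in range(contexts_needed):
        ctx = hashlib.new(hash_name)
        ctx.update(b"\x00" * i)  # preload with 0, 1, 2, ... zero octets
        feed(ctx)
        key_material += ctx.digest()
    return key_material[:key_len]


def simple_s2k(passphrase, hash_name="sha1", key_len=16):
    """Simple S2K: hash the passphrase alone."""
    return _s2k_multi_hash(hash_name, key_len, lambda ctx: ctx.update(passphrase))


def salted_s2k(passphrase, salt, hash_name="sha1", key_len=16):
    """Salted S2K: hash the 8-octet salt followed by the passphrase."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    return _s2k_multi_hash(hash_name, key_len, lambda ctx: ctx.update(salt + passphrase))


def iterated_salted_s2k(passphrase, salt, octet_count, hash_name="sha1", key_len=16):
    """Iterated-Salted S2K.

    octet_count is the decoded count from the S2K specifier: the total
    number of octets to hash, not an iteration count. salt+passphrase is
    fed repeatedly until that many octets have gone in. If the count is
    smaller than one copy of salt+passphrase, the full copy is hashed anyway.
    """
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + passphrase
    total = max(octet_count, len(block))

    def feed(ctx):
        remaining = total
        while remaining > 0:
            chunk = block[:remaining]  # final copy truncated to hit the count exactly
            ctx.update(chunk)
            remaining -= len(chunk)

    return _s2k_multi_hash(hash_name, key_len, feed)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the draft.
    salt = bytes.fromhex("0123456789abcdef")
    print(simple_s2k(b"password", "sha1", 16).hex())
    print(salted_s2k(b"password", salt, "sha1", 16).hex())
    print(iterated_salted_s2k(b"password", salt, 65536, "sha1", 32).hex())
```

With a 20-octet hash and a 32-octet key, the second context (preloaded with one zero octet) supplies the last 12 octets; the same passphrase therefore yields a different tail than a single plain digest would.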
4. Packet Syntax

This section describes the packets used by OpenPGP.

4.1. Overview

An OpenPGP message is constructed from a number of records that are
traditionally called packets. A packet is a chunk of data that has a
tag specifying its meaning. An OpenPGP message, keyring, certificate,
and so forth consists of a number of packets. Some of those packets
may contain other OpenPGP packets (for example, a compressed data
packet, when uncompressed, contains OpenPGP packets).

Each packet consists of a packet header, followed by the packet body.
The packet header is of variable length.

4.2. Packet Headers

The first octet of the packet header is called the "Packet Tag." It
determines the format of the header and denotes the packet contents.
The remainder of the packet header is the length of the packet.

Note that the most significant bit is the left-most bit, called bit 7.
A mask for this bit is 0x80 in hexadecimal.

           +---------------+
      PTag |7 6 5 4 3 2 1 0|
           +---------------+
      Bit 7 -- Always one
      Bit 6 -- New packet format if set

PGP 2.6.x only uses old format packets. Thus, software that
interoperates with those versions of PGP must only use old format
packets. If interoperability is not an issue, either format may be
used. Note that old format packets have four bits of content tags,
and new format packets have six; some features cannot be used and
still be backwards-compatible.

Old format packets contain:

      Bits 5-2 -- content tag
      Bits 1-0 -- length-type

New format packets contain:

      Bits 5-0 -- content tag

4.2.1. Old-Format Packet Lengths

The meaning of the length-type in old-format packets is:

   0 - The packet has a one-octet length. The header is 2 octets long.

   1 - The packet has a two-octet length. The header is 3 octets long.

   2 - The packet has a four-octet length. The header is 5 octets long.

   3 - The packet is of indeterminate length. The header is 1 octet
       long, and the implementation must determine how long the packet
       is. If the packet is in a file, this means that the packet
       extends until the end of the file. In general, an implementation
       should not use indeterminate length packets except where the end
       of the data will be clear from the context. [draft-02 adds:] The
       new format headers described below have a mechanism for
       precisely encoding data of indeterminate length.

4.2.2. New-Format Packet Lengths

[draft-01]

New format packets have three possible ways of encoding length. A
one-octet Body Length header encodes packet lengths of up to 191
octets, and a two-octet Body Length header encodes packet lengths of
192 to 8383 octets. For cases where longer packet body lengths are
needed, or where the length of the packet body is not known in
advance by the issuer, Partial Body Length headers can be used. These
are one-octet length headers that encode the length of only part of
the data packet.

Each Partial Body Length header is followed by a portion of the packet
body data. The Partial Body Length header specifies this portion's
length. Another length header (of one of the three types) follows that
portion. The last length header in the packet must always be a regular
Body Length header. Partial Body Length headers may only be used for
the non-final parts of the packet.

[draft-02]

New format packets have four possible ways of encoding length:

   1. A one-octet Body Length header encodes packet lengths of up to
      191 octets.

   2. A two-octet Body Length header encodes packet lengths of 192 to
      8383 octets.

   3. A five-octet Body Length header encodes packet lengths of up to
      4,294,967,295 (0xFFFFFFFF) octets in length. (This actually
      encodes a four-octet scalar number.)

   4. When the length of the packet body is not known in advance by
      the issuer, Partial Body Length headers encode a packet of
      indeterminate length, effectively making it a stream.

4.2.2.1. One-Octet Lengths

A one-octet Body Length header encodes a length of from 0 to 191
octets. This type of length header is recognized because the one
octet value is less than 192. The body length is equal to:

      bodyLen = length_octet;

4.2.2.2. Two-Octet Lengths

A two-octet Body Length header encodes a length of from 192 to 8383
octets. It is recognized because its first octet is in the range 192
to 223. The body length is equal to:

      bodyLen = (1st_octet - 192) * 256 + (2nd_octet) + 192

4.2.2.3. Five-Octet Lengths [draft-02 only]

A five-octet Body Length header consists of a single octet holding
the value 255, followed by a four-octet scalar. The body length is
equal to:

      bodyLen = (2nd_octet << 24) | (3rd_octet << 16) |
                (4th_octet << 8)  | 5th_octet

4.2.2.4. Partial Body Lengths

[draft-01]

A Partial Body Length header is one octet long and encodes a length
which is a power of 2, from 1 to 2147483648 (2 to the 31st power). It
is recognized because its one octet value is greater than or equal to
224. The partial body length is equal to:

[draft-02]

A Partial Body Length header is one octet long and encodes the length
of only part of the data packet. This length is a power of 2, from 1
to 1,073,741,824 (2 to the 30th power). It is recognized by its one
octet value that is greater than or equal to 224, and less than 255.
The partial body length is equal to:

      partialBodyLen = 1 << (length_octet & 0x1f);

Each Partial Body Length header is followed by a portion of the packet
body data. The Partial Body Length header specifies this portion's
length. Another length header (of one of the three types) follows that
portion. The last length header in the packet must not be a Partial
Body Length header. Partial Body Length headers may only be used for
the non-final parts of the packet.

4.2.3. Packet Length Examples

A packet with length 100 may have its length encoded in one octet:
0x64. This is followed by 100 octets of data.

A packet with length 1723 may have its length coded in two octets:
0xC5, 0xFB. This header is followed by the 1723 octets of data.

[draft-02 adds:] A packet with length 100000 may have its length
encoded in five octets: 0xFF, 0x00, 0x01, 0x86, 0xA0.

It might also be encoded in the following octet stream: 0xE1, first
two octets of data, 0xE0, next one octet of data, 0xEF, next 32768
octets of data, 0xF0, next 65536 octets of data, 0xC5, 0xDD, last
1693 octets of data. This is just one possible encoding, and many
variations are possible on the size of the Partial Body Length
headers, as long as a regular Body Length header encodes the last
portion of the data. Note also that the last Body Length header can
be a zero-length header.

[draft-02 adds:] An implementation MUST only use Partial Body Lengths
for data packets, be they literal, compressed, or encrypted. The first
partial length MUST be at least 512 octets long.

Please note that in all of these explanations, the total length of
the packet is the length of the header(s) plus the length of the
body.
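The following Python is an added worked example, not code from either draft. It decodes and encodes the old-format and new-format length headers of section 4.2, reassembles a body that is split across Partial Body Length headers, and rebuilds the 100000-octet stream of section 4.2.3 from a constructed payload. The strict flag, the DATA_PACKET_TAGS set and the function names are this example's own choices; the tag values 8, 9 and 11 in that set are the compressed, symmetrically encrypted and literal data tags from section 4.3.

```python
# Packets allowed to use Partial Body Lengths under draft-02 (section
# 4.2.3): compressed (8), symmetrically encrypted (9), literal (11).
DATA_PACKET_TAGS = {8, 9, 11}


def decode_new_length(buf, pos):
    """Decode a new-format length header at buf[pos].

    Returns (length, next_pos, is_partial).
    """
    first = buf[pos]
    if first < 192:                                   # 4.2.2.1 one-octet
        return first, pos + 1, False
    if first < 224:                                   # 4.2.2.2 two-octet
        return (first - 192) * 256 + buf[pos + 1] + 192, pos + 2, False
    if first == 255:                                  # 4.2.2.3 five-octet
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True         # 4.2.2.4 partial


def encode_new_length(n):
    """Encode a regular (non-partial) new-format Body Length header."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([192 + (n >> 8), n & 0xFF])
    if n <= 0xFFFFFFFF:
        return b"\xff" + n.to_bytes(4, "big")
    raise ValueError("length exceeds a five-octet Body Length header")


def encode_partial_length(n):
    """Encode a Partial Body Length header; n must be a power of two <= 2**30."""
    if n <= 0 or n > 1 << 30 or n & (n - 1):
        raise ValueError("partial length must be a power of two from 1 to 2**30")
    return bytes([224 | (n.bit_length() - 1)])


def parse_packet(buf, pos=0, strict=False):
    """Parse one packet header at buf[pos] and collect its whole body.

    Returns a dict with the tag, the header format, the body and the
    offset of the next packet. With strict=True the draft-02 rules on
    Partial Body Lengths are enforced: data packets only, and a first
    partial length of at least 512 octets.
    """
    ptag = buf[pos]
    if not ptag & 0x80:
        raise ValueError("bit 7 of the packet tag must always be one")
    pos += 1
    if ptag & 0x40:                                   # new format: six-bit tag
        tag = ptag & 0x3F
        body = bytearray()
        first = True
        while True:
            length, pos, partial = decode_new_length(buf, pos)
            if partial and strict:
                if tag not in DATA_PACKET_TAGS:
                    raise ValueError("Partial Body Lengths only allowed on data packets")
                if first and length < 512:
                    raise ValueError("first Partial Body Length must be at least 512 octets")
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("packet truncated")
            body += chunk
            pos += length
            first = False
            if not partial:                           # last header is a regular one
                break
        return {"tag": tag, "new_format": True, "body": bytes(body), "end": pos}
    tag = (ptag >> 2) & 0x0F                          # old format: four-bit tag
    length_type = ptag & 0x03
    if length_type == 3:                              # indeterminate: runs to end of data
        body = buf[pos:]
        pos = len(buf)
    else:
        width = (1, 2, 4)[length_type]
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
        body = buf[pos:pos + length]
        if len(body) != length:
            raise ValueError("packet truncated")
        pos += length
    return {"tag": tag, "new_format": False, "body": bytes(body), "end": pos}


def section_4_2_3_stream(payload):
    """Build the draft's 100000-octet example as a new-format Literal Data
    packet: partial parts of 2, 1, 32768 and 65536 octets, then a regular
    two-octet header for the final 1693 octets."""
    if len(payload) != 100000:
        raise ValueError("the draft's example is for a 100000-octet body")
    out = bytearray([0xC0 | 11])
    off = 0
    for n in (2, 1, 32768, 65536):
        out += encode_partial_length(n) + payload[off:off + n]
        off += n
    out += encode_new_length(len(payload) - off) + payload[off:]
    return bytes(out)
```

With strict=True the draft's own 4.2.3 stream is rejected, because its first partial length is 2 octets rather than the 512 that draft-02 requires; the example stream is therefore parsed with the default strict=False.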
4.3. Packet Tags

The packet tag denotes what type of packet the body holds. Note that
old format headers can only have tags less than 16, whereas new
format headers can have tags as great as 63. The defined tags (in
decimal) are:

       0 -- Reserved - a packet tag must not have this value
       1 -- Public-Key Encrypted Session Key Packet
       2 -- Signature Packet
       3 -- Symmetric-Key Encrypted Session Key Packet
       4 -- One-Pass Signature Packet
       5 -- Secret Key Packet
       6 -- Public Key Packet
       7 -- Secret Subkey Packet
       8 -- Compressed Data Packet
       9 -- Symmetrically Encrypted Data Packet
      10 -- Marker Packet
      11 -- Literal Data Packet
      12 -- Trust Packet
      13 -- User ID Packet [draft-01: Name Packet]
      14 -- Subkey Packet
      15 -- Reserved
      60 to 63 -- Private or Experimental Values
5. Packet Types

5.1. Public-Key Encrypted Session Key Packets (Tag 1)

[draft-01]

A Public-Key Encrypted Session Key packet holds the key used to
encrypt a message that is itself encrypted with a public key. Zero or
more Encrypted Session Key packets and/or Conventional Encrypted
Session Key packets may precede a Symmetrically Encrypted Data Packet,
which holds an encrypted message. The message is encrypted with a
session key, and the session key is itself encrypted and stored in the
Encrypted Session Key packet(s). The Symmetrically Encrypted Data
Packet is preceded by one Public-Key Encrypted Session Key packet for
each OP key to which the message is encrypted. The recipient of the
message finds a session key that is encrypted to their public key,
decrypts the session key, and then uses the session key to decrypt the
message.

[draft-02]

A Public-Key Encrypted Session Key packet holds the session key used
to encrypt a message. Zero or more Encrypted Session Key packets
(either Public-Key or Symmetric-Key) may precede a Symmetrically
Encrypted Data Packet, which holds an encrypted message. The message
is encrypted with the session key, and the session key is itself
encrypted and stored in the Encrypted Session Key packet(s). The
Symmetrically Encrypted Data Packet is preceded by one Public-Key
Encrypted Session Key packet for each OpenPGP key to which the message
is encrypted. The recipient of the message finds a session key that is
encrypted to their public key, decrypts the session key, and then uses
the session key to decrypt the message.

The body of this packet consists of:

   - A one-octet number giving the version number of the packet type.
     The currently defined value for packet version is 3. An
     implementation should accept, but not generate a version of 2,
     which is equivalent to V3 in all other respects.

   - An eight-octet number that gives the key ID of the public key
     that the session key is encrypted to.

   - A one-octet number giving the public key algorithm used.

   - A string of octets that is the encrypted session key. This
     string takes up the remainder of the packet, and its contents
     are dependent on the public key algorithm used.

Algorithm Specific Fields for RSA encryption

   - multiprecision integer (MPI) of RSA encrypted value m**e mod n.

Algorithm Specific Fields for Elgamal encryption:

   - MPI of Elgamal (Diffie-Hellman) value g**k mod p.
     [draft-01 reads: "MPI of DSA value g**k mod p."]

   - MPI of Elgamal (Diffie-Hellman) value m * y**k mod p.
     [draft-01 reads: "MPI of DSA value m * y**k mod p."]

The value "m" in the above formulas is derived from the session key
as follows. First the session key is prefixed with a one-octet
algorithm identifier that specifies the symmetric encryption
algorithm used to encrypt the following Symmetrically Encrypted Data
Packet. Then a two-octet checksum is appended which is equal to the
sum of the preceding octets, including the algorithm identifier and
session key, modulo 65536. This value is then padded as described in
PKCS-1 block type 02 [PKCS1] to form the "m" value used in the
formulas above.

[draft-02 adds:] Note that when an implementation forms several PKESKs
with one session key, forming a message that can be decrypted by
several keys, the implementation MUST make new PKCS-1 padding for
each key.

An implementation MAY accept or use a Key ID of zero as a "wild card"
or "speculative" Key ID. In this case, the receiving implementation
would try all available private keys, checking for a valid decrypted
session key. This format helps reduce traffic analysis of messages.
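The following Python is an added worked example, not code from either draft. It builds the "m" octet string of 5.1 (algorithm identifier, session key, two-octet checksum of the preceding octets modulo 65536), applies PKCS-1 block type 02 padding with fresh random padding per call, and shows the receiver-side inverse: unpad, then check the checksum, which is what lets a recipient tell a correctly decrypted session key from the garbage produced by trying the wrong private key under a wild-card Key ID. The RSA operation itself is left out. The function names, the 1024-bit modulus size and the sample session key are this example's own; the algorithm identifier 1 is used only as a sample value.

```python
import os


def encode_session_key(sym_alg_id, session_key):
    """Form the octet string that becomes "m" (section 5.1): a one-octet
    symmetric algorithm id, the session key, then a two-octet checksum
    equal to the sum of all preceding octets modulo 65536."""
    body = bytes([sym_alg_id]) + session_key
    checksum = sum(body) % 65536
    return body + checksum.to_bytes(2, "big")


def decode_session_key(m):
    """Inverse of encode_session_key. Returns (alg_id, key), or None when
    the checksum does not match (wrong private key, corrupted data)."""
    if len(m) < 3:
        return None
    body, checksum = m[:-2], int.from_bytes(m[-2:], "big")
    if sum(body) % 65536 != checksum:
        return None
    return body[0], body[1:]


def pkcs1_type2_pad(message, k):
    """PKCS-1 block type 02: 00 || 02 || PS || 00 || M, k octets long, where
    PS is at least eight non-zero random octets."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long for the modulus")
    ps = bytearray()
    while len(ps) < ps_len:                      # drop zero octets and refill
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def pkcs1_type2_unpad(block):
    """Strip type-02 padding. Returns the message, or None for any malformed block."""
    if len(block) < 11 or block[0] != 0 or block[1] != 2:
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:                                 # fewer than eight PS octets, or no separator
        return None
    return block[sep + 1:]


def wrap_for_recipient(sym_alg_id, session_key, modulus_octets):
    """Sender side, once per recipient key: build m and give it its own
    fresh padding, as draft-02 requires when one session key goes to
    several keys. RSA encryption of the block is outside this example."""
    return pkcs1_type2_pad(encode_session_key(sym_alg_id, session_key), modulus_octets)


def unwrap_from_recipient(block):
    """Receiver side, after RSA decryption: unpad, then verify the checksum.
    Padding failures and checksum failures are both reported as None."""
    m = pkcs1_type2_unpad(block)
    return None if m is None else decode_session_key(m)


if __name__ == "__main__":
    key = bytes(range(1, 17))                    # constructed 128-bit session key
    a = wrap_for_recipient(1, key, 128)          # sample alg id 1, 1024-bit modulus
    b = wrap_for_recipient(1, key, 128)
    print(a != b, unwrap_from_recipient(a) == (1, key))
```

Two wraps of the same session key differ only in their padding octets; the "m" string inside is identical, and either block unwraps to the same (algorithm id, key) pair.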
5.2. Signature Packet (Tag 2)

A signature packet describes a binding between some public key and
some data. The most common signatures are a signature of a file or a
block of text, and a signature that is a certification of a user ID.

Two versions of signature packets are defined. Version 3 provides
basic signature information, while version 4 provides an expandable
format with subpackets that can specify more information about the
signature. PGP 2.6.x only accepts version 3 signatures.

Implementations MUST accept V3 signatures. Implementations SHOULD
generate V4 signatures. Implementations MAY generate a V3 signature
that can be verified by PGP 2.6.x. [draft-01 reads: "Implementations
SHOULD generate V4 signatures, unless there is a need to generate a
signature that can be verified by old implementations."]

Note that if an implementation is creating an encrypted and signed
message that is encrypted to a V3 key, it is reasonable to create a
V3 signature.

5.2.1. Signature Types [draft-02 only; draft-01 goes directly to the
Version 3 Signature Packet Format]

There are a number of possible meanings for a signature, which are
specified in a signature type octet in any given signature. These
meanings are:

   0x00: Signature of a binary document.
       Typically, this means the signer owns it, created it, or
       certifies that it has not been modified.

   0x01: Signature of a canonical text document.
       Typically, this means the signer owns it, created it, or
       certifies that it has not been modified. The signature will be
       calculated over the text data with its line endings converted to
       <CR><LF> and trailing blanks removed.

   0x02: Standalone signature.
       This signature is a signature of only its own subpacket
       contents. It is calculated identically to a signature over a
       zero-length binary document. Note that it doesn't make sense to
       have a V3 standalone signature.

   0x10: Generic certification of a User ID and Public Key packet.
       The issuer of this certification does not make any particular
       assertion as to how well the certifier has checked that the
       owner of the key is in fact the person described by the user ID.
       Note that all PGP "key signatures" are this type of
       certification.

   0x11: Persona certification of a User ID and Public Key packet.
       The issuer of this certification has not done any verification
       of the claim that the owner of this key is the user ID
       specified.

   0x12: Casual certification of a User ID and Public Key packet.
       The issuer of this certification has done some casual
       verification of the claim of identity.

   0x13: Positive certification of a User ID and Public Key packet.
       The issuer of this certification has done substantial
       verification of the claim of identity.

       Please note that the vagueness of these certification claims is
       not a flaw, but a feature of the system. Because PGP places
       final authority for validity upon the receiver of a
       certification, it may be that one authority's casual
       certification might be more rigorous than some other authority's
       positive certification. These classifications allow a
       certification authority to issue fine-grained claims.

   0x18: Subkey Binding Signature
       This signature is a statement by the top-level signing key that
       indicates that it owns the subkey. This signature is calculated
       directly on the subkey itself, not on any User ID or other
       packets.

   0x1F: Signature directly on a key
       This signature is calculated directly on a key. It binds the
       information in the signature subpackets to the key, and is
       appropriate to be used for subpackets which provide information
       about the key, such as the revocation key subpacket. It is also
       appropriate for statements that non-self certifiers want to make
       about the key itself, rather than the binding between a key and
       a name.

   0x20: Key revocation signature
       The signature is calculated directly on the key being revoked.
       A revoked key is not to be used. Only revocation signatures by
       the key being revoked, or by an authorized revocation key,
       should be considered valid revocation signatures.

   0x28: Subkey revocation signature
       The signature is calculated directly on the subkey being
       revoked. A revoked subkey is not to be used. Only revocation
       signatures by the top-level signature key which is bound to this
       subkey, or by an authorized revocation key, should be considered
       valid revocation signatures.

   0x30: Certification revocation signature
       This signature revokes an earlier user ID certification
       signature (signature class 0x10 through 0x13). It should be
       issued by the same key which issued the revoked signature or an
       authorized revocation key. The signature should have a later
       creation date than the signature it revokes.

   0x40: Timestamp signature.
       This signature is only meaningful for the timestamp contained in
       it.
5.2.2. Version 3 Signature Packet Format

The body of a version 3 Signature Packet contains:

   - One-octet version number (3).

   - One-octet length of following hashed material. MUST be 5.

   - One-octet signature type.

   - Four-octet creation time.

   - Eight-octet key ID of signer.

   - One-octet public key algorithm.

   - One-octet hash algorithm.

   - Two-octet field holding left 16 bits of signed hash value.

   - One or more multi-precision integers comprising the signature.
     This portion is algorithm specific, as described below.

The data being signed is hashed, and then the signature type and
creation time from the signature packet are hashed (5 additional
octets). The resulting hash value is used in the signature algorithm.
The high 16 bits (first two octets) of the hash are included in the
signature packet to provide a quick test to reject some invalid
signatures.

Algorithm Specific Fields for RSA signatures:

   - multiprecision integer (MPI) of RSA signature value m**d.

Algorithm Specific Fields for DSA signatures:

   - MPI of DSA value r.

   - MPI of DSA value s.

The signature calculation is based on a hash of the signed data, as
described above. The details of the calculation are different for DSA
signatures than for RSA signatures.

With RSA signatures, the hash value is encoded as described in PKCS-1
section 10.1.2, "Data encoding", producing an ASN.1 value of type
DigestInfo, and then padded using PKCS-1 block type 01 [PKCS1]. This
requires inserting the hash value as an octet string into an ASN.1
structure. The object identifier for the type of hash being used is
included in the structure. The hexadecimal representations for the
currently defined hash algorithms are:

   - MD2: 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x02 [draft-02 only]

   - MD5: 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05

   - RIPEMD-160: 0x2B, 0x24, 0x03, 0x02, 0x01

   - SHA-1: 0x2B, 0x0E, 0x03, 0x02, 0x1A

The ASN.1 OIDs are:

   - MD2: 1.2.840.113549.2.2 [draft-02 only]

   - MD5: 1.2.840.113549.2.5

   - RIPEMD160: 1.3.36.3.2.1

   - SHA-1: 1.3.14.3.2.26

DSA signatures SHOULD use hashes with a size of 160 bits, to match q,
the size of the group generated by the DSA key's generator value. The
hash function result is treated as a 160 bit number and used directly
in the DSA signature algorithm.
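The following Python is an added worked example, not code from either draft. It computes the V3 signature hash of 5.2.2 (the signed data followed by the five-octet type and creation-time trailer), applies the canonical-text rule of signature type 0x01 from 5.2.1, extracts the left 16 bits for the quick reject test, and builds the PKCS-1 DigestInfo structure from the OID octets listed above, padded with block type 01 as the RSA signing input. The RSA exponentiation itself is left out. The function names and the 1024-bit modulus size are this example's own; the DER layout of DigestInfo (SEQUENCE of an AlgorithmIdentifier SEQUENCE and an OCTET STRING) is the PKCS-1 encoding the draft refers to.

```python
import hashlib

# DER-encoded hash OIDs exactly as listed in the draft for DigestInfo.
# (hashlib's support for ripemd160 depends on the underlying OpenSSL build.)
HASH_OID_DER = {
    "md5": bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05]),
    "ripemd160": bytes([0x2B, 0x24, 0x03, 0x02, 0x01]),
    "sha1": bytes([0x2B, 0x0E, 0x03, 0x02, 0x1A]),
}


def canonicalize_text(data):
    """Signature type 0x01: line endings become <CR><LF>, trailing blanks go."""
    out = bytearray()
    for line in data.splitlines(keepends=True):
        stripped = line.rstrip(b"\r\n")
        had_ending = len(stripped) != len(line)
        out += stripped.rstrip(b" \t")
        if had_ending:
            out += b"\r\n"
    return bytes(out)


def v3_signature_hash(data, sig_type, creation_time, hash_name="sha1"):
    """Hash the signed data, then the five-octet V3 trailer:
    signature type (1 octet) and creation time (4 octets)."""
    if sig_type == 0x01:
        data = canonicalize_text(data)
    h = hashlib.new(hash_name)
    h.update(data)
    h.update(bytes([sig_type]) + creation_time.to_bytes(4, "big"))
    return h.digest()


def left16(digest):
    """The two octets stored in the packet for the quick reject test."""
    return digest[:2]


def passes_quick_test(packet_left16, data, sig_type, creation_time, hash_name="sha1"):
    """Cheap pre-check a verifier can run before any public-key operation.
    A match proves nothing by itself; a mismatch rejects the signature."""
    return left16(v3_signature_hash(data, sig_type, creation_time, hash_name)) == packet_left16


def digest_info(hash_name, digest):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }."""
    oid = HASH_OID_DER[hash_name]
    alg_id = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"   # OID + NULL parameters
    alg_seq = b"\x30" + bytes([len(alg_id)]) + alg_id
    octets = b"\x04" + bytes([len(digest)]) + digest
    body = alg_seq + octets
    return b"\x30" + bytes([len(body)]) + body


def pkcs1_type1_pad(t, k):
    """PKCS-1 block type 01: 00 || 01 || FF..FF || 00 || T, k octets in total."""
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("encoded hash too long for the modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def rsa_sign_input(data, sig_type, creation_time, hash_name, modulus_octets):
    """The integer an RSA signer raises to d: hash -> DigestInfo -> type-01 pad."""
    h = v3_signature_hash(data, sig_type, creation_time, hash_name)
    return int.from_bytes(pkcs1_type1_pad(digest_info(hash_name, h), modulus_octets), "big")


if __name__ == "__main__":
    # Constructed sample: a text document signed with type 0x01 at time 0x35000000.
    doc = b"Hello,  \nworld \r\n"
    h = v3_signature_hash(doc, 0x01, 0x35000000, "sha1")
    print(left16(h).hex(), digest_info("sha1", h).hex())
    print(hex(rsa_sign_input(doc, 0x01, 0x35000000, "sha1", 128)))
```

Because canonicalization runs before hashing, the same text with LF or CRLF endings and with or without trailing spaces produces the same type 0x01 hash, while any change to the creation time changes the hash completely.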
5.2.3. Version 4 Signature Packet Format

The body of a version 4 Signature Packet contains:

   - One-octet version number (4).

   - One-octet signature type.

   - One-octet public key algorithm.

   - One-octet hash algorithm.

   - Two-octet scalar octet count for following hashed subpacket data.

   - Hashed subpacket data. (zero or more subpackets)

   - Two-octet scalar octet count for following unhashed subpacket
     data.

   - Unhashed subpacket data. (zero or more subpackets)

   - Two-octet field holding left 16 bits of signed hash value.

   - One or more multi-precision integers comprising the signature.
     This portion is algorithm specific, as described above.

The data being signed is hashed, and then the signature data from the
version number through the hashed subpacket data (inclusive) is
hashed. The resulting hash value is what is signed. The left 16 bits
of the hash are included in the signature packet to provide a quick
test to reject some invalid signatures.

There are two fields consisting of signature subpackets. The first
field is hashed with the rest of the signature data, while the second
is unhashed. The second set of subpackets is not cryptographically
protected by the signature and should include only advisory
information.

The algorithms for converting the hash function result to a signature
are described in a section below. [draft-01 reads: "are described
above."]
5.2.3.1. Signature Subpacket Specification

The subpacket fields consist of zero or more signature subpackets.
Each set of subpackets is preceded by a two-octet scalar count of the
length of the set of subpackets.

Each subpacket consists of a subpacket header and a body. The header
consists of:

[draft-01]

   - subpacket length (1 or 2 octets):
       Length includes the type octet but not this length,
       1st octet < 192, then length is octet value
       1st octet >= 192, then length is 2 octets and equal to
         (1st octet - 192) * 256 + (2nd octet) + 192

   - subpacket type (1 octet):
       If bit 7 is set, subpacket understanding is critical,
       2 = signature creation time,
       3 = signature expiration time,
       4 = exportable,
       5 = trust signature,
       6 = regular expression,
       7 = revocable,
       9 = key expiration time,
       10 = placeholder for backwards compatibility,
       11 = preferred symmetric algorithms,
       12 = revocation key,
       16 = issuer key ID,
       20 = notation data,
       21 = preferred hash algorithms,
       22 = preferred compression algorithms,
       23 = key server preferences,
       24 = preferred key server,
       25 = primary user id,
       26 = policy URL,
       27 = key flags,
       28 = Signer's user id

   - subpacket specific data

An implementation SHOULD ignore any subpacket that it does not
recognize.

Bit 7 of the subpacket type is the "critical" bit. If set, it denotes
that the subpacket is one which it is critical that the evaluator of
the signature recognize. If a subpacket is encountered which is marked
critical but is unknown to the evaluating software, the evaluator
SHOULD consider the signature to be in error.

[draft-02]

   - the subpacket length (1, 2, or 5 octets)

   - the subpacket type (1 octet)

   - the subpacket specific data

The length includes the type octet but not this length. Its format is
the same as the "new" format packet header lengths. That is:

   if the 1st octet < 192, then length is the octet value

   if the 1st octet >= 192 and < 255, then length is 2 octets and
     equal to (1st octet - 192) * 256 + (2nd octet) + 192

   if the 1st octet = 255, then the subpacket length is a four-octet
     scalar found in octets 2 through 5, as per the packet header
     length.
The value of the subpacket type octet may be:
2 = signature creation time
3 = signature expiration time
4 = exportable
5 = trust signature
6 = regular expression
7 = revocable
9 = key expiration time
10 = placeholder for backwards compatibility
11 = preferred symmetric algorithms
12 = revocation key
16 = issuer key ID
20 = notation data
21 = preferred hash algorithms
22 = preferred compression algorithms
23 = key server preferences
24 = preferred key server
25 = primary user id
26 = policy URL
27 = key flags
28 = Signer's user id
100 to 110 = internal or user-defined
An implementation SHOULD ignore any subpacket of a type that it does
not recognize.
Bit 7 of the subpacket type is the "critical" bit. If set, it
denotes that the subpacket is one that is critical for the evaluator
of the signature to recognize. If a subpacket is encountered which
is marked critical but is unknown to the evaluating software, the
evaluator SHOULD consider the signature to be in error.
An evaluator may "recognize" a subpacket, but not implement it. The An evaluator may "recognize" a subpacket, but not implement it. The
purpose of the critical bit is to allow the signer to tell an evaluator purpose of the critical bit is to allow the signer to tell an
that it would prefer a new, unknown feature to generate an error than evaluator that it would prefer a new, unknown feature to generate an
be ignored. error than be ignored.
Earlier draft text (left column):

5.2.2.2 Signature Subpacket Types

Several types of subpackets are currently defined. Some subpackets
apply to the signature itself and some are attributes of the key.
Subpackets that are found on a self-signature are placed on a user name
certification made by the key itself. Note that a key may have more
than one user name, and thus may have more than one self-signature, and
differing subpackets.

A self-signature is a binding signature made by the key the signature
refers to. There are three types of self-signatures, the certification
signatures (types 0x10-0x13), the direct-key signature (type 0x1f), and
the subkey binding signature (type 0x18). For certification
self-signatures, each username may have a self-signature, and thus
different subpackets in those self-signatures. For subkey binding
signatures, each subkey in fact has a self-signature. Subpackets that
appear in a certification self-signature apply to the username, and
subpackets that appear in the subkey self-signature apply to the
subkey. Lastly, subpackets on the direct key signature apply to the
entire key.

Implementing software should interpret a self-signature's preference
subpackets as narrowly as possible. For example, suppose a key has two
usernames, Alice and Bob. Suppose that Alice prefers the symmetric
algorithm CAST5, and Bob prefers IDEA or Triple-DES. If the software
locates this key via Alice's name, then the preferred algorithm is
CAST5; if software locates the key via Bob's name, then the preferred
algorithm is IDEA. If the key is located by key id, then the algorithm
of the default user name of the key provides the default symmetric
algorithm.

A subpacket may be found either in the hashed or unhashed subpacket
sections of a signature. If a subpacket is not hashed, then the
information in it cannot be considered definitive because it is not
part of the signature proper.

Revised draft text (right column):

Implementations SHOULD implement "preferences".

5.2.3.2. Signature Subpacket Types

A number of subpackets are currently defined. Some subpackets apply
to the signature itself and some are attributes of the key.
Subpackets that are found on a self-signature are placed on a user
id certification made by the key itself. Note that a key may have
more than one user id, and thus may have more than one
self-signature, and differing subpackets.

A self-signature is a binding signature made by the key the
signature refers to. There are three types of self-signatures, the
certification signatures (types 0x10-0x13), the direct-key signature
(type 0x1f), and the subkey binding signature (type 0x18). For
certification self-signatures, each user ID may have a
self-signature, and thus different subpackets in those
self-signatures. For subkey binding signatures, each subkey in fact
has a self-signature. Subpackets that appear in a certification
self-signature apply to the username, and subpackets that appear in
the subkey self-signature apply to the subkey. Lastly, subpackets on
the direct key signature apply to the entire key.

Implementing software should interpret a self-signature's preference
subpackets as narrowly as possible. For example, suppose a key has
two usernames, Alice and Bob. Suppose that Alice prefers the
symmetric algorithm CAST5, and Bob prefers IDEA or Triple-DES. If
the software locates this key via Alice's name, then the preferred
algorithm is CAST5; if software locates the key via Bob's name, then
the preferred algorithm is IDEA. If the key is located by key id,
then the algorithm of the default user id of the key provides the
default symmetric algorithm.

A subpacket may be found either in the hashed or unhashed subpacket
sections of a signature. If a subpacket is not hashed, then the
information in it cannot be considered definitive because it is not
part of the signature proper.
Earlier draft text (left column):

Subpacket types:

   Signature creation time (4 octet time field)
       The time the signature was made. Always included with new
       signatures.

   Issuer (8 octet key ID)
       The OP key ID of the key issuing the signature.

   Key expiration time (4 octet time field)
       The validity period of the key. This is the number of seconds
       after the key creation time that the key expires. If this is
       not present or has a value of zero, the key never expires. This
       is found only on a self-signature.

   Preferred symmetric algorithms (array of one-octet values)
       Symmetric algorithm numbers that indicate which algorithms the
       key holder prefers to use. This is an ordered list of octets
       with the most preferred listed first. It should be assumed
       that only algorithms listed are supported by the recipient's
       software. Algorithm numbers are in section 6. This is only
       found on a self-signature.

   Preferred hash algorithms (array of one-octet values)
       Message digest algorithm numbers that indicate which algorithms
       the key holder prefers to receive. Like the preferred
       symmetric algorithms, the list is ordered. Algorithm numbers
       are in section 6. This is only found on a self-signature.

   Preferred compression algorithms (array of one-octet values)
       Compression algorithm numbers that indicate which algorithms
       the key holder prefers to use. Like the preferred symmetric
       algorithms, the list is ordered. Algorithm numbers are in
       section 6. If this subpacket is not included, ZIP is
       preferred. A zero denotes that uncompressed data is preferred;
       the key holder's software may not have compression software.
       This is only found on a self-signature.

   Signature expiration time (4 octet time field)
       The validity period of the signature. This is the number of
       seconds after the signature creation time that the signature
       expires. If this is not present or has a value of zero, it
       never expires.

   Exportable (1 octet of exportability, 0 for not, 1 for exportable)
       Signature's exportability status. Packet body contains a
       boolean flag indicating whether the signature is exportable.
       Signatures which are not exportable are ignored during export
       and import operations. If this packet is not present the
       signature is assumed to be exportable.

   Revocable (1 octet of revocability, 0 for not, 1 for revocable)
       Signature's revocability status. Packet body contains a
       boolean flag indicating whether the signature is revocable.
       Signatures which are not revocable have any later revocation
       signatures ignored. They represent a commitment by the signer
       that he cannot revoke his signature for the life of his key.
       If this packet is not present, the signature is revocable.

   Trust signature (1 octet "level" (depth), 1 octet of trust amount)
       Signer asserts that the key is not only valid, but also
       trustworthy, at the specified level. Level 0 has the same
       meaning as an ordinary validity signature. Level 1 means that
       the signed key is asserted to be a valid trusted introducer,
       with the 2nd octet of the body specifying the degree of trust.
       Level 2 means that the signed key is asserted to be trusted to
       issue level 1 trust signatures, i.e. that it is a "meta
       introducer". Generally, a level n trust signature asserts that
       a key is trusted to issue level n-1 trust signatures. The
       trust amount is in a range from 0-255, interpreted such that
       values less than 120 indicate partial trust and values of 120
       or greater indicate complete trust. Implementations SHOULD
       emit values of 60 for partial trust and 120 for complete trust.

   Regular expression (null-terminated regular expression)
       Used in conjunction with trust signature packets (of level > 0)
       to limit the scope of trust which is extended. Only signatures
       by the target key on user IDs which match the regular
       expression in the body of this packet have trust extended by
       the trust packet. The regular expression uses the same syntax
       as the Henry Spencer's "almost public domain" regular
       expression package. A description of the syntax is in a
       section below.

   Revocation key (1 octet of class, 1 octet of algid, 20 octets of
   fingerprint)
       Authorizes the specified key to issue revocation signatures for
       this key. Class octet must have bit 0x80 set. If the bit 0x40
       is set, then this means that the revocation information is
       sensitive. Other bits are for future expansion to other kinds
       of signature authorizations. This is found on a self-signature.

       If the "sensitive" flag is set, the keyholder feels this
       subpacket contains private trust information that describes a
       real-world sensitive relationship. If this flag is set,
       implementations SHOULD NOT export this signature to other users
       except in cases where the data needs to be available: when the
       signature is being sent to the designated revoker, or when it
       is accompanied by a revocation signature from that revoker.
       Note that it may be appropriate to isolate this subpacket
       within a separate signature so that it is not combined with
       other subpackets which need to be exported.

   Notation Data (4 octets of flags, 2 octets of name length,
   2 octets of value length, M octets of name data,
   N octets of value data)
       This subpacket describes a "notation" on the signature that the
       issuer wishes to make. The notation has a name and a value,
       each of which are strings of octets. There may be more than
       one notation in a signature. Notations can be used for any
       extension the issuer of the signature cares to make. The
       "flags" field holds four octets of flags.

       All undefined flags MUST be zero. Defined flags are:

       First octet: 0x80 = human-readable. This note is text, a note
                           from one person to another, and has no
                           meaning to software.
       Other octets: none.

   Key server preferences (N octets of flags)
       This is a list of flags that indicate preferences that the key
       holder has about how the key is handled on a key server. All
       undefined flags MUST be zero.

       First octet: 0x80 = No-modify -- the key holder requests that
                           this key only be modified or updated by the
                           key holder or an authorized administrator of
                           the key server.

       This is found only on a self-signature.

   Preferred key server (String)
       This is a URL of a key server that the key holder prefers be
       used for updates. Note that keys with multiple user names can
       have a preferred key server for each user name. Note also that
       since this is a URL, the key server can actually be a copy of
       the key retrieved by ftp, http, finger, etc.

   Primary user id (1 octet, boolean)
       This is a flag in a user id's self signature that states
       whether this user id is the main user id for this key. It is
       reasonable for an implementation to resolve ambiguities in
       preferences, etc. by referring to the primary user id. If this
       flag is absent, its value is zero. If more than one user id in
       a key is marked as primary, the implementation may resolve the
       ambiguity in any way it sees fit.

   Policy URL (String)
       This subpacket contains a URL of a document that describes the
       policy under which the signature was issued.

   Key Flags (Octet string)
       This subpacket contains a list of binary flags that hold
       information about a key. It is a string of octets, and an
       implementation MUST NOT assume a fixed size. This is so it can
       grow over time. If a list is shorter than an implementation
       expects, the unstated flags are considered to be zero. The
       defined flags are:

       First octet:
       0x01 - This key may be used to certify other keys.
       0x02 - This key may be used to sign data.
       0x04 - This key may be used to encrypt communications.
       0x08 - This key may be used to encrypt storage.
       0x10 - The private component of this key may have been split by
              a secret-sharing mechanism.
       0x80 - The private component of this key may be in the possession
              of more than one person.

       Usage notes:

       The flags in this packet may appear in self-signatures or in
       certification signatures. They mean different things depending
       on who is making the statement -- for example, a certification
       signature that has the "sign data" flag is stating that the
       certification is for that use. On the other hand, the
       "communications encryption" flag in a self-signature is stating
       a preference that a given key be used for communications. Note
       however, that it is a thorny issue to determine what is
       "communications" and what is "storage." This decision is left
       wholly up to the implementation; the authors of this document
       do not claim any special wisdom on the issue, and realize that
       accepted opinion may change.

       The "split key" (0x10) and "group key" (0x80) flags are placed
       on a self-signature only; they are meaningless on a
       certification signature. They SHOULD be placed only on a
       direct-key signature (type 0x1f) or a subkey signature (type
       0x18), one that refers to the key the flag applies to.

   Signer's User ID
       This subpacket allows a keyholder to state which user id is
       responsible for the signing. Many keyholders use a single key
       for different purposes, such as business communications as well
       as personal communications. This subpacket allows such a
       keyholder to state which of their roles is making a signature.

Implementations SHOULD implement "preferences".

5.2.3 Signature Types

There are a number of possible meanings for a signature, which are
specified in a signature type octet in any given signature. These
meanings are:

   - 0x00: Signature of a binary document.
       Typically, this means the signer owns it, created it, or
       certifies that it has not been modified.

   - 0x01: Signature of a canonical text document.
       Typically, this means the signer owns it, created it, or
       certifies that it has not been modified. The signature will be
       calculated over the text data with its line endings converted
       to <CR><LF>.

   - 0x02: Standalone signature.
       This signature is a signature of only its own subpacket
       contents. It is calculated identically to a signature over a
       zero-length binary document. Note that it doesn't make sense to
       have a V3 standalone signature.

   - 0x10: The certification of a User ID and Public Key packet.
       The issuer of this certification does not make any particular
       assertion as to how well the certifier has checked that the
       owner of the key is in fact the person described by the user
       ID. Note that all PGP "key signatures" are this type of
       certification.

   - 0x11: This is a persona certification of a User ID and Public
     Key packet.
       The issuer of this certification has not done any verification
       of the claim that the owner of this key is the user ID
       specified.

   - 0x12: This is the casual certification of a User ID and Public
     Key packet.
       The issuer of this certification has done some casual
       verification of the claim of identity.

   - 0x13: This is the positive certification of a User ID and Public
     Key packet.
       The issuer of this certification has done substantial
       verification of the claim of identity.

       Please note that the vagueness of these certification claims is
       not a flaw, but a feature of the system. Because PGP places
       final authority for validity upon the receiver of a
       certification, it may be that one authority's casual
       certification might be more rigorous than some other
       authority's positive certification. These classifications
       allow a certification authority to issue fine-grained claims.

   - 0x18: This is used for a signature by a signature key to bind a
     subkey which will be used for encryption.
       The signature is calculated directly on the subkey itself, not
       on any User ID or other packets.

   - 0x1f: Signature directly on a key
       This signature is calculated directly on a key. It binds the
       information in the signature subpackets to the key, and is
       appropriate to be used for subpackets which provide information
       about the key, such as the revocation key subpacket. It is also
       appropriate for statements that non-self certifiers want to
       make about the key itself, rather than the binding between a
       key and a name.

   - 0x20: This signature is used to revoke a key.
       The signature is calculated directly on the key being revoked.
       A revoked key is not to be used. Only revocation signatures by
       the key being revoked, or by an authorized revocation key,
       should be considered.

   - 0x28: This is used to revoke a subkey.
       The signature is calculated directly on the subkey being
       revoked. A revoked subkey is not to be used. Only revocation
       signatures by the top-level signature key which is bound to
       this subkey, or by an authorized revocation key, should be
       considered.

   - 0x30: This signature revokes an earlier user ID certification
     signature (signature class 0x10 through 0x13).
       It should be issued by the same key which issued the revoked
       signature, and should have a later creation date than the
       signature it revokes.

   - 0x40: Timestamp signature.
       This signature is only meaningful for the timestamp contained
       in it.

Revised draft text (right column):

5.2.3.3. Signature creation time

(4 octet time field)

The time the signature was made.

MUST be present in the hashed area.

5.2.3.4. Issuer

(8 octet key ID)

The OpenPGP key ID of the key issuing the signature.

MUST be present in the hashed area.

5.2.3.5. Key expiration time

(4 octet time field)

The validity period of the key. This is the number of seconds after
the key creation time that the key expires. If this is not present
or has a value of zero, the key never expires. This is found only on
a self-signature.

5.2.3.6. Preferred symmetric algorithms

(sequence of one-octet values)

Symmetric algorithm numbers that indicate which algorithms the key
holder prefers to use. The subpacket body is an ordered list of
octets with the most preferred listed first. It is assumed that only
algorithms listed are supported by the recipient's software.
Algorithm numbers are in section 9. This is only found on a
self-signature.

5.2.3.7. Preferred hash algorithms

(array of one-octet values)

Message digest algorithm numbers that indicate which algorithms the
key holder prefers to receive. Like the preferred symmetric
algorithms, the list is ordered. Algorithm numbers are in section 6.
This is only found on a self-signature.

5.2.3.8. Preferred compression algorithms

(array of one-octet values)

Compression algorithm numbers that indicate which algorithms the key
holder prefers to use. Like the preferred symmetric algorithms, the
list is ordered. Algorithm numbers are in section 6. If this
subpacket is not included, ZIP is preferred. A zero denotes that
uncompressed data is preferred; the key holder's software may not
have compression software. This is only found on a self-signature.

5.2.3.9. Signature expiration time

(4 octet time field)

The validity period of the signature. This is the number of seconds
after the signature creation time that the signature expires. If
this is not present or has a value of zero, it never expires.

5.2.3.10. Exportable

(1 octet of exportability, 0 for not, 1 for exportable)

Signature's exportability status. Packet body contains a boolean
flag indicating whether the signature is exportable. Signatures
which are not exportable are ignored during export and import
operations. If this packet is not present the signature is assumed
to be exportable.

5.2.3.11. Revocable

(1 octet of revocability, 0 for not, 1 for revocable)

Signature's revocability status. Packet body contains a boolean
flag indicating whether the signature is revocable. Signatures
which are not revocable have any later revocation signatures
ignored. They represent a commitment by the signer that he cannot
revoke his signature for the life of his key. If this packet is not
present, the signature is revocable.

5.2.3.12. Trust signature

(1 octet "level" (depth), 1 octet of trust amount)

Signer asserts that the key is not only valid, but also trustworthy,
at the specified level. Level 0 has the same meaning as an ordinary
validity signature. Level 1 means that the signed key is asserted
to be a valid trusted introducer, with the 2nd octet of the body
specifying the degree of trust. Level 2 means that the signed key is
asserted to be trusted to issue level 1 trust signatures, i.e. that
it is a "meta introducer". Generally, a level n trust signature
asserts that a key is trusted to issue level n-1 trust signatures.
The trust amount is in a range from 0-255, interpreted such that
values less than 120 indicate partial trust and values of 120 or
greater indicate complete trust. Implementations SHOULD emit values
of 60 for partial trust and 120 for complete trust.

5.2.3.13. Regular expression

(null-terminated regular expression)

Used in conjunction with trust signature packets (of level > 0) to
limit the scope of trust which is extended. Only signatures by the
target key on user IDs which match the regular expression in the
body of this packet have trust extended by the trust packet. The
regular expression uses the same syntax as the Henry Spencer's
"almost public domain" regular expression package. A description of
the syntax is found in a section below.

5.2.3.14. Revocation key

(1 octet of class, 1 octet of algid, 20 octets of fingerprint)

Authorizes the specified key to issue revocation signatures for this
key. Class octet must have bit 0x80 set. If the bit 0x40 is set,
then this means that the revocation information is sensitive. Other
bits are for future expansion to other kinds of signature
authorizations. This is found on a self-signature.

If the "sensitive" flag is set, the keyholder feels this subpacket
contains private trust information that describes a real-world
sensitive relationship. If this flag is set, implementations SHOULD
NOT export this signature to other users except in cases where the
data needs to be available: when the signature is being sent to the
designated revoker, or when it is accompanied by a revocation
signature from that revoker. Note that it may be appropriate to
isolate this subpacket within a separate signature so that it is not
combined with other subpackets which need to be exported.

5.2.3.15. Notation Data

(4 octets of flags, 2 octets of name length (M),
 2 octets of value length (N),
 M octets of name data,
 N octets of value data)

This subpacket describes a "notation" on the signature that the
issuer wishes to make. The notation has a name and a value, each of
which are strings of octets. There may be more than one notation in
a signature. Notations can be used for any extension the issuer of
the signature cares to make. The "flags" field holds four octets of
flags.

All undefined flags MUST be zero. Defined flags are:

   First octet: 0x80 = human-readable. This note is text, a note
                       from one person to another, and has no
                       meaning to software.
   Other octets: none.

5.2.3.16. Key server preferences

(N octets of flags)

This is a list of flags that indicate preferences that the key
holder has about how the key is handled on a key server. All
undefined flags MUST be zero.

   First octet: 0x80 = No-modify
       the key holder requests that this key only be modified or
       updated by the key holder or an administrator of the key server.

This is found only on a self-signature.

5.2.3.17. Preferred key server

(String)

This is a URL of a key server that the key holder prefers be used
for updates. Note that keys with multiple user ids can have a
preferred key server for each user id. Note also that since this is
a URL, the key server can actually be a copy of the key retrieved by
ftp, http, finger, etc.

5.2.3.18. Primary user id

(1 octet, boolean)

This is a flag in a user id's self signature that states whether
this user id is the main user id for this key. It is reasonable for
an implementation to resolve ambiguities in preferences, etc. by
referring to the primary user id. If this flag is absent, its value
is zero. If more than one user id in a key is marked as primary, the
implementation may resolve the ambiguity in any way it sees fit.

5.2.3.19. Policy URL

(String)

This subpacket contains a URL of a document that describes the
policy under which the signature was issued.

5.2.3.20. Key Flags

(Octet string)

This subpacket contains a list of binary flags that hold information
about a key. It is a string of octets, and an implementation MUST
NOT assume a fixed size. This is so it can grow over time. If a list
is shorter than an implementation expects, the unstated flags are
considered to be zero. The defined flags are:

   First octet:

   0x01 - This key may be used to certify other keys.

   0x02 - This key may be used to sign data.

   0x04 - This key may be used to encrypt communications.

   0x08 - This key may be used to encrypt storage.

   0x10 - The private component of this key may have been split by
          a secret-sharing mechanism.

   0x80 - The private component of this key may be in the
          possession of more than one person.

Usage notes:

The flags in this packet may appear in self-signatures or in
certification signatures. They mean different things depending on
who is making the statement -- for example, a certification
signature that has the "sign data" flag is stating that the
certification is for that use. On the other hand, the
"communications encryption" flag in a self-signature is stating a
preference that a given key be used for communications. Note
however, that it is a thorny issue to determine what is
"communications" and what is "storage." This decision is left wholly
up to the implementation; the authors of this document do not claim
any special wisdom on the issue, and realize that accepted opinion
may change.

The "split key" (0x10) and "group key" (0x80) flags are placed on a
self-signature only; they are meaningless on a certification
signature. They SHOULD be placed only on a direct-key signature
(type 0x1f) or a subkey signature (type 0x18), one that refers to
the key the flag applies to.

5.2.3.21. Signer's User ID

This subpacket allows a keyholder to state which user id is
responsible for the signing. Many keyholders use a single key for
different purposes, such as business communications as well as
personal communications. This subpacket allows such a keyholder to
state which of their roles is making a signature.
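The subpacket header layout, the critical bit and the hashed-area rules above can be exercised with a small parser. This is an added example, not code from either draft: it follows the revised text (1-, 2- or 5-octet lengths, creation time and issuer required in the hashed area), decodes only a handful of subpacket types, and works on a constructed sample area whose key ID and algorithm numbers are stand-in values.

```python
"""Parse and check V4 signature subpacket areas as laid out in the text above."""
import struct

SIG_CREATION_TIME, ISSUER = 2, 16
TIME_TYPES = (2, 3, 9)            # creation time, signature expiration, key expiration
PREFERENCE_TYPES = (11, 21, 22)   # preferred symmetric, hash, compression algorithms
TRUST_SIGNATURE, KEY_FLAGS = 5, 27
CRITICAL_BIT = 0x80

class SubpacketError(ValueError): pass   # malformed area, unknown critical or missing subpacket

def encode_length(n):
    """Subpacket length in the 1-, 2- or 5-octet "new" packet-header form."""
    if n < 192:
        return bytes([n])
    if n <= 16319:  # (254 - 192) * 256 + 255 + 192 is the two-octet maximum
        return bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def decode_length(buf, pos):
    """Return (length, offset just after the length field) for the field at buf[pos]."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return (first - 192) * 256 + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def encode_subpacket(sp_type, body, critical=False):
    """One subpacket: length (covers the type octet and the body), type octet, body."""
    return encode_length(len(body) + 1) + bytes([sp_type | (CRITICAL_BIT if critical else 0)]) + body

def encode_area(subpackets):
    """A subpacket area: two-octet scalar count followed by the subpackets."""
    return struct.pack(">H", sum(map(len, subpackets))) + b"".join(subpackets)

def parse_area(buf, pos=0):
    """Split one area into (type, critical, body) triples; return them and the end offset."""
    (count,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    end = pos + count
    if end > len(buf):
        raise SubpacketError("area count runs past the available data")
    out = []
    while pos < end:
        length, pos = decode_length(buf, pos)
        if length < 1 or pos + length > end:
            raise SubpacketError("subpacket length runs past the end of the area")
        type_octet = buf[pos]
        out.append((type_octet & 0x7F, bool(type_octet & CRITICAL_BIT), buf[pos + 1:pos + length]))
        pos += length
    return out, end

def interpret(subpackets, hashed):
    """Decode the types handled here, enforce the critical-bit rule and the hashed-area MUSTs."""
    known = {}
    for sp_type, critical, body in subpackets:
        if sp_type in TIME_TYPES:
            known[sp_type] = struct.unpack(">I", body)[0]
        elif sp_type == ISSUER:
            known[sp_type] = body.hex()                # 8-octet key ID
        elif sp_type in PREFERENCE_TYPES:
            known[sp_type] = list(body)                # ordered, most preferred first
        elif sp_type == KEY_FLAGS:
            known[sp_type] = body[0] if body else 0    # octet string; unstated flags are zero
        elif sp_type == TRUST_SIGNATURE:
            known[sp_type] = {"level": body[0], "amount": body[1], "complete": body[1] >= 120}
        elif critical:
            raise SubpacketError("unknown critical subpacket type %d" % sp_type)
        # An unknown subpacket without the critical bit is simply ignored, as the text directs.
    if hashed:
        for required in (SIG_CREATION_TIME, ISSUER):
            if required not in known:
                raise SubpacketError("hashed area lacks required subpacket type %d" % required)
    return known

# Constructed sample hashed area (not from the draft): key ID and algorithm numbers are stand-ins.
# Type 105 (user-defined range) is unknown here and not critical, so it must be ignored; its
# 300-octet body forces the two-octet length form.
SAMPLE_HASHED = encode_area([
    encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", 893721600)),
    encode_subpacket(ISSUER, bytes.fromhex("0123456789abcdef")),
    encode_subpacket(11, bytes([3, 1, 2])),
    encode_subpacket(KEY_FLAGS, bytes([0x01 | 0x02])),
    encode_subpacket(TRUST_SIGNATURE, bytes([1, 120])),
    encode_subpacket(105, b"x" * 300),
])

def parse_sample():
    return interpret(parse_area(SAMPLE_HASHED)[0], hashed=True)

def rejects_unknown_critical():
    area = encode_area([encode_subpacket(SIG_CREATION_TIME, bytes(4)), encode_subpacket(ISSUER, bytes(8)),
                        encode_subpacket(105, b"", critical=True)])
    try:
        interpret(parse_area(area)[0], hashed=True)
    except SubpacketError:
        return True
    return False
```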
5.2.4 Computing Signatures 5.2.4. Computing Signatures
All signatures are formed by producing a hash over the signature data, All signatures are formed by producing a hash over the signature
and then using the resulting hash in the signature algorithm. data, and then using the resulting hash in the signature algorithm.
The signature data is simple to compute for document signatures (types The signature data is simple to compute for document signatures
0x00 and 0x01), for which the document itself is the data. For (types 0x00 and 0x01), for which the document itself is the data.
standalone signatures, this is a null string. For standalone signatures, this is a null string.
When a signature is made over a key, the hash data starts with the When a signature is made over a key, the hash data starts with the
octet 0x99, followed by a two-octet length of the key, and then body of octet 0x99, followed by a two-octet length of the key, and then body
the key packet. (Note that this is an old-style packet header for
a key packet with two-octet length.) A subkey signature (type 0x18)
then hashes the subkey, using the same format as the main key. Key
revocation signatures (types 0x20 and 0x28) hash only the key being
revoked.

A certification signature (type 0x10 through 0x13) hashes the user
ID being bound to the key into the hash context after the above
data. A V3 certification hashes the contents of the name packet,
without any header. A V4 certification hashes the constant 0xb4
(which is an old-style packet header for a User ID packet with the
length-of-length set to zero), a four-octet number giving the length
of the username, and then the username data.

Once the data body is hashed, then a trailer is hashed. A V3
signature hashes five octets of the packet body, starting from the
signature type field. This data is the signature type, followed by
the four-octet signature time. A V4 signature hashes the packet body
starting from its first field, the version number, through the end
of the hashed subpacket data. Thus, the fields hashed are the
signature version, the signature type, the public key algorithm, the
hash algorithm, the hashed subpacket length, and the hashed
subpacket body.

V4 signatures also hash in a final trailer of six octets: the
version of the signature packet, i.e. 0x04; 0xFF; and a four-octet,
big-endian number that is the length of the hashed data from the
signature packet (note that this number does not include these final
six octets).

After all this has been hashed, the resulting hash field is used in
the signature algorithm, and placed at the end of the signature
packet.
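The hash input described above, assembled octet by octet, as an added
example that is not text or code from the draft. The header constants
are derived from the old-style packet header layout the draft defines
earlier (bit 7 set, tag in bits 5 through 2, length-type in bits 1 and
0) rather than hard-coded; the key body, user ID and subpacket octets
are constructed placeholders, and the public-key and hash algorithm
identifier values are whatever the caller supplies from the draft's
algorithm tables.

```python
"""Build the exact octet string hashed for V3 and V4 signatures over
key material and user IDs, following the procedure in the text above.

Added example, not code from the draft.  Nothing here is a real key."""
import hashlib
import struct

TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13


def old_style_header_byte(tag: int, length_type: int) -> int:
    # Old-style header octet: 1 0 tttt ll (tag in bits 5..2, length type in bits 1..0).
    return 0x80 | (tag << 2) | length_type


def key_hash_input(key_packet_body: bytes) -> bytes:
    """Key material as hashed: old-style header for a key packet with a
    two-octet length, then the key packet body."""
    if len(key_packet_body) > 0xFFFF:
        raise ValueError("key body too long for a two-octet length")
    return (bytes([old_style_header_byte(TAG_PUBLIC_KEY, 1)])
            + struct.pack(">H", len(key_packet_body)) + key_packet_body)


def v4_user_id_hash_input(user_id: bytes) -> bytes:
    """V4 certification: constant 0xb4 (User ID tag, length-of-length 0),
    a four-octet length, then the user ID octets."""
    return (bytes([old_style_header_byte(TAG_USER_ID, 0)])
            + struct.pack(">I", len(user_id)) + user_id)


def v3_user_id_hash_input(user_id: bytes) -> bytes:
    """V3 certification: the name packet contents with no header at all."""
    return user_id


def v4_hashed_fields(sig_type: int, pk_alg: int, hash_alg: int,
                     hashed_subpackets: bytes) -> bytes:
    """Signature packet body from the version octet through the end of
    the hashed subpacket data."""
    return (bytes([4, sig_type, pk_alg, hash_alg])
            + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets)


def v4_trailer(hashed_fields: bytes) -> bytes:
    """Final six octets: 0x04, 0xFF, big-endian length of the hashed
    fields (the six trailer octets themselves are not counted)."""
    return b"\x04\xff" + struct.pack(">I", len(hashed_fields))


def v3_trailer(sig_type: int, sig_time: int) -> bytes:
    """Five octets starting at the signature type: type, four-octet time."""
    return bytes([sig_type]) + struct.pack(">I", sig_time)


def v4_certification_digest(key_body: bytes, user_id: bytes, sig_type: int,
                            pk_alg: int, hash_alg: int, hashed_subpackets: bytes,
                            hash_name: str = "sha1") -> bytes:
    """Everything a verifier feeds to the hash for a V4 certification,
    in order: key material, user ID, hashed signature fields, trailer."""
    hashed = v4_hashed_fields(sig_type, pk_alg, hash_alg, hashed_subpackets)
    h = hashlib.new(hash_name)
    h.update(key_hash_input(key_body))
    h.update(v4_user_id_hash_input(user_id))
    h.update(hashed)
    h.update(v4_trailer(hashed))
    return h.digest()
```

The length in the V4 trailer binds the hashed subpacket region, so an
attacker cannot move octets between the subpacket area and the user ID
without changing the digest; the V3 form, which hashes the bare user ID
with neither header nor length, has no such boundary.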
5.3. Symmetric-Key Encrypted Session-Key Packets (Tag 3)

The Symmetric-Key Encrypted Session Key packet holds the
symmetric-key encryption of a session key used to encrypt a message.
Zero or more Encrypted Session Key packets and/or Symmetric-Key
Encrypted Session Key packets may precede a Symmetrically Encrypted
Data Packet that holds an encrypted message. The message is
encrypted with a session key, and the session key is itself
encrypted and stored in the Encrypted Session Key packet or the
Symmetric-Key Encrypted Session Key packet.

If the Symmetrically Encrypted Data Packet is preceded by one or
more Symmetric-Key Encrypted Session Key packets, each specifies a
passphrase which may be used to decrypt the message. This allows a
message to be encrypted to a number of public keys, and also to one
or more passphrases. This packet type is new, and is not generated
by PGP 2.x or PGP 5.0.

The body of this packet consists of:

- A one-octet version number. The only currently defined version
is 4.

- A one-octet number describing the symmetric algorithm used.

- A string-to-key (S2K) specifier, length as defined above.

- Optionally, the encrypted session key itself, which is decrypted
with the string-to-key object.

If the encrypted session key is not present (which can be detected
on the basis of packet length and S2K specifier size), then the S2K
algorithm applied to the passphrase produces the session key for
decrypting the file, using the symmetric cipher algorithm from the
Symmetric-Key Encrypted Session Key packet.

If the encrypted session key is present, the result of applying the
S2K algorithm to the passphrase is used to decrypt just that
encrypted session key field, using CFB mode with an IV of all zeros.
The decryption result consists of a one-octet algorithm identifier
that specifies the symmetric-key encryption algorithm used to
encrypt the following Symmetrically Encrypted Data Packet, followed
by the session key octets themselves.

Note: because an all-zero IV is used for this decryption, the S2K
specifier MUST use a salt value, either a Salted S2K or an
Iterated-Salted S2K. The salt value will ensure that the decryption
key is not repeated even if the passphrase is reused.
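A parser for this packet body that applies the length-based detection
of the optional field and the salt requirement, as an added example
that is not code from the draft. It assumes the S2K specifier layouts
from the S2K section earlier in the draft, which this excerpt does not
reproduce: type 0 (Simple) is the type octet plus a hash algorithm
octet; type 1 (Salted) adds an eight-octet salt; type 3
(Iterated-Salted) adds an eight-octet salt and a one-octet count. The
packet bodies used in the checks are constructed, and the symmetric
algorithm identifier value is a placeholder.

```python
"""Parse a Symmetric-Key Encrypted Session Key (tag 3) body and check
the salt requirement stated in the text.

Added example, not code from the draft.  S2K layouts are assumed from
the draft's S2K section (type 0: 2 octets, type 1: 10, type 3: 11)."""
from dataclasses import dataclass
from typing import Optional

S2K_SIMPLE, S2K_SALTED, S2K_ITERATED_SALTED = 0, 1, 3
# Total specifier length by type, per the assumed layouts above.
S2K_LENGTHS = {S2K_SIMPLE: 2, S2K_SALTED: 10, S2K_ITERATED_SALTED: 11}


@dataclass
class S2K:
    kind: int
    hash_alg: int
    salt: Optional[bytes]
    count: Optional[int]


@dataclass
class SKESK:
    version: int
    sym_alg: int
    s2k: S2K
    encrypted_session_key: Optional[bytes]


def parse_s2k(body: bytes, off: int):
    """Return (S2K, offset just past it); the length is implied by the type."""
    kind = body[off]
    if kind not in S2K_LENGTHS:
        raise ValueError("unknown S2K type %d" % kind)
    end = off + S2K_LENGTHS[kind]
    if end > len(body):
        raise ValueError("truncated S2K specifier")
    hash_alg = body[off + 1]
    salt = body[off + 2:off + 10] if kind != S2K_SIMPLE else None
    count = body[off + 10] if kind == S2K_ITERATED_SALTED else None
    return S2K(kind, hash_alg, salt, count), end


def parse_skesk(body: bytes) -> SKESK:
    if len(body) < 3:
        raise ValueError("body too short")
    version, sym_alg = body[0], body[1]
    if version != 4:
        raise ValueError("unsupported SKESK version %d" % version)
    s2k, off = parse_s2k(body, 2)
    # The encrypted session key is present exactly when octets remain after the S2K.
    esk = body[off:] if off < len(body) else None
    return SKESK(version, sym_alg, s2k, esk)


def salt_requirement_met(pkt: SKESK) -> bool:
    """The session key field is decrypted with an all-zero IV, so the S2K
    MUST be salted when that field is present; with a Simple S2K every
    message protected by the same passphrase would use the same key and
    the same IV.  (Without an encrypted session key an unsalted S2K still
    yields the same session key for every message; the text's MUST is the
    rule enforced here.)"""
    if pkt.encrypted_session_key is None:
        return True
    return pkt.s2k.kind in (S2K_SALTED, S2K_ITERATED_SALTED)


def build_skesk(sym_alg: int, s2k_bytes: bytes, esk: bytes = b"") -> bytes:
    return bytes([4, sym_alg]) + s2k_bytes + esk
```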
5.4. One-Pass Signature Packets (Tag 4)

The One-Pass Signature packet precedes the signed data and contains
enough information to allow the receiver to begin calculating any
hashes needed to verify the signature. It allows the Signature
Packet to be placed at the end of the message, so that the signer
can compute the entire signed message in one pass.

A One-Pass Signature does not interoperate with PGP 2.6.x or
earlier.

The body of this packet consists of:

- A one-octet version number. The current version is 3.

- A one-octet signature type. Signature types are described in
section 5.2.3.

- A one-octet number describing the hash algorithm used.

- A one-octet number describing the public key algorithm used.

- An eight-octet number holding the key ID of the signing key.

- A one-octet number holding a flag showing whether the signature
is nested. A zero value indicates that the next packet is
another One-Pass Signature packet which describes another
signature to be applied to the same message data.
5.5. Key Material Packet

A key material packet contains all the information about a public or
private key. There are four variants of this packet type, and two
major versions. Consequently, this section is complex.

5.5.1. Key Packet Variants

5.5.1.1. Public Key Packet (Tag 6)

A Public Key packet starts a series of packets that forms an OpenPGP
key (sometimes called an OpenPGP certificate).

5.5.1.2. Public Subkey Packet (Tag 14)

A Public Subkey packet (tag 14) has exactly the same format as a
Public Key packet, but denotes a subkey. One or more subkeys may be
associated with a top-level key. By convention, the top-level key
provides signature services, and the subkeys provide encryption
services.

Note: in PGP 2.6.x, tag 14 was intended to indicate a comment
packet. This tag was selected for reuse because no previous version
of PGP ever emitted comment packets but they did properly ignore
them. Public Subkey packets are ignored by PGP 2.6.x and do not
cause it to fail, providing a limited degree of backwards
compatibility.

5.5.1.3. Secret Key Packet (Tag 5)

A Secret Key packet contains all the information that is found in a
Public Key packet, including the public key material, but also
includes the secret key material after all the public key fields.

5.5.1.4. Secret Subkey Packet (Tag 7)

A Secret Subkey packet (tag 7) is the subkey analog of the Secret
Key packet, and has exactly the same format.

5.5.2. Public Key Packet Formats

There are two versions of key-material packets. Version 3 packets
were first generated by PGP 2.6. Version 2 packets are identical in
format to Version 3 packets, but are generated by PGP 2.5 or before.
V2 packets are deprecated and they MUST NOT be generated.

PGP 5.0 introduced version 4 packets, with new fields and semantics.
PGP 2.6.x will not accept key-material packets with versions
greater than 3.

OpenPGP implementations SHOULD create keys with version 4 format. An
implementation MAY generate a V3 key to ensure interoperability with
old software; note, however, that V4 keys correct some security
deficiencies in V3 keys. These deficiencies are described below. An
implementation MUST NOT create a V3 key with a public key algorithm
other than RSA.

A version 3 public key or public subkey packet contains:

- A one-octet version number (3).

- A four-octet number denoting the time that the key was created.

- A two-octet number denoting the time in days that this key is
valid. If this number is zero, then it does not expire.

- A one-octet number denoting the public key algorithm of this key.

- A series of multi-precision integers comprising the key
material:

- a multiprecision integer (MPI) of RSA public modulus n;

- an MPI of RSA public encryption exponent e.

The fingerprint of a V3 key is formed by hashing the body (but not
the two-octet length) of the MPIs that form the key material (public
modulus n, followed by exponent e) with MD5. The eight-octet key ID
of a V3 key consists of the low 64 bits of the public modulus of the
RSA key.

V3 keys SHOULD only be used for backwards compatibility because of
three weaknesses in them. First, it is relatively easy to construct
a V3 key that has the same key ID as any other key because the key
ID is simply the low 64 bits of the public modulus. Second, the
fingerprint of a V3 key hashes the key material but not its length,
which increases the opportunity for fingerprint collisions. Third,
there are minor weaknesses in the MD5 hash algorithm that make
developers prefer other algorithms. See below for a fuller
discussion of key IDs and fingerprints.

The version 4 format is similar to the version 3 format except for
the absence of a validity period. This has been moved to the
signature packet. In addition, fingerprints of version 4 keys are
calculated differently from version 3 keys, as described in section
"Enhanced Key Formats."

A version 4 packet contains:

- A one-octet version number (4).

- A four-octet number denoting the time that the key was created.

- A one-octet number denoting the public key algorithm of this key.

- A series of multi-precision integers comprising the key
material. This algorithm-specific portion is:

Algorithm Specific Fields for RSA public keys:

- multiprecision integer (MPI) of RSA public modulus n;

- MPI of RSA public encryption exponent e.

Algorithm Specific Fields for DSA public keys:

- MPI of DSA prime p;

- MPI of DSA group order q (q is a prime divisor of p-1);

- MPI of DSA group generator g;

- MPI of DSA public key value y (= g**x where x is secret).

Algorithm Specific Fields for Elgamal public keys:

- MPI of Elgamal prime p;

- MPI of Elgamal group generator g;

- MPI of Elgamal public key value y (= g**x where x is secret).
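The V3 key ID and fingerprint computations described above, together
with the first two weaknesses the text names, demonstrated on
constructed values. This is an added example, not code from the draft;
the moduli and exponents are small integers chosen to make the
collisions visible, not real RSA keys, and MPI encoding (a two-octet
bit count followed by the big-endian magnitude) follows the MPI
definition earlier in the draft.

```python
"""V3 RSA key packet encoding, key ID, fingerprint, and the two
structural collisions the text describes.

Added example, not code from the draft.  Values are constructed."""
import hashlib
import struct


def mpi_encode(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return struct.pack(">H", n.bit_length()) + body


def mpi_decode(buf: bytes, off: int):
    """Return (value, offset just past the MPI)."""
    bits = struct.unpack(">H", buf[off:off + 2])[0]
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return int.from_bytes(buf[off + 2:end], "big"), end


def v3_public_key_body(created: int, valid_days: int, pk_alg: int, n: int, e: int) -> bytes:
    """Version 3, creation time, validity in days, algorithm, then n and e."""
    return bytes([3]) + struct.pack(">IHB", created, valid_days, pk_alg) + mpi_encode(n) + mpi_encode(e)


def parse_v3_public_key(body: bytes) -> dict:
    if not body or body[0] != 3:
        raise ValueError("not a V3 key packet")
    created, valid_days, pk_alg = struct.unpack(">IHB", body[1:8])
    n, off = mpi_decode(body, 8)
    e, off = mpi_decode(body, off)
    if off != len(body):
        raise ValueError("trailing octets after key material")
    return {"created": created, "valid_days": valid_days, "pk_alg": pk_alg, "n": n, "e": e}


def v3_key_id(n: int) -> bytes:
    """Low 64 bits of the RSA public modulus."""
    return (n & ((1 << 64) - 1)).to_bytes(8, "big")


def v3_fingerprint(n: int, e: int) -> bytes:
    """MD5 over the MPI bodies of n then e, without their two-octet lengths."""
    return hashlib.md5(mpi_encode(n)[2:] + mpi_encode(e)[2:]).digest()


def key_id_collision_demo() -> bool:
    # Any two moduli that agree in their low 64 bits share a key ID, so an
    # attacker choosing the low bits of a modulus controls the key ID.
    n1 = (1 << 64) + 1
    n2 = (2 << 64) + 1
    return n1 != n2 and v3_key_id(n1) == v3_key_id(n2)


def fingerprint_collision_demo() -> bool:
    # Because MPI lengths are not hashed, moving octets across the n/e
    # boundary yields one fingerprint for two different (n, e) pairs.
    a = (0x0102, 0x03)
    b = (0x01, 0x0203)
    return a != b and v3_fingerprint(*a) == v3_fingerprint(*b)
```

The V4 fingerprint, defined in "Enhanced Key Formats", removes both
openings by hashing the complete key packet body, lengths included,
and deriving the key ID from that fingerprint rather than from the
modulus.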
5.5.3. Secret Key Packet Formats

The Secret Key and Secret Subkey packets contain all the data of the
Public Key and Public Subkey packets, with additional
algorithm-specific secret key data appended, in encrypted form.

The packet contains:

- A Public Key or Public Subkey packet, as described above.

- One octet indicating string-to-key usage conventions. 0
indicates that the secret key data is not encrypted. 255
indicates that a string-to-key specifier is being given. Any
other value is a symmetric-key encryption algorithm specifier.

- [Optional] If string-to-key usage octet was 255, a one-octet
symmetric encryption algorithm.

- [Optional] If string-to-key usage octet was 255, a string-to-key
specifier. The length of the string-to-key specifier is implied
by its type, as described above.

- [Optional] If secret data is encrypted, eight-octet Initial
Vector (IV).

- Encrypted multi-precision integers comprising the secret key
data. These algorithm-specific fields are as described below.

- Two-octet checksum of the plaintext of the algorithm-specific
portion (sum of all octets, mod 65536).

Algorithm Specific Fields for RSA secret keys:

- multiprecision integer (MPI) of RSA secret exponent d.

- MPI of RSA secret prime value p.

- MPI of RSA secret prime value q (p < q).

- MPI of u, the multiplicative inverse of p, mod q.

Algorithm Specific Fields for DSA secret keys:

- MPI of DSA secret exponent x.

Algorithm Specific Fields for Elgamal secret keys:

- MPI of Elgamal secret exponent x.

Secret MPI values can be encrypted using a passphrase. If a
string-to-key specifier is given, that describes the algorithm for
converting the passphrase to a key, else a simple MD5 hash of the
passphrase is used. Implementations SHOULD use a string-to-key
specifier; the simple hash is for backwards compatibility. The
cipher for encrypting the MPIs is specified in the secret key
packet.

Encryption/decryption of the secret data is done in CFB mode using
the key created from the passphrase and the Initial Vector from the
packet. A different mode is used with V3 keys (which are only RSA)
than with other key formats. With V3 keys, the MPI bit count prefix
(i.e., the first two octets) is not encrypted. Only the MPI
non-prefix data is encrypted. Furthermore, the CFB state is
resynchronized at the beginning of each new MPI value, so that the
CFB block boundary is aligned with the start of the MPI data.

With V4 keys, a simpler method is used. All secret MPI values are
encrypted in CFB mode, including the MPI bitcount prefix.

The 16-bit checksum that follows the algorithm-specific portion is
the algebraic sum, mod 65536, of the plaintext of all the
algorithm-specific octets (including MPI prefix and data). With V3
keys, the checksum is stored in the clear. With V4 keys, the
checksum is encrypted like the algorithm-specific data. This value
is used to check that the passphrase was correct.
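The RSA secret-key field layout and the two-octet checksum above, with
a check that shows what the checksum does and does not guarantee. This
is an added example, not code from the draft. The RSA values are small
constructed integers (the textbook p=53, q=61, d=2753 triple, with u
computed as the inverse of p mod q so the fields are at least
internally consistent), not a real key; a real implementation would
run the CFB decryption described above before applying the checksum,
and the checksum logic is identical either way.

```python
"""Serialise the algorithm-specific RSA secret fields, compute and verify
the 16-bit checksum, and show that it is a passphrase check only.

Added example, not code from the draft.  Values are constructed."""
import struct


def mpi_encode(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return struct.pack(">H", n.bit_length()) + body


def rsa_secret_fields(d: int, p: int, q: int) -> bytes:
    """Plaintext algorithm-specific portion: MPIs of d, p, q (p < q) and
    u = p^-1 mod q, in that order."""
    if not p < q:
        raise ValueError("the draft requires p < q")
    u = pow(p, -1, q)
    return b"".join(mpi_encode(x) for x in (d, p, q, u))


def secret_checksum(plaintext: bytes) -> int:
    """Sum of every algorithm-specific octet, MPI prefixes included, mod 65536."""
    return sum(plaintext) & 0xFFFF


def append_checksum(plaintext: bytes) -> bytes:
    return plaintext + struct.pack(">H", secret_checksum(plaintext))


def passphrase_check(decrypted: bytes) -> bool:
    """After decryption the trailing two octets must equal the sum of the
    preceding octets.  A wrong passphrase produces pseudo-random plaintext
    and fails this with probability about 1 - 2^-16."""
    if len(decrypted) < 2:
        return False
    body, stored = decrypted[:-2], struct.unpack(">H", decrypted[-2:])[0]
    return secret_checksum(body) == stored


def swap_two_octets(data: bytes, i: int, j: int) -> bytes:
    b = bytearray(data)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


def checksum_is_not_integrity(plaintext: bytes) -> bool:
    """The checksum is a plain sum: permuting octets, or adding k to one
    octet and subtracting k from another, leaves it unchanged.  It tells
    you the passphrase was right, not that the key material is intact."""
    tampered = swap_two_octets(plaintext, 2, 3)  # two octets inside the body of d
    return tampered != plaintext and secret_checksum(tampered) == secret_checksum(plaintext)
```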
5.6. Compressed Data Packet (Tag 8)

The Compressed Data packet contains compressed data. Typically, this
packet is found as the contents of an encrypted packet, or following
a Signature or One-Pass Signature packet, and contains literal data
packets.

The body of this packet consists of:

- One octet that gives the algorithm used to compress the packet.

- The remainder of the packet is compressed data.

A Compressed Data Packet's body contains a block that compresses
some set of packets. See section "Packet Composition" for details on
how messages are formed.

ZIP-compressed packets are compressed with raw RFC1951 DEFLATE
blocks. Note that PGP V2.6 uses a 13-bit DEFLATE window. If an
implementation uses a larger window, its output cannot be
decompressed by PGP V2.6.
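Building and unpacking a Compressed Data body with raw DEFLATE and the
13-bit window PGP 2.6 requires, with a hard cap on the inflated size,
as an added example that is not code from the draft. The value of the
algorithm octet for ZIP (ZIP_ALG below) is assumed from the
compression algorithm table earlier in the draft, not from this
section; the inner "packets" are constructed filler.

```python
"""Compressed Data (tag 8) body: algorithm octet plus raw RFC1951 DEFLATE.

Added example, not code from the draft.  ZIP_ALG is an assumption taken
from the draft's algorithm table."""
import zlib

ZIP_ALG = 1             # assumed: identifier for ZIP (RFC1951) in the draft's table
PGP26_WINDOW_BITS = 13  # PGP 2.6 window; a larger window is unreadable by it


def compress_body(packets: bytes, window_bits: int = PGP26_WINDOW_BITS) -> bytes:
    """Raw DEFLATE (negative wbits: no zlib header or trailer) with the
    requested window, behind the one-octet algorithm identifier."""
    if not 9 <= window_bits <= 15:
        raise ValueError("DEFLATE window must be 9..15 bits")
    c = zlib.compressobj(6, zlib.DEFLATED, -window_bits)
    return bytes([ZIP_ALG]) + c.compress(packets) + c.flush()


def decompress_body(body: bytes, max_out: int) -> bytes:
    """Inflate a Compressed Data body but never produce more than max_out
    octets: a few hundred octets of DEFLATE can inflate to megabytes, and
    this packet arrives from the sender, often inside an encrypted packet
    that has not yet been authenticated."""
    if not body:
        raise ValueError("empty body")
    if body[0] != ZIP_ALG:
        raise ValueError("unsupported compression algorithm %d" % body[0])
    d = zlib.decompressobj(-15)  # raw DEFLATE; accepts any window up to 15 bits
    out = d.decompress(body[1:], max_out)
    # Either more output was pending (oversize or bomb) or the stream ended early.
    if d.unconsumed_tail or not d.eof:
        raise ValueError("compressed data exceeds %d octets or is truncated" % max_out)
    return out


def within_limit(body: bytes, max_out: int) -> bool:
    try:
        decompress_body(body, max_out)
        return True
    except ValueError:
        return False
```

Inflating with a 15-bit window reads streams produced with any smaller
window, so a receiver can accept PGP 2.6 output and larger-window
output alike; the window restriction matters only when producing data
that PGP 2.6 must read.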
5.7. Symmetrically Encrypted Data Packet (Tag 9)

The Symmetrically Encrypted Data packet contains data encrypted with
a symmetric-key algorithm. When it has been decrypted, it will
typically contain other packets (often literal data packets or
compressed data packets).

The body of this packet consists of:

- Encrypted data, the output of the selected symmetric-key cipher
operating in PGP's variant of Cipher Feedback (CFB) mode.

The symmetric cipher used may be specified in a Public-Key or
Symmetric-Key Encrypted Session Key packet which precedes the
Symmetrically Encrypted Data Packet. In that case, the cipher
algorithm octet is prefixed to the session key before it is
encrypted. If no packets of these types precede the encrypted data,
the IDEA algorithm is used with the session key calculated as the
MD5 hash of the passphrase.

The data is encrypted in CFB mode, with a CFB shift size equal to
the cipher's block size. The Initial Vector (IV) is specified as
all zeros. Instead of using an IV, OpenPGP prefixes a 10 octet
string to the data before it is encrypted. The first eight octets
are random, and the 9th and 10th octets are copies of the 7th and
8th octets, respectively. After encrypting the first 10 octets, the
CFB state is resynchronized if the cipher block size is 8 octets or
less. The last 8 octets of ciphertext are passed through the cipher
and the block boundary is reset.

The repetition of 16 bits in the 80 bits of random data prepended to
the message allows the receiver to immediately detect an incorrect
session key.
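PGP's CFB variant as described above (zero IV, ten-octet random prefix
with octets 7 and 8 repeated, resynchronisation after the prefix, and
the receiver's quick check), as an added example that is not code from
the draft. Python's standard library has no IDEA, CAST or DES, so the
block function below is a stand-in: an eight-octet keyed PRF built from
SHA-1. CFB calls the block cipher only in the forward direction, so the
mode and resync logic are exactly what a real 64-bit block cipher
would use; only the block function is a placeholder, and it must not be
used for anything real. All keys and plaintexts are constructed.

```python
"""OpenPGP CFB with the ten-octet prefix and resync, for an 8-octet block.

Added example, not code from the draft.  block_encrypt is a stand-in
PRF, not an OpenPGP cipher."""
import hashlib
import os

BLOCK = 8  # octets; the draft's resync rule applies to block sizes of 8 or less


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # STAND-IN for the block cipher's forward direction (not an OpenPGP algorithm).
    return hashlib.sha1(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, which handles a short final block.
    return bytes(x ^ y for x, y in zip(a, b))


def pgp_cfb_encrypt(key: bytes, plaintext: bytes, rand8: bytes) -> bytes:
    if len(rand8) != BLOCK:
        raise ValueError("need %d random octets" % BLOCK)
    prefix = rand8 + rand8[6:8]                    # octets 9 and 10 repeat 7 and 8
    fr = bytes(BLOCK)                              # IV is all zeros
    c1 = xor(prefix[:BLOCK], block_encrypt(key, fr))           # first 8 prefix octets
    c2 = xor(prefix[BLOCK:], block_encrypt(key, c1)[:2])       # octets 9 and 10
    out = bytearray(c1 + c2)
    fr = bytes(out[-BLOCK:])                       # resync: last 8 ciphertext octets
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_encrypt(key, fr))
        out += c
        fr = c                                     # a short final block ends the stream
    return bytes(out)


def pgp_cfb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) < BLOCK + 2:
        raise ValueError("too short for the 10-octet prefix")
    fr = bytes(BLOCK)
    p1 = xor(ciphertext[:BLOCK], block_encrypt(key, fr))
    p2 = xor(ciphertext[BLOCK:BLOCK + 2], block_encrypt(key, ciphertext[:BLOCK])[:2])
    prefix = p1 + p2
    if prefix[8:10] != prefix[6:8]:                # the 16-bit quick check
        raise ValueError("session key check failed")
    fr = ciphertext[2:BLOCK + 2]                   # resync exactly as the encryptor did
    body = ciphertext[BLOCK + 2:]
    out = bytearray()
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out += xor(c, block_encrypt(key, fr))
        fr = c
    return bytes(out)


def encrypt_with_random_prefix(key: bytes, plaintext: bytes) -> bytes:
    return pgp_cfb_encrypt(key, plaintext, os.urandom(BLOCK))


def quick_check_passes(key: bytes, ciphertext: bytes) -> bool:
    try:
        pgp_cfb_decrypt(key, ciphertext)
        return True
    except ValueError:
        return False
```

The resync step is what lets the 10-octet prefix replace an IV without
leaving the rest of the message on a 2-octet offset from the block
boundary: after it, octet 11 of the plaintext is encrypted as the first
octet of a fresh CFB block.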
5.8. Marker Packet (Obsolete Literal Packet) (Tag 10)

An experimental version of PGP used this packet as the Literal
packet, but no released version of PGP generated Literal packets
with this tag. With PGP 5.x, this packet has been re-assigned and is
reserved for use as the Marker packet.

The body of this packet consists of:

- The three octets 0x50, 0x47, 0x50 (which spell "PGP" in UTF-8).

Such a packet MUST be ignored when received. It may be placed at
the beginning of a message that uses features not available in PGP
2.6.x in order to cause that version to report that newer software
is necessary to process the message.

5.9. Literal Data Packet (Tag 11)

A Literal Data packet contains the body of a message; data that is
not to be further interpreted.

The body of this packet consists of:

- A one-octet field that describes how the data is formatted.

If it is a 'b' (0x62), then the literal packet contains binary data.
If it is a 't' (0x74), then it contains text data, and thus may need
line ends converted to local form, or other text-mode changes. RFC
1991 also defined a value of 'l' as a 'local' mode for machine-local
conversions. This use is now deprecated.

- File name as a string (one-octet length, followed by file name),
if the encrypted data should be saved as a file.

If the special name "_CONSOLE" is used, the message is considered to
be "for your eyes only". This advises that the message data is
unusually sensitive, and the receiving program should process it
more carefully, perhaps avoiding storing the received data to disk,
for example.

- A four-octet number that indicates the modification date of the
file, or the creation time of the packet, or a zero that
indicates the present time.

- The remainder of the packet is literal data.

Text data is stored with <CR><LF> text endings (i.e. network-normal
line endings). These should be converted to native line endings by
the receiving software.
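A parser and builder for the Literal Data body above, as an added
example that is not code from the draft. The file name field is
supplied by the sender and is treated as untrusted: only its final
path component is kept, and "_CONSOLE" becomes a do-not-store flag
rather than a file to write. The packet bytes used are constructed.

```python
"""Literal Data (tag 11) body: format octet, file name, timestamp, data.

Added example, not code from the draft."""
import os
import struct
from dataclasses import dataclass
from typing import Optional

FORMAT_BINARY, FORMAT_TEXT, FORMAT_LOCAL = 0x62, 0x74, 0x6C  # 'b', 't', 'l' (deprecated)


@dataclass
class LiteralData:
    fmt: int
    filename: str
    for_your_eyes_only: bool
    timestamp: int       # file mtime, packet creation time, or 0 meaning "now"
    data: bytes


def parse_literal_data(body: bytes) -> LiteralData:
    if len(body) < 2:
        raise ValueError("body too short")
    fmt = body[0]
    if fmt not in (FORMAT_BINARY, FORMAT_TEXT, FORMAT_LOCAL):
        raise ValueError("unknown literal format octet 0x%02x" % fmt)
    name_len = body[1]
    if len(body) < 2 + name_len + 4:
        raise ValueError("truncated file name or timestamp")
    raw_name = body[2:2 + name_len]
    timestamp = struct.unpack(">I", body[2 + name_len:6 + name_len])[0]
    data = body[6 + name_len:]
    name = raw_name.decode("utf-8", errors="replace")
    if fmt == FORMAT_TEXT:
        # Stored with network-normal <CR><LF>; convert to the local convention.
        data = data.replace(b"\r\n", os.linesep.encode())
    return LiteralData(fmt, name, name == "_CONSOLE", timestamp, data)


def safe_output_name(lit: LiteralData) -> Optional[str]:
    """Name to save under, or None when the data must not be written to
    disk.  Directory components chosen by the sender are discarded so a
    name such as "../../etc/passwd" cannot escape the output directory."""
    if lit.for_your_eyes_only:
        return None
    base = os.path.basename(lit.filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    return base


def build_literal_data(fmt: int, filename: str, timestamp: int, data: bytes) -> bytes:
    name = filename.encode("utf-8")
    if len(name) > 255:
        raise ValueError("file name longer than the one-octet length allows")
    if fmt == FORMAT_TEXT:
        # Normalise to <CR><LF> on the wire without doubling existing <CR>s.
        data = data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return bytes([fmt, len(name)]) + name + struct.pack(">I", timestamp) + data
```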
5.10. Trust Packet (Tag 12)

The Trust packet is used only within keyrings and is not normally
exported. Trust packets contain data that record the user's
specifications of which key holders are trustworthy introducers,
along with other information that implementing software uses for
trust information.

Trust packets SHOULD NOT be emitted to output streams that are
transferred to other users, and they SHOULD be ignored on any input
other than local keyring files.

5.11. User ID Packet (Tag 13)

A User ID packet consists of data which is intended to represent the
name and email address of the key holder. By convention, it
includes an RFC822 mail name, but there are no restrictions on its
content. The packet length in the header specifies the length of
the user ID. If it is text, it is encoded in UTF-8.
6. Radix-64 Conversions 6. Radix-64 Conversions
As stated in the introduction, OP's underlying native representation As stated in the introduction, OpenPGP's underlying native
for objects is a stream of arbitrary octets, and some systems desire representation for objects is a stream of arbitrary octets, and some
these objects to be immune to damage caused by character set systems desire these objects to be immune to damage caused by
translation, data conversions, etc. character set translation, data conversions, etc.
In principle, any printable encoding scheme that met the requirements In principle, any printable encoding scheme that met the
of the unsafe channel would suffice, since it would not change the requirements of the unsafe channel would suffice, since it would not
underlying binary bit streams of the native OP data structures. The OP change the underlying binary bit streams of the native OpenPGP data
standard specifies one such printable encoding scheme to ensure structures. The OpenPGP standard specifies one such printable
interoperability. encoding scheme to ensure interoperability.
OP's Radix-64 encoding is composed of two parts: a base64 encoding of OpenPGP's Radix-64 encoding is composed of two parts: a base64
the binary data, and a checksum. The base64 encoding is identical to encoding of the binary data, and a checksum. The base64 encoding is
the MIME base64 content-transfer-encoding [RFC 2045, Section 6.8]. An identical to the MIME base64 content-transfer-encoding [RFC 2045,
OP implementation MAY use ASCII Armor to protect the raw binary data. Section 6.8]. An OpenPGP implementation MAY use ASCII Armor to
protect the raw binary data.
The checksum is a 24-bit CRC converted to four characters of radix-64 The checksum is a 24-bit CRC converted to four characters of
encoding by the same MIME base64 transformation, preceded by an equals radix-64 encoding by the same MIME base64 transformation, preceded
sign (=). The CRC is computed by using the generator 0x864CFB and an by an equals sign (=). The CRC is computed by using the generator
initialization of 0xB704CE. The accumulation is done on the data 0x864CFB and an initialization of 0xB704CE. The accumulation is
before it is converted to radix-64, rather than on the converted data. done on the data before it is converted to radix-64, rather than on
A sample implementation of this algorithm is in the next section. the converted data. A sample implementation of this algorithm is in
the next section.
The checksum with its leading equal sign MAY appear on the first line The checksum with its leading equal sign MAY appear on the first
after the Base64 encoded data. line after the Base64 encoded data.
Rationale for CRC-24: The size of 24 bits fits evenly into printable Rationale for CRC-24: The size of 24 bits fits evenly into printable
base64. The nonzero initialization can detect more errors than a zero base64. The nonzero initialization can detect more errors than a
initialization. zero initialization.
6.1 An Implementation of the CRC-24 in "C" 6.1. An Implementation of the CRC-24 in "C"
#include <stddef.h>              /* size_t */

#define CRC24_INIT 0xb704ceL
#define CRC24_POLY 0x1864cfbL

typedef long crc24;

crc24 crc_octets(unsigned char *octets, size_t len)
{
    crc24 crc = CRC24_INIT;
    int i;
    while (len--) {
        /* each octet enters at the top of the 24-bit register */
        crc ^= (crc24)*octets++ << 16;
        for (i = 0; i < 8; i++) {
            crc <<= 1;
            if (crc & 0x1000000)
                crc ^= CRC24_POLY;
        }
    }
    return crc & 0xffffffL;
}
6.2 Forming ASCII Armor 6.2. Forming ASCII Armor
When OP encodes data into ASCII Armor, it puts specific headers around When OpenPGP encodes data into ASCII Armor, it puts specific headers
the data, so OP can reconstruct the data later. OP informs the user around the data, so OpenPGP can reconstruct the data later. OpenPGP
what kind of data is encoded in the ASCII armor through the use of the informs the user what kind of data is encoded in the ASCII armor
headers. through the use of the headers.
Concatenating the following data creates ASCII Armor: Concatenating the following data creates ASCII Armor:
- An Armor Header Line, appropriate for the type of data - An Armor Header Line, appropriate for the type of data
- Armor Headers - Armor Headers
- A blank (zero-length, or containing only whitespace) line - A blank (zero-length, or containing only whitespace) line
- The ASCII-Armored data - The ASCII-Armored data
- An Armor Checksum - An Armor Checksum
- The Armor Tail, which depends on the Armor Header Line. - The Armor Tail, which depends on the Armor Header Line.
An Armor Header Line consists of the appropriate header line text An Armor Header Line consists of the appropriate header line text
surrounded by five (5) dashes ('-', 0x2D) on either side of the header surrounded by five (5) dashes ('-', 0x2D) on either side of the
line text. The header line text is chosen based upon the type of data header line text. The header line text is chosen based upon the
that is being encoded in Armor, and how it is being encoded. Header type of data that is being encoded in Armor, and how it is being
line texts include the following strings: encoded. Header line texts include the following strings:
BEGIN PGP MESSAGE used for signed, encrypted, or
compressed files
BEGIN PGP PUBLIC KEY BLOCK used for armoring public keys BEGIN PGP MESSAGE
Used for signed, encrypted, or compressed files
BEGIN PGP PRIVATE KEY BLOCK used for armoring private keys BEGIN PGP PUBLIC KEY BLOCK
Used for armoring public keys
BEGIN PGP PRIVATE KEY BLOCK
Used for armoring private keys
BEGIN PGP MESSAGE, PART X/Y used for multi-part messages, where BEGIN PGP MESSAGE, PART X/Y
the armor is split amongst Y parts, Used for multi-part messages, where the armor is split amongst Y
and this is the Xth part out of Y. parts, and this is the Xth part out of Y.
BEGIN PGP MESSAGE, PART X used for multi-part messages, where BEGIN PGP MESSAGE, PART X
this is the Xth part of an Used for multi-part messages, where this is the Xth part of an
unspecified number of parts. unspecified number of parts. Requires the MESSAGE-ID Armor
Requires the MESSAGE-ID Armor
Header to be used. Header to be used.
BEGIN PGP SIGNATURE used for detached signatures, BEGIN PGP SIGNATURE
OP/MIME signatures, and signatures Used for detached signatures, OpenPGP/MIME signatures, and
following clearsigned messages signatures following clearsigned messages
The Armor Headers are pairs of strings that can give the user or the The Armor Headers are pairs of strings that can give the user or the
receiving OP message block some information about how to decode or use receiving OpenPGP implementation some information about how to
the message. The Armor Headers are a part of the armor, not a part of decode or use the message. The Armor Headers are a part of the
the message, and hence are not protected by any signatures applied to armor, not a part of the message, and hence are not protected by any
the message. signatures applied to the message.
The format of an Armor Header is that of a key-value pair. A colon The format of an Armor Header is that of a key-value pair. A colon
(':' 0x38) and a single space (0x20) separate the key and value. OP (':' 0x38) and a single space (0x20) separate the key and value.
should consider improperly formatted Armor Headers to be corruption of OpenPGP should consider improperly formatted Armor Headers to be
the ASCII Armor. Unknown keys should be reported to the user, but OP corruption of the ASCII Armor. Unknown keys should be reported to
should continue to process the message. the user, but OpenPGP should continue to process the message.
Currently defined Armor Header Keys are: Currently defined Armor Header Keys are:
- "Version", which states the OP Version used to encode the - "Version", which states the OpenPGP Version used to encode the
message. message.
- "Comment", a user-defined comment. - "Comment", a user-defined comment.
- "MessageID", a 32-character string of printable characters. The - "MessageID", a 32-character string of printable characters. The
string must be the same for all parts of a multi-part message that string must be the same for all parts of a multi-part message
uses the "PART X" Armor Header. MessageID strings should be unique that uses the "PART X" Armor Header. MessageID strings should
enough that the recipient of the mail can associate all the parts be unique enough that the recipient of the mail can associate
of a message with each other. A good checksum or cryptographic all the parts of a message with each other. A good checksum or
hash function is sufficient. cryptographic hash function is sufficient.
The MessageID should not appear unless it is in a multi-part The MessageID SHOULD NOT appear unless it is in a multi-part
message. If it appears at all, it MUST be computed from the message message. If it appears at all, it MUST be computed from the
in a deterministic fashion, rather than contain a purely random finished (encrypted, signed, etc.) message in a deterministic
value. This is to allow anyone to determine that the MessageID fashion, rather than contain a purely random value. This is to
allow the legitimate recipient to determine that the MessageID
cannot serve as a covert means of leaking cryptographic key cannot serve as a covert means of leaking cryptographic key
information. information.
The Armor Tail Line is composed in the same manner as the Armor Header The Armor Tail Line is composed in the same manner as the Armor
Line, except the string "BEGIN" is replaced by the string "END." Header Line, except the string "BEGIN" is replaced by the string
"END."
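The program below is an added example and not part of the draft: it applies the Armor Header rules just stated (a colon and a single space as separator, malformed headers treated as corruption, unknown keys reported but processing continued, MessageID exactly 32 printable characters). The function names, the status codes and the sample header lines are the example's own; "Hash" is accepted as a known key because section 7 uses it. The draft gives the colon as 0x38; in ASCII ':' is 0x3A, and the code matches the character itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Armor Header keys defined in section 6.2, plus "Hash" from section 7. */
static const char *const KNOWN_KEYS[] = { "Version", "Comment", "MessageID", "Hash" };

enum header_status {
    HDR_CORRUPT = -1,   /* malformed: treat the whole armor as corrupt */
    HDR_OK = 0,         /* well formed, key known */
    HDR_UNKNOWN = 1     /* well formed, key unknown: report it, keep processing */
};

/* Parse one Armor Header line into key and value. The separator must be a
 * colon followed by exactly one space; the key must be non-empty and contain
 * no white space. A trailing CR/LF on the value is dropped. */
int parse_armor_header(const char *line, char *key, size_t keysz,
                       char *val, size_t valsz)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line || colon[1] != ' ')
        return HDR_CORRUPT;
    size_t klen = (size_t)(colon - line);
    if (klen >= keysz)
        return HDR_CORRUPT;
    for (size_t i = 0; i < klen; i++)
        if (!isgraph((unsigned char)line[i]))
            return HDR_CORRUPT;
    memcpy(key, line, klen);
    key[klen] = '\0';

    const char *v = colon + 2;
    size_t vlen = strcspn(v, "\r\n");
    if (vlen >= valsz)
        return HDR_CORRUPT;
    memcpy(val, v, vlen);
    val[vlen] = '\0';

    for (size_t i = 0; i < sizeof KNOWN_KEYS / sizeof KNOWN_KEYS[0]; i++)
        if (strcmp(key, KNOWN_KEYS[i]) == 0)
            return HDR_OK;
    return HDR_UNKNOWN;
}

/* A MessageID value must be exactly 32 printable characters. */
int messageid_valid(const char *value)
{
    if (strlen(value) != 32)
        return 0;
    for (const char *p = value; *p; p++)
        if (!isgraph((unsigned char)*p))
            return 0;
    return 1;
}

/* Classify a header line without the caller supplying buffers. */
int classify_armor_header(const char *line)
{
    char key[64], val[256];
    return parse_armor_header(line, key, sizeof key, val, sizeof val);
}

int main(void)
{
    /* Constructed sample header block: two good headers, one unknown key,
     * one malformed separator. */
    const char *lines[] = {
        "Version: OpenPGP 1.0",
        "Comment: constructed example",
        "Charset: UTF-8",            /* key not defined in this draft */
        "Hash:SHA1",                 /* missing the single space */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char key[64], val[256];
        int st = parse_armor_header(lines[i], key, sizeof key, val, sizeof val);
        if (st == HDR_CORRUPT)
            printf("corrupt armor header: \"%s\"\n", lines[i]);
        else
            printf("%s header %s = \"%s\"\n",
                   st == HDR_OK ? "known" : "unknown", key, val);
    }
    return 0;
}
```

A receiver that treats a malformed header as corruption, rather than skipping it, avoids accepting an armor block whose framing has been tampered with or damaged in transit.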
6.3 Encoding Binary in Radix-64 6.3. Encoding Binary in Radix-64
The encoding process represents 24-bit groups of input bits as output The encoding process represents 24-bit groups of input bits as
strings of 4 encoded characters. Proceeding from left to right, a output strings of 4 encoded characters. Proceeding from left to
24-bit input group is formed by concatenating three 8-bit input groups. right, a 24-bit input group is formed by concatenating three 8-bit
These 24 bits are then treated as four concatenated 6-bit groups, each input groups. These 24 bits are then treated as four concatenated
of which is translated into a single digit in the Radix-64 alphabet. 6-bit groups, each of which is translated into a single digit in the
When encoding a bit stream with the Radix-64 encoding, the bit stream Radix-64 alphabet. When encoding a bit stream with the Radix-64
must be presumed to be ordered with the most-significant-bit first. encoding, the bit stream must be presumed to be ordered with the
That is, the first bit in the stream will be the high-order bit in the most-significant-bit first. That is, the first bit in the stream
first 8-bit byte, and the eighth bit will be the low-order bit in the will be the high-order bit in the first 8-bit octet, and the eighth
first 8-bit byte, and so on. bit will be the low-order bit in the first 8-bit octet, and so on.
+--first octet--+-second octet--+--third octet--+ +--first octet--+-second octet--+--third octet--+
|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0| |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
+-----------+---+-------+-------+---+-----------+ +-----------+---+-------+-------+---+-----------+
|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0| |5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|
+--1.index--+--2.index--+--3.index--+--4.index--+ +--1.index--+--2.index--+--3.index--+--4.index--+
Each 6-bit group is used as an index into an array of 64 printable Each 6-bit group is used as an index into an array of 64 printable
characters from the table below. The character referenced by the index characters from the table below. The character referenced by the
is placed in the output string. index is placed in the output string.
Value Encoding Value Encoding Value Encoding Value Encoding Value Encoding Value Encoding Value Encoding Value Encoding
0 A 17 R 34 i 51 z 0 A 17 R 34 i 51 z
1 B 18 S 35 j 52 0 1 B 18 S 35 j 52 0
2 C 19 T 36 k 53 1 2 C 19 T 36 k 53 1
3 D 20 U 37 l 54 2 3 D 20 U 37 l 54 2
4 E 21 V 38 m 55 3 4 E 21 V 38 m 55 3
5 F 22 W 39 n 56 4 5 F 22 W 39 n 56 4
6 G 23 X 40 o 57 5 6 G 23 X 40 o 57 5
7 H 24 Y 41 p 58 6 7 H 24 Y 41 p 58 6
8 I 25 Z 42 q 59 7 8 I 25 Z 42 q 59 7
9 J 26 a 43 r 60 8 9 J 26 a 43 r 60 8
10 K 27 b 44 s 61 9 10 K 27 b 44 s 61 9
11 L 28 c 45 t 62 + 11 L 28 c 45 t 62 +
12 M 29 d 46 u 63 / 12 M 29 d 46 u 63 /
13 N 30 e 47 v 13 N 30 e 47 v
14 O 31 f 48 w (pad) = 14 O 31 f 48 w (pad) =
15 P 32 g 49 x 15 P 32 g 49 x
16 Q 33 h 50 y 16 Q 33 h 50 y
The encoded output stream must be represented in lines of no more than The encoded output stream must be represented in lines of no more
76 characters each. than 76 characters each.
Special processing is performed if fewer than 24 bits are available at Special processing is performed if fewer than 24 bits are available
the end of the data being encoded. There are three possibilities: at the end of the data being encoded. There are three possibilities:
- The last data group has 24 bits (3 octets). No special processing is 1. The last data group has 24 bits (3 octets). No special
needed. processing is needed.
- The last data group has 16 bits (2 octets). The first two 6-bit 2. The last data group has 16 bits (2 octets). The first two 6-bit
groups are processed as above. The third (incomplete) data group has groups are processed as above. The third (incomplete) data group
two zero-value bits added to it, and is processed as above. A pad has two zero-value bits added to it, and is processed as above.
character (=) is added to the output. A pad character (=) is added to the output.
- The last data group has 8 bits (1 octet). The first 6-bit group is 3. The last data group has 8 bits (1 octet). The first 6-bit group
processed as above. The second (incomplete) data group has four is processed as above. The second (incomplete) data group has
zero-value bits added to it, and is processed as above. Two pad four zero-value bits added to it, and is processed as above. Two
characters (=) are added to the output. pad characters (=) are added to the output.
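The following C program is an added example, not code from the draft. It implements the CRC-24 described in section 6 (generator 0x864CFB, initialization 0xB704CE, accumulated over the raw octets), the radix-64 encoder of section 6.3 including the three end-of-data cases, and assembles the Armor Checksum line ("=" followed by four radix-64 characters of the CRC). The function names and the "123456789" test message are the example's own; the sample octet strings are those of the section 6.5 examples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generator and initialization value from section 6 of the draft. */
#define CRC24_INIT 0xb704ceUL
#define CRC24_POLY 0x1864cfbUL

/* The 64-character alphabet from the table in section 6.3. */
static const char R64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* CRC-24 over the raw octets, bit by bit. Each octet enters at the top of the
 * 24-bit register; a carry into bit 24 is cancelled by the polynomial. */
uint32_t crc24(const unsigned char *octets, size_t len)
{
    uint32_t crc = CRC24_INIT;
    while (len--) {
        crc ^= (uint32_t)*octets++ << 16;
        for (int i = 0; i < 8; i++) {
            crc <<= 1;
            if (crc & 0x1000000UL)
                crc ^= CRC24_POLY;
        }
    }
    return crc & 0xffffffUL;
}

/* Radix-64 encode `len` octets into `out` (4*ceil(len/3)+1 bytes). Whole
 * 24-bit groups give four characters; a short final group is padded with
 * zero bits and '=' as section 6.3 describes. Returns characters written. */
size_t radix64_encode(const unsigned char *in, size_t len, char *out)
{
    size_t o = 0;
    while (len >= 3) {
        uint32_t g = (uint32_t)in[0] << 16 | (uint32_t)in[1] << 8 | in[2];
        out[o++] = R64_ALPHABET[(g >> 18) & 63];
        out[o++] = R64_ALPHABET[(g >> 12) & 63];
        out[o++] = R64_ALPHABET[(g >> 6) & 63];
        out[o++] = R64_ALPHABET[g & 63];
        in += 3, len -= 3;
    }
    if (len == 2) {                     /* 16 bits left: two zero bits, one '=' */
        uint32_t g = (uint32_t)in[0] << 16 | (uint32_t)in[1] << 8;
        out[o++] = R64_ALPHABET[(g >> 18) & 63];
        out[o++] = R64_ALPHABET[(g >> 12) & 63];
        out[o++] = R64_ALPHABET[(g >> 6) & 63];
        out[o++] = '=';
    } else if (len == 1) {              /* 8 bits left: four zero bits, two '=' */
        uint32_t g = (uint32_t)in[0] << 16;
        out[o++] = R64_ALPHABET[(g >> 18) & 63];
        out[o++] = R64_ALPHABET[(g >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return o;
}

/* Armor Checksum line: CRC-24 of the raw data, big-endian into three octets,
 * radix-64 encoded to four characters and prefixed with '='. Static buffer. */
const char *armor_checksum_line(const unsigned char *data, size_t len)
{
    static char line[6];
    uint32_t c = crc24(data, len);
    unsigned char b[3] = { (unsigned char)(c >> 16), (unsigned char)(c >> 8),
                           (unsigned char)c };
    line[0] = '=';
    radix64_encode(b, 3, line + 1);     /* four characters plus NUL */
    return line;
}

/* Convenience wrapper returning a static buffer, for short demonstrations. */
const char *radix64_encode_str(const unsigned char *in, size_t len)
{
    static char buf[256];
    if (4 * ((len + 2) / 3) + 1 > sizeof buf)
        return "";
    radix64_encode(in, len, buf);
    return buf;
}

/* Inputs taken from the worked examples in section 6.5 of the draft. */
static const unsigned char SAMPLE_6OCT[] = { 0x14, 0xfb, 0x9c, 0x03, 0xd9, 0x7e };
static const unsigned char SAMPLE_5OCT[] = { 0x14, 0xfb, 0x9c, 0x03, 0xd9 };
static const unsigned char SAMPLE_4OCT[] = { 0x14, 0xfb, 0x9c, 0x03 };

int main(void)
{
    const unsigned char *msg = (const unsigned char *)"123456789";
    printf("%s\n", radix64_encode_str(SAMPLE_6OCT, sizeof SAMPLE_6OCT)); /* FPucA9l+ */
    printf("%s\n", radix64_encode_str(SAMPLE_5OCT, sizeof SAMPLE_5OCT)); /* FPucA9k= */
    printf("%s\n", radix64_encode_str(SAMPLE_4OCT, sizeof SAMPLE_4OCT)); /* FPucAw== */
    printf("crc24 = %06lx, checksum line %s\n",                          /* 21cf02, =Ic8C */
           (unsigned long)crc24(msg, 9), armor_checksum_line(msg, 9));
    return 0;
}
```

The CRC is computed over the binary data before encoding, so an implementation verifies it after decoding the radix-64 body and before parsing any packets; a mismatch is a transmission-damage signal, not an integrity guarantee, since the checksum is outside any signature.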
6.4 Decoding Radix-64 6.4. Decoding Radix-64
Any characters outside of the base64 alphabet are ignored in Radix-64 Any characters outside of the base64 alphabet are ignored in
data. Decoding software must ignore all line breaks or other Radix-64 data. Decoding software must ignore all line breaks or
characters not found in the table above. other characters not found in the table above.
In Radix-64 data, characters other than those in the table, line In Radix-64 data, characters other than those in the table, line
breaks, and other white space probably indicate a transmission error, breaks, and other white space probably indicate a transmission
about which a warning message or even a message rejection might be error, about which a warning message or even a message rejection
appropriate under some circumstances. might be appropriate under some circumstances.
Because it is used only for padding at the end of the data, the Because it is used only for padding at the end of the data, the
occurrence of any "=" characters may be taken as evidence that the end occurrence of any "=" characters may be taken as evidence that the
of the data has been reached (without truncation in transit). No such end of the data has been reached (without truncation in transit). No
assurance is possible, however, when the number of octets transmitted such assurance is possible, however, when the number of octets
was a multiple of three and no "=" characters are present. transmitted was a multiple of three and no "=" characters are
present.
6.5 Examples of Radix-64 6.5. Examples of Radix-64
Input data: 0x14fb9c03d97e Input data: 0x14fb9c03d97e
Hex: 1 4 f b 9 c | 0 3 d 9 7 e Hex: 1 4 f b 9 c | 0 3 d 9 7 e
8-bit: 00010100 11111011 10011100 | 00000011 11011001 11111110 8-bit: 00010100 11111011 10011100 | 00000011 11011001
6-bit: 000101 001111 101110 011100 | 000000 111101 100111 111110 11111110
Decimal: 5 15 46 28 0 61 37 63 6-bit: 000101 001111 101110 011100 | 000000 111101 100111
Output: F P u c A 9 l / 111110
Decimal: 5 15 46 28 0 61 37 62
Output: F P u c A 9 l +
Input data: 0x14fb9c03d9 Input data: 0x14fb9c03d9
Hex: 1 4 f b 9 c | 0 3 d 9 Hex: 1 4 f b 9 c | 0 3 d 9
8-bit: 00010100 11111011 10011100 | 00000011 11011001 8-bit: 00010100 11111011 10011100 | 00000011 11011001
pad with 00 pad with 00
6-bit: 000101 001111 101110 011100 | 000000 111101 100100 6-bit: 000101 001111 101110 011100 | 000000 111101 100100
Decimal: 5 15 46 28 0 61 36 Decimal: 5 15 46 28 0 61 36
pad with = pad with =
Output: F P u c A 9 k = Output: F P u c A 9 k =
Input data: 0x14fb9c03 Input data: 0x14fb9c03
Hex: 1 4 f b 9 c | 0 3 Hex: 1 4 f b 9 c | 0 3
8-bit: 00010100 11111011 10011100 | 00000011 8-bit: 00010100 11111011 10011100 | 00000011
pad with 0000 pad with 0000
6-bit: 000101 001111 101110 011100 | 000000 110000 6-bit: 000101 001111 101110 011100 | 000000 110000
Decimal: 5 15 46 28 0 48 Decimal: 5 15 46 28 0 48
pad with = = pad with = =
Output: F P u c A w = = Output: F P u c A w = =
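An added example, not part of the draft, of the decoding rules in section 6.4 run against the section 6.5 vectors: characters outside the alphabet are skipped, non-white-space intruders are counted so the caller can warn, the first "=" ends the data, and a partial final group without padding is reported as a possible truncation. Function names and the extra constructed inputs (a copy split across lines, one with a stray "*", one cut short) are the example's own. Note that the last octet of the first example, 0x7e, is 01111110, so its final 6-bit groups are 100101 and 111110 (37 and 62), which agrees with the Output line F P u c A 9 l +.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of a radix-64 character per the table in section 6.3, or -1. */
static int r64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode radix-64 text into `out`. Characters outside the alphabet are skipped
 * as section 6.4 requires; those that are not white space are counted in
 * *suspect so the caller can warn or reject. Decoding stops at the first '='.
 * Returns octets written, or -1 when the text cannot be a complete encoding:
 * a lone trailing character, a partial final group with no '=' (likely
 * truncation), or an output buffer that is too small. */
long radix64_decode(const char *text, unsigned char *out, size_t outsz,
                    int *suspect)
{
    unsigned long acc = 0;
    int bits = 0, saw_pad = 0;
    size_t o = 0, nchars = 0;

    *suspect = 0;
    for (const char *p = text; *p; p++) {
        if (*p == '=') {
            saw_pad = 1;
            break;
        }
        int v = r64_value((unsigned char)*p);
        if (v < 0) {
            if (!isspace((unsigned char)*p))
                (*suspect)++;
            continue;
        }
        nchars++;
        acc = (acc << 6) | (unsigned long)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outsz)
                return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    size_t rem = nchars % 4;
    if (rem == 1 || (rem != 0 && !saw_pad))
        return -1;
    /* Pad bits are defined to be zero (section 6.3); anything else is odd. */
    if ((acc & ((1UL << bits) - 1)) != 0)
        (*suspect)++;
    return (long)o;
}

/* Demo helper: decode and render as hex in a static buffer ("" on failure). */
const char *radix64_decode_hex(const char *text)
{
    static char hex[2 * 96 + 1];
    unsigned char buf[96];
    int suspect;
    long n = radix64_decode(text, buf, sizeof buf, &suspect);
    hex[0] = '\0';
    for (long i = 0; i < n; i++)
        sprintf(hex + 2 * i, "%02x", buf[i]);
    return hex;
}

/* Demo helper: count of non-alphabet, non-white-space characters seen. */
int radix64_suspect_count(const char *text)
{
    unsigned char buf[96];
    int suspect;
    radix64_decode(text, buf, sizeof buf, &suspect);
    return suspect;
}

int main(void)
{
    /* The three section 6.5 outputs, then constructed variants. */
    const char *samples[] = { "FPucA9l+", "FPucA9k=", "FPucAw==",
                              "FPuc\nA9l+\n", "FPuc*A9l+", "FPucA9l" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %-14s (suspect chars: %d)\n", samples[i],
               radix64_decode_hex(samples[i]), radix64_suspect_count(samples[i]));
    return 0;
}
```

Returning a distinct failure for a partial group without "=" gives the caller the truncation evidence section 6.4 describes, while a stray non-alphabet character is surfaced separately so it can be treated as a warning or as grounds for rejection.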
6.6 Example of an ASCII Armored Message 6.6. Example of an ASCII Armored Message
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
Version: OP V0.0 Version: OpenPGP 1.0
owFbx8DAYFTCWlySkpkHZDKEFCXmFedmFhdn5ucpZKdWFiv4hgaHKPj5hygUpSbn yCoBc07MUy9RSMyrzM9LVchOTS1QSFQoTk0uSgUKFuWX5qUoZKQWpdpzAQA=
l6UWpabo8XIBAA== =jYsF
=3m1o
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
Note that this example is indented by two spaces. Note that this example is indented by two spaces.
7. Cleartext signature framework 7. Cleartext signature framework
It is desirable to sign a textual octet stream without ASCII armoring It is desirable to sign a textual octet stream without ASCII
the stream itself, so the signed text is still readable without special armoring the stream itself, so the signed text is still readable
software. In order to bind a signature to such a cleartext, this without special software. In order to bind a signature to such a
framework is used. (Note that RFC 2015 defines another way to clear cleartext, this framework is used. (Note that RFC 2015 defines
sign messages for environments that support MIME.) another way to clear sign messages for environments that support
MIME.)
The cleartext signed message consists of: The cleartext signed message consists of:
- The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a - The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a
single line, single line,
- Zero or more "Hash" Armor Headers, - Zero or more "Hash" Armor Headers,
- Exactly one empty line not included into the message digest, - Exactly one empty line not included into the message digest,
- The dash-escaped cleartext that is included into the message digest,
- The ASCII armored signature(s) including the Armor Header and Armor - The dash-escaped cleartext that is included into the message
Tail Lines. digest,
- The ASCII armored signature(s) including the Armor Header and
Armor Tail Lines.
If the "Hash" armor header is given, the specified message digest If the "Hash" armor header is given, the specified message digest
algorithm is used for the signature. If there are no such headers, algorithm is used for the signature. If there are no such headers,
SHA-1 is used. If more than one message digest is used in the SHA-1 is used. If more than one message digest is used in the
signature, the "Hash" armor header contains a comma-delimited list of signature, the "Hash" armor header contains a comma-delimited list
used message digests. of used message digests.
Current message digest names are: Current message digest names are described below with the algorithm
IDs.
- "SHA1" 7.1. Dash-Escaped Text
- "MD5"
- "RIPEMD160"
The cleartext content of the message must also be dash-escaped. The cleartext content of the message must also be dash-escaped.
Dash escaped cleartext is the ordinary cleartext where every line Dash escaped cleartext is the ordinary cleartext where every line
starting with a dash '-' (0x2D) is prefixed by the sequence dash '-' starting with a dash '-' (0x2D) is prefixed by the sequence dash '-'
(0x2D) and space ' ' (0x20). This prevents the parser from recognizing (0x2D) and space ' ' (0x20). This prevents the parser from
armor headers of the cleartext itself. The message digest is computed recognizing armor headers of the cleartext itself. The message
using the cleartext itself, not the dash escaped form. digest is computed using the cleartext itself, not the dash escaped
form.
As with binary signatures on text documents, a cleartext signature is As with binary signatures on text documents, a cleartext signature
calculated on the text using canonical <CR><LF> line endings. The line is calculated on the text using canonical <CR><LF> line endings.
ending (i.e. the <CR><LF>) before the '-----BEGIN PGP SIGNATURE-----' The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
line that terminates the signed text is not considered part of the SIGNATURE-----' line that terminates the signed text is not
signed text. considered part of the signed text.
Also, any trailing whitespace (spaces, and tabs, 0x09) at the end of Also, any trailing whitespace (spaces, and tabs, 0x09) at the end of
any line is ignored when the cleartext signature is calculated. any line is ignored when the cleartext signature is calculated.
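As an added example (not the draft's code), the C program below performs the two text transformations section 7 requires of a cleartext signature implementation: dash-escaping and un-escaping the cleartext, and building the canonical form that is actually hashed (trailing spaces and tabs removed, <CR><LF> line endings, and the line ending before the signature armor omitted). The function names and the sample messages are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Dash-escape cleartext (section 7.1): a line beginning with '-' (0x2D) is
 * prefixed with "- " so it cannot be taken for an armor line. Returns bytes
 * written, or -1 if `out` is too small. */
long dash_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int line_start = 1;
    for (const char *p = in; *p; p++) {
        if (line_start && *p == '-') {
            if (o + 3 >= outsz)
                return -1;
            out[o++] = '-';
            out[o++] = ' ';
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = *p;
        line_start = (*p == '\n');
    }
    out[o] = '\0';
    return (long)o;
}

/* Reverse of dash_escape: a leading "- " on a line is removed. */
long dash_unescape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int line_start = 1;
    for (const char *p = in; *p; p++) {
        if (line_start && p[0] == '-' && p[1] == ' ') {
            p++;                /* skip the "- " prefix, keep the rest */
            line_start = 0;
            continue;
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = *p;
        line_start = (*p == '\n');
    }
    out[o] = '\0';
    return (long)o;
}

/* Octets that are hashed for a cleartext signature: trailing spaces and tabs
 * removed from every line, <CR><LF> between lines, and no line ending after
 * the last line (the one before the signature header is not signed). Input is
 * the un-escaped cleartext with LF or CRLF endings. */
long canonicalize_cleartext(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    const char *p = in;
    while (*p) {
        const char *eol = p;
        while (*eol && *eol != '\r' && *eol != '\n')
            eol++;
        const char *end = eol;
        while (end > p && (end[-1] == ' ' || end[-1] == '\t'))
            end--;
        size_t n = (size_t)(end - p);
        if (o + n + 3 > outsz)
            return -1;
        memcpy(out + o, p, n);
        o += n;
        if (*eol == '\r') eol++;
        if (*eol == '\n') eol++;
        p = eol;
        if (*p) {               /* CRLF between lines, none after the last */
            out[o++] = '\r';
            out[o++] = '\n';
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Demo helpers returning static buffers ("" when the buffer is too small). */
const char *dash_escape_str(const char *in)
{ static char b[512]; return dash_escape(in, b, sizeof b) < 0 ? "" : b; }
const char *dash_unescape_str(const char *in)
{ static char b[512]; return dash_unescape(in, b, sizeof b) < 0 ? "" : b; }
const char *canonical_str(const char *in)
{ static char b[512]; return canonicalize_cleartext(in, b, sizeof b) < 0 ? "" : b; }

int main(void)
{
    /* Constructed message whose first line would otherwise look like armor. */
    const char *msg = "-----BEGIN PGP SIGNED MESSAGE-----  \nplain text\t\n- already dashed\n";
    printf("escaped:\n%s\n", dash_escape_str(msg));
    printf("hashed octets: %ld bytes\n", canonicalize_cleartext(msg, (char[512]){0}, 512));
    return 0;
}
```

Hashing the canonical form rather than the escaped bytes means a verifier must un-escape before hashing; un-escaping exactly one "- " per line keeps a line that legitimately begins with "- " intact after the round trip.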
8. Regular Expressions 8. Regular Expressions
A regular expression is zero or more branches, separated by `|'. It A regular expression is zero or more branches, separated by '|'. It
matches anything that matches one of the branches. matches anything that matches one of the branches.
A branch is zero or more pieces, concatenated. It matches a match for A branch is zero or more pieces, concatenated. It matches a match
the first, followed by a match for the second, etc. for the first, followed by a match for the second, etc.
A piece is an atom possibly followed by `*', `+', or `?'. An atom A piece is an atom possibly followed by '*', '+', or '?'. An atom
followed by `*' matches a sequence of 0 or more matches of the atom. followed by '*' matches a sequence of 0 or more matches of the atom.
An atom followed by `+' matches a sequence of 1 or more matches of the An atom followed by '+' matches a sequence of 1 or more matches of
atom. An atom followed by `?' matches a match of the atom, or the the atom. An atom followed by '?' matches a match of the atom, or
null string. the null string.
An atom is a regular expression in parentheses (matching a match for An atom is a regular expression in parentheses (matching a match for
the regular expression), a range (see below), `.' (matching any single the regular expression), a range (see below), '.' (matching any
character), `^' (matching the null string at the beginning of the input single character), '^' (matching the null string at the beginning of
string), `$' (matching the null string at the end of the input string), the input string), '$' (matching the null string at the end of the
a `\' followed by a single character (matching that character), or a input string), a '\' followed by a single character (matching that
single character with no other significance (matching that character). character), or a single character with no other significance
(matching that character).
A range is a sequence of characters enclosed in `[]'. It normally A range is a sequence of characters enclosed in '[]'. It normally
matches any single character from the sequence. If the sequence begins matches any single character from the sequence. If the sequence
with `^', it matches any single character not from the rest of the begins with '^', it matches any single character not from the rest
sequence. If two characters in the sequence are separated by `-', of the sequence. If two characters in the sequence are separated by
this is shorthand for the full list of ASCII characters between them '-', this is shorthand for the full list of ASCII characters between
(e.g. `[0-9]' matches any decimal digit). To include a literal `]' in them (e.g. '[0-9]' matches any decimal digit). To include a literal
the sequence, make it the first character (following a possible `^'). ']' in the sequence, make it the first character (following a
To include a literal `-', make it the first or last character. possible '^'). To include a literal '-', make it the first or last
character.
9. Constants 9. Constants
This section describes the constants used in OP. This section describes the constants used in OpenPGP.
Note that these tables are not exhaustive lists; an implementation MAY Note that these tables are not exhaustive lists; an implementation
implement an algorithm not on these lists. MAY implement an algorithm not on these lists.
9.1 Public Key Algorithms See the section "Notes on Algorithms" below for more discussion of
the algorithms.
9.1. Public Key Algorithms
ID Algorithm
-- ---------
1 - RSA (Encrypt or Sign) 1 - RSA (Encrypt or Sign)
2 - RSA Encrypt-Only 2 - RSA Encrypt-Only
3 - RSA Sign-Only 3 - RSA Sign-Only
16 - Elgamal, see [ELGAMAL] 16 - Elgamal (Encrypt-Only), see [ELGAMAL]
17 - DSA (Digital Signature Standard) 17 - DSA (Digital Signature Standard)
18 - Elliptic Curve 18 - Elliptic Curve
19 - ECDSA 19 - ECDSA
20 - Elgamal (Encrypt or Sign)
21 - Diffie-Hellman (X9.42) 21 - Diffie-Hellman (X9.42)
100 to 110 - Private/Experimental algorithm. 100 to 110 - Private/Experimental algorithm.
Implementations MUST implement DSA for signatures, and Elgamal for Implementations MUST implement DSA for signatures, and Elgamal for
encryption. Implementations SHOULD implement RSA encryption. encryption. Implementations SHOULD implement RSA keys.
Implementations MAY implement any other algorithm. Implementations MAY implement any other algorithm.
9.2 Symmetric Key Algorithms 9.2. Symmetric Key Algorithms
0 - Plaintext ID Algorithm
-- ---------
0 - Plaintext or unencrypted data
1 - IDEA 1 - IDEA
2 - Triple-DES (DES-EDE, as per spec - 2 - Triple-DES (DES-EDE, as per spec -
168 bit key derived from 192) 168 bit key derived from 192)
3 - CAST5 (128 bit key) 3 - CAST5 (128 bit key)
4 - Blowfish (128 bit key, 16 rounds) 4 - Blowfish (128 bit key, 16 rounds)
5 - ROT-N (128 bit N) 5 - SAFER-SK128 (13 rounds)
6 - SAFER-SK128 6 - DES/SK
7 - DES/SK
100 to 110 - Private/Experimental algorithm. 100 to 110 - Private/Experimental algorithm.
Implementations MUST implement Triple-DES. Implementations SHOULD Implementations MUST implement Triple-DES. Implementations SHOULD
implement IDEA and CAST5. Implementations MAY implement any other implement IDEA and CAST5. Implementations MAY implement any other
algorithm. algorithm.
9.3 Compression Algorithms 9.3. Compression Algorithms
ID Algorithm
-- ---------
0 - Uncompressed 0 - Uncompressed
1 - ZIP 1 - ZIP
100 to 110 - Private/Experimental algorithm. 100 to 110 - Private/Experimental algorithm.
Implementations MUST implement uncompressed data. Implementations Implementations MUST implement uncompressed data. Implementations
SHOULD implement ZIP. SHOULD implement ZIP.
9.4 Hash Algorithms 9.4. Hash Algorithms
1 - MD5 ID Algorithm Text Name
2 - SHA-1 -- --------- ---- ----
3 - RIPE-MD/160 1 - MD5 "MD5"
4 - HAVAL 2 - SHA-1 "SHA1"
3 - RIPE-MD/160 "RIPEMD160"
4 - HAVAL (5 pass, 160-bit) "HAVAL-5-160"
5 - MD2 "MD2"
100 to 110 - Private/Experimental algorithm. 100 to 110 - Private/Experimental algorithm.
Implementations MUST implement SHA-1. Implementations SHOULD implement Implementations MUST implement SHA-1. Implementations SHOULD
MD5. implement MD5.
10. Packet Composition 10. Packet Composition
OP packets are assembled into sequences in order to create messages and OpenPGP packets are assembled into sequences in order to create
to transfer keys. Not all possible packet sequences are meaningful and messages
correct. This describes the rules for how packets should be placed
into sequences.
10.1 Transferable Public Keys and to transfer keys. Not all possible packet sequences are
meaningful and correct. This describes the rules for how packets
should be placed into sequences.
OP users may transfer public keys. The essential elements of a 10.1. Transferable Public Keys
OpenPGP users may transfer public keys. The essential elements of a
transferable public key are: transferable public key are:
- One Public Key packet - One Public Key packet
- Zero or more revocation signatures - Zero or more revocation signatures
- One or more User ID packets - One or more User ID packets
- After each User ID packet, zero or more Signature packets - After each User ID packet, zero or more Signature packets
- Zero or more Subkey packets - Zero or more Subkey packets
- After each Subkey packet, one or more Signature packets
- After each Subkey packet, one or more Signature packets
The Public Key packet occurs first. Each of the following User ID The Public Key packet occurs first. Each of the following User ID
packets provides the identity of the owner of this public key. If packets provides the identity of the owner of this public key. If
there are multiple User ID packets, this corresponds to multiple means there are multiple User ID packets, this corresponds to multiple
of identifying the same unique individual user; for example, a user may means of identifying the same unique individual user; for example, a
enjoy the use of more than one e-mail address, and construct a User ID user may have more than one email address, and construct a User ID
packet for each one. for each one.
Immediately following each User ID packet, there are zero or more Immediately following each User ID packet, there are zero or more
signature packets. Each signature packet is calculated on the
immediately preceding User ID packet and the initial Public Key
packet. The signature serves to certify the corresponding public key
and user ID. In effect, the signer is testifying to his or her
belief that this public key belongs to the user identified by this
user ID.

After the User ID packets there may be one or more Subkey packets.
In general, subkeys are provided in cases where the top-level public
key is a signature-only key. However, any V4 key may have subkeys,
and the subkeys may be encryption-only keys, signature-only keys, or
general-purpose keys.

Each Subkey packet must be followed by at least one Signature
packet, which should be of the subkey binding signature type, issued
by the top level key.

Subkey and Key packets may each be followed by a revocation
Signature packet to indicate that the key is revoked. Revocation
signatures are only accepted if they are issued by the key itself,
or by a key which is authorized to issue revocations via a
revocation key subpacket in a self-signature by the top level key.

Transferable public key packet sequences may be concatenated to
allow transferring multiple public keys in one operation.
10.2. OpenPGP Messages

An OpenPGP message is a packet or sequence of packets that
corresponds to the following grammatical rules (comma represents
sequential composition, and vertical bar separates alternatives):

   OpenPGP Message :- Encrypted Message | Signed Message |
                      Compressed Message | Literal Message.

   Compressed Message :- Compressed Data Packet.

   Literal Message :- Literal Data Packet.

   ESK :- Public Key Encrypted Session Key Packet |
          Symmetric-Key Encrypted Session Key Packet.

   ESK Sequence :- ESK | ESK Sequence, ESK.

   Encrypted Message :- Symmetrically Encrypted Data Packet |
                        ESK Sequence, Symmetrically Encrypted Data Packet.

   One-Pass Signed Message :- One-Pass Signature Packet,
                              OpenPGP Message, Signature Packet.

   Signed Message :- Signature Packet, OpenPGP Message |
                     One-Pass Signed Message.

In addition, decrypting a Symmetrically Encrypted Data packet and
decompressing a Compressed Data packet must yield a valid OpenPGP
Message.
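The grammar above checked by a small recursive-descent validator over packet-type names, as an added example that is not code from the draft. The abbreviations PKESK, SKESK, SED, ONEPASS, SIG, COMP and LIT are assumed names for the grammar's packet types, and the contents of a Compressed or Symmetrically Encrypted Data packet may be given as a tuple so that the rule "must yield a valid OpenPGP Message" is checked too.

```python
# Added example (not part of the draft): a checker for the OpenPGP Message
# grammar of section 10.2, applied to constructed sequences of packet names.
# Assumed abbreviations for the grammar's packet types:
#   PKESK   Public Key Encrypted Session Key Packet
#   SKESK   Symmetric-Key Encrypted Session Key Packet
#   SED     Symmetrically Encrypted Data Packet
#   ONEPASS One-Pass Signature Packet
#   SIG     Signature Packet
#   COMP    Compressed Data Packet
#   LIT     Literal Data Packet
# A COMP or SED packet may be written as ("COMP", inner) / ("SED", inner),
# where inner is the packet list obtained by decompressing or decrypting it;
# the grammar requires that inner sequence to be a valid message as well.

ESK = {"PKESK", "SKESK"}


def _name(tok):
    """Packet name for either a bare string token or a (name, inner) tuple."""
    return tok[0] if isinstance(tok, tuple) else tok


def _container_ok(tok):
    """True unless tok carries contents that fail to be a valid message."""
    if isinstance(tok, tuple):
        return is_openpgp_message(tok[1])
    return True          # opaque container: contents cannot be checked here


def _parse_message(toks, i):
    """Parse one OpenPGP Message starting at index i.

    Returns the index just past the message, or None if no message can
    be parsed at i.
    """
    if i >= len(toks):
        return None
    name = _name(toks[i])

    # Literal Message / Compressed Message: a single packet.
    if name in ("LIT", "COMP"):
        if name == "COMP" and not _container_ok(toks[i]):
            return None
        return i + 1

    # Encrypted Message :- SED | ESK Sequence, SED.
    if name in ESK or name == "SED":
        j = i
        while j < len(toks) and _name(toks[j]) in ESK:
            j += 1
        if j >= len(toks) or _name(toks[j]) != "SED":
            return None      # session-key packets must be followed by SED
        if not _container_ok(toks[j]):
            return None      # decrypted contents must be a message
        return j + 1

    # Signed Message :- SIG, OpenPGP Message.
    if name == "SIG":
        return _parse_message(toks, i + 1)

    # One-Pass Signed Message :- ONEPASS, OpenPGP Message, SIG.
    if name == "ONEPASS":
        j = _parse_message(toks, i + 1)
        if j is None or j >= len(toks) or _name(toks[j]) != "SIG":
            return None
        return j + 1

    return None              # packet type not allowed at this position


def is_openpgp_message(toks):
    """True if the whole packet sequence is exactly one OpenPGP Message."""
    end = _parse_message(list(toks), 0)
    return end is not None and end == len(toks)


if __name__ == "__main__":
    # Constructed sample sequences.
    for seq in (["PKESK", "PKESK", "SED"],
                ["ONEPASS", "ONEPASS", "LIT", "SIG", "SIG"],
                [("COMP", ["SIG", "LIT"])],
                ["PKESK"], ["LIT", "LIT"]):
        print(seq, "->", is_openpgp_message(seq))
```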
11. Enhanced Key Formats

11.1. Key Structures

The format of an OpenPGP V3 key is as follows. Entries in square
brackets are optional and ellipses indicate repetition.

   RSA Public Key
   [Revocation Self Signature]
   User ID [Signature ...]
   [User ID [Signature ...] ...]

Each signature certifies the RSA public key and the preceding user
ID. The RSA public key can have many user IDs and each user ID can
have many signatures.

The format of an OpenPGP V4 key that uses two public keys is similar
except that the other keys are added to the end as 'subkeys' of the
primary key.

   Primary-Key
   [Revocation Self Signature]
   [Direct Key Self Signature...]
   User ID [Signature ...]
   [User ID [Signature ...] ...]
   [Subkey Primary-Key-Signature ...]

A subkey always has a single signature after it that is issued using
the primary key to tie the two keys together. The new format can
use either the new signature packets or the old signature packets.

In a key that has a main key and subkeys, the primary key MUST be a
key capable of signing. The subkeys may be keys of any other type.
There may be other constructions of V4 keys, too. For example, there
may be a single-key RSA key in V4 format, a DSA primary key with an
RSA encryption key, or an RSA primary key with an Elgamal subkey.

It is also possible to have a signature-only subkey. This permits a
primary key that collects certifications (key signatures) but is
used only for certifying subkeys that are used for encryption and
signatures.
11.2. Key IDs and Fingerprints

For a V3 key, the eight-octet key ID consists of the low 64 bits of
the public modulus of the RSA key.

The fingerprint of a V3 key is formed by hashing the body (but not
the two-octet length) of the MPIs that form the key material (public
modulus n, followed by exponent e) with MD5.

A V4 fingerprint is the 160-bit SHA-1 hash of the one-octet Packet
Tag, followed by the two-octet packet length, followed by the entire
Public Key packet starting with the version field. The key ID is
the low order 64 bits of the fingerprint. Here are the fields of the
hash material, with the example of a DSA key:

   a.1) 0x99 (1 octet)
   a.2) high order length octet of (b)-(e) (1 octet)
   a.3) low order length octet of (b)-(e) (1 octet)
   b) version number = 4 (1 octet);
   c) time stamp of key creation (4 octets);
   d) algorithm (1 octet): 17 = DSA (example);
   e) Algorithm specific fields.

Algorithm Specific Fields for DSA keys (example):

   e.1) MPI of DSA prime p;
   e.2) MPI of DSA group order q (q is a prime divisor of p-1);
   e.3) MPI of DSA group generator g;
   e.4) MPI of DSA public key value y (= g**x where x is secret).
Note that it is possible for there to be collisions of key IDs --
two different keys with the same key ID. Note that there is a much
smaller, but still non-zero probability that two different keys have
the same fingerprint.
Also note that if V3 and V4 format keys share the same RSA key
material, they will have different keyids as well as different
fingerprints.
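Building the V4 hash material and computing the V3 and V4 key IDs and fingerprints described above, as an added example that is not part of the draft. It assumes the draft's MPI encoding (a two-octet bit count followed by the big-endian magnitude), the public-key algorithm IDs 1 (RSA) and 17 (DSA) from the draft's algorithm table, and constructed, deliberately tiny key values.

```python
# Added example (not from the draft): the V4 fingerprint hash material of
# section 11.2 and the V3/V4 key IDs and fingerprints, on constructed and
# deliberately tiny key values. MPIs follow the draft's MPI definition: a
# two-octet bit count followed by the magnitude in big-endian octets.
import hashlib
import struct

PK_ALGO_RSA = 1     # public-key algorithm IDs from the draft's algorithm table
PK_ALGO_DSA = 17


def encode_mpi(n):
    """Encode a non-negative integer as an OpenPGP multi-precision integer."""
    if n < 0:
        raise ValueError("MPI values are non-negative")
    bits = n.bit_length()
    body = n.to_bytes((bits + 7) // 8, "big") if bits else b""
    return struct.pack(">H", bits) + body


def v4_hash_material(created, algo, mpis):
    """Octets a.1) to e) of section 11.2: 0x99, the two-octet length of the
    rest, then the Public Key packet body from the version field onward."""
    body = b"\x04" + struct.pack(">I", created) + bytes([algo])
    body += b"".join(encode_mpi(m) for m in mpis)
    if len(body) > 0xFFFF:
        raise ValueError("key packet too long for a two-octet length")
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(created, algo, mpis):
    """160-bit SHA-1 fingerprint of a V4 key."""
    return hashlib.sha1(v4_hash_material(created, algo, mpis)).digest()


def v4_key_id(created, algo, mpis):
    """Low-order 64 bits of the V4 fingerprint."""
    return v4_fingerprint(created, algo, mpis)[-8:]


def v3_key_id(n):
    """Eight-octet key ID: the low 64 bits of the RSA public modulus n."""
    return (n & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")


def v3_fingerprint(n, e):
    """MD5 over the bodies of the MPIs n then e, without their bit counts."""
    return hashlib.md5(encode_mpi(n)[2:] + encode_mpi(e)[2:]).digest()


if __name__ == "__main__":
    created = 0x3611F2C0                       # constructed creation time
    # Constructed, undersized RSA modulus (real keys are 768 bits or more).
    n, e = 0xC2F1A9D73B5E0F178A6D21C49F3B7E05, 65537
    print("V3 key ID      :", v3_key_id(n).hex())
    print("V3 fingerprint :", v3_fingerprint(n, e).hex())
    print("V4 RSA fpr     :", v4_fingerprint(created, PK_ALGO_RSA, [n, e]).hex())
    print("V4 RSA key ID  :", v4_key_id(created, PK_ALGO_RSA, [n, e]).hex())
    # Constructed DSA-shaped values p, q, g, y in the order of e.1) to e.4).
    dsa = [0xFFFFFFFFFFFFFFC5, 0xD4F1, 2, 0x1234567890ABCDEF]
    print("V4 DSA fpr     :", v4_fingerprint(created, PK_ALGO_DSA, dsa).hex())
```

The same RSA material yields different key IDs and fingerprints in V3 and V4 form, as the note above states, because V4 hashes the whole packet rather than the bare MPI bodies.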
12. Notes on Algorithms
12.1. Symmetric Algorithm Preferences
The symmetric algorithm preference is an ordered list of algorithms
that the keyholder accepts. Since it is found on a self-signature,
it is possible that a keyholder may have different preferences. For
example, Alice may have TripleDES only specified for
"alice@work.com" but CAST5, Blowfish, and TripleDES specified for
"alice@home.org". Note that it is also possible for preferences to
be in a subkey's binding signature.
Since TripleDES is the MUST-implement algorithm, if it is not
explicitly in the list, it is tacitly at the end. However, it is
good form to place it there explicitly. Note also that if an
implementation does not implement the preference, then it is
implicitly a TripleDES-only implementation.
An implementation MUST not use a symmetric algorithm that is not in
the recipient's preference list. When encrypting to more than one
recipient, the implementation finds a suitable algorithm by taking
the intersection of the preferences of the recipients. Note that the
MUST-implement algorithm, TripleDES, ensures that the intersection
is not null. The implementation may use any mechanism to pick an
algorithm in the intersection.
If an implementation can decrypt a message that a keyholder doesn't
have in their preferences, the implementation SHOULD decrypt the
message anyway, but MUST warn the keyholder that the protocol has been
violated. (For example, suppose that Alice, above, has software that
implements all algorithms in this specification. Nonetheless, she
prefers subsets for work or home. If she is sent a message encrypted
with IDEA, which is not in her preferences, the software warns her
that someone sent her an IDEA-encrypted message, but it would
ideally decrypt it anyway.)
An implementation that is striving for backwards compatibility MAY
consider a V3 key with a V3 self-signature to be an implicit
preference for IDEA, and no ability to do TripleDES. This is
technically non-compliant, so if an implementation is forming a
message to be read by a V3 keyholder and a V4 keyholder that does
not speak IDEA, the implementation must somehow break this up into
two messages (which is relatively easy to do for email), or issue an
error message when this is not possible.
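An added example (not code from the draft) of the preference handling in 12.1: TripleDES is appended tacitly, the sender picks from the intersection of the recipients' lists, and an incoming message outside the keyholder's preferences is decrypted with a warning. Taking the first recipient's ordering as the tie-breaker is this example's own assumption, since the draft leaves the choice mechanism open.

```python
# Added example (not from the draft): symmetric algorithm selection and
# the "decrypt but warn" rule of section 12.1. Algorithm names are plain
# strings here; a real implementation carries the draft's numeric IDs.

TRIPLE_DES = "TripleDES"   # the MUST-implement symmetric algorithm


def effective_preferences(prefs):
    """The keyholder's list with TripleDES tacitly appended when absent."""
    prefs = list(prefs)
    if TRIPLE_DES not in prefs:
        prefs.append(TRIPLE_DES)
    return prefs


def choose_symmetric_algorithm(recipient_prefs):
    """Choose an algorithm that is in every recipient's preference list.

    The draft allows any mechanism to pick from the intersection; this
    example (an assumption, not a rule of the draft) walks the first
    recipient's list in order. Because every effective list contains
    TripleDES, the intersection is never empty.
    """
    lists = [effective_preferences(p) for p in recipient_prefs]
    if not lists:
        raise ValueError("at least one recipient is required")
    common = set(lists[0]).intersection(*map(set, lists[1:]))
    for alg in lists[0]:
        if alg in common:
            return alg
    raise AssertionError("unreachable: TripleDES is always in common")


def on_incoming_algorithm(alg, own_prefs, implemented):
    """Decide how to treat a message encrypted with alg.

    Returns (decrypt, warning). Per 12.1 the message SHOULD be decrypted
    when the implementation can, but the keyholder MUST be warned that the
    protocol was violated when alg is not in their preferences.
    """
    if alg not in implemented:
        return False, "cannot decrypt: %s is not implemented" % alg
    if alg not in effective_preferences(own_prefs):
        return True, "protocol violation: %s is not in your preferences" % alg
    return True, None


if __name__ == "__main__":
    # Constructed preferences for the keyholders in the draft's example.
    alice_work = ["TripleDES"]
    alice_home = ["CAST5", "Blowfish", "TripleDES"]
    bob = ["CAST5", "IDEA"]                     # TripleDES tacit at the end
    print(choose_symmetric_algorithm([alice_home, bob]))    # CAST5
    print(choose_symmetric_algorithm([alice_work, bob]))    # TripleDES
    print(on_incoming_algorithm("IDEA", alice_home,
                                {"IDEA", "CAST5", "Blowfish", "TripleDES"}))
```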
12.2. Other Algorithm Preferences
Other algorithm preferences work similarly to the symmetric
algorithm preference, in that they specify which algorithms the
keyholder accepts. There are two interesting cases that other
comments need to be made about, though, the compression preferences
and the hash preferences.
12.2.1. Compression Preferences
Compression has been an integral part of PGP since its first days.
OpenPGP and all previous versions of PGP have offered compression.
And in this specification, the default is for messages to be
compressed, although an implementation is not required to do so.
Consequently, the compression preference gives a way for a keyholder
to request that messages not be compressed, presumably because they
are using a minimal implementation that does not include
compression.
12.2.2. Hash Algorithm Preferences
Typically, the choice of a hash algorithm is something the signer
does, rather than the verifier, because a signer does not typically
know who is going to be verifying the signature. This preference,
though, makes negotiation easier for a protocol based upon digital
signatures.
Thus, if Alice is authenticating herself to Bob with a signature, it
makes sense for her to use a hash algorithm that Bob's software
uses. This preference allows Bob to state in his key which
algorithms Alice may use.
12.3. Plaintext
Algorithm 0, "plaintext," may only be used to denote secret keys
that are stored in the clear. Implementations must not use plaintext
in Symmetrically Encrypted Data Packets; they must use Literal Data
Packets to encode unencrypted or literal data.
12.4. RSA
There are algorithm types for RSA-signature-only, and
RSA-encrypt-only keys. These types are deprecated. The "key flags"
subpacket in a signature is a much better way to express the same
idea, and generalizes it to all algorithms. An implementation SHOULD
NOT create such a key, but MAY interpret it.
An implementation SHOULD NOT implement RSA keys of size less than
768 bits.
It is permissible for an implementation to support RSA merely for
backwards compatibility; for example, such an implementation would
support V3 keys with IDEA symmetric cryptography. Note that this is
an exception to the other MUST-implement rules. An implementation
that supports RSA in V4 keys MUST implement the MUST-implement
features.
12.5. Elgamal
If an Elgamal key is to be used for both signing and encryption,
extra care must be taken in creating the key.
An ElGamal key consists of a generator g, a prime modulus p, a
secret exponent x, and a public value y = g^x mod p.
The generator and prime must be chosen so that solving the discrete
log problem is intractable. The generator g should generate the
multiplicative group mod p-1 or a large subgroup of it, and the
order of g should have at least one large prime factor. A good
choice is to use a "strong" Sophie-Germain prime in choosing p, so
that both p and (p-1)/2 are primes.
In addition, a result of Bleichenbacher [BLEICHENBACHER] shows that
if the generator g has only small prime factors, and if g divides
the order of the group it generates, then signatures can be forged.
In particular, choosing g=2 is a bad choice if the group order may
be even. On the other hand, a generator of 2 is a fine choice for an
encryption-only key, as this will make the encryption faster.
While verifying Elgamal signatures, note that it is important to
test that r and s are less than p. If this test is not done then
signatures can be trivially forged by using large r values of
approximately twice the length of p. This attack is also discussed
in the Bleichenbacher paper.
Details on safe use of Elgamal signatures may be found in [MENEZES],
which discusses all the weaknesses described above.
If an implementation allows Elgamal signatures, then it MUST use the
algorithm identifier 20.
An implementation SHOULD NOT implement Elgamal keys of size less
than 768 bits. For long-term security, Elgamal keys should be 1024
bits or longer.
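An added example (not from the draft) of Elgamal signature verification that performs the range checks 12.5 requires before any arithmetic, together with the strong-prime test for p. The parameters are constructed toy values, and the per-signature secret k is passed in only to make the example reproducible.

```python
# Added example (not from the draft): Elgamal signature verification with
# the range checks of section 12.5 done before any arithmetic, plus the
# "strong prime" test suggested for choosing p. All parameters are
# constructed toy values, far too small for real use. Requires Python 3.8+
# for pow(k, -1, n).
import hashlib


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_strong_prime(p):
    """True if both p and (p-1)/2 are prime, the choice 12.5 recommends."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def hash_message(message, p):
    """Reduce a message to an exponent in [0, p-2]; SHA-1 is a constructed
    choice here (in practice the hash preferences decide the algorithm)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % (p - 1)


def elgamal_sign(p, g, x, m, k):
    """Sign the reduced message m with secret x and per-signature secret k.

    k MUST be random and coprime to p-1 in a real implementation; it is a
    parameter here only to keep the example reproducible.
    """
    r = pow(g, k, p)
    s = ((m - x * r) * pow(k, -1, p - 1)) % (p - 1)
    if s == 0:
        raise ValueError("degenerate signature; choose another k")
    return r, s


def elgamal_verify(p, g, y, m, sig):
    """Verify (r, s) on reduced message m against public value y.

    Section 12.5: reject r and s that are not less than p before doing
    any arithmetic. The bound used for s is the standard 0 < s < p-1,
    which is also below p. Only then is y^r * r^s == g^m (mod p) tested.
    """
    r, s = sig
    if not 0 < r < p:
        return False
    if not 0 < s < p - 1:
        return False
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, m, p)


if __name__ == "__main__":
    p, g, x = 467, 2, 127                  # constructed toy parameters
    y = pow(g, x, p)
    print("p is a strong prime:", is_strong_prime(p))
    m = hash_message(b"constructed message", p)
    try:
        sig = elgamal_sign(p, g, x, m, k=3)
        print("valid signature accepted:", elgamal_verify(p, g, y, m, sig))
        r, s = sig
        print("r >= p rejected:", not elgamal_verify(p, g, y, m, (r + p, s)))
    except ValueError as exc:
        print(exc)
```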
12.6. DSA
An implementation SHOULD NOT implement DSA keys of size less than
768 bits. Note that DSA as presently specified is limited to a maximum
of 1024-bit keys, which are recommended for long-term use.
12.7. OpenPGP CFB mode
OpenPGP does symmetric encryption using a variant of Cipher Feedback
Mode (CFB mode). This section describes the procedure it uses in
detail.
OpenPGP CFB mode uses an initialization vector (IV) of all zeros,
and prefixes the plaintext with ten bytes of random data, such that
bytes 9 and 10 match bytes 7 and 8. It does a CFB "resync" after
encrypting those ten bytes.
Note that for an algorithm that has a larger block size than 64
bits, the equivalent function will be done with that entire block.
Step by step, here is the procedure:
1. The feedback register (FR) is set to the IV, which is all zeros.
2. FR is encrypted to produce FRE (FR Encrypted). This is the
encryption of an all-zero value.
3. FRE is xored with the first 8 bytes of random data prefixed to
the plaintext to produce C1-C8, the first 8 bytes of ciphertext.
4. FR is loaded with C1-C8.
5. FR is encrypted to produce FRE, the encryption of the first 8
bytes of ciphertext.
6. The left two bytes of FRE get xored with the next two bytes of
data which were prepended to the plaintext. This produces
C9-C10, the next two bytes of ciphertext.
7. (The resync step) FR is loaded with C3-C10.
8. FR is encrypted to produce FRE.
9. FRE is xored with the first 8 bytes of the given plaintext, now
that we have finished encrypting the 10 bytes of prepended data.
This produces C11-C18, the next 8 bytes of ciphertext.
10. FR is loaded with C11-C18.
11. FR is encrypted to produce FRE.
12. FRE is xored with the next 8 bytes of plaintext, to produce the
next 8 bytes of ciphertext. These are loaded into FR and the
process is repeated until the plaintext is used up.
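The twelve steps above carried out in code, as an added example that is not from the draft. It assumes a constructed keyed PRF standing in for the block cipher (CFB only ever runs the cipher forward, so no decryption primitive is needed) and generalises the block size beyond 64 bits as the note on larger blocks allows.

```python
# Added example (not from the draft): the OpenPGP CFB procedure of section
# 12.7, written for a generic block size so the same code covers the
# 64-bit case the steps describe and larger blocks (the draft says the
# equivalent is done with the entire block). The block cipher is a
# constructed stand-in: a keyed PRF built from SHA-256. CFB mode only ever
# runs the cipher in its forward direction, so this is enough to show the
# mode; a real implementation uses TripleDES, CAST5, etc.
import hashlib
import os


def make_block_encrypt(key, block_size=8):
    """Return E_k(block) -> block_size bytes (constructed PRF, not a cipher)."""
    def encrypt_block(block):
        assert len(block) == block_size
        return hashlib.sha256(key + block).digest()[:block_size]
    return encrypt_block


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def openpgp_cfb_encrypt(encrypt_block, plaintext, block_size=8, prefix=None):
    """Steps 1-12 of section 12.7. Returns the ciphertext, including the
    encrypted (block_size + 2)-byte random prefix."""
    bs = block_size
    if prefix is None:
        prefix = os.urandom(bs)          # fresh randomness replaces the zero IV
    if len(prefix) != bs:
        raise ValueError("prefix must be one block of random data")
    prefix = prefix + prefix[-2:]        # bytes bs+1, bs+2 repeat bytes bs-1, bs
    fr = bytes(bs)                       # 1. FR = IV = all zeros
    fre = encrypt_block(fr)              # 2. FRE = E(0)
    out = bytearray(_xor(fre, prefix[:bs]))   # 3. C1..Cbs
    fr = bytes(out[:bs])                 # 4. FR = C1..Cbs
    fre = encrypt_block(fr)              # 5. FRE = E(C1..Cbs)
    out += _xor(fre[:2], prefix[bs:])    # 6. C(bs+1), C(bs+2)
    fr = bytes(out[2:bs + 2])            # 7. resync: FR = C3..C(bs+2)
    for i in range(0, len(plaintext), bs):
        chunk = plaintext[i:i + bs]
        fre = encrypt_block(fr)          # 8./11. FRE = E(FR)
        cblk = _xor(fre[:len(chunk)], chunk)   # 9./12. xor with plaintext
        out += cblk
        fr = cblk                        # 10. FR = previous ciphertext block
    return bytes(out)


def openpgp_cfb_decrypt(encrypt_block, ciphertext, block_size=8):
    """Inverse of openpgp_cfb_encrypt. Raises ValueError when the repeated
    prefix bytes do not match (wrong key or damaged ciphertext)."""
    bs = block_size
    if len(ciphertext) < bs + 2:
        raise ValueError("ciphertext shorter than the encrypted prefix")
    fre = encrypt_block(bytes(bs))
    prefix = _xor(fre, ciphertext[:bs])
    fre = encrypt_block(ciphertext[:bs])
    prefix += _xor(fre[:2], ciphertext[bs:bs + 2])
    if prefix[bs:] != prefix[bs - 2:bs]:
        raise ValueError("prefix check failed: wrong key or damaged data")
    fr = ciphertext[2:bs + 2]            # resync, as in step 7
    out = bytearray()
    for i in range(bs + 2, len(ciphertext), bs):
        chunk = ciphertext[i:i + bs]
        fre = encrypt_block(fr)
        out += _xor(fre[:len(chunk)], chunk)
        fr = chunk
    return bytes(out)


if __name__ == "__main__":
    E = make_block_encrypt(b"constructed demo key")
    ct = openpgp_cfb_encrypt(E, b"The quick brown fox jumps over the lazy dog")
    print(len(ct), openpgp_cfb_decrypt(E, ct))
```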
13. Security Considerations

As with any technology involving cryptography, you should check the
current literature to determine if any algorithms used here have
been found to be vulnerable to attack.

This specification uses Public Key Cryptography technologies.
Possession of the private key portion of a public-private key pair
is assumed to be controlled by the proper party or parties.

Certain operations in this specification involve the use of random
numbers. An appropriate entropy source should be used to generate
these numbers. See RFC 1750.

The MD5 hash algorithm has been found to have weaknesses
(pseudo-collisions in the compress function) that make some people
deprecate its use. They consider the SHA-1 algorithm better.

The DSA algorithm will work with any 160-bit hash, but it is
sensitive to the quality of the hash algorithm; if the hash
algorithm is broken, it can leak the secret key. The Digital
Signature Standard (DSS) specifies that DSA be used with SHA-1.
RIPEMD-160 is considered by many cryptographers to be as strong. An
implementation should take care which hash algorithms are used with
DSA, as a weak hash can not only allow a signature to be forged, but
could leak the secret key.

If you are building an authentication system, the recipient may
specify a preferred signing algorithm. However, the signer would be
foolish to use a weak algorithm simply because the recipient
requests it.

Some of the encryption algorithms mentioned in this document have
been analyzed less than others. For example, although CAST5 is
presently considered strong, it has been analyzed less than
Triple-DES. Other algorithms may have other controversies
surrounding them.

Some technologies mentioned here may be subject to government
control in some countries.

14. Authors and Working Group Chair
The working group can be contacted via the current chair:

   John W. Noerenberg, II
   Qualcomm, Inc
   6455 Lusk Blvd
   San Diego, CA 92131 USA
   Email: jwn2@qualcomm.com
   Tel: +1 619-658-3510

The principal authors of this draft are:

   Jon Callas
   Network Associates, Inc.
   4200 Bohannon Drive
   Menlo Park, CA 94025, USA
   Email: jon@pgp.com
   Tel: +1-650-473-2860

   Lutz Donnerhacke
   IKS GmbH

   [...]

   Email: hal@pgp.com

   Rodney Thayer
   Sable Technology Corporation
   246 Walnut Street
   Newton, MA 02160 USA
   Email: rodney@sabletech.com
   Tel: +1-617-332-7292

This draft also draws on much previous work from a number of other
authors who include: Derek Atkins, Charles Breed, Dave Del Torto,
Marc Dyksterhouse, Gail Haspert, Gene Hoffman, Paul Hoffman, Raph
Levine, Colin Plumb, Will Price, William Stallings, Mark Weaver, and
Philip R. Zimmermann.
15. References

[BLEICHENBACHER] Bleichenbacher, Daniel, "Generating ElGamal
   signatures without knowing the secret key," Eurocrypt 96. Note that
   the version in the proceedings has an error. A revised version is
   available at the time of writing from
   <ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/ElGamal.ps>

[DONNERHACKE] Donnerhacke, L., et al., "PGP263in - an improved
   international version of PGP",
   ftp://ftp.iks-jena.de/mitarb/lutz/crypt/software/pgp/

[ELGAMAL] T. ElGamal, "A Public-Key Cryptosystem and a Signature
   Scheme Based on Discrete Logarithms," IEEE Transactions on
   Information Theory, v. IT-31, n. 4, 1985, pp. 469-472.

[ISO-10646] ISO/IEC 10646-1:1993. International Standard --
   Information technology -- Universal Multiple-Octet Coded Character
   Set (UCS) -- Part 1: Architecture and Basic Multilingual Plane.
   UTF-8 is described in Annex R, adopted but not yet published.
   UTF-16 is described in Annex Q, adopted but not yet published.

[MENEZES] Alfred Menezes, Paul van Oorschot, and Scott Vanstone,
   "Handbook of Applied Cryptography," CRC Press, 1996.

[PKCS1] RSA Laboratories, "PKCS #1: RSA Encryption Standard,"
   version 1.5, November 1993.

[RFC822] D. Crocker, "Standard for the format of ARPA Internet text
   messages", RFC 822, August 1982.

[RFC1423] D. Balenson, "Privacy Enhancement for Internet Electronic
   Mail: Part III: Algorithms, Modes, and Identifiers", RFC 1423,
   October 1993.

[RFC1641] Goldsmith, D., and M. Davis, "Using Unicode with MIME",
   RFC 1641, Taligent inc., July 1994.

[RFC1750] Eastlake, Crocker, and Schiller, "Randomness
   Recommendations for Security", RFC 1750, December 1994.

[RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification
   version 1.3", RFC 1951, May 1996.

[RFC1983] G. Malkin, "Internet Users' Glossary", RFC 1983, August
   1996.

[RFC1991] Atkins, D., Stallings, W., and P. Zimmermann, "PGP Message
   Exchange Formats", RFC 1991, August 1996.

[RFC2015] Elkins, M., "MIME Security with Pretty Good Privacy
   (PGP)", RFC 2015, October 1996.

[RFC2044] F. Yergeau, "UTF-8, a transformation format of Unicode and
   ISO 10646", RFC 2044, October 1996.

[RFC2045] Borenstein, N., and Freed, N., "Multipurpose Internet Mail
   Extensions (MIME) Part One: Format of Internet Message Bodies",
   RFC 2045, November 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Level", RFC 2119, March 1997.
16. Full Copyright Statement

Copyright 1998 by The Internet Society. All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.