1 Network Working Group Jon Callas 2 Category: INTERNET-DRAFT PGP Corporation 3 draft-ietf-openpgp-rfc2440bis-13.txt 4 Expires November 2005 Lutz Donnerhacke 5 May 2005 6 7 Obsoletes: 1991, 2440 Hal Finney 8 Network Associates 9 10 Rodney Thayer 11 12 OpenPGP Message Format 13 draft-ietf-openpgp-rfc2440bis-13.txt 14 15 16 Copyright (C) The Internet Society (2005). 17 18 Status of this Memo 19 20 This document is an Internet-Draft and is in full conformance with 21 all provisions of Section 10 of RFC 2026. 22 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as 26 Internet-Drafts. 27 28 Internet-Drafts are draft documents valid for a maximum of six 29 months and may be updated, replaced, or obsoleted by other documents 30 at any time. It is inappropriate to use Internet-Drafts as 31 reference material or to cite them other than as "work in progress." 32 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt 35 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 38 39 IPR Claim Notice 40 41 By submitting this Internet-Draft, each author represents that any 42 applicable patent or other IPR claims of which he or she is aware 43 have been or will be disclosed, and any of which he or she becomes 44 aware will be disclosed, in accordance with Section 6 of BCP 79. 45 46 IESG Note 47 48 This document defines many tag values, yet it doesn't describe a 49 mechanism for adding new tags (for new features). Traditionally the 50 Internet Assigned Numbers Authority (IANA) handles the allocation of 51 new values for future expansion and RFCs usually define the 52 procedure to be used by the IANA. However there are subtle (and not 53 so subtle) interactions that may occur in this protocol between new 54 features and existing features which result in a significant 55 56 Callas, et al. Expires Nov 23, 2005 [Page 1] 57 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 59 60 reduction in over all security. Therefore this document does not 61 define an extension procedure. Instead requests to define new tag 62 values (say for new encryption algorithms for example) should be 63 forwarded to the IESG Security Area Directors for consideration or 64 forwarding to the appropriate IETF Working Group for consideration. 65 66 Abstract 67 68 This document is maintained in order to publish all necessary 69 information needed to develop interoperable applications based on 70 the OpenPGP format. It is not a step-by-step cookbook for writing an 71 application. It describes only the format and methods needed to 72 read, check, generate, and write conforming packets crossing any 73 network. It does not deal with storage and implementation questions. 74 It does, however, discuss implementation issues necessary to avoid 75 security flaws. 76 77 OpenPGP software uses a combination of strong public-key and 78 symmetric cryptography to provide security services for electronic 79 communications and data storage. These services include 80 confidentiality, key management, authentication, and digital 81 signatures. This document specifies the message formats used in 82 OpenPGP. 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 Callas, et al. Expires Nov 23, 2005 [Page 2] 114 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 116 117 Table of Contents 118 119 Status of this Memo 1 120 IPR Claim Notice 1 121 IESG Note 1 122 Abstract 2 123 Table of Contents 3 124 1. Introduction 6 125 1.1. Terms 6 126 2. General functions 6 127 2.1. Confidentiality via Encryption 7 128 2.2. Authentication via Digital signature 7 129 2.3. Compression 8 130 2.4. Conversion to Radix-64 8 131 2.5. Signature-Only Applications 8 132 3. Data Element Formats 9 133 3.1. Scalar numbers 9 134 3.2. Multiprecision Integers 9 135 3.3. Key IDs 9 136 3.4. Text 10 137 3.5. Time fields 10 138 3.6. Keyrings 10 139 3.7. String-to-key (S2K) specifiers 10 140 3.7.1. String-to-key (S2K) specifier types 10 141 3.7.1.1. Simple S2K 10 142 3.7.1.2. Salted S2K 11 143 3.7.1.3. Iterated and Salted S2K 11 144 3.7.2. String-to-key usage 12 145 3.7.2.1. Secret key encryption 12 146 3.7.2.2. Symmetric-key message encryption 13 147 4. Packet Syntax 13 148 4.1. Overview 13 149 4.2. Packet Headers 13 150 4.2.1. Old-Format Packet Lengths 14 151 4.2.2. New-Format Packet Lengths 14 152 4.2.2.1. One-Octet Lengths 15 153 4.2.2.2. Two-Octet Lengths 15 154 4.2.2.3. Five-Octet Lengths 15 155 4.2.2.4. Partial Body Lengths 15 156 4.2.3. Packet Length Examples 16 157 4.3. Packet Tags 16 158 5. Packet Types 17 159 5.1. Public-Key Encrypted Session Key Packets (Tag 1) 17 160 5.2. Signature Packet (Tag 2) 18 161 5.2.1. Signature Types 18 162 5.2.2. Version 3 Signature Packet Format 20 163 5.2.3. Version 4 Signature Packet Format 23 164 5.2.3.1. Signature Subpacket Specification 23 165 5.2.3.2. Signature Subpacket Types 25 166 5.2.3.3. Notes on Self-Signatures 25 167 5.2.3.4. Signature creation time 26 168 5.2.3.5. Issuer 26 169 170 Callas, et al. Expires Nov 23, 2005 [Page 3] 171 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 173 174 5.2.3.6. Key expiration time 27 175 5.2.3.7. Preferred symmetric algorithms 27 176 5.2.3.8. Preferred hash algorithms 27 177 5.2.3.9. Preferred compression algorithms 27 178 5.2.3.10.Signature expiration time 27 179 5.2.3.11.Exportable Certification 28 180 5.2.3.12.Revocable 28 181 5.2.3.13.Trust signature 28 182 5.2.3.14.Regular expression 29 183 5.2.3.15.Revocation key 29 184 5.2.3.16.Notation Data 29 185 5.2.3.17.Key server preferences 30 186 5.2.3.18.Preferred key server 30 187 5.2.3.19.Primary User ID 31 188 5.2.3.20.Policy URI 31 189 5.2.3.21.Key Flags 31 190 5.2.3.22.Signer's User ID 32 191 5.2.3.23.Reason for Revocation 32 192 5.2.3.24.Features 33 193 5.2.3.25.Signature Target 34 194 5.2.3.26.Embedded Signature 34 195 5.2.4. Computing Signatures 34 196 5.2.4.1. Subpacket Hints 35 197 5.3. Symmetric-Key Encrypted Session Key Packets (Tag 3) 36 198 5.4. One-Pass Signature Packets (Tag 4) 37 199 5.5. Key Material Packet 37 200 5.5.1. Key Packet Variants 37 201 5.5.1.1. Public Key Packet (Tag 6) 37 202 5.5.1.2. Public Subkey Packet (Tag 14) 38 203 5.5.1.3. Secret Key Packet (Tag 5) 38 204 5.5.1.4. Secret Subkey Packet (Tag 7) 38 205 5.5.2. Public Key Packet Formats 38 206 5.5.3. Secret Key Packet Formats 40 207 5.6. Compressed Data Packet (Tag 8) 41 208 5.7. Symmetrically Encrypted Data Packet (Tag 9) 42 209 5.8. Marker Packet (Obsolete Literal Packet) (Tag 10) 43 210 5.9. Literal Data Packet (Tag 11) 43 211 5.10. Trust Packet (Tag 12) 44 212 5.11. User ID Packet (Tag 13) 44 213 5.12. User Attribute Packet (Tag 17) 44 214 5.12.1. The Image Attribute Subpacket 45 215 5.13. Sym. Encrypted Integrity Protected Data Packet (Tag 18) 46 216 5.14. Modification Detection Code Packet (Tag 19) 47 217 6. Radix-64 Conversions 48 218 6.1. An Implementation of the CRC-24 in "C" 49 219 6.2. Forming ASCII Armor 49 220 6.3. Encoding Binary in Radix-64 51 221 6.4. Decoding Radix-64 52 222 6.5. Examples of Radix-64 53 223 6.6. Example of an ASCII Armored Message 53 224 7. Cleartext signature framework 54 225 7.1. Dash-Escaped Text 54 226 227 Callas, et al. Expires Nov 23, 2005 [Page 4] 228 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 230 231 8. Regular Expressions 55 232 9. Constants 55 233 9.1. Public Key Algorithms 56 234 9.2. Symmetric Key Algorithms 56 235 9.3. Compression Algorithms 57 236 9.4. Hash Algorithms 57 237 10. Packet Composition 57 238 10.1. Transferable Public Keys 57 239 10.2. OpenPGP Messages 59 240 10.3. Detached Signatures 59 241 11. Enhanced Key Formats 60 242 11.1. Key Structures 60 243 11.2. Key IDs and Fingerprints 60 244 12. Notes on Algorithms 61 245 12.1. Symmetric Algorithm Preferences 61 246 12.2. Other Algorithm Preferences 62 247 12.2.1. Compression Preferences 62 248 12.2.2. Hash Algorithm Preferences 63 249 12.3. Plaintext 63 250 12.4. RSA 63 251 12.5. DSA 63 252 12.6. Elgamal 64 253 12.7. Reserved Algorithm Numbers 64 254 12.8. OpenPGP CFB mode 64 255 13. Security Considerations 65 256 14. Implementation Nits 68 257 15. Authors and Working Group Chair 69 258 16. References (Normative) 70 259 17. References (Non-Normative) 71 260 18. Full Copyright Statement 72 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 Callas, et al. Expires Nov 23, 2005 [Page 5] 285 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 287 288 1. Introduction 289 290 This document provides information on the message-exchange packet 291 formats used by OpenPGP to provide encryption, decryption, signing, 292 and key management functions. It is a revision of RFC 2440, "OpenPGP 293 Message Format", which itself replaces RFC 1991, "PGP Message 294 Exchange Formats." 295 296 1.1. Terms 297 298 * OpenPGP - This is a definition for security software that uses 299 PGP 5.x as a basis, formalized in RFC 2440 and this document. 300 301 * PGP - Pretty Good Privacy. PGP is a family of software systems 302 developed by Philip R. Zimmermann from which OpenPGP is based. 303 304 * PGP 2.6.x - This version of PGP has many variants, hence the 305 term PGP 2.6.x. It used only RSA, MD5, and IDEA for its 306 cryptographic transforms. An informational RFC, RFC 1991, was 307 written describing this version of PGP. 308 309 * PGP 5.x - This version of PGP is formerly known as "PGP 3" in 310 the community and also in the predecessor of this document, RFC 311 1991. It has new formats and corrects a number of problems in 312 the PGP 2.6.x design. It is referred to here as PGP 5.x because 313 that software was the first release of the "PGP 3" code base. 314 315 * GPG - GNU Privacy Guard, also called GnuPG. GPG is an OpenPGP 316 implementation that avoids all encumbered algorithms. 317 Consequently, early versions of GPG did not include RSA public 318 keys. GPG may or may not have (depending on version) support for 319 IDEA or other encumbered algorithms. 320 321 "PGP", "Pretty Good", and "Pretty Good Privacy" are trademarks of 322 PGP Corporation and are used with permission. 323 324 This document uses the terms "MUST", "SHOULD", and "MAY" as defined 325 in RFC 2119, along with the negated forms of those terms. 326 327 2. General functions 328 329 OpenPGP provides data integrity services for messages and data files 330 by using these core technologies: 331 332 - digital signatures 333 334 - encryption 335 336 - compression 337 338 339 340 341 Callas, et al. Expires Nov 23, 2005 [Page 6] 342 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 344 345 - radix-64 conversion 346 347 In addition, OpenPGP provides key management and certificate 348 services, but many of these are beyond the scope of this document. 349 350 2.1. Confidentiality via Encryption 351 352 OpenPGP combines symmetric-key encryption and public key encryption 353 to provide confidentiality. When made confidential, first the object 354 is encrypted using a symmetric encryption algorithm. Each symmetric 355 key is used only once, for a single object. A new "session key" is 356 generated as a random number for each object (sometimes referred to 357 as a session). Since it is used only once, the session key is bound 358 to the message and transmitted with it. To protect the key, it is 359 encrypted with the receiver's public key. The sequence is as 360 follows: 361 362 1. The sender creates a message. 363 364 2. The sending OpenPGP generates a random number to be used as a 365 session key for this message only. 366 367 3. The session key is encrypted using each recipient's public key. 368 These "encrypted session keys" start the message. 369 370 4. The sending OpenPGP encrypts the message using the session key, 371 which forms the remainder of the message. Note that the message 372 is also usually compressed. 373 374 5. The receiving OpenPGP decrypts the session key using the 375 recipient's private key. 376 377 6. The receiving OpenPGP decrypts the message using the session 378 key. If the message was compressed, it will be decompressed. 379 380 With symmetric-key encryption, an object may be encrypted with a 381 symmetric key derived from a passphrase (or other shared secret), or 382 a two-stage mechanism similar to the public-key method described 383 above in which a session key is itself encrypted with a symmetric 384 algorithm keyed from a shared secret. 385 386 Both digital signature and confidentiality services may be applied 387 to the same message. First, a signature is generated for the message 388 and attached to the message. Then, the message plus signature is 389 encrypted using a symmetric session key. Finally, the session key is 390 encrypted using public-key encryption and prefixed to the encrypted 391 block. 392 393 2.2. Authentication via Digital signature 394 395 The digital signature uses a hash code or message digest algorithm, 396 and a public-key signature algorithm. The sequence is as follows: 397 398 Callas, et al. Expires Nov 23, 2005 [Page 7] 399 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 401 402 1. The sender creates a message. 403 404 2. The sending software generates a hash code of the message. 405 406 3. The sending software generates a signature from the hash code 407 using the sender's private key. 408 409 4. The binary signature is attached to the message. 410 411 5. The receiving software keeps a copy of the message signature. 412 413 6. The receiving software generates a new hash code for the 414 received message and verifies it using the message's signature. 415 If the verification is successful, the message is accepted as 416 authentic. 417 418 2.3. Compression 419 420 OpenPGP implementations SHOULD compress the message after applying 421 the signature but before encryption. 422 423 If an implementation does not implement compression, its authors 424 should be aware that most OpenPGP messages in the world are 425 compressed. Thus, it may even be wise for a space-constrained 426 implementation to implement decompression, but not compression. 427 428 Furthermore, compression has the added side-effect that some types 429 of attacks can be thwarted by the fact that slightly altered, 430 compressed data rarely uncompresses without severe errors. This is 431 hardly rigorous, but it is operationally useful. These attacks can 432 be rigorously prevented by implementing and using Modification 433 Detection Codes as described in sections following. 434 435 2.4. Conversion to Radix-64 436 437 OpenPGP's underlying native representation for encrypted messages, 438 signature certificates, and keys is a stream of arbitrary octets. 439 Some systems only permit the use of blocks consisting of seven-bit, 440 printable text. For transporting OpenPGP's native raw binary octets 441 through channels that are not safe to raw binary data, a printable 442 encoding of these binary octets is needed. OpenPGP provides the 443 service of converting the raw 8-bit binary octet stream to a stream 444 of printable ASCII characters, called Radix-64 encoding or ASCII 445 Armor. 446 447 Implementations SHOULD provide Radix-64 conversions. 448 449 2.5. Signature-Only Applications 450 451 OpenPGP is designed for applications that use both encryption and 452 signatures, but there are a number of problems that are solved by a 453 signature-only implementation. Although this specification requires 454 455 Callas, et al. Expires Nov 23, 2005 [Page 8] 456 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 458 459 both encryption and signatures, it is reasonable for there to be 460 subset implementations that are non-conformant only in that they 461 omit encryption. 462 463 3. Data Element Formats 464 465 This section describes the data elements used by OpenPGP. 466 467 3.1. Scalar numbers 468 469 Scalar numbers are unsigned, and are always stored in big-endian 470 format. Using n[k] to refer to the kth octet being interpreted, the 471 value of a two-octet scalar is ((n[0] << 8) + n[1]). The value of a 472 four-octet scalar is ((n[0] << 24) + (n[1] << 16) + (n[2] << 8) + 473 n[3]). 474 475 3.2. Multiprecision Integers 476 477 Multiprecision Integers (also called MPIs) are unsigned integers 478 used to hold large integers such as the ones used in cryptographic 479 calculations. 480 481 An MPI consists of two pieces: a two-octet scalar that is the length 482 of the MPI in bits followed by a string of octets that contain the 483 actual integer. 484 485 These octets form a big-endian number; a big-endian number can be 486 made into an MPI by prefixing it with the appropriate length. 487 488 Examples: 489 490 (all numbers are in hexadecimal) 491 492 The string of octets [00 01 01] forms an MPI with the value 1. The 493 string [00 09 01 FF] forms an MPI with the value of 511. 494 495 Additional rules: 496 497 The size of an MPI is ((MPI.length + 7) / 8) + 2 octets. 498 499 The length field of an MPI describes the length starting from its 500 most significant non-zero bit. Thus, the MPI [00 02 01] is not 501 formed correctly. It should be [00 01 01]. 502 503 Unused bits of an MPI MUST be zero. 504 505 Also note that when an MPI is encrypted, the length refers to the 506 plaintext MPI. It may be ill-formed in its ciphertext. 507 508 3.3. Key IDs 509 510 A Key ID is an eight-octet scalar that identifies a key. 511 512 Callas, et al. Expires Nov 23, 2005 [Page 9] 513 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 515 516 Implementations SHOULD NOT assume that Key IDs are unique. The 517 section, "Enhanced Key Formats" below describes how Key IDs are 518 formed. 519 520 3.4. Text 521 522 Unless otherwise specified, the character set for text is the UTF-8 523 [RFC2279] encoding of Unicode [ISO10646]. 524 525 3.5. Time fields 526 527 A time field is an unsigned four-octet number containing the number 528 of seconds elapsed since midnight, 1 January 1970 UTC. 529 530 3.6. Keyrings 531 532 A keyring is a collection of one or more keys in a file or database. 533 Traditionally, a keyring is simply a sequential list of keys, but 534 may be any suitable database. It is beyond the scope of this 535 standard to discuss the details of keyrings or other databases. 536 537 3.7. String-to-key (S2K) specifiers 538 539 String-to-key (S2K) specifiers are used to convert passphrase 540 strings into symmetric-key encryption/decryption keys. They are 541 used in two places, currently: to encrypt the secret part of private 542 keys in the private keyring, and to convert passphrases to 543 encryption keys for symmetrically encrypted messages. 544 545 3.7.1. String-to-key (S2K) specifier types 546 547 There are three types of S2K specifiers currently supported, and 548 some reserved values: 549 550 ID S2K Type 551 -- --- ---- 552 0 Simple S2K 553 1 Salted S2K 554 2 Illegal value 555 3 Iterated and Salted S2K 556 100 to 110 Private/Experimental S2K 557 558 These are described as follows: 559 560 3.7.1.1. Simple S2K 561 562 This directly hashes the string to produce the key data. See below 563 for how this hashing is done. 564 565 Octet 0: 0x00 566 Octet 1: hash algorithm 567 568 569 Callas, et al. Expires Nov 23, 2005 [Page 10] 570 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 572 573 Simple S2K hashes the passphrase to produce the session key. The 574 manner in which this is done depends on the size of the session key 575 (which will depend on the cipher used) and the size of the hash 576 algorithm's output. If the hash size is greater than the session key 577 size, the high-order (leftmost) octets of the hash are used as the 578 key. 579 580 If the hash size is less than the key size, multiple instances of 581 the hash context are created -- enough to produce the required key 582 data. These instances are preloaded with 0, 1, 2, ... octets of 583 zeros (that is to say, the first instance has no preloading, the 584 second gets preloaded with 1 octet of zero, the third is preloaded 585 with two octets of zeros, and so forth). 586 587 As the data is hashed, it is given independently to each hash 588 context. Since the contexts have been initialized differently, they 589 will each produce different hash output. Once the passphrase is 590 hashed, the output data from the multiple hashes is concatenated, 591 first hash leftmost, to produce the key data, with any excess octets 592 on the right discarded. 593 594 3.7.1.2. Salted S2K 595 596 This includes a "salt" value in the S2K specifier -- some arbitrary 597 data -- that gets hashed along with the passphrase string, to help 598 prevent dictionary attacks. 599 600 Octet 0: 0x01 601 Octet 1: hash algorithm 602 Octets 2-9: 8-octet salt value 603 604 Salted S2K is exactly like Simple S2K, except that the input to the 605 hash function(s) consists of the 8 octets of salt from the S2K 606 specifier, followed by the passphrase. 607 608 3.7.1.3. Iterated and Salted S2K 609 610 This includes both a salt and an octet count. The salt is combined 611 with the passphrase and the resulting value is hashed repeatedly. 612 This further increases the amount of work an attacker must do to try 613 dictionary attacks. 614 615 Octet 0: 0x03 616 Octet 1: hash algorithm 617 Octets 2-9: 8-octet salt value 618 Octet 10: count, a one-octet, coded value 619 620 The count is coded into a one-octet number using the following 621 formula: 622 623 624 625 626 Callas, et al. Expires Nov 23, 2005 [Page 11] 627 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 629 630 #define EXPBIAS 6 631 count = ((Int32)16 + (c & 15)) << ((c >> 4) + EXPBIAS); 632 633 The above formula is in C, where "Int32" is a type for a 32-bit 634 integer, and the variable "c" is the coded count, Octet 10. 635 636 Iterated-Salted S2K hashes the passphrase and salt data multiple 637 times. The total number of octets to be hashed is specified in the 638 encoded count in the S2K specifier. Note that the resulting count 639 value is an octet count of how many octets will be hashed, not an 640 iteration count. 641 642 Initially, one or more hash contexts are set up as with the other 643 S2K algorithms, depending on how many octets of key data are needed. 644 Then the salt, followed by the passphrase data is repeatedly hashed 645 until the number of octets specified by the octet count has been 646 hashed. The one exception is that if the octet count is less than 647 the size of the salt plus passphrase, the full salt plus passphrase 648 will be hashed even though that is greater than the octet count. 649 After the hashing is done the data is unloaded from the hash 650 context(s) as with the other S2K algorithms. 651 652 3.7.2. String-to-key usage 653 654 Implementations SHOULD use salted or iterated-and-salted S2K 655 specifiers, as simple S2K specifiers are more vulnerable to 656 dictionary attacks. 657 658 3.7.2.1. Secret key encryption 659 660 An S2K specifier can be stored in the secret keyring to specify how 661 to convert the passphrase to a key that unlocks the secret data. 662 Older versions of PGP just stored a cipher algorithm octet preceding 663 the secret data or a zero to indicate that the secret data was 664 unencrypted. The MD5 hash function was always used to convert the 665 passphrase to a key for the specified cipher algorithm. 666 667 For compatibility, when an S2K specifier is used, the special value 668 255 is stored in the position where the hash algorithm octet would 669 have been in the old data structure. This is then followed 670 immediately by a one-octet algorithm identifier, and then by the S2K 671 specifier as encoded above. 672 673 Therefore, preceding the secret data there will be one of these 674 possibilities: 675 676 0: secret data is unencrypted (no pass phrase) 677 255 or 254: followed by algorithm octet and S2K specifier 678 Cipher alg: use Simple S2K algorithm using MD5 hash 679 680 681 682 683 Callas, et al. Expires Nov 23, 2005 [Page 12] 684 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 686 687 This last possibility, the cipher algorithm number with an implicit 688 use of MD5 and IDEA, is provided for backward compatibility; it MAY 689 be understood, but SHOULD NOT be generated, and is deprecated. 690 691 These are followed by an Initial Vector of the same length as the 692 block size of the cipher for the decryption of the secret values, if 693 they are encrypted, and then the secret key values themselves. 694 695 3.7.2.2. Symmetric-key message encryption 696 697 OpenPGP can create a Symmetric-key Encrypted Session Key (ESK) 698 packet at the front of a message. This is used to allow S2K 699 specifiers to be used for the passphrase conversion or to create 700 messages with a mix of symmetric-key ESKs and public-key ESKs. This 701 allows a message to be decrypted either with a passphrase or a 702 public key pair. 703 704 PGP 2.X always used IDEA with Simple string-to-key conversion when 705 encrypting a message with a symmetric algorithm. This is deprecated, 706 but MAY be used for backward-compatibility. 707 708 4. Packet Syntax 709 710 This section describes the packets used by OpenPGP. 711 712 4.1. Overview 713 714 An OpenPGP message is constructed from a number of records that are 715 traditionally called packets. A packet is a chunk of data that has a 716 tag specifying its meaning. An OpenPGP message, keyring, 717 certificate, and so forth consists of a number of packets. Some of 718 those packets may contain other OpenPGP packets (for example, a 719 compressed data packet, when uncompressed, contains OpenPGP 720 packets). 721 722 Each packet consists of a packet header, followed by the packet 723 body. The packet header is of variable length. 724 725 4.2. Packet Headers 726 727 The first octet of the packet header is called the "Packet Tag." It 728 determines the format of the header and denotes the packet contents. 729 The remainder of the packet header is the length of the packet. 730 731 Note that the most significant bit is the left-most bit, called bit 732 7. A mask for this bit is 0x80 in hexadecimal. 733 734 +---------------+ 735 PTag |7 6 5 4 3 2 1 0| 736 +---------------+ 737 Bit 7 -- Always one 738 Bit 6 -- New packet format if set 739 740 Callas, et al. Expires Nov 23, 2005 [Page 13] 741 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 743 744 PGP 2.6.x only uses old format packets. Thus, software that 745 interoperates with those versions of PGP must only use old format 746 packets. If interoperability is not an issue, the new packet format 747 is preferred. Note that old format packets have four bits of packet 748 tags, and new format packets have six; some features cannot be used 749 and still be backward-compatible. 750 751 Also note that packets with a tag greater than or equal to 16 MUST 752 use new format packets. The old format packets can only express tags 753 less than or equal to 15. 754 755 Old format packets contain: 756 757 Bits 5-2 -- packet tag 758 Bits 1-0 - length-type 759 760 New format packets contain: 761 762 Bits 5-0 -- packet tag 763 764 4.2.1. Old-Format Packet Lengths 765 766 The meaning of the length-type in old-format packets is: 767 768 0 - The packet has a one-octet length. The header is 2 octets long. 769 770 1 - The packet has a two-octet length. The header is 3 octets long. 771 772 2 - The packet has a four-octet length. The header is 5 octets long. 773 774 3 - The packet is of indeterminate length. The header is 1 octet 775 long, and the implementation must determine how long the packet 776 is. If the packet is in a file, this means that the packet 777 extends until the end of the file. In general, an implementation 778 SHOULD NOT use indeterminate length packets except where the end 779 of the data will be clear from the context, and even then it is 780 better to use a definite length, or a new-format header. The 781 new-format headers described below have a mechanism for 782 precisely encoding data of indeterminate length. 783 784 4.2.2. New-Format Packet Lengths 785 786 New format packets have four possible ways of encoding length: 787 788 1. A one-octet Body Length header encodes packet lengths of up to 789 191 octets. 790 791 2. A two-octet Body Length header encodes packet lengths of 192 to 792 8383 octets. 793 794 795 796 797 Callas, et al. Expires Nov 23, 2005 [Page 14] 798 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 800 801 3. A five-octet Body Length header encodes packet lengths of up to 802 4,294,967,295 (0xFFFFFFFF) octets in length. (This actually 803 encodes a four-octet scalar number.) 804 805 4. When the length of the packet body is not known in advance by 806 the issuer, Partial Body Length headers encode a packet of 807 indeterminate length, effectively making it a stream. 808 809 4.2.2.1. One-Octet Lengths 810 811 A one-octet Body Length header encodes a length of from 0 to 191 812 octets. This type of length header is recognized because the one 813 octet value is less than 192. The body length is equal to: 814 815 bodyLen = 1st_octet; 816 817 4.2.2.2. Two-Octet Lengths 818 819 A two-octet Body Length header encodes a length of from 192 to 8383 820 octets. It is recognized because its first octet is in the range 821 192 to 223. The body length is equal to: 822 823 bodyLen = ((1st_octet - 192) << 8) + (2nd_octet) + 192 824 825 4.2.2.3. Five-Octet Lengths 826 827 A five-octet Body Length header consists of a single octet holding 828 the value 255, followed by a four-octet scalar. The body length is 829 equal to: 830 831 bodyLen = (2nd_octet << 24) | (3rd_octet << 16) | 832 (4th_octet << 8) | 5th_octet 833 834 This basic set of one, two, and five-octet lengths is also used 835 internally to some packets. 836 837 4.2.2.4. Partial Body Lengths 838 839 A Partial Body Length header is one octet long and encodes the 840 length of only part of the data packet. This length is a power of 2, 841 from 1 to 1,073,741,824 (2 to the 30th power). It is recognized by 842 its one octet value that is greater than or equal to 224, and less 843 than 255. The partial body length is equal to: 844 845 partialBodyLen = 1 << (1st_octet & 0x1f); 846 847 Each Partial Body Length header is followed by a portion of the 848 packet body data. The Partial Body Length header specifies this 849 portion's length. Another length header (one octet, two-octet, 850 five-octet, or partial) follows that portion. The last length header 851 in the packet MUST NOT be a partial Body Length header. Partial 852 Body Length headers may only be used for the non-final parts of the 853 854 Callas, et al. Expires Nov 23, 2005 [Page 15] 855 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 857 858 packet. 859 860 It might also be encoded in the following octet stream: 0xEF, first 861 32768 octets of data; 0xE1, next two octets of data; 0xE0, next one 862 octet of data; 0xF0, next 65536 octets of data; 0xC5, 0xDD, last 863 1693 octets of data. This is just one possible encoding, and many 864 variations are possible on the size of the Partial Body Length 865 headers, as long as a regular Body Length header encodes the last 866 portion of the data. 867 868 Note also that the last Body Length header can be a zero-length 869 header. 870 871 An implementation MAY use Partial Body Lengths for data packets, be 872 they literal, compressed, or encrypted. The first partial length 873 MUST be at least 512 octets long. Partial Body Lengths MUST NOT be 874 used for any other packet types. 875 876 4.2.3. Packet Length Examples 877 878 These examples show ways that new-format packets might encode the 879 packet lengths. 880 881 A packet with length 100 may have its length encoded in one octet: 882 0x64. This is followed by 100 octets of data. 883 884 A packet with length 1723 may have its length coded in two octets: 885 0xC5, 0xFB. This header is followed by the 1723 octets of data. 886 887 A packet with length 100000 may have its length encoded in five 888 octets: 0xFF, 0x00, 0x01, 0x86, 0xA0. 889 890 Please note that in all of these explanations, the total length of 891 the packet is the length of the header(s) plus the length of the 892 body. 893 894 4.3. Packet Tags 895 896 The packet tag denotes what type of packet the body holds. Note that 897 old format headers can only have tags less than 16, whereas new 898 format headers can have tags as great as 63. The defined tags (in 899 decimal) are: 900 901 0 -- Reserved - a packet tag must not have this value 902 1 -- Public-Key Encrypted Session Key Packet 903 2 -- Signature Packet 904 3 -- Symmetric-Key Encrypted Session Key Packet 905 4 -- One-Pass Signature Packet 906 5 -- Secret Key Packet 907 6 -- Public Key Packet 908 7 -- Secret Subkey Packet 909 8 -- Compressed Data Packet 910 911 Callas, et al. Expires Nov 23, 2005 [Page 16] 912 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 914 915 9 -- Symmetrically Encrypted Data Packet 916 10 -- Marker Packet 917 11 -- Literal Data Packet 918 12 -- Trust Packet 919 13 -- User ID Packet 920 14 -- Public Subkey Packet 921 17 -- User Attribute Packet 922 18 -- Sym. Encrypted and Integrity Protected Data Packet 923 19 -- Modification Detection Code Packet 924 60 to 63 -- Private or Experimental Values 925 926 5. Packet Types 927 928 5.1. Public-Key Encrypted Session Key Packets (Tag 1) 929 930 A Public-Key Encrypted Session Key packet holds the session key used 931 to encrypt a message. Zero or more Encrypted Session Key packets 932 (either Public-Key or Symmetric-Key) may precede a Symmetrically 933 Encrypted Data Packet, which holds an encrypted message. The 934 message is encrypted with the session key, and the session key is 935 itself encrypted and stored in the Encrypted Session Key packet(s). 936 The Symmetrically Encrypted Data Packet is preceded by one 937 Public-Key Encrypted Session Key packet for each OpenPGP key to 938 which the message is encrypted. The recipient of the message finds 939 a session key that is encrypted to their public key, decrypts the 940 session key, and then uses the session key to decrypt the message. 941 942 The body of this packet consists of: 943 944 - A one-octet number giving the version number of the packet type. 945 The currently defined value for packet version is 3. 946 947 - An eight-octet number that gives the key ID of the public key 948 that the session key is encrypted to. If the session key is 949 encrypted to a subkey then the key ID of this subkey is used 950 here instead of the key ID of the primary key. 951 952 - A one-octet number giving the public key algorithm used. 953 954 - A string of octets that is the encrypted session key. This 955 string takes up the remainder of the packet, and its contents 956 are dependent on the public key algorithm used. 957 958 Algorithm Specific Fields for RSA encryption 959 960 - multiprecision integer (MPI) of RSA encrypted value m**e mod n. 961 962 Algorithm Specific Fields for Elgamal encryption: 963 964 - MPI of Elgamal (Diffie-Hellman) value g**k mod p. 965 966 967 968 Callas, et al. Expires Nov 23, 2005 [Page 17] 969 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 971 972 - MPI of Elgamal (Diffie-Hellman) value m * y**k mod p. 973 974 The value "m" in the above formulas is derived from the session key 975 as follows. First the session key is prefixed with a one-octet 976 algorithm identifier that specifies the symmetric encryption 977 algorithm used to encrypt the following Symmetrically Encrypted Data 978 Packet. Then a two-octet checksum is appended which is equal to the 979 sum of the preceding session key octets, not including the algorithm 980 identifier, modulo 65536. This value is then encoded as described 981 in PKCS-1 block encoding EME-PKCS1-v1_5 [RFC2437] to form the "m" 982 value used in the formulas above. 983 984 Note that when an implementation forms several PKESKs with one 985 session key, forming a message that can be decrypted by several 986 keys, the implementation MUST make new PKCS-1 encoding for each key. 987 988 An implementation MAY accept or use a Key ID of zero as a "wild 989 card" or "speculative" Key ID. In this case, the receiving 990 implementation would try all available private keys, checking for a 991 valid decrypted session key. This format helps reduce traffic 992 analysis of messages. 993 994 5.2. Signature Packet (Tag 2) 995 996 A signature packet describes a binding between some public key and 997 some data. The most common signatures are a signature of a file or a 998 block of text, and a signature that is a certification of a User ID. 999 1000 Two versions of signature packets are defined. Version 3 provides 1001 basic signature information, while version 4 provides an expandable 1002 format with subpackets that can specify more information about the 1003 signature. PGP 2.6.x only accepts version 3 signatures. 1004 1005 Implementations SHOULD accept V3 signatures. Implementations SHOULD 1006 generate V4 signatures. 1007 1008 Note that if an implementation is creating an encrypted and signed 1009 message that is encrypted to a V3 key, it is reasonable to create a 1010 V3 signature. 1011 1012 5.2.1. Signature Types 1013 1014 There are a number of possible meanings for a signature, which are 1015 specified in a signature type octet in any given signature. These 1016 meanings are: 1017 1018 0x00: Signature of a binary document. 1019 This means the signer owns it, created it, or certifies that it 1020 has not been modified. 1021 1022 1023 1024 1025 Callas, et al. Expires Nov 23, 2005 [Page 18] 1026 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1028 1029 0x01: Signature of a canonical text document. 1030 This means the signer owns it, created it, or certifies that it 1031 has not been modified. The signature is calculated over the 1032 text data with its line endings converted to <CR><LF>. 1033 1034 0x02: Standalone signature. 1035 This signature is a signature of only its own subpacket 1036 contents. It is calculated identically to a signature over a 1037 zero-length binary document. Note that it doesn't make sense to 1038 have a V3 standalone signature. 1039 1040 0x10: Generic certification of a User ID and Public Key packet. 1041 The issuer of this certification does not make any particular 1042 assertion as to how well the certifier has checked that the 1043 owner of the key is in fact the person described by the User ID. 1044 1045 0x11: Persona certification of a User ID and Public Key packet. 1046 The issuer of this certification has not done any verification 1047 of the claim that the owner of this key is the User ID 1048 specified. 1049 1050 0x12: Casual certification of a User ID and Public Key packet. 1051 The issuer of this certification has done some casual 1052 verification of the claim of identity. 1053 1054 0x13: Positive certification of a User ID and Public Key packet. 1055 The issuer of this certification has done substantial 1056 verification of the claim of identity. 1057 1058 Please note that the vagueness of these certification claims is 1059 not a flaw, but a feature of the system. Because OpenPGP places 1060 final authority for validity upon the receiver of a 1061 certification, it may be that one authority's casual 1062 certification might be more rigorous than some other authority's 1063 positive certification. These classifications allow a 1064 certification authority to issue fine-grained claims. 1065 1066 Most OpenPGP implementations make their "key signatures" as 0x10 1067 certifications. Some implementations can issue 0x11-0x13 1068 certifications, but few differentiate between the types. 1069 1070 0x18: Subkey Binding Signature 1071 This signature is a statement by the top-level signing key that 1072 indicates that it owns the subkey. This signature is calculated 1073 directly on the subkey itself, not on any User ID or other 1074 packets. A signature that binds a signing subkey also has an 1075 embedded signature subpacket in this binding signature which 1076 contains a 0x19 signature made by the signing subkey on the 1077 primary key. 1078 1079 1080 1081 1082 Callas, et al. Expires Nov 23, 2005 [Page 19] 1083 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1085 1086 0x19 Primary Key Binding Signature 1087 This signature is a statement by a signing subkey, indicating 1088 that it is owned by the primary key. This signature is 1089 calculated directly on the primary key itself, and not on any 1090 User ID or other packets. 1091 1092 0x1F: Signature directly on a key 1093 This signature is calculated directly on a key. It binds the 1094 information in the signature subpackets to the key, and is 1095 appropriate to be used for subpackets that provide information 1096 about the key, such as the revocation key subpacket. It is also 1097 appropriate for statements that non-self certifiers want to make 1098 about the key itself, rather than the binding between a key and 1099 a name. 1100 1101 0x20: Key revocation signature 1102 The signature is calculated directly on the key being revoked. 1103 A revoked key is not to be used. Only revocation signatures by 1104 the key being revoked, or by an authorized revocation key, 1105 should be considered valid revocation signatures. 1106 1107 0x28: Subkey revocation signature 1108 The signature is calculated directly on the subkey being 1109 revoked. A revoked subkey is not to be used. Only revocation 1110 signatures by the top-level signature key that is bound to this 1111 subkey, or by an authorized revocation key, should be considered 1112 valid revocation signatures. 1113 1114 0x30: Certification revocation signature 1115 This signature revokes an earlier User ID certification 1116 signature (signature class 0x10 through 0x13) or direct-key 1117 signature (0x1F). It should be issued by the same key that 1118 issued the revoked signature or an authorized revocation key. 1119 The signature should have a later creation date than the 1120 signature it revokes. 1121 1122 0x40: Timestamp signature. 1123 This signature is only meaningful for the timestamp contained in 1124 it. 1125 1126 0x50: Third-Party Confirmation signature. 1127 This signature is a signature over some other OpenPGP signature 1128 packet(s). It is analogous to a notary seal on the signed data. 1129 A third-party signature SHOULD include Signature Target 1130 subpacket(s) to give easy identification. Note that we really do 1131 mean SHOULD. There are plausible uses for this (such as a blind 1132 party that only sees the signature, not the key nor source 1133 document) that cannot include a target subpacket. 1134 1135 5.2.2. Version 3 Signature Packet Format 1136 1137 The body of a version 3 Signature Packet contains: 1138 1139 Callas, et al. Expires Nov 23, 2005 [Page 20] 1140 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1142 1143 - One-octet version number (3). 1144 1145 - One-octet length of following hashed material. MUST be 5. 1146 1147 - One-octet signature type. 1148 1149 - Four-octet creation time. 1150 1151 - Eight-octet key ID of signer. 1152 1153 - One-octet public key algorithm. 1154 1155 - One-octet hash algorithm. 1156 1157 - Two-octet field holding left 16 bits of signed hash value. 1158 1159 - One or more multiprecision integers comprising the signature. 1160 This portion is algorithm specific, as described below. 1161 1162 The concatenation of the data to be signed, the signature type and 1163 creation time from the signature packet (5 additional octets) is 1164 hashed. The resulting hash value is used in the signature algorithm. 1165 The high 16 bits (first two octets) of the hash are included in the 1166 signature packet to provide a quick test to reject some invalid 1167 signatures. 1168 1169 Algorithm Specific Fields for RSA signatures: 1170 1171 - multiprecision integer (MPI) of RSA signature value m**d mod n. 1172 1173 Algorithm Specific Fields for DSA signatures: 1174 1175 - MPI of DSA value r. 1176 1177 - MPI of DSA value s. 1178 1179 The signature calculation is based on a hash of the signed data, as 1180 described above. The details of the calculation are different for 1181 DSA signature than for RSA signatures. 1182 1183 The hash h is PKCS-1 padded exactly the same way as for the above 1184 described RSA signatures. 1185 1186 With RSA signatures, the hash value is encoded as described in 1187 PKCS-1 section 9.2.1 encoded using PKCS-1 encoding type 1188 EMSA-PKCS1-v1_5 [RFC2437]. This requires inserting the hash value 1189 as an octet string into an ASN.1 structure. The object identifier 1190 for the type of hash being used is included in the structure. The 1191 hexadecimal representations for the currently defined hash 1192 algorithms are: 1193 1194 1195 1196 Callas, et al. Expires Nov 23, 2005 [Page 21] 1197 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1199 1200 - MD5: 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05 1201 1202 - RIPEMD-160: 0x2B, 0x24, 0x03, 0x02, 0x01 1203 1204 - SHA-1: 0x2B, 0x0E, 0x03, 0x02, 0x1A 1205 1206 - SHA256: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 1207 1208 - SHA384: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 1209 1210 - SHA512: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 1211 1212 The ASN.1 OIDs are: 1213 1214 - MD5: 1.2.840.113549.2.5 1215 1216 - RIPEMD-160: 1.3.36.3.2.1 1217 1218 - SHA-1: 1.3.14.3.2.26 1219 1220 - SHA256: 2.16.840.1.101.3.4.2.1 1221 1222 - SHA384: 2.16.840.1.101.3.4.2.2 1223 1224 - SHA512: 2.16.840.1.101.3.4.2.3 1225 1226 The full hash prefixes for these are: 1227 1228 MD5: 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 1229 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 1230 0x04, 0x10 1231 1232 RIPEMD-160: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 1233 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14 1234 1235 SHA-1: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0E, 1236 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 1237 1238 SHA256: 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 1239 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 1240 0x00, 0x04, 0x20 1241 1242 SHA384: 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 1243 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 1244 0x00, 0x04, 0x30 1245 1246 SHA512: 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 1247 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 1248 0x00, 0x04, 0x40 1249 1250 1251 1252 1253 Callas, et al. Expires Nov 23, 2005 [Page 22] 1254 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1256 1257 DSA signatures MUST use hashes with a size of 160 bits, to match q, 1258 the size of the group generated by the DSA key's generator value. 1259 The hash function result is treated as a 160 bit number and used 1260 directly in the DSA signature algorithm. 1261 1262 5.2.3. Version 4 Signature Packet Format 1263 1264 The body of a version 4 Signature Packet contains: 1265 1266 - One-octet version number (4). 1267 1268 - One-octet signature type. 1269 1270 - One-octet public key algorithm. 1271 1272 - One-octet hash algorithm. 1273 1274 - Hashed subpacket data set. (zero or more subpackets) 1275 1276 - Two-octet scalar octet count for the following unhashed 1277 subpacket data. Note that this is the length in octets of all of 1278 the unhashed subpackets; a pointer incremented by this number 1279 will skip over the unhashed subpackets. 1280 1281 - Unhashed subpacket data set. (zero or more subpackets) 1282 1283 - Two-octet field holding the left 16 bits of the signed hash 1284 value. 1285 1286 - One or more multiprecision integers comprising the signature. 1287 This portion is algorithm specific, as described above. 1288 1289 The data being signed is hashed, and then the signature data from 1290 the version number through the hashed subpacket data (inclusive) is 1291 hashed. The resulting hash value is what is signed. The left 16 1292 bits of the hash are included in the signature packet to provide a 1293 quick test to reject some invalid signatures. 1294 1295 There are two fields consisting of signature subpackets. The first 1296 field is hashed with the rest of the signature data, while the 1297 second is unhashed. The second set of subpackets is not 1298 cryptographically protected by the signature and should include only 1299 advisory information. 1300 1301 The algorithms for converting the hash function result to a 1302 signature are described in a section below. 1303 1304 5.2.3.1. Signature Subpacket Specification 1305 1306 A subpacket data set consists of zero or more signature subpackets, 1307 preceded by a two-octet scalar count of the length in octets of all 1308 the subpackets; a pointer incremented by this number will skip over 1309 1310 Callas, et al. Expires Nov 23, 2005 [Page 23] 1311 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1313 1314 the subpacket data set. 1315 1316 Each subpacket consists of a subpacket header and a body. The 1317 header consists of: 1318 1319 - the subpacket length (1, 2, or 5 octets) 1320 1321 - the subpacket type (1 octet) 1322 1323 and is followed by the subpacket specific data. 1324 1325 The length includes the type octet but not this length. Its format 1326 is similar to the "new" format packet header lengths, but cannot 1327 have partial body lengths. That is: 1328 1329 if the 1st octet < 192, then 1330 lengthOfLength = 1 1331 subpacketLen = 1st_octet 1332 1333 if the 1st octet >= 192 and < 255, then 1334 lengthOfLength = 2 1335 subpacketLen = ((1st_octet - 192) << 8) + (2nd_octet) + 192 1336 1337 if the 1st octet = 255, then 1338 lengthOfLength = 5 1339 subpacket length = [four-octet scalar starting at 2nd_octet] 1340 1341 The value of the subpacket type octet may be: 1342 1343 2 = signature creation time 1344 3 = signature expiration time 1345 4 = exportable certification 1346 5 = trust signature 1347 6 = regular expression 1348 7 = revocable 1349 9 = key expiration time 1350 10 = placeholder for backward compatibility 1351 11 = preferred symmetric algorithms 1352 12 = revocation key 1353 16 = issuer key ID 1354 20 = notation data 1355 21 = preferred hash algorithms 1356 22 = preferred compression algorithms 1357 23 = key server preferences 1358 24 = preferred key server 1359 25 = primary User ID 1360 26 = policy URI 1361 27 = key flags 1362 28 = signer's User ID 1363 29 = reason for revocation 1364 30 = features 1365 31 = signature target 1366 1367 Callas, et al. Expires Nov 23, 2005 [Page 24] 1368 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1370 1371 32 = embedded signature 1372 1373 100 to 110 = internal or user-defined 1374 1375 An implementation SHOULD ignore any subpacket of a type that it does 1376 not recognize. 1377 1378 Bit 7 of the subpacket type is the "critical" bit. If set, it 1379 denotes that the subpacket is one that is critical for the evaluator 1380 of the signature to recognize. If a subpacket is encountered that 1381 is marked critical but is unknown to the evaluating software, the 1382 evaluator SHOULD consider the signature to be in error. 1383 1384 An evaluator may "recognize" a subpacket, but not implement it. The 1385 purpose of the critical bit is to allow the signer to tell an 1386 evaluator that it would prefer a new, unknown feature to generate an 1387 error than be ignored. 1388 1389 Implementations SHOULD implement "preferences" and the "reason for 1390 revocation" subpackets. Note, however, that if an implementation 1391 chooses not to implement some of the preferences, it is required to 1392 behave in a polite manner to respect the wishes of those users who 1393 do implement these preferences. 1394 1395 5.2.3.2. Signature Subpacket Types 1396 1397 A number of subpackets are currently defined. Some subpackets apply 1398 to the signature itself and some are attributes of the key. 1399 Subpackets that are found on a self-signature are placed on a 1400 certification made by the key itself. Note that a key may have more 1401 than one User ID, and thus may have more than one self-signature, 1402 and differing subpackets. 1403 1404 A subpacket may be found either in the hashed or unhashed subpacket 1405 sections of a signature. If a subpacket is not hashed, then the 1406 information in it cannot be considered definitive because it is not 1407 part of the signature proper. 1408 1409 5.2.3.3. Notes on Self-Signatures 1410 1411 A self-signature is a binding signature made by the key the 1412 signature refers to. There are three types of self-signatures, the 1413 certification signatures (types 0x10-0x13), the direct-key signature 1414 (type 0x1f), and the subkey binding signature (type 0x18). For 1415 certification self-signatures, each User ID may have a 1416 self-signature, and thus different subpackets in those 1417 self-signatures. For subkey binding signatures, each subkey in fact 1418 has a self-signature. Subpackets that appear in a certification 1419 self-signature apply to the username, and subpackets that appear in 1420 the subkey self-signature apply to the subkey. Lastly, subpackets on 1421 the direct-key signature apply to the entire key. 1422 1423 1424 Callas, et al. Expires Nov 23, 2005 [Page 25] 1425 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1427 1428 Implementing software should interpret a self-signature's preference 1429 subpackets as narrowly as possible. For example, suppose a key has 1430 two usernames, Alice and Bob. Suppose that Alice prefers the 1431 symmetric algorithm CAST5, and Bob prefers IDEA or TripleDES. If the 1432 software locates this key via Alice's name, then the preferred 1433 algorithm is CAST5, if software locates the key via Bob's name, then 1434 the preferred algorithm is IDEA. If the key is located by key ID, 1435 the algorithm of the primary User ID of the key provides the default 1436 symmetric algorithm. 1437 1438 Revoking a self-signature or allowing it to expire has a semantic 1439 meaning that varies with the signature type. Revoking the 1440 self-signature on a User ID effectively retires that user name. The 1441 self-signature is a statement, "My name X is tied to my signing key 1442 K" and is corroborated by other users' certifications. If another 1443 user revokes their certification, they are effectively saying that 1444 they no longer believe that name and that key are tied together. 1445 Similarly, if the user themselves revokes their self-signature, it 1446 means the user no longer goes by that name, no longer has that email 1447 address, etc. Revoking a binding signature effectively retires that 1448 subkey. Revoking a direct-key signature cancels that signature. 1449 Please see the "Reason for Revocation" subpacket below for more 1450 relevant detail. 1451 1452 Since a self-signature contains important information about the 1453 key's use, an implementation SHOULD allow the user to rewrite the 1454 self-signature, and important information in it, such as preferences 1455 and key expiration. 1456 1457 It is good practice to verify that a self-signature imported into an 1458 implementation doesn't advertise features that the implementation 1459 doesn't support, rewriting the signature as appropriate. 1460 1461 An implementation that encounters multiple self-signatures on the 1462 same object may resolve the ambiguity in any way it sees fit, but it 1463 is RECOMMENDED that priority be given to the most recent 1464 self-signature. 1465 1466 5.2.3.4. Signature creation time 1467 1468 (4 octet time field) 1469 1470 The time the signature was made. 1471 1472 MUST be present in the hashed area. 1473 1474 5.2.3.5. Issuer 1475 1476 (8 octet key ID) 1477 1478 1479 1480 1481 Callas, et al. Expires Nov 23, 2005 [Page 26] 1482 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1484 1485 The OpenPGP key ID of the key issuing the signature. 1486 1487 5.2.3.6. Key expiration time 1488 1489 (4 octet time field) 1490 1491 The validity period of the key. This is the number of seconds after 1492 the key creation time that the key expires. If this is not present 1493 or has a value of zero, the key never expires. This is found only on 1494 a self-signature. 1495 1496 5.2.3.7. Preferred symmetric algorithms 1497 1498 (array of one-octet values) 1499 1500 Symmetric algorithm numbers that indicate which algorithms the key 1501 holder prefers to use. The subpacket body is an ordered list of 1502 octets with the most preferred listed first. It is assumed that only 1503 algorithms listed are supported by the recipient's software. 1504 Algorithm numbers in section 9. This is only found on a 1505 self-signature. 1506 1507 5.2.3.8. Preferred hash algorithms 1508 1509 (array of one-octet values) 1510 1511 Message digest algorithm numbers that indicate which algorithms the 1512 key holder prefers to receive. Like the preferred symmetric 1513 algorithms, the list is ordered. Algorithm numbers are in section 9. 1514 This is only found on a self-signature. 1515 1516 5.2.3.9. Preferred compression algorithms 1517 1518 (array of one-octet values) 1519 1520 Compression algorithm numbers that indicate which algorithms the key 1521 holder prefers to use. Like the preferred symmetric algorithms, the 1522 list is ordered. Algorithm numbers are in section 9. If this 1523 subpacket is not included, ZIP is preferred. A zero denotes that 1524 uncompressed data is preferred; the key holder's software might have 1525 no compression software in that implementation. This is only found 1526 on a self-signature. 1527 1528 5.2.3.10. Signature expiration time 1529 1530 (4 octet time field) 1531 1532 The validity period of the signature. This is the number of seconds 1533 after the signature creation time that the signature expires. If 1534 this is not present or has a value of zero, it never expires. 1535 1536 1537 1538 Callas, et al. Expires Nov 23, 2005 [Page 27] 1539 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1541 1542 5.2.3.11. Exportable Certification 1543 1544 (1 octet of exportability, 0 for not, 1 for exportable) 1545 1546 This subpacket denotes whether a certification signature is 1547 "exportable," to be used by other users than the signature's issuer. 1548 The packet body contains a Boolean flag indicating whether the 1549 signature is exportable. If this packet is not present, the 1550 certification is exportable; it is equivalent to a flag containing a 1551 1. 1552 1553 Non-exportable, or "local," certifications are signatures made by a 1554 user to mark a key as valid within that user's implementation only. 1555 Thus, when an implementation prepares a user's copy of a key for 1556 transport to another user (this is the process of "exporting" the 1557 key), any local certification signatures are deleted from the key. 1558 1559 The receiver of a transported key "imports" it, and likewise trims 1560 any local certifications. In normal operation, there won't be any, 1561 assuming the import is performed on an exported key. However, there 1562 are instances where this can reasonably happen. For example, if an 1563 implementation allows keys to be imported from a key database in 1564 addition to an exported key, then this situation can arise. 1565 1566 Some implementations do not represent the interest of a single user 1567 (for example, a key server). Such implementations always trim local 1568 certifications from any key they handle. 1569 1570 5.2.3.12. Revocable 1571 1572 (1 octet of revocability, 0 for not, 1 for revocable) 1573 1574 Signature's revocability status. Packet body contains a Boolean 1575 flag indicating whether the signature is revocable. Signatures that 1576 are not revocable have any later revocation signatures ignored. 1577 They represent a commitment by the signer that he cannot revoke his 1578 signature for the life of his key. If this packet is not present, 1579 the signature is revocable. 1580 1581 5.2.3.13. Trust signature 1582 1583 (1 octet "level" (depth), 1 octet of trust amount) 1584 1585 Signer asserts that the key is not only valid, but also trustworthy, 1586 at the specified level. Level 0 has the same meaning as an ordinary 1587 validity signature. Level 1 means that the signed key is asserted 1588 to be a valid trusted introducer, with the 2nd octet of the body 1589 specifying the degree of trust. Level 2 means that the signed key is 1590 asserted to be trusted to issue level 1 trust signatures, i.e. that 1591 it is a "meta introducer". Generally, a level n trust signature 1592 asserts that a key is trusted to issue level n-1 trust signatures. 1593 The trust amount is in a range from 0-255, interpreted such that 1594 1595 Callas, et al. Expires Nov 23, 2005 [Page 28] 1596 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1598 1599 values less than 120 indicate partial trust and values of 120 or 1600 greater indicate complete trust. Implementations SHOULD emit values 1601 of 60 for partial trust and 120 for complete trust. 1602 1603 5.2.3.14. Regular expression 1604 1605 (null-terminated regular expression) 1606 1607 Used in conjunction with trust signature packets (of level > 0) to 1608 limit the scope of trust that is extended. Only signatures by the 1609 target key on User IDs that match the regular expression in the body 1610 of this packet have trust extended by the trust signature subpacket. 1611 The regular expression uses the same syntax as the Henry Spencer's 1612 "almost public domain" regular expression package. A description of 1613 the syntax is found in a section below. 1614 1615 5.2.3.15. Revocation key 1616 1617 (1 octet of class, 1 octet of algid, 20 octets of fingerprint) 1618 1619 Authorizes the specified key to issue revocation signatures for this 1620 key. Class octet must have bit 0x80 set. If the bit 0x40 is set, 1621 then this means that the revocation information is sensitive. Other 1622 bits are for future expansion to other kinds of authorizations. This 1623 is found on a self-signature. 1624 1625 If the "sensitive" flag is set, the keyholder feels this subpacket 1626 contains private trust information that describes a real-world 1627 sensitive relationship. If this flag is set, implementations SHOULD 1628 NOT export this signature to other users except in cases where the 1629 data needs to be available: when the signature is being sent to the 1630 designated revoker, or when it is accompanied by a revocation 1631 signature from that revoker. Note that it may be appropriate to 1632 isolate this subpacket within a separate signature so that it is not 1633 combined with other subpackets that need to be exported. 1634 1635 5.2.3.16. Notation Data 1636 1637 (4 octets of flags, 2 octets of name length (M), 1638 2 octets of value length (N), 1639 M octets of name data, 1640 N octets of value data) 1641 1642 This subpacket describes a "notation" on the signature that the 1643 issuer wishes to make. The notation has a name and a value, each of 1644 which are strings of octets. There may be more than one notation in 1645 a signature. Notations can be used for any extension the issuer of 1646 the signature cares to make. The "flags" field holds four octets of 1647 flags. 1648 1649 1650 1651 1652 Callas, et al. Expires Nov 23, 2005 [Page 29] 1653 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1655 1656 All undefined flags MUST be zero. Defined flags are: 1657 1658 First octet: 0x80 = human-readable. This note value is text, a 1659 note from one person to another, and need 1660 not have meaning to software. 1661 Other octets: none. 1662 1663 Notation names are arbitrary strings encoded in UTF-8. They reside 1664 two name spaces: The IETF name space and the user name space. 1665 1666 The IETF name space is registered with IANA. These names MUST NOT 1667 contain the "@" character (0x40). This this is a tag for the user 1668 name space. 1669 1670 Names in the user name space consist of a UTF-8 string tag followed 1671 by "@" followed by a DNS domain name. Note that the tag MUST NOT 1672 contain an "@" character. For example, the "sample" tag used by 1673 Example Corporation could be "sample (a] example.com". 1674 1675 Names in a user space are owned and controlled by the owners of that 1676 domain. Obviously, it's of bad form to create a new name in a DNS 1677 space that you don't own. 1678 1679 Since the user name space is in the form of an email address, 1680 implementers MAY wish to arrange for that address to reach a person 1681 who can be consulted about the use of the named tag. Note that due 1682 to UTF-8 encoding, not all valid user space name tags are valid 1683 email addresses. 1684 1685 If there is a critical notation, the criticality applies to that 1686 specific notation and not to notations in general. 1687 1688 5.2.3.17. Key server preferences 1689 1690 (N octets of flags) 1691 1692 This is a list of one-bit flags that indicate preferences that the 1693 key holder has about how the key is handled on a key server. All 1694 undefined flags MUST be zero. 1695 1696 First octet: 0x80 = No-modify 1697 the key holder requests that this key only be modified or 1698 updated by the key holder or an administrator of the key server. 1699 1700 This is found only on a self-signature. 1701 1702 5.2.3.18. Preferred key server 1703 1704 (String) 1705 1706 1707 1708 1709 Callas, et al. Expires Nov 23, 2005 [Page 30] 1710 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1712 1713 This is a URI of a key server that the key holder prefers be used 1714 for updates. Note that keys with multiple User IDs can have a 1715 preferred key server for each User ID. Note also that since this is 1716 a URI, the key server can actually be a copy of the key retrieved by 1717 ftp, http, finger, etc. 1718 1719 5.2.3.19. Primary User ID 1720 1721 (1 octet, Boolean) 1722 1723 This is a flag in a User ID's self signature that states whether 1724 this User ID is the main User ID for this key. It is reasonable for 1725 an implementation to resolve ambiguities in preferences, etc. by 1726 referring to the primary User ID. If this flag is absent, its value 1727 is zero. If more than one User ID in a key is marked as primary, the 1728 implementation may resolve the ambiguity in any way it sees fit, but 1729 it is RECOMMENDED that priority be given to the User ID with the 1730 most recent self-signature. 1731 1732 When appearing on a self-signature on a User ID packet, this 1733 subpacket applies only to User ID packets. When appearing on a 1734 self-signature on a User Attribute packet, this subpacket applies 1735 only to User Attribute packets. That is to say, there are two 1736 different and independent "primaries" - one for User IDs, and one 1737 for User Attributes. 1738 1739 5.2.3.20. Policy URI 1740 1741 (String) 1742 1743 This subpacket contains a URI of a document that describes the 1744 policy that the signature was issued under. 1745 1746 5.2.3.21. Key Flags 1747 1748 (N octets of flags) 1749 1750 This subpacket contains a list of binary flags that hold information 1751 about a key. It is a string of octets, and an implementation MUST 1752 NOT assume a fixed size. This is so it can grow over time. If a list 1753 is shorter than an implementation expects, the unstated flags are 1754 considered to be zero. The defined flags are: 1755 1756 First octet: 1757 1758 0x01 - This key may be used to certify other keys. 1759 1760 0x02 - This key may be used to sign data. 1761 1762 0x04 - This key may be used to encrypt communications. 1763 1764 1765 1766 Callas, et al. Expires Nov 23, 2005 [Page 31] 1767 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1769 1770 0x08 - This key may be used to encrypt storage. 1771 1772 0x10 - The private component of this key may have been split by 1773 a secret-sharing mechanism. 1774 1775 0x20 - This key may be used for authentication. 1776 1777 0x80 - The private component of this key may be in the 1778 possession of more than one person. 1779 1780 Usage notes: 1781 1782 The flags in this packet may appear in self-signatures or in 1783 certification signatures. They mean different things depending on 1784 who is making the statement -- for example, a certification 1785 signature that has the "sign data" flag is stating that the 1786 certification is for that use. On the other hand, the 1787 "communications encryption" flag in a self-signature is stating a 1788 preference that a given key be used for communications. Note 1789 however, that it is a thorny issue to determine what is 1790 "communications" and what is "storage." This decision is left wholly 1791 up to the implementation; the authors of this document do not claim 1792 any special wisdom on the issue, and realize that accepted opinion 1793 may change. 1794 1795 The "split key" (0x10) and "group key" (0x80) flags are placed on a 1796 self-signature only; they are meaningless on a certification 1797 signature. They SHOULD be placed only on a direct-key signature 1798 (type 0x1f) or a subkey signature (type 0x18), one that refers to 1799 the key the flag applies to. 1800 1801 5.2.3.22. Signer's User ID 1802 1803 (String) 1804 1805 This subpacket allows a keyholder to state which User ID is 1806 responsible for the signing. Many keyholders use a single key for 1807 different purposes, such as business communications as well as 1808 personal communications. This subpacket allows such a keyholder to 1809 state which of their roles is making a signature. 1810 1811 This subpacket is not appropriate to use to refer to a User 1812 Attribute packet. 1813 1814 5.2.3.23. Reason for Revocation 1815 1816 (1 octet of revocation code, N octets of reason string) 1817 1818 This subpacket is used only in key revocation and certification 1819 revocation signatures. It describes the reason why the key or 1820 certificate was revoked. 1821 1822 1823 Callas, et al. Expires Nov 23, 2005 [Page 32] 1824 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1826 1827 The first octet contains a machine-readable code that denotes the 1828 reason for the revocation: 1829 1830 0x00 - No reason specified (key revocations or cert revocations) 1831 0x01 - Key is superseded (key revocations) 1832 0x02 - Key material has been compromised (key revocations) 1833 0x03 - Key is retired and no longer used (key revocations) 1834 0x20 - User ID information is no longer valid (cert revocations) 1835 1836 Following the revocation code is a string of octets which gives 1837 information about the reason for revocation in human-readable form 1838 (UTF-8). The string may be null, that is, of zero length. The length 1839 of the subpacket is the length of the reason string plus one. 1840 1841 An implementation SHOULD implement this subpacket, include it in all 1842 revocation signatures, and interpret revocations appropriately. 1843 There are important semantic differences between the reasons, and 1844 there are thus important reasons for revoking signatures. 1845 1846 If a key has been revoked because of a compromise, all signatures 1847 created by that key are suspect. However, if it was merely 1848 superseded or retired, old signatures are still valid. If the 1849 revoked signature is the self-signature for certifying a User ID, a 1850 revocation denotes that that user name is no longer in use. Such a 1851 revocation SHOULD include an 0x20 subpacket. 1852 1853 Note that any signature may be revoked, including a certification on 1854 some other person's key. There are many good reasons for revoking a 1855 certification signature, such as the case where the keyholder leaves 1856 the employ of a business with an email address. A revoked 1857 certification is no longer a part of validity calculations. 1858 1859 5.2.3.24. Features 1860 1861 (N octets of flags) 1862 1863 The features subpacket denotes which advanced OpenPGP features a 1864 user's implementation supports. This is so that as features are 1865 added to OpenPGP that cannot be backwards-compatible, a user can 1866 state that they can use that feature. The flags are single bits that 1867 indicate that a given feature is supported. 1868 1869 This subpacket is similar to a preferences subpacket, and only 1870 appears in a self-signature. 1871 1872 An implementation SHOULD NOT use a feature listed when sending to a 1873 user who does not state that they can use it. 1874 1875 Defined features are: 1876 1877 1878 1879 1880 Callas, et al. Expires Nov 23, 2005 [Page 33] 1881 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1883 1884 First octet: 1885 1886 0x01 - Modification Detection (packets 18 and 19) 1887 1888 If an implementation implements any of the defined features, it 1889 SHOULD implement the features subpacket, too. 1890 1891 An implementation may freely infer features from other suitable 1892 implementation-dependent mechanisms. 1893 1894 5.2.3.25. Signature Target 1895 1896 (1 octet PK algorithm, 1 octet hash algorithm, N octets hash) 1897 1898 This subpacket identifies a specific target signature that a 1899 signature refers to. For revocation signatures, this subpacket 1900 provides explicit designation of which signature is being revoked. 1901 For a third-party or timestamp signature, this designates what 1902 signature is signed. All arguments are an identifier of that target 1903 signature. 1904 1905 The N octets of hash data MUST be the size of the hash of the 1906 signature. For example, a target signature with a SHA-1 hash MUST 1907 have 20 octets of hash data. 1908 1909 5.2.3.26. Embedded Signature 1910 1911 (1 signature packet body) 1912 1913 This subpacket contains a complete signature packet body as 1914 specified in section 5.2 above. It is useful when one signature 1915 needs to refer to, or be incorporated in, another signature. 1916 1917 5.2.4. Computing Signatures 1918 1919 All signatures are formed by producing a hash over the signature 1920 data, and then using the resulting hash in the signature algorithm. 1921 1922 The signature data is simple to compute for document signatures 1923 (types 0x00 and 0x01), for which the document itself is the data. 1924 For standalone signatures, this is a null string. 1925 1926 When a signature is made over a key, the hash data starts with the 1927 octet 0x99, followed by a two-octet length of the key, and then body 1928 of the key packet. (Note that this is an old-style packet header for 1929 a key packet with two-octet length.) A subkey binding signature 1930 (type 0x18) or primary key binding signature (type 0x19) then hashes 1931 the subkey using the same format as the main key (also using 0x99 as 1932 the first octet). Key revocation signatures (types 0x20 and 0x28) 1933 hash only the key being revoked. 1934 1935 1936 1937 Callas, et al. Expires Nov 23, 2005 [Page 34] 1938 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1940 1941 When a signature is made over a signature packet, the hash data 1942 starts with the octet 0x88, followed by the four-octet length of the 1943 signature, and then the body of the signature packet. The unhashed 1944 subpacket data of the signature packet being hashed is not included 1945 in the hash and the unhashed subpacket data length value is set to 1946 zero. (Note that this is an old-style packet header for a signature 1947 packet with the length-of-length set to zero). 1948 1949 A certification signature (type 0x10 through 0x13) hashes the User 1950 ID being bound to the key into the hash context after the above 1951 data. A V3 certification hashes the contents of the User ID or 1952 attribute packet packet, without any header. A V4 certification 1953 hashes the constant 0xb4 for User ID certifications or the constant 1954 0xd1 for User Attribute certifications, followed by a four-octet 1955 number giving the length of the User ID or User Attribute data, and 1956 then the User ID or User Attribute data. 1957 1958 Once the data body is hashed, then a trailer is hashed. A V3 1959 signature hashes five octets of the packet body, starting from the 1960 signature type field. This data is the signature type, followed by 1961 the four-octet signature time. A V4 signature hashes the packet body 1962 starting from its first field, the version number, through the end 1963 of the hashed subpacket data. Thus, the fields hashed are the 1964 signature version, the signature type, the public key algorithm, the 1965 hash algorithm, the hashed subpacket length, and the hashed 1966 subpacket body. 1967 1968 V4 signatures also hash in a final trailer of six octets: the 1969 version of the signature packet, i.e. 0x04; 0xFF; a four-octet, 1970 big-endian number that is the length of the hashed data from the 1971 signature packet (note that this number does not include these final 1972 six octets. 1973 1974 After all this has been hashed in a single hash context the 1975 resulting hash field is used in the signature algorithm, and placed 1976 at the end of the signature packet. 1977 1978 5.2.4.1. Subpacket Hints 1979 1980 It is certainly possible for a signature to contain conflicting 1981 information in subpackets. For example, a signature may contain 1982 multiple copies of a preference or multiple expiration times. In 1983 most cases, an implementation SHOULD use the last subpacket in the 1984 signature, but MAY use any conflict resolution scheme that makes 1985 more sense. Please note that we are intentionally leaving conflict 1986 resolution to the implementer; most conflicts are simply syntax 1987 errors, and the wishy-washy language here allows a receiver to be 1988 generous in what they accept, while putting pressure on a creator to 1989 be stingy in what they generate. 1990 1991 1992 1993 1994 Callas, et al. Expires Nov 23, 2005 [Page 35] 1995 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 1997 1998 Some apparent conflicts may actually make sense -- for example, 1999 suppose a keyholder has an V3 key and a V4 key that share the same 2000 RSA key material. Either of these keys can verify a signature 2001 created by the other, and it may be reasonable for a signature to 2002 contain an issuer subpacket for each key, as a way of explicitly 2003 tying those keys to the signature. 2004 2005 5.3. Symmetric-Key Encrypted Session Key Packets (Tag 3) 2006 2007 The Symmetric-Key Encrypted Session Key packet holds the 2008 symmetric-key encryption of a session key used to encrypt a message. 2009 Zero or more Encrypted Session Key packets and/or Symmetric-Key 2010 Encrypted Session Key packets may precede a Symmetrically Encrypted 2011 Data Packet that holds an encrypted message. The message is 2012 encrypted with a session key, and the session key is itself 2013 encrypted and stored in the Encrypted Session Key packet or the 2014 Symmetric-Key Encrypted Session Key packet. 2015 2016 If the Symmetrically Encrypted Data Packet is preceded by one or 2017 more Symmetric-Key Encrypted Session Key packets, each specifies a 2018 passphrase that may be used to decrypt the message. This allows a 2019 message to be encrypted to a number of public keys, and also to one 2020 or more pass phrases. This packet type is new, and is not generated 2021 by PGP 2.x or PGP 5.0. 2022 2023 The body of this packet consists of: 2024 2025 - A one-octet version number. The only currently defined version 2026 is 4. 2027 2028 - A one-octet number describing the symmetric algorithm used. 2029 2030 - A string-to-key (S2K) specifier, length as defined above. 2031 2032 - Optionally, the encrypted session key itself, which is decrypted 2033 with the string-to-key object. 2034 2035 If the encrypted session key is not present (which can be detected 2036 on the basis of packet length and S2K specifier size), then the S2K 2037 algorithm applied to the passphrase produces the session key for 2038 decrypting the file, using the symmetric cipher algorithm from the 2039 Symmetric-Key Encrypted Session Key packet. 2040 2041 If the encrypted session key is present, the result of applying the 2042 S2K algorithm to the passphrase is used to decrypt just that 2043 encrypted session key field, using CFB mode with an IV of all zeros. 2044 The decryption result consists of a one-octet algorithm identifier 2045 that specifies the symmetric-key encryption algorithm used to 2046 encrypt the following Symmetrically Encrypted Data Packet, followed 2047 by the session key octets themselves. 2048 2049 2050 2051 Callas, et al. Expires Nov 23, 2005 [Page 36] 2052 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2054 2055 Note: because an all-zero IV is used for this decryption, the S2K 2056 specifier MUST use a salt value, either a Salted S2K or an 2057 Iterated-Salted S2K. The salt value will insure that the decryption 2058 key is not repeated even if the passphrase is reused. 2059 2060 5.4. One-Pass Signature Packets (Tag 4) 2061 2062 The One-Pass Signature packet precedes the signed data and contains 2063 enough information to allow the receiver to begin calculating any 2064 hashes needed to verify the signature. It allows the Signature 2065 Packet to be placed at the end of the message, so that the signer 2066 can compute the entire signed message in one pass. 2067 2068 A One-Pass Signature does not interoperate with PGP 2.6.x or 2069 earlier. 2070 2071 The body of this packet consists of: 2072 2073 - A one-octet version number. The current version is 3. 2074 2075 - A one-octet signature type. Signature types are described in 2076 section 5.2.1. 2077 2078 - A one-octet number describing the hash algorithm used. 2079 2080 - A one-octet number describing the public key algorithm used. 2081 2082 - An eight-octet number holding the key ID of the signing key. 2083 2084 - A one-octet number holding a flag showing whether the signature 2085 is nested. A zero value indicates that the next packet is 2086 another One-Pass Signature packet that describes another 2087 signature to be applied to the same message data. 2088 2089 Note that if a message contains more than one one-pass signature, 2090 then the signature packets bracket the message; that is, the first 2091 signature packet after the message corresponds to the last one-pass 2092 packet and the final signature packet corresponds to the first 2093 one-pass packet. 2094 2095 5.5. Key Material Packet 2096 2097 A key material packet contains all the information about a public or 2098 private key. There are four variants of this packet type, and two 2099 major versions. Consequently, this section is complex. 2100 2101 5.5.1. Key Packet Variants 2102 2103 5.5.1.1. Public Key Packet (Tag 6) 2104 2105 A Public Key packet starts a series of packets that forms an OpenPGP 2106 key (sometimes called an OpenPGP certificate). 2107 2108 Callas, et al. Expires Nov 23, 2005 [Page 37] 2109 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2111 2112 5.5.1.2. Public Subkey Packet (Tag 14) 2113 2114 A Public Subkey packet (tag 14) has exactly the same format as a 2115 Public Key packet, but denotes a subkey. One or more subkeys may be 2116 associated with a top-level key. By convention, the top-level key 2117 provides signature services, and the subkeys provide encryption 2118 services. 2119 2120 Note: in PGP 2.6.x, tag 14 was intended to indicate a comment 2121 packet. This tag was selected for reuse because no previous version 2122 of PGP ever emitted comment packets but they did properly ignore 2123 them. Public Subkey packets are ignored by PGP 2.6.x and do not 2124 cause it to fail, providing a limited degree of backward 2125 compatibility. 2126 2127 5.5.1.3. Secret Key Packet (Tag 5) 2128 2129 A Secret Key packet contains all the information that is found in a 2130 Public Key packet, including the public key material, but also 2131 includes the secret key material after all the public key fields. 2132 2133 5.5.1.4. Secret Subkey Packet (Tag 7) 2134 2135 A Secret Subkey packet (tag 7) is the subkey analog of the Secret 2136 Key packet, and has exactly the same format. 2137 2138 5.5.2. Public Key Packet Formats 2139 2140 There are two versions of key-material packets. Version 3 packets 2141 were first generated by PGP 2.6. Version 4 keys first appeared in 2142 PGP 5.0, and are the preferred key version for OpenPGP. 2143 2144 OpenPGP implementations SHOULD create keys with version 4 format. V3 2145 keys are deprecated; an implementation SHOULD NOT generate a V3 key, 2146 but MAY accept it. An implementation MUST NOT create a V3 key with a 2147 public key algorithm other than RSA. 2148 2149 A version 3 public key or public subkey packet contains: 2150 2151 - A one-octet version number (3). 2152 2153 - A four-octet number denoting the time that the key was created. 2154 2155 - A two-octet number denoting the time in days that this key is 2156 valid. If this number is zero, then it does not expire. 2157 2158 - A one-octet number denoting the public key algorithm of this key 2159 2160 - A series of multiprecision integers comprising the key material: 2161 2162 2163 2164 2165 Callas, et al. Expires Nov 23, 2005 [Page 38] 2166 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2168 2169 - a multiprecision integer (MPI) of RSA public modulus n; 2170 2171 - an MPI of RSA public encryption exponent e. 2172 2173 V3 keys are deprecated. They contain three weaknesses in them. 2174 First, it is relatively easy to construct a V3 key that has the same 2175 key ID as any other key because the key ID is simply the low 64 bits 2176 of the public modulus. Secondly, because the fingerprint of a V3 key 2177 hashes the key material, but not its length, there is an increased 2178 opportunity for fingerprint collisions. Third, there are minor 2179 weaknesses in the MD5 hash algorithm that make developers prefer 2180 other algorithms. See below for a fuller discussion of key IDs and 2181 fingerprints. 2182 2183 V2 keys are identical to V3 keys except for the deprecated V3 keys 2184 except for the version number. An implementation MUST NOT generate 2185 them and may accept or reject them as it sees fit. 2186 2187 The version 4 format is similar to the version 3 format except for 2188 the absence of a validity period. This has been moved to the 2189 signature packet. In addition, fingerprints of version 4 keys are 2190 calculated differently from version 3 keys, as described in section 2191 "Enhanced Key Formats." 2192 2193 A version 4 packet contains: 2194 2195 - A one-octet version number (4). 2196 2197 - A four-octet number denoting the time that the key was created. 2198 2199 - A one-octet number denoting the public key algorithm of this key 2200 2201 - A series of multiprecision integers comprising the key material. 2202 This algorithm-specific portion is: 2203 2204 Algorithm Specific Fields for RSA public keys: 2205 2206 - multiprecision integer (MPI) of RSA public modulus n; 2207 2208 - MPI of RSA public encryption exponent e. 2209 2210 Algorithm Specific Fields for DSA public keys: 2211 2212 - MPI of DSA prime p; 2213 2214 - MPI of DSA group order q (q is a prime divisor of p-1); 2215 2216 - MPI of DSA group generator g; 2217 2218 - MPI of DSA public key value y (= g**x mod p where x is 2219 secret). 2220 2221 2222 Callas, et al. Expires Nov 23, 2005 [Page 39] 2223 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2225 2226 Algorithm Specific Fields for Elgamal public keys: 2227 2228 - MPI of Elgamal prime p; 2229 2230 - MPI of Elgamal group generator g; 2231 2232 - MPI of Elgamal public key value y (= g**x mod p where x is 2233 secret). 2234 2235 5.5.3. Secret Key Packet Formats 2236 2237 The Secret Key and Secret Subkey packets contain all the data of the 2238 Public Key and Public Subkey packets, with additional 2239 algorithm-specific secret key data appended, usually in encrypted 2240 form. 2241 2242 The packet contains: 2243 2244 - A Public Key or Public Subkey packet, as described above 2245 2246 - One octet indicating string-to-key usage conventions. Zero 2247 indicates that the secret key data is not encrypted. 255 or 254 2248 indicates that a string-to-key specifier is being given. Any 2249 other value is a symmetric-key encryption algorithm identifier. 2250 2251 - [Optional] If string-to-key usage octet was 255 or 254, a 2252 one-octet symmetric encryption algorithm. 2253 2254 - [Optional] If string-to-key usage octet was 255 or 254, a 2255 string-to-key specifier. The length of the string-to-key 2256 specifier is implied by its type, as described above. 2257 2258 - [Optional] If secret data is encrypted (string-to-key usage 2259 octet not zero), an Initial Vector (IV) of the same length as 2260 the cipher's block size. 2261 2262 - Plain or encrypted multiprecision integers comprising the secret 2263 key data. These algorithm-specific fields are as described 2264 below. 2265 2266 - If the string-to-key usage octet is zero or 255, then a 2267 two-octet checksum of the plaintext of the algorithm-specific 2268 portion (sum of all octets, mod 65536). If the string-to-key 2269 usage octet was 254, then a 20-octet SHA-1 hash of the plaintext 2270 of the algorithm-specific portion. This checksum or hash is 2271 encrypted together with the algorithm-specific fields (if 2272 string-to-key usage octet is not zero). Note that for all other 2273 values, a two-octet checksum is required. 2274 2275 Algorithm Specific Fields for RSA secret keys: 2276 2277 2278 2279 Callas, et al. Expires Nov 23, 2005 [Page 40] 2280 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2282 2283 - multiprecision integer (MPI) of RSA secret exponent d. 2284 2285 - MPI of RSA secret prime value p. 2286 2287 - MPI of RSA secret prime value q (p < q). 2288 2289 - MPI of u, the multiplicative inverse of p, mod q. 2290 2291 Algorithm Specific Fields for DSA secret keys: 2292 2293 - MPI of DSA secret exponent x. 2294 2295 Algorithm Specific Fields for Elgamal secret keys: 2296 2297 - MPI of Elgamal secret exponent x. 2298 2299 Secret MPI values can be encrypted using a passphrase. If a 2300 string-to-key specifier is given, that describes the algorithm for 2301 converting the passphrase to a key, else a simple MD5 hash of the 2302 passphrase is used. Implementations MUST use a string-to-key 2303 specifier; the simple hash is for backward compatibility and is 2304 deprecated, though implementations MAY continue to use existing 2305 private keys in the old format. The cipher for encrypting the MPIs 2306 is specified in the secret key packet. 2307 2308 Encryption/decryption of the secret data is done in CFB mode using 2309 the key created from the passphrase and the Initial Vector from the 2310 packet. A different mode is used with V3 keys (which are only RSA) 2311 than with other key formats. With V3 keys, the MPI bit count prefix 2312 (i.e., the first two octets) is not encrypted. Only the MPI 2313 non-prefix data is encrypted. Furthermore, the CFB state is 2314 resynchronized at the beginning of each new MPI value, so that the 2315 CFB block boundary is aligned with the start of the MPI data. 2316 2317 With V4 keys, a simpler method is used. All secret MPI values are 2318 encrypted in CFB mode, including the MPI bitcount prefix. 2319 2320 The two-octet checksum that follows the algorithm-specific portion 2321 is the algebraic sum, mod 65536, of the plaintext of all the 2322 algorithm-specific octets (including MPI prefix and data). With V3 2323 keys, the checksum is stored in the clear. With V4 keys, the 2324 checksum is encrypted like the algorithm-specific data. This value 2325 is used to check that the passphrase was correct. However, this 2326 checksum is deprecated; an implementation SHOULD NOT use it, but 2327 should rather use the SHA-1 hash denoted with a usage octet of 254. 2328 The reason for this is that there are some attacks on the private 2329 key that can undetectably modify the secret key. Using a SHA-1 hash 2330 prevents this. 2331 2332 5.6. Compressed Data Packet (Tag 8) 2333 2334 The Compressed Data packet contains compressed data. Typically, this 2335 2336 Callas, et al. Expires Nov 23, 2005 [Page 41] 2337 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2339 2340 packet is found as the contents of an encrypted packet, or following 2341 a Signature or One-Pass Signature packet, and contains literal data 2342 packets. 2343 2344 The body of this packet consists of: 2345 2346 - One octet that gives the algorithm used to compress the packet. 2347 2348 - The remainder of the packet is compressed data. 2349 2350 A Compressed Data Packet's body contains an block that compresses 2351 some set of packets. See section "Packet Composition" for details on 2352 how messages are formed. 2353 2354 ZIP-compressed packets are compressed with raw RFC 1951 DEFLATE 2355 blocks. Note that PGP V2.6 uses 13 bits of compression. If an 2356 implementation uses more bits of compression, PGP V2.6 cannot 2357 decompress it. 2358 2359 ZLIB-compressed packets are compressed with RFC 1950 ZLIB-style 2360 blocks. 2361 2362 5.7. Symmetrically Encrypted Data Packet (Tag 9) 2363 2364 The Symmetrically Encrypted Data packet contains data encrypted with 2365 a symmetric-key algorithm. When it has been decrypted, it contains 2366 other packets (usually literal data packets or compressed data 2367 packets, but in theory other Symmetrically Encrypted Data Packets or 2368 sequences of packets that form whole OpenPGP messages). 2369 2370 The body of this packet consists of: 2371 2372 - Encrypted data, the output of the selected symmetric-key cipher 2373 operating in OpenPGP's variant of Cipher Feedback (CFB) mode. 2374 2375 The symmetric cipher used may be specified in an Public-Key or 2376 Symmetric-Key Encrypted Session Key packet that precedes the 2377 Symmetrically Encrypted Data Packet. In that case, the cipher 2378 algorithm octet is prefixed to the session key before it is 2379 encrypted. If no packets of these types precede the encrypted data, 2380 the IDEA algorithm is used with the session key calculated as the 2381 MD5 hash of the passphrase, though this use is deprecated. 2382 2383 The data is encrypted in CFB mode, with a CFB shift size equal to 2384 the cipher's block size. The Initial Vector (IV) is specified as 2385 all zeros. Instead of using an IV, OpenPGP prefixes a string of 2386 length equal to the block size of the cipher plus two to the data 2387 before it is encrypted. The first block-size octets (for example, 8 2388 octets for a 64-bit block length) are random, and the following two 2389 octets are copies of the last two octets of the IV. For example, in 2390 an 8 octet block, octet 9 is a repeat of octet 7, and octet 10 is a 2391 repeat of octet 8. In a cipher of length 16, octet 17 is a repeat of 2392 2393 Callas, et al. Expires Nov 23, 2005 [Page 42] 2394 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2396 2397 octet 15 and octet 18 is a repeat of octet 16. As a pedantic 2398 clarification, in both these examples, we consider the first octet 2399 to be numbered 1. 2400 2401 After encrypting the first block-size-plus-two octets, the CFB state 2402 is resynchronized. The last block-size octets of ciphertext are 2403 passed through the cipher and the block boundary is reset. 2404 2405 The repetition of 16 bits in the random data prefixed to the message 2406 allows the receiver to immediately check whether the session key is 2407 incorrect. See the Security Considerations section for hints on the 2408 proper use of this "quick check." 2409 2410 5.8. Marker Packet (Obsolete Literal Packet) (Tag 10) 2411 2412 An experimental version of PGP used this packet as the Literal 2413 packet, but no released version of PGP generated Literal packets 2414 with this tag. With PGP 5.x, this packet has been re-assigned and is 2415 reserved for use as the Marker packet. 2416 2417 The body of this packet consists of: 2418 2419 - The three octets 0x50, 0x47, 0x50 (which spell "PGP" in UTF-8). 2420 2421 Such a packet MUST be ignored when received. It may be placed at 2422 the beginning of a message that uses features not available in PGP 2423 2.6.x in order to cause that version to report that newer software 2424 is necessary to process the message. 2425 2426 5.9. Literal Data Packet (Tag 11) 2427 2428 A Literal Data packet contains the body of a message; data that is 2429 not to be further interpreted. 2430 2431 The body of this packet consists of: 2432 2433 - A one-octet field that describes how the data is formatted. 2434 2435 If it is a 'b' (0x62), then the literal packet contains binary data. 2436 If it is a 't' (0x74), then it contains text data, and thus may need 2437 line ends converted to local form, or other text-mode changes. The 2438 tag 'u' (0x75) means the same as 't', but also indicates that 2439 implementation believes that the literal data contains UTF-8 text. 2440 2441 Early versions of PGP also defined a value of 'l' as a 'local' mode 2442 for machine-local conversions. RFC 1991 incorrectly stated this 2443 local mode flag as '1' (ASCII numeral one). Both of these local 2444 modes are deprecated. 2445 2446 - File name as a string (one-octet length, followed by a file 2447 name). This may be a zero-length string. Commonly, if the source 2448 of the encrypted data is a file, this will be the name of the 2449 2450 Callas, et al. Expires Nov 23, 2005 [Page 43] 2451 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2453 2454 encrypted file. An implementation MAY consider the file name in 2455 the literal packet to be a more authoritative name than the 2456 actual file name. 2457 2458 If the special name "_CONSOLE" is used, the message is considered to 2459 be "for your eyes only". This advises that the message data is 2460 unusually sensitive, and the receiving program should process it 2461 more carefully, perhaps avoiding storing the received data to disk, 2462 for example. 2463 2464 - A four-octet number that indicates a date associated with the 2465 literal data. Commonly, the date might be the modification date 2466 of a file, or the time the packet was created, or a zero that 2467 indicates no specific time. 2468 2469 - The remainder of the packet is literal data. 2470 2471 Text data is stored with <CR><LF> text endings (i.e. network-normal 2472 line endings). These should be converted to native line endings by 2473 the receiving software. 2474 2475 5.10. Trust Packet (Tag 12) 2476 2477 The Trust packet is used only within keyrings and is not normally 2478 exported. Trust packets contain data that record the user's 2479 specifications of which key holders are trustworthy introducers, 2480 along with other information that implementing software uses for 2481 trust information. The format of trust packets is defined by a given 2482 implementation. 2483 2484 Trust packets SHOULD NOT be emitted to output streams that are 2485 transferred to other users, and they SHOULD be ignored on any input 2486 other than local keyring files. 2487 2488 5.11. User ID Packet (Tag 13) 2489 2490 A User ID packet consists of UTF-8 text that is intended to 2491 represent the name and email address of the key holder. By 2492 convention, it includes an RFC 822 mail name, but there are no 2493 restrictions on its content. The packet length in the header 2494 specifies the length of the User ID. 2495 2496 5.12. User Attribute Packet (Tag 17) 2497 2498 The User Attribute packet is a variation of the User ID packet. It 2499 is capable of storing more types of data than the User ID packet 2500 which is limited to text. Like the User ID packet, a User Attribute 2501 packet may be certified by the key owner ("self-signed") or any 2502 other key owner who cares to certify it. Except as noted, a User 2503 Attribute packet may be used anywhere that a User ID packet may be 2504 used. 2505 2506 2507 Callas, et al. Expires Nov 23, 2005 [Page 44] 2508 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2510 2511 While User Attribute packets are not a required part of the OpenPGP 2512 standard, implementations SHOULD provide at least enough 2513 compatibility to properly handle a certification signature on the 2514 User Attribute packet. A simple way to do this is by treating the 2515 User Attribute packet as a User ID packet with opaque contents, but 2516 an implementation may use any method desired. 2517 2518 The User Attribute packet is made up of one or more attribute 2519 subpackets. Each subpacket consists of a subpacket header and a 2520 body. The header consists of: 2521 2522 - the subpacket length (1, 2, or 5 octets) 2523 2524 - the subpacket type (1 octet) 2525 2526 and is followed by the subpacket specific data. 2527 2528 The only currently defined subpacket type is 1, signifying an image. 2529 An implementation SHOULD ignore any subpacket of a type that it does 2530 not recognize. Subpacket types 100 through 110 are reserved for 2531 private or experimental use. 2532 2533 5.12.1. The Image Attribute Subpacket 2534 2535 The image attribute subpacket is used to encode an image, presumably 2536 (but not required to be) that of the key owner. 2537 2538 The image attribute subpacket begins with an image header. The 2539 first two octets of the image header contain the length of the image 2540 header. Note that unlike other multi-octet numerical values in this 2541 document, due to an historical accident this value is encoded as a 2542 little-endian number. The image header length is followed by a 2543 single octet for the image header version. The only currently 2544 defined version of the image header is 1, which is a 16 octet image 2545 header. The first three octets of a version 1 image header are thus 2546 0x10 0x00 0x01. 2547 2548 The fourth octet of a version 1 image header designates the encoding 2549 format of the image. The only currently defined encoding format is 2550 the value 1 to indicate JPEG. Image format types 100 through 110 2551 are reserved for private or experimental use. The rest of the 2552 version 1 image header is made up of 12 reserved octets, all of 2553 which MUST be set to 0. 2554 2555 The rest of the image subpacket contains the image itself. As the 2556 only currently defined image type is JPEG, the image is encoded in 2557 the JPEG File Interchange Format (JFIF), a standard file format for 2558 JPEG images. [JFIF] 2559 2560 An implementation MAY try and determine the type of an image by 2561 examination of the image data if it is unable to handle a particular 2562 version of the image header or if a specified encoding format value 2563 2564 Callas, et al. Expires Nov 23, 2005 [Page 45] 2565 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2567 2568 is not recognized. 2569 2570 5.13. Sym. Encrypted Integrity Protected Data Packet (Tag 18) 2571 2572 The Symmetrically Encrypted Integrity Protected Data Packet is a 2573 variant of the Symmetrically Encrypted Data Packet. It is a new 2574 feature created for OpenPGP that addresses the problem of detecting 2575 a modification to encrypted data. It is used in combination with a 2576 Modification Detection Code Packet. 2577 2578 There is a corresponding feature in the features signature subpacket 2579 that denotes that an implementation can properly use this packet 2580 type. An implementation MUST support decrypting these packets and 2581 SHOULD prefer generating them to the older Symmetrically Encrypted 2582 Data Packet when possible. Since this data packet protects against 2583 modification attacks, this standard encourages its proliferation. 2584 While blanket adoption of this data packet would create 2585 interoperability problems, rapid adoption is nevertheless important. 2586 An implementation SHOULD specifically denote support for this 2587 packet, but it MAY infer it from other mechanisms. 2588 2589 For example, an implementation might infer from the use of a cipher 2590 such as AES or Twofish that a user supports this feature. It might 2591 place in the unhashed portion of another user's key signature a 2592 features subpacket. It might also present a user with an opportunity 2593 to regenerate their own self-signature with a features subpacket. 2594 2595 This packet contains data encrypted with a symmetric-key algorithm 2596 and protected against modification by the SHA-1 hash algorithm. When 2597 it has been decrypted, it will typically contain other packets 2598 (often literal data packets or compressed data packets). The last 2599 decrypted packet in this packet's payload MUST be a Modification 2600 Detection Code packet. 2601 2602 The body of this packet consists of: 2603 2604 - A one-octet version number. The only currently defined value is 2605 1. 2606 2607 - Encrypted data, the output of the selected symmetric-key cipher 2608 operating in Cipher Feedback mode with shift amount equal to the 2609 block size of the cipher (CFB-n where n is the block size). 2610 2611 The symmetric cipher used MUST be specified in a Public-Key or 2612 Symmetric-Key Encrypted Session Key packet that precedes the 2613 Symmetrically Encrypted Data Packet. In either case, the cipher 2614 algorithm octet is prefixed to the session key before it is 2615 encrypted. 2616 2617 The data is encrypted in CFB mode, with a CFB shift size equal to 2618 the cipher's block size. The Initial Vector (IV) is specified as 2619 all zeros. Instead of using an IV, OpenPGP prefixes an octet string 2620 2621 Callas, et al. Expires Nov 23, 2005 [Page 46] 2622 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2624 2625 to the data before it is encrypted. The length of the octet string 2626 equals the block size of the cipher in octets, plus two. The first 2627 octets in the group, of length equal to the block size of the 2628 cipher, are random; the last two octets are each copies of their 2nd 2629 preceding octet. For example, with a cipher whose block size is 128 2630 bits or 16 octets, the prefix data will contain 16 random octets, 2631 then two more octets, which are copies of the 15th and 16th octets, 2632 respectively. Unlike the Symmetrically Encrypted Data Packet, no 2633 special CFB resynchronization is done after encrypting this prefix 2634 data. See OpenPGP CFB Mode below for more details. 2635 2636 The repetition of 16 bits in the random data prefixed to the message 2637 allows the receiver to immediately check whether the session key is 2638 incorrect. 2639 2640 The plaintext of the data to be encrypted is passed through the 2641 SHA-1 hash function, and the result of the hash is appended to the 2642 plaintext in a Modification Detection Code packet. The input to the 2643 hash function includes the prefix data described above; it includes 2644 all of the plaintext, and then also includes two octets of values 2645 0xD3, 0x14. These represent the encoding of a Modification 2646 Detection Code packet tag and length field of 20 octets. 2647 2648 The resulting hash value is stored in a Modification Detection Code 2649 packet which MUST use the two octet encoding just given to represent 2650 its tag and length field. The body of the MDC packet is the 20 2651 octet output of the SHA-1 hash. 2652 2653 The Modification Detection Code packet is appended to the plaintext 2654 and encrypted along with the plaintext using the same CFB context. 2655 2656 During decryption, the plaintext data should be hashed with SHA-1, 2657 including the prefix data as well as the packet tag and length field 2658 of the Modification Detection Code packet. The body of the MDC 2659 packet, upon decryption, is compared with the result of the SHA-1 2660 hash. 2661 2662 Any failure of the MDC indicates that the message has been modified 2663 and MUST be treated as a security problem. Failures include a 2664 difference in the hash values, but also the absence of an MDC 2665 packet, or an MDC packet in any position other than the end of the 2666 plaintext. Any failure SHOULD be reported to the user. 2667 2668 Note: future designs of new versions of this packet should consider 2669 rollback attacks since it will be possible for an attacker to change 2670 the version back to 1. 2671 2672 5.14. Modification Detection Code Packet (Tag 19) 2673 2674 The Modification Detection Code packet contains a SHA-1 hash of 2675 plaintext data which is used to detect message modification. It is 2676 only used with a Symmetrically Encrypted Integrity Protected Data 2677 2678 Callas, et al. Expires Nov 23, 2005 [Page 47] 2679 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2681 2682 packet. The Modification Detection Code packet MUST be the last 2683 packet in the plaintext data which is encrypted in the Symmetrically 2684 Encrypted Integrity Protected Data packet, and MUST appear in no 2685 other place. 2686 2687 A Modification Detection Code packet MUST have a length of 20 2688 octets. 2689 2690 The body of this packet consists of: 2691 2692 - A 20-octet SHA-1 hash of the preceding plaintext data of the 2693 Symmetrically Encrypted Integrity Protected Data packet, 2694 including prefix data, the tag octet, and length octet of the 2695 Modification Detection Code packet. 2696 2697 Note that the Modification Detection Code packet MUST always use a 2698 new-format encoding of the packet tag, and a one-octet encoding of 2699 the packet length. The reason for this is that the hashing rules for 2700 modification detection include a one-octet tag and one-octet length 2701 in the data hash. While this is a bit restrictive, it reduces 2702 complexity. 2703 2704 6. Radix-64 Conversions 2705 2706 As stated in the introduction, OpenPGP's underlying native 2707 representation for objects is a stream of arbitrary octets, and some 2708 systems desire these objects to be immune to damage caused by 2709 character set translation, data conversions, etc. 2710 2711 In principle, any printable encoding scheme that met the 2712 requirements of the unsafe channel would suffice, since it would not 2713 change the underlying binary bit streams of the native OpenPGP data 2714 structures. The OpenPGP standard specifies one such printable 2715 encoding scheme to ensure interoperability. 2716 2717 OpenPGP's Radix-64 encoding is composed of two parts: a base64 2718 encoding of the binary data, and a checksum. The base64 encoding is 2719 identical to the MIME base64 content-transfer-encoding [RFC2045]. 2720 2721 The checksum is a 24-bit CRC converted to four characters of 2722 radix-64 encoding by the same MIME base64 transformation, preceded 2723 by an equals sign (=). The CRC is computed by using the generator 2724 0x864CFB and an initialization of 0xB704CE. The accumulation is 2725 done on the data before it is converted to radix-64, rather than on 2726 the converted data. A sample implementation of this algorithm is in 2727 the next section. 2728 2729 The checksum with its leading equal sign MAY appear on the first 2730 line after the Base64 encoded data. 2731 2732 2733 2734 2735 Callas, et al. Expires Nov 23, 2005 [Page 48] 2736 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2738 2739 Rationale for CRC-24: The size of 24 bits fits evenly into printable 2740 base64. The nonzero initialization can detect more errors than a 2741 zero initialization. 2742 2743 6.1. An Implementation of the CRC-24 in "C" 2744 2745 #define CRC24_INIT 0xb704ceL 2746 #define CRC24_POLY 0x1864cfbL 2747 2748 typedef long crc24; 2749 crc24 crc_octets(unsigned char *octets, size_t len) 2750 { 2751 crc24 crc = CRC24_INIT; 2752 int i; 2753 2754 while (len--) { 2755 crc ^= (*octets++) << 16; 2756 for (i = 0; i < 8; i++) { 2757 crc <<= 1; 2758 if (crc & 0x1000000) 2759 crc ^= CRC24_POLY; 2760 } 2761 } 2762 return crc & 0xffffffL; 2763 } 2764 2765 6.2. Forming ASCII Armor 2766 2767 When OpenPGP encodes data into ASCII Armor, it puts specific headers 2768 around the Radix-64 encoded data, so OpenPGP can reconstruct the 2769 data later. An OpenPGP implementation MAY use ASCII armor to protect 2770 raw binary data. OpenPGP informs the user what kind of data is 2771 encoded in the ASCII armor through the use of the headers. 2772 2773 Concatenating the following data creates ASCII Armor: 2774 2775 - An Armor Header Line, appropriate for the type of data 2776 2777 - Armor Headers 2778 2779 - A blank (zero-length, or containing only whitespace) line 2780 2781 - The ASCII-Armored data 2782 2783 - An Armor Checksum 2784 2785 - The Armor Tail, which depends on the Armor Header Line. 2786 2787 An Armor Header Line consists of the appropriate header line text 2788 surrounded by five (5) dashes ('-', 0x2D) on either side of the 2789 header line text. The header line text is chosen based upon the 2790 type of data that is being encoded in Armor, and how it is being 2791 2792 Callas, et al. Expires Nov 23, 2005 [Page 49] 2793 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2795 2796 encoded. Header line texts include the following strings: 2797 2798 BEGIN PGP MESSAGE 2799 Used for signed, encrypted, or compressed files. 2800 2801 BEGIN PGP PUBLIC KEY BLOCK 2802 Used for armoring public keys 2803 2804 BEGIN PGP PRIVATE KEY BLOCK 2805 Used for armoring private keys 2806 2807 BEGIN PGP MESSAGE, PART X/Y 2808 Used for multi-part messages, where the armor is split amongst Y 2809 parts, and this is the Xth part out of Y. 2810 2811 BEGIN PGP MESSAGE, PART X 2812 Used for multi-part messages, where this is the Xth part of an 2813 unspecified number of parts. Requires the MESSAGE-ID Armor 2814 Header to be used. 2815 2816 BEGIN PGP SIGNATURE 2817 Used for detached signatures, OpenPGP/MIME signatures, and 2818 cleartext signatures. Note that PGP 2.x uses BEGIN PGP MESSAGE 2819 for detached signatures. 2820 2821 Note that all these Armor Header Lines are to consist of a complete 2822 line. That is to say, there is always a line ending preceding the 2823 starting five dashes, and following the ending five dashes. The 2824 header lines, therefore, MUST start at the beginning of a line, and 2825 MUST NOT have text following them on the same line. These line 2826 endings are considered a part of the Armor Header Line for the 2827 purposes of determining the content they delimit. This is 2828 particularly important when computing a cleartext signature (see 2829 below). 2830 2831 The Armor Headers are pairs of strings that can give the user or the 2832 receiving OpenPGP implementation some information about how to 2833 decode or use the message. The Armor Headers are a part of the 2834 armor, not a part of the message, and hence are not protected by any 2835 signatures applied to the message. 2836 2837 The format of an Armor Header is that of a key-value pair. A colon 2838 (':' 0x38) and a single space (0x20) separate the key and value. 2839 OpenPGP should consider improperly formatted Armor Headers to be 2840 corruption of the ASCII Armor. Unknown keys should be reported to 2841 the user, but OpenPGP should continue to process the message. 2842 2843 Currently defined Armor Header Keys are: 2844 2845 - "Version", that states the OpenPGP implementation and version 2846 used to encode the message. 2847 2848 2849 Callas, et al. Expires Nov 23, 2005 [Page 50] 2850 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2852 2853 - "Comment", a user-defined comment. OpenPGP defines all text to 2854 be in UTF-8. A comment may be any UTF-8 string. However, the 2855 whole point of armoring is to provide seven-bit-clean data. 2856 Consequently, if a comment has characters that are outside the 2857 US-ASCII range of UTF, they may very well not survive transport. 2858 2859 - "MessageID", a 32-character string of printable characters. The 2860 string must be the same for all parts of a multi-part message 2861 that uses the "PART X" Armor Header. MessageID strings should 2862 be unique enough that the recipient of the mail can associate 2863 all the parts of a message with each other. A good checksum or 2864 cryptographic hash function is sufficient. 2865 2866 The MessageID SHOULD NOT appear unless it is in a multi-part 2867 message. If it appears at all, it MUST be computed from the 2868 finished (encrypted, signed, etc.) message in a deterministic 2869 fashion, rather than contain a purely random value. This is to 2870 allow the legitimate recipient to determine that the MessageID 2871 cannot serve as a covert means of leaking cryptographic key 2872 information. 2873 2874 - "Hash", a comma-separated list of hash algorithms used in this 2875 message. This is used only in cleartext signed messages. 2876 2877 - "Charset", a description of the character set that the plaintext 2878 is in. Please note that OpenPGP defines text to be in UTF-8. An 2879 implementation will get best results by translating into and out 2880 of UTF-8. However, there are many instances where this is easier 2881 said than done. Also, there are communities of users who have no 2882 need for UTF-8 because they are all happy with a character set 2883 like ISO Latin-5 or a Japanese character set. In such instances, 2884 an implementation MAY override the UTF-8 default by using this 2885 header key. An implementation MAY implement this key and any 2886 translations it cares to; an implementation MAY ignore it and 2887 assume all text is UTF-8. 2888 2889 The Armor Tail Line is composed in the same manner as the Armor 2890 Header Line, except the string "BEGIN" is replaced by the string 2891 "END". 2892 2893 6.3. Encoding Binary in Radix-64 2894 2895 The encoding process represents 24-bit groups of input bits as 2896 output strings of 4 encoded characters. Proceeding from left to 2897 right, a 24-bit input group is formed by concatenating three 8-bit 2898 input groups. These 24 bits are then treated as four concatenated 2899 6-bit groups, each of which is translated into a single digit in the 2900 Radix-64 alphabet. When encoding a bit stream with the Radix-64 2901 encoding, the bit stream must be presumed to be ordered with the 2902 most-significant-bit first. That is, the first bit in the stream 2903 will be the high-order bit in the first 8-bit octet, and the eighth 2904 bit will be the low-order bit in the first 8-bit octet, and so on. 2905 2906 Callas, et al. Expires Nov 23, 2005 [Page 51] 2907 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2909 2910 +--first octet--+-second octet--+--third octet--+ 2911 |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0| 2912 +-----------+---+-------+-------+---+-----------+ 2913 |5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0| 2914 +--1.index--+--2.index--+--3.index--+--4.index--+ 2915 2916 Each 6-bit group is used as an index into an array of 64 printable 2917 characters from the table below. The character referenced by the 2918 index is placed in the output string. 2919 2920 Value Encoding Value Encoding Value Encoding Value Encoding 2921 0 A 17 R 34 i 51 z 2922 1 B 18 S 35 j 52 0 2923 2 C 19 T 36 k 53 1 2924 3 D 20 U 37 l 54 2 2925 4 E 21 V 38 m 55 3 2926 5 F 22 W 39 n 56 4 2927 6 G 23 X 40 o 57 5 2928 7 H 24 Y 41 p 58 6 2929 8 I 25 Z 42 q 59 7 2930 9 J 26 a 43 r 60 8 2931 10 K 27 b 44 s 61 9 2932 11 L 28 c 45 t 62 + 2933 12 M 29 d 46 u 63 / 2934 13 N 30 e 47 v 2935 14 O 31 f 48 w (pad) 15 P 32 g 49 x 2936 16 Q 33 h 50 y 2937 2938 The encoded output stream must be represented in lines of no more 2939 than 76 characters each. 2940 2941 Special processing is performed if fewer than 24 bits are available 2942 at the end of the data being encoded. There are three possibilities: 2943 2944 1. The last data group has 24 bits (3 octets). No special 2945 processing is needed. 2946 2947 2. The last data group has 16 bits (2 octets). The first two 6-bit 2948 groups are processed as above. The third (incomplete) data group 2949 has two zero-value bits added to it, and is processed as above. 2950 A pad character (=) is added to the output. 2951 2952 3. The last data group has 8 bits (1 octet). The first 6-bit group 2953 is processed as above. The second (incomplete) data group has 2954 four zero-value bits added to it, and is processed as above. Two 2955 pad characters (=) are added to the output. 2956 2957 6.4. Decoding Radix-64 2958 2959 Any characters outside of the base64 alphabet are ignored in 2960 Radix-64 data. Decoding software must ignore all line breaks or 2961 2962 Callas, et al. Expires Nov 23, 2005 [Page 52] 2963 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 2965 2966 other characters not found in the table above. 2967 2968 In Radix-64 data, characters other than those in the table, line 2969 breaks, and other white space probably indicate a transmission 2970 error, about which a warning message or even a message rejection 2971 might be appropriate under some circumstances. 2972 2973 Because it is used only for padding at the end of the data, the 2974 occurrence of any "=" characters may be taken as evidence that the 2975 end of the data has been reached (without truncation in transit). No 2976 such assurance is possible, however, when the number of octets 2977 transmitted was a multiple of three and no "=" characters are 2978 present. 2979 2980 6.5. Examples of Radix-64 2981 2982 Input data: 0x14fb9c03d97e 2983 Hex: 1 4 f b 9 c | 0 3 d 9 7 e 2984 8-bit: 00010100 11111011 10011100 | 00000011 11011001 2985 11111110 2986 6-bit: 000101 001111 101110 011100 | 000000 111101 100111 2987 111110 2988 Decimal: 5 15 46 28 0 61 37 62 2989 Output: F P u c A 9 l + 2990 2991 Input data: 0x14fb9c03d9 2992 Hex: 1 4 f b 9 c | 0 3 d 9 2993 8-bit: 00010100 11111011 10011100 | 00000011 11011001 2994 pad with 00 2995 6-bit: 000101 001111 101110 011100 | 000000 111101 100100 2996 Decimal: 5 15 46 28 0 61 36 2997 pad with Output: F P u c A 9 k 2998 Input data: 0x14fb9c03 2999 Hex: 1 4 f b 9 c | 0 3 3000 8-bit: 00010100 11111011 10011100 | 00000011 3001 pad with 0000 3002 6-bit: 000101 001111 101110 011100 | 000000 110000 3003 Decimal: 5 15 46 28 0 48 3004 pad with = Output: F P u c A w = 3005 6.6. Example of an ASCII Armored Message 3006 3007 -----BEGIN PGP MESSAGE----- 3008 Version: OpenPrivacy 0.99 3009 3010 yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS 3011 vBSFjNSiVHsuAA= =njUN 3012 -----END PGP MESSAGE----- 3013 3014 Callas, et al. Expires Nov 23, 2005 [Page 53] 3015 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3017 3018 Note that this example is indented by two spaces. 3019 3020 7. Cleartext signature framework 3021 3022 It is desirable to sign a textual octet stream without ASCII 3023 armoring the stream itself, so the signed text is still readable 3024 without special software. In order to bind a signature to such a 3025 cleartext, this framework is used. (Note that RFC 3156 defines 3026 another way to sign cleartext messages for environments that support 3027 MIME.) 3028 3029 The cleartext signed message consists of: 3030 3031 - The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a 3032 single line, 3033 3034 - One or more "Hash" Armor Headers, 3035 3036 - Exactly one empty line not included into the message digest, 3037 3038 - The dash-escaped cleartext that is included into the message 3039 digest, 3040 3041 - The ASCII armored signature(s) including the '-----BEGIN PGP 3042 SIGNATURE-----' Armor Header and Armor Tail Lines. 3043 3044 If the "Hash" armor header is given, the specified message digest 3045 algorithm(s) are used for the signature. If there are no such 3046 headers, MD5 is used. If MD5 is the only hash used, then an 3047 implementation MAY omit this header for improved V2.x compatibility. 3048 If more than one message digest is used in the signature, the "Hash" 3049 armor header contains a comma-delimited list of used message 3050 digests. 3051 3052 Current message digest names are described below with the algorithm 3053 IDs. 3054 3055 7.1. Dash-Escaped Text 3056 3057 The cleartext content of the message must also be dash-escaped. 3058 3059 Dash escaped cleartext is the ordinary cleartext where every line 3060 starting with a dash '-' (0x2D) is prefixed by the sequence dash '-' 3061 (0x2D) and space ' ' (0x20). This prevents the parser from 3062 recognizing armor headers of the cleartext itself. An implementation 3063 MAY dash escape any line, SHOULD dash escape lines commencing "From" 3064 followed by a space, and MUST dash escape any line commencing in a 3065 dash. The message digest is computed using the cleartext itself, not 3066 the dash escaped form. 3067 3068 3069 3070 3071 Callas, et al. Expires Nov 23, 2005 [Page 54] 3072 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3074 3075 As with binary signatures on text documents, a cleartext signature 3076 is calculated on the text using canonical <CR><LF> line endings. 3077 The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP 3078 SIGNATURE-----' line that terminates the signed text is not 3079 considered part of the signed text. 3080 3081 When reversing dash-escaping, an implementation MUST strip the 3082 string "- " if it occurs at the beginning of a line, and SHOULD warn 3083 on "-" and any character other than a space at the beginning of a 3084 line. 3085 3086 Also, any trailing whitespace -- spaces (0x20) and tabs (0x09) -- at 3087 the end of any line is removed when the cleartext signature is 3088 generated. 3089 3090 8. Regular Expressions 3091 3092 A regular expression is zero or more branches, separated by '|'. It 3093 matches anything that matches one of the branches. 3094 3095 A branch is zero or more pieces, concatenated. It matches a match 3096 for the first, followed by a match for the second, etc. 3097 3098 A piece is an atom possibly followed by '*', '+', or '?'. An atom 3099 followed by '*' matches a sequence of 0 or more matches of the atom. 3100 An atom followed by '+' matches a sequence of 1 or more matches of 3101 the atom. An atom followed by '?' matches a match of the atom, or 3102 the null string. 3103 3104 An atom is a regular expression in parentheses (matching a match for 3105 the regular expression), a range (see below), '.' (matching any 3106 single character), '^' (matching the null string at the beginning of 3107 the input string), '$' (matching the null string at the end of the 3108 input string), a '\' followed by a single character (matching that 3109 character), or a single character with no other significance 3110 (matching that character). 3111 3112 A range is a sequence of characters enclosed in '[]'. It normally 3113 matches any single character from the sequence. If the sequence 3114 begins with '^', it matches any single character not from the rest 3115 of the sequence. If two characters in the sequence are separated by 3116 '-', this is shorthand for the full list of ASCII characters between 3117 them (e.g. '[0-9]' matches any decimal digit). To include a literal 3118 ']' in the sequence, make it the first character (following a 3119 possible '^'). To include a literal '-', make it the first or last 3120 character. 3121 3122 9. Constants 3123 3124 This section describes the constants used in OpenPGP. 3125 3126 3127 3128 Callas, et al. Expires Nov 23, 2005 [Page 55] 3129 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3131 3132 Note that these tables are not exhaustive lists; an implementation 3133 MAY implement an algorithm not on these lists, so long as the 3134 algorithm number(s) are chosen from the private or experimental 3135 algorithm range. 3136 3137 See the section "Notes on Algorithms" below for more discussion of 3138 the algorithms. 3139 3140 9.1. Public Key Algorithms 3141 3142 ID Algorithm 3143 -- --------- 3144 1 - RSA (Encrypt or Sign) [HAC] 3145 2 - RSA Encrypt-Only 3146 3 - RSA Sign-Only 3147 16 - Elgamal (Encrypt-Only), see [ELGAMAL] [HAC] 3148 17 - DSA (Digital Signature Algorithm) [FIPS186] [HAC] 3149 18 - Reserved for Elliptic Curve 3150 19 - Reserved for ECDSA 3151 20 - Reserved (formerly Elgamal Encrypt or Sign) 3152 21 - Reserved for Diffie-Hellman (X9.42, 3153 as defined for IETF-S/MIME) 3154 100 to 110 - Private/Experimental algorithm. 3155 3156 Implementations MUST implement DSA for signatures, and Elgamal for 3157 encryption. Implementations SHOULD implement RSA keys. 3158 Implementations MAY implement any other algorithm. 3159 3160 9.2. Symmetric Key Algorithms 3161 3162 ID Algorithm 3163 -- --------- 3164 0 - Plaintext or unencrypted data 3165 1 - IDEA [IDEA] 3166 2 - TripleDES (DES-EDE, [SCHNEIER] [HAC] - 3167 168 bit key derived from 192) 3168 3 - CAST5 (128 bit key, as per RFC 2144) 3169 4 - Blowfish (128 bit key, 16 rounds) [BLOWFISH] 3170 5 - Reserved 3171 6 - Reserved 3172 7 - AES with 128-bit key [AES] 3173 8 - AES with 192-bit key 3174 9 - AES with 256-bit key 3175 10 - Twofish with 256-bit key [TWOFISH] 3176 100 to 110 - Private/Experimental algorithm. 3177 3178 Implementations MUST implement TripleDES. Implementations SHOULD 3179 implement AES-128 and CAST5. Implementations that interoperate with 3180 PGP 2.6 or earlier need to support IDEA, as that is the only 3181 symmetric cipher those versions use. Implementations MAY implement 3182 any other algorithm. 3183 3184 3185 Callas, et al. Expires Nov 23, 2005 [Page 56] 3186 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3188 3189 9.3. Compression Algorithms 3190 3191 ID Algorithm 3192 -- --------- 3193 0 - Uncompressed 3194 1 - ZIP (RFC 1951) 3195 2 - ZLIB (RFC 1950) 3196 3 - BZip2 [BZ2] 3197 100 to 110 - Private/Experimental algorithm. 3198 3199 Implementations MUST implement uncompressed data. Implementations 3200 SHOULD implement ZIP. Implementations MAY implement any other 3201 algorithm. 3202 3203 9.4. Hash Algorithms 3204 3205 ID Algorithm Text Name 3206 -- --------- ---- ---- 3207 1 - MD5 "MD5" 3208 2 - SHA-1 [FIPS180] "SHA1" 3209 3 - RIPE-MD/160 "RIPEMD160" 3210 4 - Reserved 3211 5 - Reserved 3212 6 - Reserved 3213 7 - Reserved 3214 8 - SHA256 [FIPS180] "SHA256" 3215 9 - SHA384 [FIPS180] "SHA384" 3216 10 - SHA512 [FIPS180] "SHA512" 3217 100 to 110 - Private/Experimental algorithm. 3218 3219 Implementations MUST implement SHA-1. Implementations MAY implement 3220 other algorithms. 3221 3222 10. Packet Composition 3223 3224 OpenPGP packets are assembled into sequences in order to create 3225 messages and to transfer keys. Not all possible packet sequences 3226 are meaningful and correct. This section describes the rules for 3227 how packets should be placed into sequences. 3228 3229 10.1. Transferable Public Keys 3230 3231 OpenPGP users may transfer public keys. The essential elements of a 3232 transferable public key are: 3233 3234 - One Public Key packet 3235 3236 - Zero or more revocation signatures 3237 3238 - One or more User ID packets 3239 3240 3241 3242 Callas, et al. Expires Nov 23, 2005 [Page 57] 3243 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3245 3246 - After each User ID packet, zero or more signature packets 3247 (certifications) 3248 3249 - Zero or more User Attribute packets 3250 3251 - After each User Attribute packet, zero or more signature packets 3252 (certifications) 3253 3254 - Zero or more Subkey packets 3255 3256 - After each Subkey packet, one signature packet, plus optionally 3257 a revocation. 3258 3259 The Public Key packet occurs first. Each of the following User ID 3260 packets provides the identity of the owner of this public key. If 3261 there are multiple User ID packets, this corresponds to multiple 3262 means of identifying the same unique individual user; for example, a 3263 user may have more than one email address, and construct a User ID 3264 for each one. 3265 3266 Immediately following each User ID packet, there are zero or more 3267 signature packets. Each signature packet is calculated on the 3268 immediately preceding User ID packet and the initial Public Key 3269 packet. The signature serves to certify the corresponding public key 3270 and User ID. In effect, the signer is testifying to his or her 3271 belief that this public key belongs to the user identified by this 3272 User ID. 3273 3274 Within the same section as the User ID packets, there are zero or 3275 more User Attribute packets. Like the User ID packets, a User 3276 Attribute packet is followed by zero or more signature packets 3277 calculated on the immediately preceding User Attribute packet and 3278 the initial Public Key packet. 3279 3280 User Attribute packets and User ID packets may be freely intermixed 3281 in this section, so long as the signatures that follow them are 3282 maintained on the proper User Attribute or User ID packet. 3283 3284 After the User ID or Attribute packets there may be one or more 3285 Subkey packets. In general, subkeys are provided in cases where the 3286 top-level public key is a signature-only key. However, any V4 key 3287 may have subkeys, and the subkeys may be encryption-only keys, 3288 signature-only keys, or general-purpose keys. V3 keys MUST NOT have 3289 subkeys. 3290 3291 Each Subkey packet must be followed by one Signature packet, which 3292 should be a subkey binding signature issued by the top level key. 3293 For subkeys that can issue signatures, the subkey binding signature 3294 must contain an embedded signature subpacket with a primary key 3295 binding signature (0x19) issued by the subkey on the top level key. 3296 3297 3298 3299 Callas, et al. Expires Nov 23, 2005 [Page 58] 3300 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3302 3303 Subkey and Key packets may each be followed by a revocation 3304 Signature packet to indicate that the key is revoked. Revocation 3305 signatures are only accepted if they are issued by the key itself, 3306 or by a key that is authorized to issue revocations via a revocation 3307 key subpacket in a self-signature by the top level key. 3308 3309 Transferable public key packet sequences may be concatenated to 3310 allow transferring multiple public keys in one operation. 3311 3312 10.2. OpenPGP Messages 3313 3314 An OpenPGP message is a packet or sequence of packets that 3315 corresponds to the following grammatical rules (comma represents 3316 sequential composition, and vertical bar separates alternatives): 3317 3318 OpenPGP Message :- Encrypted Message | Signed Message | 3319 Compressed Message | Literal Message. 3320 3321 Compressed Message :- Compressed Data Packet. 3322 3323 Literal Message :- Literal Data Packet | 3324 Literal Message, Literal Data Packet. 3325 3326 ESK :- Public Key Encrypted Session Key Packet | 3327 Symmetric-Key Encrypted Session Key Packet. 3328 3329 ESK Sequence :- ESK | ESK Sequence, ESK. 3330 3331 Encrypted Data :- Symmetrically Encrypted Data Packet | 3332 Symmetrically Encrypted Integrity Protected Data Packet 3333 3334 Encrypted Message :- Encrypted Data | ESK Sequence, Encrypted Data. 3335 3336 One-Pass Signed Message :- One-Pass Signature Packet, 3337 OpenPGP Message, Corresponding Signature Packet. 3338 3339 Signed Message :- Signature Packet, OpenPGP Message | 3340 One-Pass Signed Message. 3341 3342 In addition, decrypting a Symmetrically Encrypted Data Packet or a 3343 Symmetrically Encrypted Integrity Protected Data Packet as well as 3344 3345 decompressing a Compressed Data packet must yield a valid OpenPGP 3346 Message. 3347 3348 10.3. Detached Signatures 3349 3350 Some OpenPGP applications use so-called "detached signatures." For 3351 example, a program bundle may contain a file, and with it a second 3352 file that is a detached signature of the first file. These detached 3353 signatures are simply a signature packet stored separately from the 3354 data that they are a signature of. 3355 3356 Callas, et al. Expires Nov 23, 2005 [Page 59] 3357 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3359 3360 11. Enhanced Key Formats 3361 3362 11.1. Key Structures 3363 3364 The format of an OpenPGP V3 key is as follows. Entries in square 3365 brackets are optional and ellipses indicate repetition. 3366 3367 RSA Public Key 3368 [Revocation Self Signature] 3369 User ID [Signature ...] 3370 [User ID [Signature ...] ...] 3371 3372 Each signature certifies the RSA public key and the preceding User 3373 ID. The RSA public key can have many User IDs and each User ID can 3374 have many signatures. V3 keys are deprecated. Implementations MUST 3375 NOT generate new V3 keys, but MAY continue to use existing ones. 3376 3377 The format of an OpenPGP V4 key that uses multiple public keys is 3378 similar except that the other keys are added to the end as "subkeys" 3379 of the primary key. 3380 3381 Primary-Key 3382 [Revocation Self Signature] 3383 [Direct Key Signature...] 3384 User ID [Signature ...] 3385 [User ID [Signature ...] ...] 3386 [User Attribute [Signature ...] ...] 3387 [[Subkey [Binding-Signature-Revocation] 3388 Primary-Key-Binding-Signature] ...] 3389 3390 A subkey always has a single signature after it that is issued using 3391 the primary key to tie the two keys together. This binding 3392 signature may be in either V3 or V4 format, but SHOULD be V4. 3393 3394 In the above diagram, if the binding signature of a subkey has been 3395 revoked, the revoked key may be removed, leaving only one key. 3396 3397 In a V4 key, the primary key MUST be a key capable of certification. 3398 The subkeys may be keys of any other type. There may be other 3399 constructions of V4 keys, too. For example, there may be a 3400 single-key RSA key in V4 format, a DSA primary key with an RSA 3401 encryption key, or RSA primary key with an Elgamal subkey, etc. 3402 3403 It is also possible to have a signature-only subkey. This permits a 3404 primary key that collects certifications (key signatures) but is 3405 used only used for certifying subkeys that are used for encryption 3406 and signatures. 3407 3408 11.2. Key IDs and Fingerprints 3409 3410 For a V3 key, the eight-octet key ID consists of the low 64 bits of 3411 the public modulus of the RSA key. 3412 3413 Callas, et al. Expires Nov 23, 2005 [Page 60] 3414 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3416 3417 The fingerprint of a V3 key is formed by hashing the body (but not 3418 the two-octet length) of the MPIs that form the key material (public 3419 modulus n, followed by exponent e) with MD5. Note that both V3 keys 3420 and MD5 are deprecated. 3421 3422 A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99, 3423 followed by the two-octet packet length, followed by the entire 3424 Public Key packet starting with the version field. The key ID is 3425 the low order 64 bits of the fingerprint. Here are the fields of 3426 the hash material, with the example of a DSA key: 3427 3428 a.1) 0x99 (1 octet) 3429 3430 a.2) high order length octet of (b)-(f) (1 octet) 3431 3432 a.3) low order length octet of (b)-(f) (1 octet) 3433 3434 b) version number = 4 (1 octet); 3435 3436 c) time stamp of key creation (4 octets); 3437 3438 d) algorithm (1 octet): 17 = DSA (example); 3439 3440 e) Algorithm specific fields. 3441 3442 Algorithm Specific Fields for DSA keys (example): 3443 3444 e.1) MPI of DSA prime p; 3445 3446 e.2) MPI of DSA group order q (q is a prime divisor of p-1); 3447 3448 e.3) MPI of DSA group generator g; 3449 3450 e.4) MPI of DSA public key value y (= g**x mod p where x is secret). 3451 3452 Note that it is possible for there to be collisions of key IDs -- 3453 two different keys with the same key ID. Note that there is a much 3454 smaller, but still non-zero probability that two different keys have 3455 the same fingerprint. 3456 3457 Also note that if V3 and V4 format keys share the same RSA key 3458 material, they will have different key IDs as well as different 3459 fingerprints. 3460 3461 Finally, the key ID and fingerprint of a subkey are calculated in 3462 the same way as for a primary key, including the 0x99 as the first 3463 octet (even though this is not a valid packet ID for a public 3464 subkey). 3465 3466 12. Notes on Algorithms 3467 3468 12.1. Symmetric Algorithm Preferences 3469 3470 Callas, et al. Expires Nov 23, 2005 [Page 61] 3471 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3473 3474 3475 The symmetric algorithm preference is an ordered list of algorithms 3476 that the keyholder accepts. Since it is found on a self-signature, 3477 it is possible that a keyholder may have different preferences. For 3478 example, Alice may have TripleDES only specified for 3479 "alice (a] work.com" but CAST5, Blowfish, and TripleDES specified for 3480 "alice (a] home.org". Note that it is also possible for preferences to 3481 be in a subkey's binding signature. 3482 3483 Since TripleDES is the MUST-implement algorithm, if it is not 3484 explicitly in the list, it is tacitly at the end. However, it is 3485 good form to place it there explicitly. Note also that if an 3486 implementation does not implement the preference, then it is 3487 implicitly a TripleDES-only implementation. 3488 3489 An implementation MUST NOT use a symmetric algorithm that is not in 3490 the recipient's preference list. When encrypting to more than one 3491 recipient, the implementation finds a suitable algorithm by taking 3492 the intersection of the preferences of the recipients. Note that the 3493 MUST-implement algorithm, TripleDES, ensures that the intersection 3494 is not null. The implementation may use any mechanism to pick an 3495 algorithm in the intersection. 3496 3497 If an implementation can decrypt a message that a keyholder doesn't 3498 have in their preferences, the implementation SHOULD decrypt the 3499 message anyway, but MUST warn the keyholder that the protocol has 3500 been violated. (For example, suppose that Alice, above, has software 3501 that implements all algorithms in this specification. Nonetheless, 3502 she prefers subsets for work or home. If she is sent a message 3503 encrypted with IDEA, which is not in her preferences, the software 3504 warns her that someone sent her an IDEA-encrypted message, but it 3505 would ideally decrypt it anyway.) 3506 3507 12.2. Other Algorithm Preferences 3508 3509 Other algorithm preferences work similarly to the symmetric 3510 algorithm preference, in that they specify which algorithms the 3511 keyholder accepts. There are two interesting cases that other 3512 comments need to be made about, though, the compression preferences 3513 and the hash preferences. 3514 3515 12.2.1. Compression Preferences 3516 3517 Compression has been an integral part of PGP since its first days. 3518 OpenPGP and all previous versions of PGP have offered compression. 3519 In this specification, the default is for messages to be compressed, 3520 although an implementation is not required to do so. Consequently, 3521 the compression preference gives a way for a keyholder to request 3522 that messages not be compressed, presumably because they are using a 3523 minimal implementation that does not include compression. 3524 Additionally, this gives a keyholder a way to state that it can 3525 support alternate algorithms. 3526 3527 Callas, et al. Expires Nov 23, 2005 [Page 62] 3528 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3530 3531 Like the algorithm preferences, an implementation MUST NOT use an 3532 algorithm that is not in the preference vector. If the preferences 3533 are not present, then they are assumed to be [ZIP(1), 3534 UNCOMPRESSED(0)]. 3535 3536 Additionally, an implementation MUST implement this preference to 3537 the degree of recognizing when to send an uncompressed message. A 3538 robust implementation would satisfy this requirement by looking at 3539 the recipient's preference and acting accordingly. A minimal 3540 implementation can satisfy this requirement by never generating a 3541 compressed message, since all implementations can handle messages 3542 that have not been compressed. 3543 3544 12.2.2. Hash Algorithm Preferences 3545 3546 Typically, the choice of a hash algorithm is something the signer 3547 does, rather than the verifier, because a signer rarely knows who is 3548 going to be verifying the signature. This preference, though, allows 3549 a protocol based upon digital signatures ease in negotiation. 3550 3551 Thus, if Alice is authenticating herself to Bob with a signature, it 3552 makes sense for her to use a hash algorithm that Bob's software 3553 uses. This preference allows Bob to state in his key which 3554 algorithms Alice may use. 3555 3556 Since SHA1 is the MUST-implement hash algorithm, if it is not 3557 explicitly in the list, it is tacitly at the end. However, it is 3558 good form to place it there explicitly. 3559 3560 12.3. Plaintext 3561 3562 Algorithm 0, "plaintext," may only be used to denote secret keys 3563 that are stored in the clear. Implementations MUST NOT use plaintext 3564 in Symmetrically Encrypted Data Packets; they must use Literal Data 3565 Packets to encode unencrypted or literal data. 3566 3567 12.4. RSA 3568 3569 There are algorithm types for RSA-signature-only, and 3570 RSA-encrypt-only keys. These types are deprecated. The "key flags" 3571 subpacket in a signature is a much better way to express the same 3572 idea, and generalizes it to all algorithms. An implementation SHOULD 3573 NOT create such a key, but MAY interpret it. 3574 3575 An implementation SHOULD NOT implement RSA keys of size less than 3576 1024 bits. 3577 3578 12.5. DSA 3579 3580 An implementation SHOULD NOT implement DSA keys of size less than 3581 1024 bits. Note that present DSA is limited to a maximum of 1024 bit 3582 keys, which are recommended for long-term use. Also, DSA keys MUST 3583 3584 Callas, et al. Expires Nov 23, 2005 [Page 63] 3585 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3587 3588 be an even multiple of 64 bits long. 3589 3590 12.6. Elgamal 3591 3592 An implementation SHOULD NOT implement Elgamal keys of size less 3593 than 1024 bits. 3594 3595 12.7. Reserved Algorithm Numbers 3596 3597 A number of algorithm IDs have been reserved for algorithms that 3598 would be useful to use in an OpenPGP implementation, yet there are 3599 issues that prevent an implementer from actually implementing the 3600 algorithm. These are marked in the Public Algorithms section as 3601 "(reserved for)". 3602 3603 The reserved public key algorithms, Elliptic Curve (18), ECDSA (19), 3604 and X9.42 (21) do not have the necessary parameters, parameter 3605 order, or semantics defined. 3606 3607 Previous versions of OpenPGP permitted Elgamal [ELGAMAL] signatures 3608 with a public key identifier of 20. These are no longer permitted. 3609 An implementation MUST NOT generate such keys. An implementation 3610 MUST NOT generate Elgamal signatures. 3611 3612 12.8. OpenPGP CFB mode 3613 3614 OpenPGP does symmetric encryption using a variant of Cipher Feedback 3615 Mode (CFB mode). This section describes the procedure it uses in 3616 detail. This mode is what is used for Symmetrically Encrypted Data 3617 Packets; the mechanism used for encrypting secret key material is 3618 similar, but described in those sections above. 3619 3620 In the description below, the value BS is the block size in octets 3621 of the cipher. Most ciphers have a block size of 8 octets. The AES 3622 and Twofish have a block size of 16 octets. Also note that the 3623 description below assumes that the IV and CFB arrays start with an 3624 index of 1 (unlike the C language, which assumes arrays start with a 3625 zero index). 3626 3627 OpenPGP CFB mode uses an initialization vector (IV) of all zeros, 3628 and prefixes the plaintext with BS+2 octets of random data, such 3629 that octets BS+1 and BS+2 match octets BS-1 and BS. It does a CFB 3630 "resync" after encrypting those BS+2 octets. 3631 3632 Thus, for an algorithm that has a block size of 8 octets (64 bits), 3633 the IV is 10 octets long and octets 7 and 8 of the IV are the same 3634 as octets 9 and 10. For an algorithm with a block size of 16 octets 3635 (128 bits), the IV is 18 octets long, and octets 17 and 18 replicate 3636 octets 15 and 16. Those extra two octets are an easy check for a 3637 correct key. 3638 3639 3640 3641 Callas, et al. Expires Nov 23, 2005 [Page 64] 3642 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3644 3645 Step by step, here is the procedure: 3646 3647 1. The feedback register (FR) is set to the IV, which is all zeros. 3648 3649 2. FR is encrypted to produce FRE (FR Encrypted). This is the 3650 encryption of an all-zero value. 3651 3652 3. FRE is xored with the first BS octets of random data prefixed to 3653 the plaintext to produce C[1] through C[BS], the first BS octets 3654 of ciphertext. 3655 3656 4. FR is loaded with C[1] through C[BS]. 3657 3658 5. FR is encrypted to produce FRE, the encryption of the first BS 3659 octets of ciphertext. 3660 3661 6. The left two octets of FRE get xored with the next two octets of 3662 data that were prefixed to the plaintext. This produces C[BS+1] 3663 and C[BS+2], the next two octets of ciphertext. 3664 3665 7. (The resync step) FR is loaded with C[3] through C[BS+2]. 3666 3667 8. FR is encrypted to produce FRE. 3668 3669 9. FRE is xored with the first BS octets of the given plaintext, 3670 now that we have finished encrypting the BS+2 octets of prefixed 3671 data. This produces C[BS+3] through C[BS+(BS+2)], the next BS 3672 octets of ciphertext. 3673 3674 10. FR is loaded with C[BS+3] to C[BS + (BS+2)] (which is C11-C18 3675 for an 8-octet block). 3676 3677 11. FR is encrypted to produce FRE. 3678 3679 12. FRE is xored with the next BS octets of plaintext, to produce 3680 the next BS octets of ciphertext. These are loaded into FR and 3681 the process is repeated until the plaintext is used up. 3682 3683 13. Security Considerations 3684 3685 * As with any technology involving cryptography, you should check 3686 the current literature to determine if any algorithms used here 3687 have been found to be vulnerable to attack. 3688 3689 * This specification uses Public Key Cryptography technologies. It 3690 is assumed that the private key portion of a public-private key 3691 pair is controlled and secured by the proper party or parties. 3692 3693 * Certain operations in this specification involve the use of 3694 random numbers. An appropriate entropy source should be used to 3695 generate these numbers. See RFC 1750. 3696 3697 3698 Callas, et al. Expires Nov 23, 2005 [Page 65] 3699 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3701 3702 * The MD5 hash algorithm has been found to have weaknesses, with 3703 collisions found in a number of cases. MD5 is deprecated for use 3704 in OpenPGP. Implementations MUST NOT generate new signatures 3705 using MD5 as a hash function. They MAY continue to consider old 3706 signatures that used MD5 as valid. 3707 3708 * SHA384 requires the same work as SHA512. In general, there are 3709 few reasons to use it -- you need a situation where one needs 3710 more security than SHA256, but do not want to have the 512-bit 3711 data length. 3712 3713 * Many security protocol designers think that it is a bad idea to 3714 use a single key for both privacy (encryption) and integrity 3715 (signatures). In fact, this was one of the motivating forces 3716 behind the V4 key format with separate signature and encryption 3717 keys. If you as an implementer promote dual-use keys, you should 3718 at least be aware of this controversy. 3719 3720 * The DSA algorithm will work with any 160-bit hash, but it is 3721 sensitive to the quality of the hash algorithm, if the hash 3722 algorithm is broken, it can leak the secret key. The Digital 3723 Signature Standard (DSS) specifies that DSA be used with SHA-1. 3724 RIPEMD-160 is considered by many cryptographers to be as strong. 3725 An implementation should take care which hash algorithms are 3726 used with DSA, as a weak hash can not only allow a signature to 3727 be forged, but could leak the secret key. 3728 3729 * There is a somewhat-related potential security problem in 3730 signatures. If an attacker can find a message that hashes to the 3731 same hash with a different algorithm, a bogus signature 3732 structure can be constructed that evaluates correctly. 3733 3734 For example, suppose Alice DSA signs message M using hash 3735 algorithm H. Suppose that Mallet finds a message M' that has the 3736 same hash value as M with H'. Mallet can then construct a 3737 signature block that verifies as Alice's signature of M' with 3738 H'. However, this would also constitute a weakness in either H 3739 or H' or both. Should this ever occur, a revision will have to 3740 be made to this document to revise the allowed hash algorithms. 3741 3742 * If you are building an authentication system, the recipient may 3743 specify a preferred signing algorithm. However, the signer would 3744 be foolish to use a weak algorithm simply because the recipient 3745 requests it. 3746 3747 * Some of the encryption algorithms mentioned in this document 3748 have been analyzed less than others. For example, although 3749 CAST5 is presently considered strong, it has been analyzed less 3750 than TripleDES. Other algorithms may have other controversies 3751 surrounding them. 3752 3753 3754 3755 Callas, et al. Expires Nov 23, 2005 [Page 66] 3756 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3758 3759 * In late summer 2002, Jallad, Katz, and Schneier published an 3760 interesting attack on the OpenPGP protocol and some of its 3761 implementations [JKS02]. In this attack, the attacker modifies a 3762 message and sends it to a user who then returns the erroneously 3763 decrypted message to the attacker. The attacker is thus using 3764 the user as a random oracle, and can often decrypt the message. 3765 3766 Compressing data can ameliorate this attack. The incorrectly 3767 decrypted data nearly always decompresses in ways that defeats 3768 the attack. However, this is not a rigorous fix, and leaves open 3769 some small vulnerabilities. For example, if an implementation 3770 does not compress a message before encryption (perhaps because 3771 it knows it was already compressed), then that message is 3772 vulnerable. Because of this happenstance -- that modification 3773 attacks can be thwarted by decompression errors, an 3774 implementation SHOULD treat a decompression error as a security 3775 problem, not merely a data problem. 3776 3777 This attack can be defeated by the use of Modification 3778 Detection, provided that the implementation does not let the 3779 user naively return the data to the attacker. An implementation 3780 MUST treat an MDC failure as a security problem, not merely a 3781 data problem. 3782 3783 In either case, the implementation MAY allow the user access to 3784 the erroneous data, but MUST warn the user as to potential 3785 security problems should that data be returned to the sender. 3786 3787 While this attack is somewhat obscure, requiring a special set 3788 of circumstances to create it, it is nonetheless quite serious 3789 as it permits someone to trick a user to decrypt a message. 3790 Consequently, it is important that: 3791 3792 1. Implementers treat MDC errors and decompression failures as 3793 security problems. 3794 3795 2. Implementers implement Modification Detection with all due 3796 speed and encourage its spread. 3797 3798 3. Users migrate to implementations that support Modification 3799 Detection with all due speed. 3800 3801 * PKCS1 has been found to be vulnerable to attacks in which a 3802 system that reports errors in padding differently from errors in 3803 decryption becomes a random oracle that can leak the private key 3804 in mere millions of queries. Implementations must be aware of 3805 this attack and prevent it from happening. The simplest solution 3806 is report a single error code for all variants of decryption 3807 errors so as not to leak information to an attacker. 3808 3809 3810 3811 3812 Callas, et al. Expires Nov 23, 2005 [Page 67] 3813 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3815 3816 * Some technologies mentioned here may be subject to government 3817 control in some countries. 3818 3819 * In winter 2005, Serge Mister and Robert Zuccherato from Entrust 3820 released a paper describing a way that the "quick check" in 3821 OpenPGP CFB mode can be used with a random oracle to decrypt two 3822 octets of every cipher block [MZ05]. They recommend as 3823 prevention not using the quick check at all. 3824 3825 Many implementers have taken this advice to heart for any data 3826 that is both symmetrically encrypted, but also the session key 3827 is public-key encrypted. In this case, the quick check is not 3828 needed as the public key encryption of the session key should 3829 guarantee that it is the right session key. In other cases, the 3830 implementation should use the quick check with care. On the one 3831 hand, there is a danger to using it if there is a random oracle 3832 that can leak information to an attacker. On the other hand, it 3833 is inconvenient to the user to be informed that they typed in 3834 the wrong passphrase only after a petabyte of data is decrypted. 3835 There are many cases in cryptographic engineering where the 3836 implementer must use care and wisdom, and this is another. 3837 3838 14. Implementation Nits 3839 3840 This section is a collection of comments to help an implementer, 3841 particularly with an eye to backward compatibility. Previous 3842 implementations of PGP are not OpenPGP-compliant. Often the 3843 differences are small, but small differences are frequently more 3844 vexing than large differences. Thus, this is a non-comprehensive 3845 list of potential problems and gotchas for a developer who is trying 3846 to be backward-compatible. 3847 3848 * The IDEA algorithm is patented, and yet it is required for PGP 3849 2.x interoperability. It is also the defacto preferred algorithm 3850 for a V3 key with a V3 self-signature (or no self-signature). 3851 3852 * When exporting a private key, PGP 2.x generates the header 3853 "BEGIN PGP SECRET KEY BLOCK" instead of "BEGIN PGP PRIVATE KEY 3854 BLOCK". All previous versions ignore the implied data type, and 3855 look directly at the packet data type. 3856 3857 * PGP 2.0 through 2.5 generated V2 Public Key Packets. These are 3858 identical to the deprecated V3 keys except for the version 3859 number. An implementation MUST NOT generate them and may accept 3860 or reject them as it sees fit. Some older PGP versions generated 3861 V2 PKESK packets (Tag 1) as well. An implementation may accept 3862 or reject V2 PKESK packets as it sees fit, and MUST NOT generate 3863 them. 3864 3865 * PGP 2.6.x will not accept key-material packets with versions 3866 greater than 3. 3867 3868 3869 Callas, et al. Expires Nov 23, 2005 [Page 68] 3870 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3872 3873 * There are many ways possible for two keys to have the same key 3874 material, but different fingerprints (and thus key IDs). Perhaps 3875 the most interesting is an RSA key that has been "upgraded" to 3876 V4 format, but since a V4 fingerprint is constructed by hashing 3877 the key creation time along with other things, two V4 keys 3878 created at different times, yet with the same key material will 3879 have different fingerprints. 3880 3881 * If an implementation is using zlib to interoperate with PGP 2.x, 3882 then the "windowBits" parameter should be set to -13. 3883 3884 * PGP 2.6.X and 5.0 do not trim trailing whitespace from a 3885 "canonical text" signature. They only remove it from cleartext 3886 signatures. These signatures are not OpenPGP compliant -- 3887 OpenPGP requires trimming the whitespace. If you wish to 3888 interoperate with PGP 2.6.X or PGP 5, you may wish to accept 3889 these non-compliant signatures. 3890 3891 15. Authors and Working Group Chair 3892 3893 The working group can be contacted via the current chair: 3894 3895 Derek Atkins 3896 IHTFP Consulting, Inc. 3897 6 Farragut Ave 3898 Somerville, MA 02144 USA 3899 Email: derek (a] ihtfp.com 3900 Tel: +1 617 623 3745 3901 3902 The principal authors of this draft are: 3903 3904 Jon Callas 3905 3906 Email: jon (a] callas.org 3907 Tel: +1 (408) 448-6801 3908 3909 Lutz Donnerhacke 3910 IKS GmbH 3911 Wildenbruchstr. 15 3912 07745 Jena, Germany 3913 3914 EMail: lutz (a] iks-jena.de 3915 Tel: +49-3641-675642 3916 3917 Hal Finney 3918 Network Associates, Inc. 3919 3965 Freedom Circle 3920 Santa Clara, CA 95054, USA 3921 3922 Email: hal (a] finney.org 3923 3924 3925 3926 Callas, et al. Expires Nov 23, 2005 [Page 69] 3927 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3929 3930 Rodney Thayer 3931 3932 Email: rodney (a] tillerman.to 3933 3934 This memo also draws on much previous work from a number of other 3935 authors who include: Derek Atkins, Charles Breed, Dave Del Torto, 3936 Marc Dyksterhouse, Gail Haspert, Gene Hoffman, Paul Hoffman, Raph 3937 Levien, Colin Plumb, Will Price, David Shaw, William Stallings, Mark 3938 Weaver, and Philip R. Zimmermann. 3939 3940 16. References (Normative) 3941 3942 3943 [AES] Advanced Encryption Standards Questions and Answers 3944 <http://csrc.nist.gov/encryption/aes/round2/ 3945 aesfact.html> 3946 3947 <http://csrc.nist.gov/encryption/aes/round2/ 3948 r2algs.html#Rijndael> 3949 3950 [BLOWFISH] Schneier, B. "Description of a New Variable-Length 3951 Key, 64-Bit Block Cipher (Blowfish)" Fast Software 3952 Encryption, Cambridge Security Workshop Proceedings 3953 (December 1993), Springer-Verlag, 1994, pp191-204 3954 <http://www.counterpane.com/bfsverlag.html> 3955 3956 [BZ2] J. Seward, jseward (a] acm.org, "The Bzip2 and libbzip2 3957 home page" 3958 <http://sources.redhat.com/bzip2/> 3959 [ELGAMAL] T. Elgamal, "A Public-Key Cryptosystem and a 3960 Signature Scheme Based on Discrete Logarithms," 3961 IEEE Transactions on Information Theory, v. IT-31, 3962 n. 4, 1985, pp. 469-472. 3963 3964 [FIPS180] Secure Hash Signature Standard (SHS) (FIPS PUB 3965 180-2). 3966 <http://csrc.nist.gov/publications/fips/ 3967 fips180-2/fips180-2.pdf> 3968 3969 [FIPS186] Digital Signature Standard (DSS) (FIPS PUB 186-2). 3970 <http://csrc.nist.gov/publications/fips/ 3971 fips186-2/fips186-2.pdf> 3972 3973 [HAC] Alfred Menezes, Paul van Oorschot, and Scott 3974 Vanstone, "Handbook of Applied Cryptography," CRC 3975 Press, 1996. 3976 <http://www.cacr.math.uwaterloo.ca/hac/> 3977 [IDEA] Lai, X, "On the design and security of block 3978 ciphers", ETH Series in Information Processing, 3979 J.L. Massey (editor), Vol. 1, Hartung-Gorre Verlag 3980 Knostanz, Technische Hochschule (Zurich), 1992 3981 [ISO10646] ISO/IEC 10646-1:1993. International Standard -- 3982 3983 Callas, et al. Expires Nov 23, 2005 [Page 70] 3984 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 3986 3987 Information technology -- Universal Multiple-Octet 3988 Coded Character Set (UCS) -- Part 1: Architecture 3989 and Basic Multilingual Plane. 3990 [JFIF] JPEG File Interchange Format (Version 1.02). 3991 Eric Hamilton, C-Cube Microsystems, Milpitas, CA, 3992 September 1, 1992. 3993 3994 [RFC822] Crocker, D., "Standard for the format of ARPA 3995 Internet text messages", STD 11, RFC 822, August 3996 1982. 3997 [RFC1423] Balenson, D., "Privacy Enhancement for Internet 3998 Electronic Mail: Part III: Algorithms, Modes, and 3999 Identifiers", RFC 1423, October 1993. 4000 [RFC1641] Goldsmith, D. and M. Davis, "Using Unicode with 4001 MIME", RFC 1641, July 1994. 4002 [RFC1750] Eastlake, D., Crocker, S. and J. Schiller, 4003 "Randomness Recommendations for Security", RFC 4004 1750, December 1994. 4005 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format 4006 Specification version 1.3.", RFC 1951, May 1996. 4007 [RFC1991] Atkins, D., Stallings, W. and P. Zimmermann, "PGP 4008 Message Exchange Formats", RFC 1991, August 1996. 4009 [RFC2045] Borenstein, N. and N. Freed, "Multipurpose Internet 4010 Mail Extensions (MIME) Part One: Format of Internet 4011 Message Bodies.", RFC 2045, November 1996. 4012 [RFC2144] Adams, C., "The CAST-128 Encryption Algorithm", RFC 4013 2144, May 1997. 4014 [RFC2279] Yergeau., F., "UTF-8, a transformation format of 4015 Unicode and ISO 10646", RFC 2279, January 1998. 4016 [RFC2437] B. Kaliski and J. Staddon, " PKCS #1: RSA 4017 Cryptography Specifications Version 2.0", 4018 RFC 2437, October 1998. 4019 [RFC3156] M. Elkins, D. Del Torto, R. Levien, T. Roessler, 4020 "MIME Security with OpenPGP", RFC 3156, 4021 August 2001. 4022 [SCHNEIER] Schneier, B., "Applied Cryptography Second Edition: 4023 protocols, algorithms, and source code in C", 1996. 4024 [TWOFISH] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. 4025 Hall, and N. Ferguson, "The Twofish Encryption 4026 Algorithm", John Wiley & Sons, 1999. 4027 4028 17. References (Non-Normative) 4029 4030 4031 [BLEICHENBACHER] Bleichenbacher, Daniel, "Generating Elgamal 4032 signatures without knowing the secret key," 4033 Eurocrypt 96. Note that the version in the 4034 proceedings has an error. A revised version is 4035 available at the time of writing from 4036 <ftp://ftp.inf.ethz.ch/pub/publications/papers/ti 4037 /isc/ElGamal.ps> 4038 [DONNERHACKE] Donnerhacke, L., et. al, "PGP263in - an improved 4039 4040 Callas, et al. Expires Nov 23, 2005 [Page 71] 4041 INTERNET-DRAFT OpenPGP Message Format May 23, 2005 4043 4044 international version of PGP", ftp://ftp.iks- 4045 jena.de/mitarb/lutz/crypt/software/pgp/ 4046 [JKS02] Kahil Jallad, Jonathan Katz, Bruce Schneier 4047 "Implementation of Chosen-Ciphertext Attacks 4048 against PGP and GnuPG" 4049 http://www.counterpane.com/pgp-attack.html 4050 4051 [MZ05] Serge Mister, Robert Zuccherato, "An Attack on 4052 CFB Mode Encryption As Used By OpenPGP," IACR 4053 ePrint Archive: Report 2005/033, 8 Feb 2005 4054 http://eprint.iacr.org/2005/033 4055 4056 [RFC1983] Malkin, G., "Internet Users' Glossary", FYI 18, RFC 4057 1983, August 1996. 4058 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 4059 Requirement Level", BCP 14, RFC 2119, March 1997. 4060 4061 4062 4063 18. Full Copyright Statement 4064 4065 Copyright 2005 by The Internet Society. All Rights Reserved. 4066 4067 This document is subject to the rights, licenses and restrictions 4068 contained in BCP 78, and except as set forth therein, the authors 4069 retain all their rights. 4070 4071 This document and the information contained herein are provided on 4072 an "AS IS" basis and the contributor, the organization he/she 4073 represents or is sponsored by (if any), the internet society and the 4074 internet engineering task force disclaim all warranties, express or 4075 implied, including but not limited to any warranty that the use of 4076 the information herein will not infringe any rights or any implied 4077 warranties of merchantability or fitness for a particular purpose. 4078 4079 This document and translations of it may be copied and furnished to 4080 others, and derivative works that comment on or otherwise explain it 4081 or assist in its implementation may be prepared, copied, published 4082 and distributed, in whole or in part, without restriction of any 4083 kind, provided that the above copyright notice and this paragraph 4084 are included on all such copies and derivative works. However, this 4085 document itself may not be modified in any way, such as by removing 4086 the copyright notice or references to the Internet Society or other 4087 Internet organizations, except as needed for the purpose of 4088 developing Internet standards in which case the procedures for 4089 copyrights defined in the Internet Standards process must be 4090 followed, or as required to translate it into languages other than 4091 English. 4092 4093 The limited permissions granted above are perpetual and will not be 4094 revoked by the Internet Society or its successors or assigns. 4095 4096 4097 Callas, et al. Expires Nov 23, 2005 [Page 72] 4098 4099 4100
Indexes created Sat Feb 28 05:31:39 UTC 2026