1Network Working Group Jon Callas 2Category: INTERNET-DRAFT PGP Corporation 3draft-ietf-openpgp-rfc2440bis-12.txt 4Expires May 2005 Lutz Donnerhacke 5November 2004 6 7Obsoletes: 1991, 2440 Hal Finney 8 Network Associates 9 10 Rodney Thayer 11 12 OpenPGP Message Format 13 draft-ietf-openpgp-rfc2440bis-12.txt 14 15 16 Copyright 2004 by The Internet Society. All Rights Reserved. 17 18Status of this Memo 19 20 This document is an Internet-Draft and is in full conformance with 21 all provisions of Section 10 of RFC2026. 22 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as 26 Internet-Drafts. 27 28 Internet-Drafts are draft documents valid for a maximum of six 29 months and may be updated, replaced, or obsoleted by other documents 30 at any time. It is inappropriate to use Internet-Drafts as 31 reference material or to cite them other than as "work in progress." 32 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt 35 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 38 39IPR Claim Notice 40 41 By submitting this Internet-Draft, any applicable patent or other 42 IPR claims of which we are aware have been disclosed in accordance 43 with RFC 3668. 44 45IESG Note 46 47 This document defines many tag values, yet it doesn't describe a 48 mechanism for adding new tags (for new features). Traditionally the 49 Internet Assigned Numbers Authority (IANA) handles the allocation of 50 new values for future expansion and RFCs usually define the 51 procedure to be used by the IANA. However there are subtle (and not 52 so subtle) interactions that may occur in this protocol between new 53 features and existing features which result in a significant 54 reduction in over all security. Therefore this document does not 55 56Callas, et al. Expires May 23, 2005 [Page 1] 57INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 58 59 define an extension procedure. Instead requests to define new tag 60 values (say for new encryption algorithms for example) should be 61 forwarded to the IESG Security Area Directors for consideration or 62 forwarding to the appropriate IETF Working Group for consideration. 63 64Abstract 65 66 This document is maintained in order to publish all necessary 67 information needed to develop interoperable applications based on 68 the OpenPGP format. It is not a step-by-step cookbook for writing an 69 application. It describes only the format and methods needed to 70 read, check, generate, and write conforming packets crossing any 71 network. It does not deal with storage and implementation questions. 72 It does, however, discuss implementation issues necessary to avoid 73 security flaws. 74 75 OpenPGP software uses a combination of strong public-key and 76 symmetric cryptography to provide security services for electronic 77 communications and data storage. These services include 78 confidentiality, key management, authentication, and digital 79 signatures. This document specifies the message formats used in 80 OpenPGP. 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112Callas, et al. Expires May 23, 2005 [Page 2] 113INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 114 115Table of Contents 116 117 Status of this Memo 1 118 IPR Claim Notice 1 119 IESG Note 1 120 Abstract 2 121 Table of Contents 3 122 1. Introduction 6 123 1.1. Terms 6 124 2. General functions 6 125 2.1. Confidentiality via Encryption 7 126 2.2. Authentication via Digital signature 7 127 2.3. Compression 8 128 2.4. Conversion to Radix-64 8 129 2.5. Signature-Only Applications 8 130 3. Data Element Formats 9 131 3.1. Scalar numbers 9 132 3.2. Multiprecision Integers 9 133 3.3. Key IDs 9 134 3.4. Text 10 135 3.5. Time fields 10 136 3.6. Keyrings 10 137 3.7. String-to-key (S2K) specifiers 10 138 3.7.1. String-to-key (S2K) specifier types 10 139 3.7.1.1. Simple S2K 10 140 3.7.1.2. Salted S2K 11 141 3.7.1.3. Iterated and Salted S2K 11 142 3.7.2. String-to-key usage 12 143 3.7.2.1. Secret key encryption 12 144 3.7.2.2. Symmetric-key message encryption 13 145 4. Packet Syntax 13 146 4.1. Overview 13 147 4.2. Packet Headers 13 148 4.2.1. Old-Format Packet Lengths 14 149 4.2.2. New-Format Packet Lengths 14 150 4.2.2.1. One-Octet Lengths 15 151 4.2.2.2. Two-Octet Lengths 15 152 4.2.2.3. Five-Octet Lengths 15 153 4.2.2.4. Partial Body Lengths 15 154 4.2.3. Packet Length Examples 16 155 4.3. Packet Tags 16 156 5. Packet Types 17 157 5.1. Public-Key Encrypted Session Key Packets (Tag 1) 17 158 5.2. Signature Packet (Tag 2) 18 159 5.2.1. Signature Types 18 160 5.2.2. Version 3 Signature Packet Format 20 161 5.2.3. Version 4 Signature Packet Format 23 162 5.2.3.1. Signature Subpacket Specification 23 163 5.2.3.2. Signature Subpacket Types 25 164 5.2.3.3. Notes on Self-Signatures 25 165 5.2.3.4. Signature creation time 26 166 5.2.3.5. Issuer 26 167 168Callas, et al. Expires May 23, 2005 [Page 3] 169INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 170 171 5.2.3.6. Key expiration time 27 172 5.2.3.7. Preferred symmetric algorithms 27 173 5.2.3.8. Preferred hash algorithms 27 174 5.2.3.9. Preferred compression algorithms 27 175 5.2.3.10.Signature expiration time 27 176 5.2.3.11.Exportable Certification 28 177 5.2.3.12.Revocable 28 178 5.2.3.13.Trust signature 28 179 5.2.3.14.Regular expression 29 180 5.2.3.15.Revocation key 29 181 5.2.3.16.Notation Data 29 182 5.2.3.17.Key server preferences 30 183 5.2.3.18.Preferred key server 30 184 5.2.3.19.Primary User ID 31 185 5.2.3.20.Policy URL 31 186 5.2.3.21.Key Flags 31 187 5.2.3.22.Signer's User ID 32 188 5.2.3.23.Reason for Revocation 32 189 5.2.3.24.Features 33 190 5.2.3.25.Signature Target 34 191 5.2.3.26.Embedded Signature 34 192 5.2.4. Computing Signatures 34 193 5.2.4.1. Subpacket Hints 35 194 5.3. Symmetric-Key Encrypted Session Key Packets (Tag 3) 36 195 5.4. One-Pass Signature Packets (Tag 4) 36 196 5.5. Key Material Packet 37 197 5.5.1. Key Packet Variants 37 198 5.5.1.1. Public Key Packet (Tag 6) 37 199 5.5.1.2. Public Subkey Packet (Tag 14) 37 200 5.5.1.3. Secret Key Packet (Tag 5) 38 201 5.5.1.4. Secret Subkey Packet (Tag 7) 38 202 5.5.2. Public Key Packet Formats 38 203 5.5.3. Secret Key Packet Formats 39 204 5.6. Compressed Data Packet (Tag 8) 41 205 5.7. Symmetrically Encrypted Data Packet (Tag 9) 42 206 5.8. Marker Packet (Obsolete Literal Packet) (Tag 10) 43 207 5.9. Literal Data Packet (Tag 11) 43 208 5.10. Trust Packet (Tag 12) 44 209 5.11. User ID Packet (Tag 13) 44 210 5.12. User Attribute Packet (Tag 17) 44 211 5.12.1. The Image Attribute Subpacket 45 212 5.13. Sym. Encrypted Integrity Protected Data Packet (Tag 18) 45 213 5.14. Modification Detection Code Packet (Tag 19) 47 214 6. Radix-64 Conversions 48 215 6.1. An Implementation of the CRC-24 in "C" 48 216 6.2. Forming ASCII Armor 49 217 6.3. Encoding Binary in Radix-64 51 218 6.4. Decoding Radix-64 52 219 6.5. Examples of Radix-64 53 220 6.6. Example of an ASCII Armored Message 53 221 7. Cleartext signature framework 53 222 7.1. Dash-Escaped Text 54 223 224Callas, et al. Expires May 23, 2005 [Page 4] 225INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 226 227 8. Regular Expressions 55 228 9. Constants 55 229 9.1. Public Key Algorithms 55 230 9.2. Symmetric Key Algorithms 56 231 9.3. Compression Algorithms 56 232 9.4. Hash Algorithms 57 233 10. Packet Composition 57 234 10.1. Transferable Public Keys 57 235 10.2. OpenPGP Messages 59 236 10.3. Detached Signatures 59 237 11. Enhanced Key Formats 59 238 11.1. Key Structures 59 239 11.2. Key IDs and Fingerprints 60 240 12. Notes on Algorithms 61 241 12.1. Symmetric Algorithm Preferences 61 242 12.2. Other Algorithm Preferences 62 243 12.2.1. Compression Preferences 62 244 12.2.2. Hash Algorithm Preferences 63 245 12.3. Plaintext 63 246 12.4. RSA 63 247 12.5. DSA 63 248 12.6. Elgamal 63 249 12.7. Reserved Algorithm Numbers 64 250 12.8. OpenPGP CFB mode 64 251 13. Security Considerations 65 252 14. Implementation Nits 67 253 15. Authors and Working Group Chair 68 254 16. References (Normative) 69 255 17. References (Non-Normative) 71 256 18. Full Copyright Statement 71 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280Callas, et al. Expires May 23, 2005 [Page 5] 281INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 282 2831. Introduction 284 285 This document provides information on the message-exchange packet 286 formats used by OpenPGP to provide encryption, decryption, signing, 287 and key management functions. It is a revision of RFC2440, "OpenPGP 288 Message Format", which itself replaces RFC 1991, "PGP Message 289 Exchange Formats." 290 2911.1. Terms 292 293 * OpenPGP - This is a definition for security software that uses 294 PGP 5.x as a basis, formalized in RFC 2440 and this document. 295 296 * PGP - Pretty Good Privacy. PGP is a family of software systems 297 developed by Philip R. Zimmermann from which OpenPGP is based. 298 299 * PGP 2.6.x - This version of PGP has many variants, hence the 300 term PGP 2.6.x. It used only RSA, MD5, and IDEA for its 301 cryptographic transforms. An informational RFC, RFC1991, was 302 written describing this version of PGP. 303 304 * PGP 5.x - This version of PGP is formerly known as "PGP 3" in 305 the community and also in the predecessor of this document, 306 RFC1991. It has new formats and corrects a number of problems in 307 the PGP 2.6.x design. It is referred to here as PGP 5.x because 308 that software was the first release of the "PGP 3" code base. 309 310 * GPG - GNU Privacy Guard, also called GnuPG. GPG is an OpenPGP 311 implementation that avoids all encumbered algorithms. 312 Consequently, early versions of GPG did not include RSA public 313 keys. GPG may or may not have (depending on version) support for 314 IDEA or other encumbered algorithms. 315 316 "PGP", "Pretty Good", and "Pretty Good Privacy" are trademarks of 317 PGP Corporation and are used with permission. 318 319 This document uses the terms "MUST", "SHOULD", and "MAY" as defined 320 in RFC2119, along with the negated forms of those terms. 321 3222. General functions 323 324 OpenPGP provides data integrity services for messages and data files 325 by using these core technologies: 326 327 - digital signatures 328 329 - encryption 330 331 - compression 332 333 334 335 336Callas, et al. Expires May 23, 2005 [Page 6] 337INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 338 339 - radix-64 conversion 340 341 In addition, OpenPGP provides key management and certificate 342 services, but many of these are beyond the scope of this document. 343 3442.1. Confidentiality via Encryption 345 346 OpenPGP combines symmetric-key encryption and public key encryption 347 to provide confidentiality. When made confidential, first the object 348 is encrypted using a symmetric encryption algorithm. Each symmetric 349 key is used only once, for a single object. A new "session key" is 350 generated as a random number for each object (sometimes referred to 351 as a session). Since it is used only once, the session key is bound 352 to the message and transmitted with it. To protect the key, it is 353 encrypted with the receiver's public key. The sequence is as 354 follows: 355 356 1. The sender creates a message. 357 358 2. The sending OpenPGP generates a random number to be used as a 359 session key for this message only. 360 361 3. The session key is encrypted using each recipient's public key. 362 These "encrypted session keys" start the message. 363 364 4. The sending OpenPGP encrypts the message using the session key, 365 which forms the remainder of the message. Note that the message 366 is also usually compressed. 367 368 5. The receiving OpenPGP decrypts the session key using the 369 recipient's private key. 370 371 6. The receiving OpenPGP decrypts the message using the session 372 key. If the message was compressed, it will be decompressed. 373 374 With symmetric-key encryption, an object may be encrypted with a 375 symmetric key derived from a passphrase (or other shared secret), or 376 a two-stage mechanism similar to the public-key method described 377 above in which a session key is itself encrypted with a symmetric 378 algorithm keyed from a shared secret. 379 380 Both digital signature and confidentiality services may be applied 381 to the same message. First, a signature is generated for the message 382 and attached to the message. Then, the message plus signature is 383 encrypted using a symmetric session key. Finally, the session key is 384 encrypted using public-key encryption and prefixed to the encrypted 385 block. 386 3872.2. Authentication via Digital signature 388 389 The digital signature uses a hash code or message digest algorithm, 390 and a public-key signature algorithm. The sequence is as follows: 391 392Callas, et al. Expires May 23, 2005 [Page 7] 393INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 394 395 1. The sender creates a message. 396 397 2. The sending software generates a hash code of the message. 398 399 3. The sending software generates a signature from the hash code 400 using the sender's private key. 401 402 4. The binary signature is attached to the message. 403 404 5. The receiving software keeps a copy of the message signature. 405 406 6. The receiving software generates a new hash code for the 407 received message and verifies it using the message's signature. 408 If the verification is successful, the message is accepted as 409 authentic. 410 4112.3. Compression 412 413 OpenPGP implementations SHOULD compress the message after applying 414 the signature but before encryption. 415 416 If an implementation does not implement compression, its authors 417 should be aware that most PGP messages in the world are compressed. 418 Thus, it may even be wise for a space-constrained implementation to 419 implement decompression, but not compression. 420 421 Furthermore, compression has the added side-effect that some types 422 of attacks can be thwarted by the fact that slightly altered, 423 compressed data rarely uncompresses without severe errors. This is 424 hardly rigorous, but it is operationally useful. These attacks can 425 be rigorously prevented by implementing and using Modification 426 Detection Codes as described in sections following. 427 4282.4. Conversion to Radix-64 429 430 OpenPGP's underlying native representation for encrypted messages, 431 signature certificates, and keys is a stream of arbitrary octets. 432 Some systems only permit the use of blocks consisting of seven-bit, 433 printable text. For transporting OpenPGP's native raw binary octets 434 through channels that are not safe to raw binary data, a printable 435 encoding of these binary octets is needed. OpenPGP provides the 436 service of converting the raw 8-bit binary octet stream to a stream 437 of printable ASCII characters, called Radix-64 encoding or ASCII 438 Armor. 439 440 Implementations SHOULD provide Radix-64 conversions. 441 4422.5. Signature-Only Applications 443 444 OpenPGP is designed for applications that use both encryption and 445 signatures, but there are a number of problems that are solved by a 446 signature-only implementation. Although this specification requires 447 448Callas, et al. Expires May 23, 2005 [Page 8] 449INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 450 451 both encryption and signatures, it is reasonable for there to be 452 subset implementations that are non-conformant only in that they 453 omit encryption. 454 4553. Data Element Formats 456 457 This section describes the data elements used by OpenPGP. 458 4593.1. Scalar numbers 460 461 Scalar numbers are unsigned, and are always stored in big-endian 462 format. Using n[k] to refer to the kth octet being interpreted, the 463 value of a two-octet scalar is ((n[0] << 8) + n[1]). The value of a 464 four-octet scalar is ((n[0] << 24) + (n[1] << 16) + (n[2] << 8) + 465 n[3]). 466 4673.2. Multiprecision Integers 468 469 Multiprecision Integers (also called MPIs) are unsigned integers 470 used to hold large integers such as the ones used in cryptographic 471 calculations. 472 473 An MPI consists of two pieces: a two-octet scalar that is the length 474 of the MPI in bits followed by a string of octets that contain the 475 actual integer. 476 477 These octets form a big-endian number; a big-endian number can be 478 made into an MPI by prefixing it with the appropriate length. 479 480 Examples: 481 482 (all numbers are in hexadecimal) 483 484 The string of octets [00 01 01] forms an MPI with the value 1. The 485 string [00 09 01 FF] forms an MPI with the value of 511. 486 487 Additional rules: 488 489 The size of an MPI is ((MPI.length + 7) / 8) + 2 octets. 490 491 The length field of an MPI describes the length starting from its 492 most significant non-zero bit. Thus, the MPI [00 02 01] is not 493 formed correctly. It should be [00 01 01]. 494 495 Also note that when an MPI is encrypted, the length refers to the 496 plaintext MPI. It may be ill-formed in its ciphertext. 497 4983.3. Key IDs 499 500 A Key ID is an eight-octet scalar that identifies a key. 501 Implementations SHOULD NOT assume that Key IDs are unique. The 502 section, "Enhanced Key Formats" below describes how Key IDs are 503 504Callas, et al. Expires May 23, 2005 [Page 9] 505INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 506 507 formed. 508 5093.4. Text 510 511 Unless otherwise specified, the character set for text is the UTF-8 512 [RFC2279] encoding of Unicode [ISO10646]. 513 5143.5. Time fields 515 516 A time field is an unsigned four-octet number containing the number 517 of seconds elapsed since midnight, 1 January 1970 UTC. 518 5193.6. Keyrings 520 521 A keyring is a collection of one or more keys in a file or database. 522 Traditionally, a keyring is simply a sequential list of keys, but 523 may be any suitable database. It is beyond the scope of this 524 standard to discuss the details of keyrings or other databases. 525 5263.7. String-to-key (S2K) specifiers 527 528 String-to-key (S2K) specifiers are used to convert passphrase 529 strings into symmetric-key encryption/decryption keys. They are 530 used in two places, currently: to encrypt the secret part of private 531 keys in the private keyring, and to convert passphrases to 532 encryption keys for symmetrically encrypted messages. 533 5343.7.1. String-to-key (S2K) specifier types 535 536 There are three types of S2K specifiers currently supported, and 537 some reserved values: 538 539 ID S2K Type 540 -- --- ---- 541 0 Simple S2K 542 1 Salted S2K 543 2 Illegal value 544 3 Iterated and Salted S2K 545 100 to 110 Private/Experimental S2K 546 547 These are described as follows: 548 5493.7.1.1. Simple S2K 550 551 This directly hashes the string to produce the key data. See below 552 for how this hashing is done. 553 554 Octet 0: 0x00 555 Octet 1: hash algorithm 556 557 558 559 560Callas, et al. Expires May 23, 2005 [Page 10] 561INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 562 563 Simple S2K hashes the passphrase to produce the session key. The 564 manner in which this is done depends on the size of the session key 565 (which will depend on the cipher used) and the size of the hash 566 algorithm's output. If the hash size is greater than the session key 567 size, the high-order (leftmost) octets of the hash are used as the 568 key. 569 570 If the hash size is less than the key size, multiple instances of 571 the hash context are created -- enough to produce the required key 572 data. These instances are preloaded with 0, 1, 2, ... octets of 573 zeros (that is to say, the first instance has no preloading, the 574 second gets preloaded with 1 octet of zero, the third is preloaded 575 with two octets of zeros, and so forth). 576 577 As the data is hashed, it is given independently to each hash 578 context. Since the contexts have been initialized differently, they 579 will each produce different hash output. Once the passphrase is 580 hashed, the output data from the multiple hashes is concatenated, 581 first hash leftmost, to produce the key data, with any excess octets 582 on the right discarded. 583 5843.7.1.2. Salted S2K 585 586 This includes a "salt" value in the S2K specifier -- some arbitrary 587 data -- that gets hashed along with the passphrase string, to help 588 prevent dictionary attacks. 589 590 Octet 0: 0x01 591 Octet 1: hash algorithm 592 Octets 2-9: 8-octet salt value 593 594 Salted S2K is exactly like Simple S2K, except that the input to the 595 hash function(s) consists of the 8 octets of salt from the S2K 596 specifier, followed by the passphrase. 597 5983.7.1.3. Iterated and Salted S2K 599 600 This includes both a salt and an octet count. The salt is combined 601 with the passphrase and the resulting value is hashed repeatedly. 602 This further increases the amount of work an attacker must do to try 603 dictionary attacks. 604 605 Octet 0: 0x03 606 Octet 1: hash algorithm 607 Octets 2-9: 8-octet salt value 608 Octet 10: count, a one-octet, coded value 609 610 The count is coded into a one-octet number using the following 611 formula: 612 613 614 615 616Callas, et al. Expires May 23, 2005 [Page 11] 617INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 618 619 #define EXPBIAS 6 620 count = ((Int32)16 + (c & 15)) << ((c >> 4) + EXPBIAS); 621 622 The above formula is in C, where "Int32" is a type for a 32-bit 623 integer, and the variable "c" is the coded count, Octet 10. 624 625 Iterated-Salted S2K hashes the passphrase and salt data multiple 626 times. The total number of octets to be hashed is specified in the 627 encoded count in the S2K specifier. Note that the resulting count 628 value is an octet count of how many octets will be hashed, not an 629 iteration count. 630 631 Initially, one or more hash contexts are set up as with the other 632 S2K algorithms, depending on how many octets of key data are needed. 633 Then the salt, followed by the passphrase data is repeatedly hashed 634 until the number of octets specified by the octet count has been 635 hashed. The one exception is that if the octet count is less than 636 the size of the salt plus passphrase, the full salt plus passphrase 637 will be hashed even though that is greater than the octet count. 638 After the hashing is done the data is unloaded from the hash 639 context(s) as with the other S2K algorithms. 640 6413.7.2. String-to-key usage 642 643 Implementations SHOULD use salted or iterated-and-salted S2K 644 specifiers, as simple S2K specifiers are more vulnerable to 645 dictionary attacks. 646 6473.7.2.1. Secret key encryption 648 649 An S2K specifier can be stored in the secret keyring to specify how 650 to convert the passphrase to a key that unlocks the secret data. 651 Older versions of PGP just stored a cipher algorithm octet preceding 652 the secret data or a zero to indicate that the secret data was 653 unencrypted. The MD5 hash function was always used to convert the 654 passphrase to a key for the specified cipher algorithm. 655 656 For compatibility, when an S2K specifier is used, the special value 657 255 is stored in the position where the hash algorithm octet would 658 have been in the old data structure. This is then followed 659 immediately by a one-octet algorithm identifier, and then by the S2K 660 specifier as encoded above. 661 662 Therefore, preceding the secret data there will be one of these 663 possibilities: 664 665 0: secret data is unencrypted (no pass phrase) 666 255 or 254: followed by algorithm octet and S2K specifier 667 Cipher alg: use Simple S2K algorithm using MD5 hash 668 669 670 671 672Callas, et al. Expires May 23, 2005 [Page 12] 673INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 674 675 This last possibility, the cipher algorithm number with an implicit 676 use of MD5 and IDEA, is provided for backward compatibility; it MAY 677 be understood, but SHOULD NOT be generated, and is deprecated. 678 679 These are followed by an Initial Vector of the same length as the 680 block size of the cipher for the decryption of the secret values, if 681 they are encrypted, and then the secret key values themselves. 682 6833.7.2.2. Symmetric-key message encryption 684 685 OpenPGP can create a Symmetric-key Encrypted Session Key (ESK) 686 packet at the front of a message. This is used to allow S2K 687 specifiers to be used for the passphrase conversion or to create 688 messages with a mix of symmetric-key ESKs and public-key ESKs. This 689 allows a message to be decrypted either with a passphrase or a 690 public key pair. 691 692 PGP 2.X always used IDEA with Simple string-to-key conversion when 693 encrypting a message with a symmetric algorithm. This is deprecated, 694 but MAY be used for backward-compatibility. 695 6964. Packet Syntax 697 698 This section describes the packets used by OpenPGP. 699 7004.1. Overview 701 702 An OpenPGP message is constructed from a number of records that are 703 traditionally called packets. A packet is a chunk of data that has a 704 tag specifying its meaning. An OpenPGP message, keyring, 705 certificate, and so forth consists of a number of packets. Some of 706 those packets may contain other OpenPGP packets (for example, a 707 compressed data packet, when uncompressed, contains OpenPGP 708 packets). 709 710 Each packet consists of a packet header, followed by the packet 711 body. The packet header is of variable length. 712 7134.2. Packet Headers 714 715 The first octet of the packet header is called the "Packet Tag." It 716 determines the format of the header and denotes the packet contents. 717 The remainder of the packet header is the length of the packet. 718 719 Note that the most significant bit is the left-most bit, called bit 720 7. A mask for this bit is 0x80 in hexadecimal. 721 722 +---------------+ 723 PTag |7 6 5 4 3 2 1 0| 724 +---------------+ 725 Bit 7 -- Always one 726 Bit 6 -- New packet format if set 727 728Callas, et al. Expires May 23, 2005 [Page 13] 729INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 730 731 PGP 2.6.x only uses old format packets. Thus, software that 732 interoperates with those versions of PGP must only use old format 733 packets. If interoperability is not an issue, the new packet format 734 is preferred. Note that old format packets have four bits of content 735 tags, and new format packets have six; some features cannot be used 736 and still be backward-compatible. 737 738 Also note that packets with a tag greater than or equal to 16 MUST 739 use new format packets. The old format packets can only express tags 740 less than or equal to 15. 741 742 Old format packets contain: 743 744 Bits 5-2 -- content tag 745 Bits 1-0 - length-type 746 747 New format packets contain: 748 749 Bits 5-0 -- content tag 750 7514.2.1. Old-Format Packet Lengths 752 753 The meaning of the length-type in old-format packets is: 754 755 0 - The packet has a one-octet length. The header is 2 octets long. 756 757 1 - The packet has a two-octet length. The header is 3 octets long. 758 759 2 - The packet has a four-octet length. The header is 5 octets long. 760 761 3 - The packet is of indeterminate length. The header is 1 octet 762 long, and the implementation must determine how long the packet 763 is. If the packet is in a file, this means that the packet 764 extends until the end of the file. In general, an implementation 765 SHOULD NOT use indeterminate length packets except where the end 766 of the data will be clear from the context, and even then it is 767 better to use a definite length, or a new-format header. The 768 new-format headers described below have a mechanism for 769 precisely encoding data of indeterminate length. 770 7714.2.2. New-Format Packet Lengths 772 773 New format packets have four possible ways of encoding length: 774 775 1. A one-octet Body Length header encodes packet lengths of up to 776 191 octets. 777 778 2. A two-octet Body Length header encodes packet lengths of 192 to 779 8383 octets. 780 781 782 783 784Callas, et al. Expires May 23, 2005 [Page 14] 785INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 786 787 3. A five-octet Body Length header encodes packet lengths of up to 788 4,294,967,295 (0xFFFFFFFF) octets in length. (This actually 789 encodes a four-octet scalar number.) 790 791 4. When the length of the packet body is not known in advance by 792 the issuer, Partial Body Length headers encode a packet of 793 indeterminate length, effectively making it a stream. 794 7954.2.2.1. One-Octet Lengths 796 797 A one-octet Body Length header encodes a length of from 0 to 191 798 octets. This type of length header is recognized because the one 799 octet value is less than 192. The body length is equal to: 800 801 bodyLen = 1st_octet; 802 8034.2.2.2. Two-Octet Lengths 804 805 A two-octet Body Length header encodes a length of from 192 to 8383 806 octets. It is recognized because its first octet is in the range 807 192 to 223. The body length is equal to: 808 809 bodyLen = ((1st_octet - 192) << 8) + (2nd_octet) + 192 810 8114.2.2.3. Five-Octet Lengths 812 813 A five-octet Body Length header consists of a single octet holding 814 the value 255, followed by a four-octet scalar. The body length is 815 equal to: 816 817 bodyLen = (2nd_octet << 24) | (3rd_octet << 16) | 818 (4th_octet << 8) | 5th_octet 819 820 This basic set of one, two, and five-octet lengths is also used 821 internally to some packets. 822 8234.2.2.4. Partial Body Lengths 824 825 A Partial Body Length header is one octet long and encodes the 826 length of only part of the data packet. This length is a power of 2, 827 from 1 to 1,073,741,824 (2 to the 30th power). It is recognized by 828 its one octet value that is greater than or equal to 224, and less 829 than 255. The partial body length is equal to: 830 831 partialBodyLen = 1 << (1st_octet & 0x1f); 832 833 Each Partial Body Length header is followed by a portion of the 834 packet body data. The Partial Body Length header specifies this 835 portion's length. Another length header (one octet, two-octet, 836 five-octet, or partial) follows that portion. The last length header 837 in the packet MUST NOT be a partial Body Length header. Partial 838 Body Length headers may only be used for the non-final parts of the 839 840Callas, et al. Expires May 23, 2005 [Page 15] 841INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 842 843 packet. 844 845 It might also be encoded in the following octet stream: 0xEF, first 846 32768 octets of data; 0xE1, next two octets of data; 0xE0, next one 847 octet of data; 0xF0, next 65536 octets of data; 0xC5, 0xDD, last 848 1693 octets of data. This is just one possible encoding, and many 849 variations are possible on the size of the Partial Body Length 850 headers, as long as a regular Body Length header encodes the last 851 portion of the data. 852 853 Note also that the last Body Length header can be a zero-length 854 header. 855 856 An implementation MAY use Partial Body Lengths for data packets, be 857 they literal, compressed, or encrypted. The first partial length 858 MUST be at least 512 octets long. Partial Body Lengths MUST NOT be 859 used for any other packet types. 860 8614.2.3. Packet Length Examples 862 863 These examples show ways that new-format packets might encode the 864 packet lengths. 865 866 A packet with length 100 may have its length encoded in one octet: 867 0x64. This is followed by 100 octets of data. 868 869 A packet with length 1723 may have its length coded in two octets: 870 0xC5, 0xFB. This header is followed by the 1723 octets of data. 871 872 A packet with length 100000 may have its length encoded in five 873 octets: 0xFF, 0x00, 0x01, 0x86, 0xA0. 874 875 Please note that in all of these explanations, the total length of 876 the packet is the length of the header(s) plus the length of the 877 body. 878 8794.3. Packet Tags 880 881 The packet tag denotes what type of packet the body holds. Note that 882 old format headers can only have tags less than 16, whereas new 883 format headers can have tags as great as 63. The defined tags (in 884 decimal) are: 885 886 0 -- Reserved - a packet tag must not have this value 887 1 -- Public-Key Encrypted Session Key Packet 888 2 -- Signature Packet 889 3 -- Symmetric-Key Encrypted Session Key Packet 890 4 -- One-Pass Signature Packet 891 5 -- Secret Key Packet 892 6 -- Public Key Packet 893 7 -- Secret Subkey Packet 894 8 -- Compressed Data Packet 895 896Callas, et al. Expires May 23, 2005 [Page 16] 897INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 898 899 9 -- Symmetrically Encrypted Data Packet 900 10 -- Marker Packet 901 11 -- Literal Data Packet 902 12 -- Trust Packet 903 13 -- User ID Packet 904 14 -- Public Subkey Packet 905 17 -- User Attribute Packet 906 18 -- Sym. Encrypted and Integrity Protected Data Packet 907 19 -- Modification Detection Code Packet 908 60 to 63 -- Private or Experimental Values 909 9105. Packet Types 911 9125.1. Public-Key Encrypted Session Key Packets (Tag 1) 913 914 A Public-Key Encrypted Session Key packet holds the session key used 915 to encrypt a message. Zero or more Encrypted Session Key packets 916 (either Public-Key or Symmetric-Key) may precede a Symmetrically 917 Encrypted Data Packet, which holds an encrypted message. The 918 message is encrypted with the session key, and the session key is 919 itself encrypted and stored in the Encrypted Session Key packet(s). 920 The Symmetrically Encrypted Data Packet is preceded by one 921 Public-Key Encrypted Session Key packet for each OpenPGP key to 922 which the message is encrypted. The recipient of the message finds 923 a session key that is encrypted to their public key, decrypts the 924 session key, and then uses the session key to decrypt the message. 925 926 The body of this packet consists of: 927 928 - A one-octet number giving the version number of the packet type. 929 The currently defined value for packet version is 3. 930 931 - An eight-octet number that gives the key ID of the public key 932 that the session key is encrypted to. If the session key is 933 encrypted to a subkey then the key ID of this subkey is used 934 here instead of the key ID of the primary key. 935 936 - A one-octet number giving the public key algorithm used. 937 938 - A string of octets that is the encrypted session key. This 939 string takes up the remainder of the packet, and its contents 940 are dependent on the public key algorithm used. 941 942 Algorithm Specific Fields for RSA encryption 943 944 - multiprecision integer (MPI) of RSA encrypted value m**e mod n. 945 946 Algorithm Specific Fields for Elgamal encryption: 947 948 - MPI of Elgamal (Diffie-Hellman) value g**k mod p. 949 950 951 952Callas, et al. Expires May 23, 2005 [Page 17] 953INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 954 955 - MPI of Elgamal (Diffie-Hellman) value m * y**k mod p. 956 957 The value "m" in the above formulas is derived from the session key 958 as follows. First the session key is prefixed with a one-octet 959 algorithm identifier that specifies the symmetric encryption 960 algorithm used to encrypt the following Symmetrically Encrypted Data 961 Packet. Then a two-octet checksum is appended which is equal to the 962 sum of the preceding session key octets, not including the algorithm 963 identifier, modulo 65536. This value is then encoded as described 964 in PKCS-1 block encoding EME-PKCS1-v1_5 [RFC2437] to form the "m" 965 value used in the formulas above. 966 967 Note that when an implementation forms several PKESKs with one 968 session key, forming a message that can be decrypted by several 969 keys, the implementation MUST make new PKCS-1 encoding for each key. 970 971 An implementation MAY accept or use a Key ID of zero as a "wild 972 card" or "speculative" Key ID. In this case, the receiving 973 implementation would try all available private keys, checking for a 974 valid decrypted session key. This format helps reduce traffic 975 analysis of messages. 976 9775.2. Signature Packet (Tag 2) 978 979 A signature packet describes a binding between some public key and 980 some data. The most common signatures are a signature of a file or a 981 block of text, and a signature that is a certification of a User ID. 982 983 Two versions of signature packets are defined. Version 3 provides 984 basic signature information, while version 4 provides an expandable 985 format with subpackets that can specify more information about the 986 signature. PGP 2.6.x only accepts version 3 signatures. 987 988 Implementations SHOULD accept V3 signatures. Implementations SHOULD 989 generate V4 signatures. 990 991 Note that if an implementation is creating an encrypted and signed 992 message that is encrypted to a V3 key, it is reasonable to create a 993 V3 signature. 994 9955.2.1. Signature Types 996 997 There are a number of possible meanings for a signature, which are 998 specified in a signature type octet in any given signature. These 999 meanings are: 1000 1001 0x00: Signature of a binary document. 1002 This means the signer owns it, created it, or certifies that it 1003 has not been modified. 1004 1005 1006 1007 1008Callas, et al. Expires May 23, 2005 [Page 18] 1009INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1010 1011 0x01: Signature of a canonical text document. 1012 This means the signer owns it, created it, or certifies that it 1013 has not been modified. The signature is calculated over the 1014 text data with its line endings converted to <CR><LF>. 1015 1016 0x02: Standalone signature. 1017 This signature is a signature of only its own subpacket 1018 contents. It is calculated identically to a signature over a 1019 zero-length binary document. Note that it doesn't make sense to 1020 have a V3 standalone signature. 1021 1022 0x10: Generic certification of a User ID and Public Key packet. 1023 The issuer of this certification does not make any particular 1024 assertion as to how well the certifier has checked that the 1025 owner of the key is in fact the person described by the User ID. 1026 Note that all PGP "key signatures" are this type of 1027 certification. 1028 1029 0x11: Persona certification of a User ID and Public Key packet. 1030 The issuer of this certification has not done any verification 1031 of the claim that the owner of this key is the User ID 1032 specified. 1033 1034 0x12: Casual certification of a User ID and Public Key packet. 1035 The issuer of this certification has done some casual 1036 verification of the claim of identity. 1037 1038 0x13: Positive certification of a User ID and Public Key packet. 1039 The issuer of this certification has done substantial 1040 verification of the claim of identity. 1041 1042 Please note that the vagueness of these certification claims is 1043 not a flaw, but a feature of the system. Because PGP places 1044 final authority for validity upon the receiver of a 1045 certification, it may be that one authority's casual 1046 certification might be more rigorous than some other authority's 1047 positive certification. These classifications allow a 1048 certification authority to issue fine-grained claims. 1049 1050 0x18: Subkey Binding Signature 1051 This signature is a statement by the top-level signing key that 1052 indicates that it owns the subkey. This signature is calculated 1053 directly on the subkey itself, not on any User ID or other 1054 packets. A signature that binds a signing subkey also has an 1055 embedded signature subpacket in this binding signature which 1056 contains a 0x19 signature made by the signing subkey on the 1057 primary key. 1058 1059 0x19 Primary Key Binding Signature 1060 This signature is a statement by a signing subkey, indicating 1061 that it is owned by the primary key. This signature is 1062 calculated directly on the primary key itself, and not on any 1063 1064Callas, et al. Expires May 23, 2005 [Page 19] 1065INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1066 1067 User ID or other packets. 1068 1069 0x1F: Signature directly on a key 1070 This signature is calculated directly on a key. It binds the 1071 information in the signature subpackets to the key, and is 1072 appropriate to be used for subpackets that provide information 1073 about the key, such as the revocation key subpacket. It is also 1074 appropriate for statements that non-self certifiers want to make 1075 about the key itself, rather than the binding between a key and 1076 a name. 1077 1078 0x20: Key revocation signature 1079 The signature is calculated directly on the key being revoked. 1080 A revoked key is not to be used. Only revocation signatures by 1081 the key being revoked, or by an authorized revocation key, 1082 should be considered valid revocation signatures. 1083 1084 0x28: Subkey revocation signature 1085 The signature is calculated directly on the subkey being 1086 revoked. A revoked subkey is not to be used. Only revocation 1087 signatures by the top-level signature key that is bound to this 1088 subkey, or by an authorized revocation key, should be considered 1089 valid revocation signatures. 1090 1091 0x30: Certification revocation signature 1092 This signature revokes an earlier User ID certification 1093 signature (signature class 0x10 through 0x13) or direct-key 1094 signature (0x1F). It should be issued by the same key that 1095 issued the revoked signature or an authorized revocation key. 1096 The signature should have a later creation date than the 1097 signature it revokes. 1098 1099 0x40: Timestamp signature. 1100 This signature is only meaningful for the timestamp contained in 1101 it. 1102 1103 0x50: Third-Party Confirmation signature. 1104 This signature is a signature over some other OpenPGP signature 1105 packet(s). It is analogous to a notary seal on the signed data. 1106 A third-party signature SHOULD include Signature Target 1107 subpacket(s) to give easy identification. Note that we really do 1108 mean SHOULD. There are plausible uses for this (such as a blind 1109 party that only sees the signature, not the key nor source 1110 document) that cannot include a target subpacket. 1111 11125.2.2. Version 3 Signature Packet Format 1113 1114 The body of a version 3 Signature Packet contains: 1115 1116 - One-octet version number (3). 1117 1118 1119 1120Callas, et al. Expires May 23, 2005 [Page 20] 1121INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1122 1123 - One-octet length of following hashed material. MUST be 5. 1124 1125 - One-octet signature type. 1126 1127 - Four-octet creation time. 1128 1129 - Eight-octet key ID of signer. 1130 1131 - One-octet public key algorithm. 1132 1133 - One-octet hash algorithm. 1134 1135 - Two-octet field holding left 16 bits of signed hash value. 1136 1137 - One or more multiprecision integers comprising the signature. 1138 This portion is algorithm specific, as described below. 1139 1140 Algorithm Specific Fields for RSA signatures: 1141 1142 - multiprecision integer (MPI) of RSA signature value m**d mod n. 1143 1144 Algorithm Specific Fields for DSA signatures: 1145 1146 - MPI of DSA value r. 1147 1148 - MPI of DSA value s. 1149 1150 The signature calculation is based on a hash of the signed 1151 data. This is described in detail in section 5.2.4. The high 16 1152 bits (first two octets) of the hash are included in the signature 1153 packet to provide a quick test to reject some invalid signatures. 1154 1155Callas, et al. Expires May 23, 2005 [Page 22] 1156INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1157 11585.2.3. Version 4 Signature Packet Format 1159 1160 The body of a version 4 Signature Packet contains: 1161 1162 - One-octet version number (4). 1163 1164 - One-octet signature type. 1165 1166 - One-octet public key algorithm. 1167 1168 - One-octet hash algorithm. 1169 1170 - Two-octet scalar octet count for following hashed subpacket 1171 data. Note that this is the length in octets of all of the 1172 hashed subpackets; a pointer incremented by this number will 1173 skip over the hashed subpackets. 1174 1175 - Hashed subpacket data. (zero or more subpackets) 1176 1177 - Two-octet scalar octet count for following unhashed subpacket 1178 data. Note that this is the length in octets of all of the 1179 unhashed subpackets; a pointer incremented by this number will 1180 skip over the unhashed subpackets. 1181 1182 - Unhashed subpacket data. (zero or more subpackets) 1183 1184 - Two-octet field holding left 16 bits of signed hash value. 1185 1186 - One or more multiprecision integers comprising the signature. 1187 This portion is algorithm specific, as described above. 1188 1189 There are two fields consisting of signature subpackets. The first 1190 field is hashed with the rest of the signature data, while the 1191 second is unhashed. The second set of subpackets is not 1192 cryptographically protected by the signature and should include only 1193 advisory information. 1194 1195 The algorithms for calculating the hash and converting the result 1196 to a signature are described in section 5.2.4. The left 16 bits of 1197 the hash are included in the signature packet to provide a quick 1198 test to reject some invalid signatures. 1199 12005.2.3.1. Signature Subpacket Specification 1201 1202 The subpacket fields consist of zero or more signature subpackets. 1203 Each set of subpackets is preceded by a two-octet scalar count of 1204 the length of the set of subpackets. 1205 1206 1207Callas, et al. Expires May 23, 2005 [Page 23] 1208INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1209 1210 Each subpacket consists of a subpacket header and a body. The 1211 header consists of: 1212 1213 - the subpacket length (1, 2, or 5 octets) 1214 1215 - the subpacket type (1 octet) 1216 1217 and is followed by the subpacket specific data. 1218 1219 The length includes the type octet but not this length. Its format 1220 is similar to the "new" format packet header lengths, but cannot 1221 have partial body lengths. That is: 1222 1223 if the 1st octet < 192, then 1224 lengthOfLength = 1 1225 subpacketLen = 1st_octet 1226 1227 if the 1st octet >= 192 and < 255, then 1228 lengthOfLength = 2 1229 subpacketLen = ((1st_octet - 192) << 8) + (2nd_octet) + 192 1230 1231 if the 1st octet = 255, then 1232 lengthOfLength = 5 1233 subpacket length = [four-octet scalar starting at 2nd_octet] 1234 1235 The value of the subpacket type octet may be: 1236 1237 2 = signature creation time 1238 3 = signature expiration time 1239 4 = exportable certification 1240 5 = trust signature 1241 6 = regular expression 1242 7 = revocable 1243 9 = key expiration time 1244 10 = placeholder for backward compatibility 1245 11 = preferred symmetric algorithms 1246 12 = revocation key 1247 16 = issuer key ID 1248 20 = notation data 1249 21 = preferred hash algorithms 1250 22 = preferred compression algorithms 1251 23 = key server preferences 1252 24 = preferred key server 1253 25 = primary User ID 1254 26 = policy URL 1255 27 = key flags 1256 28 = signer's User ID 1257 29 = reason for revocation 1258 30 = features 1259 31 = signature target 1260 32 = embedded signature 1261 1262 1263Callas, et al. Expires May 23, 2005 [Page 24] 1264INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1265 1266 100 to 110 = internal or user-defined 1267 1268 An implementation SHOULD ignore any subpacket of a type that it does 1269 not recognize. 1270 1271 Bit 7 of the subpacket type is the "critical" bit. If set, it 1272 denotes that the subpacket is one that is critical for the evaluator 1273 of the signature to recognize. If a subpacket is encountered that 1274 is marked critical but is unknown to the evaluating software, the 1275 evaluator SHOULD consider the signature to be in error. 1276 1277 An evaluator may "recognize" a subpacket, but not implement it. The 1278 purpose of the critical bit is to allow the signer to tell an 1279 evaluator that it would prefer a new, unknown feature to generate an 1280 error than be ignored. 1281 1282 Implementations SHOULD implement "preferences" and the "reason for 1283 revocation" subpackets. Note, however, that if an implementation 1284 chooses not to implement some of the preferences, it is required to 1285 behave in a polite manner to respect the wishes of those users who 1286 do implement these preferences. 1287 12885.2.3.2. Signature Subpacket Types 1289 1290 A number of subpackets are currently defined. Some subpackets apply 1291 to the signature itself and some are attributes of the key. 1292 Subpackets that are found on a self-signature are placed on a 1293 certification made by the key itself. Note that a key may have more 1294 than one User ID, and thus may have more than one self-signature, 1295 and differing subpackets. 1296 1297 A subpacket may be found either in the hashed or unhashed subpacket 1298 sections of a signature. If a subpacket is not hashed, then the 1299 information in it cannot be considered definitive because it is not 1300 part of the signature proper. 1301 13025.2.3.3. Notes on Self-Signatures 1303 1304 A self-signature is a binding signature made by the key the 1305 signature refers to. There are three types of self-signatures, the 1306 certification signatures (types 0x10-0x13), the direct-key signature 1307 (type 0x1f), and the subkey binding signature (type 0x18). For 1308 certification self-signatures, each User ID may have a 1309 self-signature, and thus different subpackets in those 1310 self-signatures. For subkey binding signatures, each subkey in fact 1311 has a self-signature. Subpackets that appear in a certification 1312 self-signature apply to the username, and subpackets that appear in 1313 the subkey self-signature apply to the subkey. Lastly, subpackets on 1314 the direct-key signature apply to the entire key. 1315 1316 1317 1318 1319Callas, et al. Expires May 23, 2005 [Page 25] 1320INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1321 1322 Implementing software should interpret a self-signature's preference 1323 subpackets as narrowly as possible. For example, suppose a key has 1324 two usernames, Alice and Bob. Suppose that Alice prefers the 1325 symmetric algorithm CAST5, and Bob prefers IDEA or TripleDES. If the 1326 software locates this key via Alice's name, then the preferred 1327 algorithm is CAST5, if software locates the key via Bob's name, then 1328 the preferred algorithm is IDEA. If the key is located by key ID, 1329 the algorithm of the primary User ID of the key provides the default 1330 symmetric algorithm. 1331 1332 Revoking a self-signature or allowing it to expire has a semantic 1333 meaning that varies with the signature type. Revoking the 1334 self-signature on a User ID effectively retires that user name. The 1335 self-signature is a statement, "My name X is tied to my signing key 1336 K" and is corroborated by other users' certifications. If another 1337 user revokes their certification, they are effectively saying that 1338 they no longer believe that name and that key are tied together. 1339 Similarly, if the user themselves revokes their self-signature, it 1340 means the user no longer goes by that name, no longer has that email 1341 address, etc. Revoking a binding signature effectively retires that 1342 subkey. Revoking a direct-key signature cancels that signature. 1343 Please see the "Reason for Revocation" subpacket below for more 1344 relevant detail. 1345 1346 Since a self-signature contains important information about the 1347 key's use, an implementation SHOULD allow the user to rewrite the 1348 self-signature, and important information in it, such as preferences 1349 and key expiration. 1350 1351 It is good practice to verify that a self-signature imported into an 1352 implementation doesn't advertise features that the implementation 1353 doesn't support, rewriting the signature as appropriate. 1354 1355 An implementation that encounters multiple self-signatures on the 1356 same object may resolve the ambiguity in any way it sees fit, but it 1357 is RECOMMENDED that priority be given to the most recent 1358 self-signature. 1359 13605.2.3.4. Signature creation time 1361 1362 (4 octet time field) 1363 1364 The time the signature was made. 1365 1366 MUST be present in the hashed area. 1367 13685.2.3.5. Issuer 1369 1370 (8 octet key ID) 1371 1372 1373 1374 1375Callas, et al. Expires May 23, 2005 [Page 26] 1376INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1377 1378 The OpenPGP key ID of the key issuing the signature. 1379 13805.2.3.6. Key expiration time 1381 1382 (4 octet time field) 1383 1384 The validity period of the key. This is the number of seconds after 1385 the key creation time that the key expires. If this is not present 1386 or has a value of zero, the key never expires. This is found only on 1387 a self-signature. 1388 13895.2.3.7. Preferred symmetric algorithms 1390 1391 (sequence of one-octet values) 1392 1393 Symmetric algorithm numbers that indicate which algorithms the key 1394 holder prefers to use. The subpacket body is an ordered list of 1395 octets with the most preferred listed first. It is assumed that only 1396 algorithms listed are supported by the recipient's software. 1397 Algorithm numbers in section 9. This is only found on a 1398 self-signature. 1399 14005.2.3.8. Preferred hash algorithms 1401 1402 (array of one-octet values) 1403 1404 Message digest algorithm numbers that indicate which algorithms the 1405 key holder prefers to receive. Like the preferred symmetric 1406 algorithms, the list is ordered. Algorithm numbers are in section 6. 1407 This is only found on a self-signature. 1408 14095.2.3.9. Preferred compression algorithms 1410 1411 (array of one-octet values) 1412 1413 Compression algorithm numbers that indicate which algorithms the key 1414 holder prefers to use. Like the preferred symmetric algorithms, the 1415 list is ordered. Algorithm numbers are in section 6. If this 1416 subpacket is not included, ZIP is preferred. A zero denotes that 1417 uncompressed data is preferred; the key holder's software might have 1418 no compression software in that implementation. This is only found 1419 on a self-signature. 1420 14215.2.3.10. Signature expiration time 1422 1423 (4 octet time field) 1424 1425 The validity period of the signature. This is the number of seconds 1426 after the signature creation time that the signature expires. If 1427 this is not present or has a value of zero, it never expires. 1428 1429 1430 1431Callas, et al. Expires May 23, 2005 [Page 27] 1432INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1433 14345.2.3.11. Exportable Certification 1435 1436 (1 octet of exportability, 0 for not, 1 for exportable) 1437 1438 This subpacket denotes whether a certification signature is 1439 "exportable," to be used by other users than the signature's issuer. 1440 The packet body contains a Boolean flag indicating whether the 1441 signature is exportable. If this packet is not present, the 1442 certification is exportable; it is equivalent to a flag containing a 1443 1. 1444 1445 Non-exportable, or "local," certifications are signatures made by a 1446 user to mark a key as valid within that user's implementation only. 1447 Thus, when an implementation prepares a user's copy of a key for 1448 transport to another user (this is the process of "exporting" the 1449 key), any local certification signatures are deleted from the key. 1450 1451 The receiver of a transported key "imports" it, and likewise trims 1452 any local certifications. In normal operation, there won't be any, 1453 assuming the import is performed on an exported key. However, there 1454 are instances where this can reasonably happen. For example, if an 1455 implementation allows keys to be imported from a key database in 1456 addition to an exported key, then this situation can arise. 1457 1458 Some implementations do not represent the interest of a single user 1459 (for example, a key server). Such implementations always trim local 1460 certifications from any key they handle. 1461 14625.2.3.12. Revocable 1463 1464 (1 octet of revocability, 0 for not, 1 for revocable) 1465 1466 Signature's revocability status. Packet body contains a Boolean 1467 flag indicating whether the signature is revocable. Signatures that 1468 are not revocable have any later revocation signatures ignored. 1469 They represent a commitment by the signer that he cannot revoke his 1470 signature for the life of his key. If this packet is not present, 1471 the signature is revocable. 1472 14735.2.3.13. Trust signature 1474 1475 (1 octet "level" (depth), 1 octet of trust amount) 1476 1477 Signer asserts that the key is not only valid, but also trustworthy, 1478 at the specified level. Level 0 has the same meaning as an ordinary 1479 validity signature. Level 1 means that the signed key is asserted 1480 to be a valid trusted introducer, with the 2nd octet of the body 1481 specifying the degree of trust. Level 2 means that the signed key is 1482 asserted to be trusted to issue level 1 trust signatures, i.e. that 1483 it is a "meta introducer". Generally, a level n trust signature 1484 asserts that a key is trusted to issue level n-1 trust signatures. 1485 The trust amount is in a range from 0-255, interpreted such that 1486 1487Callas, et al. Expires May 23, 2005 [Page 28] 1488INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1489 1490 values less than 120 indicate partial trust and values of 120 or 1491 greater indicate complete trust. Implementations SHOULD emit values 1492 of 60 for partial trust and 120 for complete trust. 1493 14945.2.3.14. Regular expression 1495 1496 (null-terminated regular expression) 1497 1498 Used in conjunction with trust signature packets (of level > 0) to 1499 limit the scope of trust that is extended. Only signatures by the 1500 target key on User IDs that match the regular expression in the body 1501 of this packet have trust extended by the trust signature subpacket. 1502 The regular expression uses the same syntax as the Henry Spencer's 1503 "almost public domain" regular expression package. A description of 1504 the syntax is found in a section below. 1505 15065.2.3.15. Revocation key 1507 1508 (1 octet of class, 1 octet of algid, 20 octets of fingerprint) 1509 1510 Authorizes the specified key to issue revocation signatures for this 1511 key. Class octet must have bit 0x80 set. If the bit 0x40 is set, 1512 then this means that the revocation information is sensitive. Other 1513 bits are for future expansion to other kinds of authorizations. This 1514 is found on a self-signature. 1515 1516 If the "sensitive" flag is set, the keyholder feels this subpacket 1517 contains private trust information that describes a real-world 1518 sensitive relationship. If this flag is set, implementations SHOULD 1519 NOT export this signature to other users except in cases where the 1520 data needs to be available: when the signature is being sent to the 1521 designated revoker, or when it is accompanied by a revocation 1522 signature from that revoker. Note that it may be appropriate to 1523 isolate this subpacket within a separate signature so that it is not 1524 combined with other subpackets that need to be exported. 1525 15265.2.3.16. Notation Data 1527 1528 (4 octets of flags, 2 octets of name length (M), 1529 2 octets of value length (N), 1530 M octets of name data, 1531 N octets of value data) 1532 1533 This subpacket describes a "notation" on the signature that the 1534 issuer wishes to make. The notation has a name and a value, each of 1535 which are strings of octets. There may be more than one notation in 1536 a signature. Notations can be used for any extension the issuer of 1537 the signature cares to make. The "flags" field holds four octets of 1538 flags. 1539 1540 1541 1542 1543Callas, et al. Expires May 23, 2005 [Page 29] 1544INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1545 1546 All undefined flags MUST be zero. Defined flags are: 1547 1548 First octet: 0x80 = human-readable. This note value is text, a 1549 note from one person to another, and need 1550 not have meaning to software. 1551 Other octets: none. 1552 1553 Notation names are arbitrary strings encoded in UTF-8. They reside 1554 two name spaces: The IETF name space and the user name space. 1555 1556 The IETF name space is registered with IANA. These names MUST NOT 1557 contain the "@" character (0x40) is this is a tag for the user name 1558 space. 1559 1560 Names in the user name space consist of a UTF-8 string tag followed 1561 by "@" followed by a DNS domain name. Note that the tag MUST NOT 1562 contain an "@" character. For example, the "sample" tag used by 1563 Example Corporation could be "sample@example.com". 1564 1565 Names in a user space are owned and controlled by the owners of that 1566 domain. Obviously, it's of bad form to create a new name in a DNS 1567 space that you don't own. 1568 1569 Since the user name space is in the form of an email address, 1570 implementers MAY wish to arrange for that address to reach a person 1571 who can be consulted about the use of the named tag. Note that due 1572 to UTF-8 encoding, not all valid user space name tags are valid 1573 email addresses. 1574 15755.2.3.17. Key server preferences 1576 1577 (N octets of flags) 1578 1579 This is a list of one-bit flags that indicate preferences that the 1580 key holder has about how the key is handled on a key server. All 1581 undefined flags MUST be zero. 1582 1583 First octet: 0x80 = No-modify 1584 the key holder requests that this key only be modified or 1585 updated by the key holder or an administrator of the key server. 1586 1587 This is found only on a self-signature. 1588 15895.2.3.18. Preferred key server 1590 1591 (String) 1592 1593 This is a URL of a key server that the key holder prefers be used 1594 for updates. Note that keys with multiple User IDs can have a 1595 preferred key server for each User ID. Note also that since this is 1596 a URL, the key server can actually be a copy of the key retrieved by 1597 ftp, http, finger, etc. 1598 1599Callas, et al. Expires May 23, 2005 [Page 30] 1600INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1601 16025.2.3.19. Primary User ID 1603 1604 (1 octet, Boolean) 1605 1606 This is a flag in a User ID's self signature that states whether 1607 this User ID is the main User ID for this key. It is reasonable for 1608 an implementation to resolve ambiguities in preferences, etc. by 1609 referring to the primary User ID. If this flag is absent, its value 1610 is zero. If more than one User ID in a key is marked as primary, the 1611 implementation may resolve the ambiguity in any way it sees fit, but 1612 it is RECOMMENDED that priority be given to the User ID with the 1613 most recent self-signature. 1614 1615 When appearing on a self-signature on a User ID packet, this 1616 subpacket applies only to User ID packets. When appearing on a 1617 self-signature on a User Attribute packet, this subpacket applies 1618 only to User Attribute packets. That is to say, there are two 1619 different and independent "primaries" - one for User IDs, and one 1620 for User Attributes. 1621 16225.2.3.20. Policy URL 1623 1624 (String) 1625 1626 This subpacket contains a URL of a document that describes the 1627 policy that the signature was issued under. 1628 16295.2.3.21. Key Flags 1630 1631 (N octets of flags) 1632 1633 This subpacket contains a list of binary flags that hold information 1634 about a key. It is a string of octets, and an implementation MUST 1635 NOT assume a fixed size. This is so it can grow over time. If a list 1636 is shorter than an implementation expects, the unstated flags are 1637 considered to be zero. The defined flags are: 1638 1639 First octet: 1640 1641 0x01 - This key may be used to certify other keys. 1642 1643 0x02 - This key may be used to sign data. 1644 1645 0x04 - This key may be used to encrypt communications. 1646 1647 0x08 - This key may be used to encrypt storage. 1648 1649 0x10 - The private component of this key may have been split by 1650 a secret-sharing mechanism. 1651 1652 1653 1654 1655Callas, et al. Expires May 23, 2005 [Page 31] 1656INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1657 1658 0x20 - This key may be used for authentication. 1659 1660 0x80 - The private component of this key may be in the 1661 possession of more than one person. 1662 1663 Usage notes: 1664 1665 The flags in this packet may appear in self-signatures or in 1666 certification signatures. They mean different things depending on 1667 who is making the statement -- for example, a certification 1668 signature that has the "sign data" flag is stating that the 1669 certification is for that use. On the other hand, the 1670 "communications encryption" flag in a self-signature is stating a 1671 preference that a given key be used for communications. Note 1672 however, that it is a thorny issue to determine what is 1673 "communications" and what is "storage." This decision is left wholly 1674 up to the implementation; the authors of this document do not claim 1675 any special wisdom on the issue, and realize that accepted opinion 1676 may change. 1677 1678 The "split key" (0x10) and "group key" (0x80) flags are placed on a 1679 self-signature only; they are meaningless on a certification 1680 signature. They SHOULD be placed only on a direct-key signature 1681 (type 0x1f) or a subkey signature (type 0x18), one that refers to 1682 the key the flag applies to. 1683 16845.2.3.22. Signer's User ID 1685 1686 (String) 1687 1688 This subpacket allows a keyholder to state which User ID is 1689 responsible for the signing. Many keyholders use a single key for 1690 different purposes, such as business communications as well as 1691 personal communications. This subpacket allows such a keyholder to 1692 state which of their roles is making a signature. 1693 1694 This subpacket is not appropriate to use to refer to a User 1695 Attribute packet. 1696 16975.2.3.23. Reason for Revocation 1698 1699 (1 octet of revocation code, N octets of reason string) 1700 1701 This subpacket is used only in key revocation and certification 1702 revocation signatures. It describes the reason why the key or 1703 certificate was revoked. 1704 1705 The first octet contains a machine-readable code that denotes the 1706 reason for the revocation: 1707 1708 1709 1710 1711Callas, et al. Expires May 23, 2005 [Page 32] 1712INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1713 1714 0x00 - No reason specified (key revocations or cert revocations) 1715 0x01 - Key is superceded (key revocations) 1716 0x02 - Key material has been compromised (key revocations) 1717 0x03 - Key is retired and no longer used (key revocations) 1718 0x20 - User ID information is no longer valid (cert revocations) 1719 1720 Following the revocation code is a string of octets which gives 1721 information about the reason for revocation in human-readable form 1722 (UTF-8). The string may be null, that is, of zero length. The length 1723 of the subpacket is the length of the reason string plus one. 1724 1725 An implementation SHOULD implement this subpacket, include it in all 1726 revocation signatures, and interpret revocations appropriately. 1727 There are important semantic differences between the reasons, and 1728 there are thus important reasons for revoking signatures. 1729 1730 If a key has been revoked because of a compromise, all signatures 1731 created by that key are suspect. However, if it was merely 1732 superceded or retired, old signatures are still valid. If the 1733 revoked signature is the self-signature for certifying a User ID, a 1734 revocation denotes that that user name is no longer in use. Such a 1735 revocation SHOULD include an 0x20 subpacket. 1736 1737 Note that any signature may be revoked, including a certification on 1738 some other person's key. There are many good reasons for revoking a 1739 certification signature, such as the case where the keyholder leaves 1740 the employ of a business with an email address. A revoked 1741 certification is no longer a part of validity calculations. 1742 17435.2.3.24. Features 1744 1745 (N octets of flags) 1746 1747 The features subpacket denotes which advanced OpenPGP features a 1748 user's implementation supports. This is so that as features are 1749 added to OpenPGP that cannot be backwards-compatible, a user can 1750 state that they can use that feature. The flags are single bits that 1751 indicate that a given feature is supported. 1752 1753 This subpacket is similar to a preferences subpacket, and only 1754 appears in a self-signature. 1755 1756 An implementation SHOULD NOT use a feature listed when sending to a 1757 user who does not state that they can use it. 1758 1759 Defined features are: 1760 1761 First octet: 1762 1763 0x01 - Modification Detection (packets 18 and 19) 1764 1765 1766 1767Callas, et al. Expires May 23, 2005 [Page 33] 1768INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1769 1770 If an implementation implements any of the defined features, it 1771 SHOULD implement the features subpacket, too. 1772 1773 An implementation may freely infer features from other suitable 1774 implementation-dependent mechanisms. 1775 17765.2.3.25. Signature Target 1777 1778 (1 octet PK algorithm, 1 octet hash algorithm, N octets hash) 1779 1780 This subpacket identifies a specific target signature that a 1781 signature refers to. For revocation signatures, this subpacket 1782 provides explicit designation of which signature is being revoked. 1783 For a third-party or timestamp signature, this designates what 1784 signature is signed. All arguments are an identifier of that target 1785 signature. 1786 1787 The N octets of hash data MUST be the size of the hash of the 1788 signature. For example, a target signature with a SHA-1 hash MUST 1789 have 20 octets of hash data. 1790 17915.2.3.26. Embedded Signature 1792 1793 (1 signature packet body) 1794 1795 This subpacket contains a complete signature packet body as 1796 specified in section 5.2 above. It is useful when one signature 1797 needs to refer to, or be incorporated in, another signature. 1798 17995.2.4. Computing Signatures 1800 1801 All signatures are formed by producing a hash over the signature 1802 data, and then using the resulting hash in the signature algorithm. 1803 1804 The signature data is simple to compute for document signatures 1805 (types 0x00 and 0x01), for which the document itself is the data. 1806 For standalone signatures, this is a null string. 1807 1808 When a signature is made over a key, the hash data starts with the 1809 octet 0x99, followed by a two-octet length of the key, and then body 1810 of the key packet. (Note that this is an old-style packet header for 1811 a key packet with two-octet length.) A subkey binding signature 1812 (type 0x18) or primary key binding signature (type 0x19) then hashes 1813 the subkey using the same format as the main key (also using 0x99 as 1814 the first octet). Key revocation signatures (types 0x20 and 0x28) 1815 hash only the key being revoked. 1816 1817 When a signature is made over a signature packet, the hash data 1818 starts with the octet 0x88, followed by the four-octet length of the 1819 signature, and then the body of the signature packet. The unhashed 1820 subpacket data of the signature packet being hashed is not included 1821 in the hash and the unhashed subpacket data length value is set to 1822 1823Callas, et al. Expires May 23, 2005 [Page 34] 1824INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1825 1826 zero. (Note that this is an old-style packet header for a signature 1827 packet with the length-of-length set to zero). 1828 1829 A certification signature (type 0x10 through 0x13) hashes the User 1830 ID being bound to the key into the hash context after the above 1831 data. A V3 certification hashes the contents of the User ID or 1832 attribute packet packet, without any header. A V4 certification 1833 hashes the constant 0xb4 for User ID certifications or the constant 1834 0xd1 for User Attribute certifications, followed by a four-octet 1835 number giving the length of the User ID or User Attribute data, and 1836 then the User ID or User Attribute data. 1837 1838 Once the data body is hashed, then a trailer is hashed. A V3 1839 signature hashes five octets of the packet body, starting from the 1840 signature type field. This data is the signature type, followed by 1841 the four-octet signature time. A V4 signature hashes the packet body 1842 starting from its first field, the version number, through the end 1843 of the hashed subpacket data. Thus, the fields hashed are the 1844 signature version, the signature type, the public key algorithm, the 1845 hash algorithm, the hashed subpacket length, and the hashed 1846 subpacket body. 1847 1848 V4 signatures also hash in a final trailer of six octets: the 1849 version of the signature packet, i.e. 0x04; 0xFF; a four-octet, 1850 big-endian number that is the length of the hashed data from the 1851 signature packet (note that this number does not include these final 1852 six octets. 1853 1854 After all this has been hashed in a single hash context the 1855 resulting hash field is used in the signature algorithm, and placed 1856 at the end of the signature packet. 1857 18585.2.4.1. Signature Algorithms 1859 18605.2.4.1.1. DSA Signatures 1861 1862 A DSA signature is performed as specified in [FIPS-186-2] on the 1863 value of the hash, calculated as above. 1864 1865 DSA signatures MUST use hashes with a size of 160 bits, to match q, 1866 the size of the group generated by the DSA key's generator value. 1867 The hash function result is treated as a 160 bit number and used 1868 directly in the DSA signature algorithm. 1869 18705.2.4.1.2. RSA Signatures 1871 1872 With RSA signatures, the hash value is encoded as described in 1873 PKCS #1 section 9.2.1 encoded using PKCS #1 encoding type 1874 EMSA-PKCS1-v1_5 [RFC2437]. This requires inserting the hash value 1875 as an octet string into an ASN.1 structure. The object identifier 1876 for the type of hash being used is included in the structure. 1877 1878 The ASN.1 OIDs are: 1879 1880 - MD5: 1.2.840.113549.2.5 1881 1882 - RIPEMD-160: 1.3.36.3.2.1 1883 1884 - SHA-1: 1.3.14.3.2.26 1885 1886 - SHA256: 2.16.840.1.101.3.4.2.1 1887 1888 - SHA384: 2.16.840.1.101.3.4.2.2 1889 1890 - SHA512: 2.16.840.1.101.3.4.2.3 1891 1892 In practice this amounts to prefixing the hash with one of the 1893 following, then padding as described in PKCS #1: 1894 1895 MD5: 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 1896 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 1897 0x04, 0x10 1898 1899 RIPEMD-160: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 1900 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14 1901 1902 SHA-1: 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0E, 1903 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 1904 1905 SHA256: 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 1906 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 1907 0x00, 0x04, 0x20 1908 1909 SHA384: 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 1910 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 1911 0x00, 0x04, 0x30 1912 1913 SHA512: 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 1914 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 1915 0x00, 0x04, 0x40 1916 1917 The value emLen needed for the padding is equal to the length in 1918 bytes of the RSA public modulus, n. 1919 1920 Once the hash has been encoded and padded, the resulting string is 1921 encrypted with the RSA private key as described in [RSA]. 1922 19235.2.4.2. Subpacket Hints 1924 1925 It is certainly possible for a signature to contain conflicting 1926 information in subpackets. For example, a signature may contain 1927 multiple copies of a preference or multiple expiration times. In 1928 most cases, an implementation SHOULD use the last subpacket in the 1929 signature, but MAY use any conflict resolution scheme that makes 1930 more sense. Please note that we are intentionally leaving conflict 1931 resolution to the implementer; most conflicts are simply syntax 1932 errors, and the wishy-washy language here allows a receiver to be 1933 generous in what they accept, while putting pressure on a creator to 1934 be stingy in what they generate. 1935 1936 Some apparent conflicts may actually make sense -- for example, 1937 suppose a keyholder has an V3 key and a V4 key that share the same 1938 RSA key material. Either of these keys can verify a signature 1939 created by the other, and it may be reasonable for a signature to 1940 contain an issuer subpacket for each key, as a way of explicitly 1941 tying those keys to the signature. 1942 1943 1944Callas, et al. Expires May 23, 2005 [Page 35] 1945INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 1946 19475.3. Symmetric-Key Encrypted Session Key Packets (Tag 3) 1948 1949 The Symmetric-Key Encrypted Session Key packet holds the 1950 symmetric-key encryption of a session key used to encrypt a message. 1951 Zero or more Encrypted Session Key packets and/or Symmetric-Key 1952 Encrypted Session Key packets may precede a Symmetrically Encrypted 1953 Data Packet that holds an encrypted message. The message is 1954 encrypted with a session key, and the session key is itself 1955 encrypted and stored in the Encrypted Session Key packet or the 1956 Symmetric-Key Encrypted Session Key packet. 1957 1958 If the Symmetrically Encrypted Data Packet is preceded by one or 1959 more Symmetric-Key Encrypted Session Key packets, each specifies a 1960 passphrase that may be used to decrypt the message. This allows a 1961 message to be encrypted to a number of public keys, and also to one 1962 or more pass phrases. This packet type is new, and is not generated 1963 by PGP 2.x or PGP 5.0. 1964 1965 The body of this packet consists of: 1966 1967 - A one-octet version number. The only currently defined version 1968 is 4. 1969 1970 - A one-octet number describing the symmetric algorithm used. 1971 1972 - A string-to-key (S2K) specifier, length as defined above. 1973 1974 - Optionally, the encrypted session key itself, which is decrypted 1975 with the string-to-key object. 1976 1977 If the encrypted session key is not present (which can be detected 1978 on the basis of packet length and S2K specifier size), then the S2K 1979 algorithm applied to the passphrase produces the session key for 1980 decrypting the file, using the symmetric cipher algorithm from the 1981 Symmetric-Key Encrypted Session Key packet. 1982 1983 If the encrypted session key is present, the result of applying the 1984 S2K algorithm to the passphrase is used to decrypt just that 1985 encrypted session key field, using CFB mode with an IV of all zeros. 1986 The decryption result consists of a one-octet algorithm identifier 1987 that specifies the symmetric-key encryption algorithm used to 1988 encrypt the following Symmetrically Encrypted Data Packet, followed 1989 by the session key octets themselves. 1990 1991 Note: because an all-zero IV is used for this decryption, the S2K 1992 specifier MUST use a salt value, either a Salted S2K or an 1993 Iterated-Salted S2K. The salt value will insure that the decryption 1994 key is not repeated even if the passphrase is reused. 1995 19965.4. One-Pass Signature Packets (Tag 4) 1997 1998 The One-Pass Signature packet precedes the signed data and contains 1999 2000Callas, et al. Expires May 23, 2005 [Page 36] 2001INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2002 2003 enough information to allow the receiver to begin calculating any 2004 hashes needed to verify the signature. It allows the Signature 2005 Packet to be placed at the end of the message, so that the signer 2006 can compute the entire signed message in one pass. 2007 2008 A One-Pass Signature does not interoperate with PGP 2.6.x or 2009 earlier. 2010 2011 The body of this packet consists of: 2012 2013 - A one-octet version number. The current version is 3. 2014 2015 - A one-octet signature type. Signature types are described in 2016 section 5.2.1. 2017 2018 - A one-octet number describing the hash algorithm used. 2019 2020 - A one-octet number describing the public key algorithm used. 2021 2022 - An eight-octet number holding the key ID of the signing key. 2023 2024 - A one-octet number holding a flag showing whether the signature 2025 is nested. A zero value indicates that the next packet is 2026 another One-Pass Signature packet that describes another 2027 signature to be applied to the same message data. 2028 2029 Note that if a message contains more than one one-pass signature, 2030 then the signature packets bracket the message; that is, the first 2031 signature packet after the message corresponds to the last one-pass 2032 packet and the final signature packet corresponds to the first 2033 one-pass packet. 2034 20355.5. Key Material Packet 2036 2037 A key material packet contains all the information about a public or 2038 private key. There are four variants of this packet type, and two 2039 major versions. Consequently, this section is complex. 2040 20415.5.1. Key Packet Variants 2042 20435.5.1.1. Public Key Packet (Tag 6) 2044 2045 A Public Key packet starts a series of packets that forms an OpenPGP 2046 key (sometimes called an OpenPGP certificate). 2047 20485.5.1.2. Public Subkey Packet (Tag 14) 2049 2050 A Public Subkey packet (tag 14) has exactly the same format as a 2051 Public Key packet, but denotes a subkey. One or more subkeys may be 2052 associated with a top-level key. By convention, the top-level key 2053 provides signature services, and the subkeys provide encryption 2054 services. 2055 2056Callas, et al. Expires May 23, 2005 [Page 37] 2057INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2058 2059 Note: in PGP 2.6.x, tag 14 was intended to indicate a comment 2060 packet. This tag was selected for reuse because no previous version 2061 of PGP ever emitted comment packets but they did properly ignore 2062 them. Public Subkey packets are ignored by PGP 2.6.x and do not 2063 cause it to fail, providing a limited degree of backward 2064 compatibility. 2065 20665.5.1.3. Secret Key Packet (Tag 5) 2067 2068 A Secret Key packet contains all the information that is found in a 2069 Public Key packet, including the public key material, but also 2070 includes the secret key material after all the public key fields. 2071 20725.5.1.4. Secret Subkey Packet (Tag 7) 2073 2074 A Secret Subkey packet (tag 7) is the subkey analog of the Secret 2075 Key packet, and has exactly the same format. 2076 20775.5.2. Public Key Packet Formats 2078 2079 There are two versions of key-material packets. Version 3 packets 2080 were first generated by PGP 2.6. Version 4 keys first appeared in 2081 PGP 5.0, and are the preferred key version for OpenPGP. 2082 2083 OpenPGP implementations SHOULD create keys with version 4 format. V3 2084 keys are deprecated; an implementation SHOULD NOT generate a V3 key, 2085 but MAY accept it. An implementation MUST NOT create a V3 key with a 2086 public key algorithm other than RSA. 2087 2088 A version 3 public key or public subkey packet contains: 2089 2090 - A one-octet version number (3). 2091 2092 - A four-octet number denoting the time that the key was created. 2093 2094 - A two-octet number denoting the time in days that this key is 2095 valid. If this number is zero, then it does not expire. 2096 2097 - A one-octet number denoting the public key algorithm of this key 2098 2099 - A series of multiprecision integers comprising the key material: 2100 2101 - a multiprecision integer (MPI) of RSA public modulus n; 2102 2103 - an MPI of RSA public encryption exponent e. 2104 2105 V3 keys are deprecated. They contain three weaknesses in them. 2106 First, it is relatively easy to construct a V3 key that has the same 2107 key ID as any other key because the key ID is simply the low 64 bits 2108 of the public modulus. Secondly, because the fingerprint of a V3 key 2109 hashes the key material, but not its length, there is an increased 2110 opportunity for fingerprint collisions. Third, there are minor 2111 2112Callas, et al. Expires May 23, 2005 [Page 38] 2113INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2114 2115 weaknesses in the MD5 hash algorithm that make developers prefer 2116 other algorithms. See below for a fuller discussion of key IDs and 2117 fingerprints. 2118 2119 The version 4 format is similar to the version 3 format except for 2120 the absence of a validity period. This has been moved to the 2121 signature packet. In addition, fingerprints of version 4 keys are 2122 calculated differently from version 3 keys, as described in section 2123 "Enhanced Key Formats." 2124 2125 A version 4 packet contains: 2126 2127 - A one-octet version number (4). 2128 2129 - A four-octet number denoting the time that the key was created. 2130 2131 - A one-octet number denoting the public key algorithm of this key 2132 2133 - A series of multiprecision integers comprising the key material. 2134 This algorithm-specific portion is: 2135 2136 Algorithm Specific Fields for RSA public keys: 2137 2138 - multiprecision integer (MPI) of RSA public modulus n; 2139 2140 - MPI of RSA public encryption exponent e. 2141 2142 Algorithm Specific Fields for DSA public keys: 2143 2144 - MPI of DSA prime p; 2145 2146 - MPI of DSA group order q (q is a prime divisor of p-1); 2147 2148 - MPI of DSA group generator g; 2149 2150 - MPI of DSA public key value y (= g**x mod p where x is 2151 secret). 2152 2153 Algorithm Specific Fields for Elgamal public keys: 2154 2155 - MPI of Elgamal prime p; 2156 2157 - MPI of Elgamal group generator g; 2158 2159 - MPI of Elgamal public key value y (= g**x mod p where x is 2160 secret). 2161 21625.5.3. Secret Key Packet Formats 2163 2164 The Secret Key and Secret Subkey packets contain all the data of the 2165 Public Key and Public Subkey packets, with additional 2166 algorithm-specific secret key data appended, usually in encrypted 2167 2168Callas, et al. Expires May 23, 2005 [Page 39] 2169INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2170 2171 form. 2172 2173 The packet contains: 2174 2175 - A Public Key or Public Subkey packet, as described above 2176 2177 - One octet indicating string-to-key usage conventions. Zero 2178 indicates that the secret key data is not encrypted. 255 or 254 2179 indicates that a string-to-key specifier is being given. Any 2180 other value is a symmetric-key encryption algorithm identifier. 2181 2182 - [Optional] If string-to-key usage octet was 255 or 254, a 2183 one-octet symmetric encryption algorithm. 2184 2185 - [Optional] If string-to-key usage octet was 255 or 254, a 2186 string-to-key specifier. The length of the string-to-key 2187 specifier is implied by its type, as described above. 2188 2189 - [Optional] If secret data is encrypted (string-to-key usage 2190 octet not zero), an Initial Vector (IV) of the same length as 2191 the cipher's block size. 2192 2193 - Plain or encrypted multiprecision integers comprising the secret 2194 key data. These algorithm-specific fields are as described 2195 below. 2196 2197 - If the string-to-key usage octet is zero or 255, then a 2198 two-octet checksum of the plaintext of the algorithm-specific 2199 portion (sum of all octets, mod 65536). If the string-to-key 2200 usage octet was 254, then a 20-octet SHA-1 hash of the plaintext 2201 of the algorithm-specific portion. This checksum or hash is 2202 encrypted together with the algorithm-specific fields (if 2203 string-to-key usage octet is not zero). Note that for all other 2204 values, a two-octet checksum is required. 2205 2206 Algorithm Specific Fields for RSA secret keys: 2207 2208 - multiprecision integer (MPI) of RSA secret exponent d. 2209 2210 - MPI of RSA secret prime value p. 2211 2212 - MPI of RSA secret prime value q (p < q). 2213 2214 - MPI of u, the multiplicative inverse of p, mod q. 2215 2216 Algorithm Specific Fields for DSA secret keys: 2217 2218 - MPI of DSA secret exponent x. 2219 2220 Algorithm Specific Fields for Elgamal secret keys: 2221 2222 2223 2224Callas, et al. Expires May 23, 2005 [Page 40] 2225INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2226 2227 - MPI of Elgamal secret exponent x. 2228 2229 Secret MPI values can be encrypted using a passphrase. If a 2230 string-to-key specifier is given, that describes the algorithm for 2231 converting the passphrase to a key, else a simple MD5 hash of the 2232 passphrase is used. Implementations MUST use a string-to-key 2233 specifier; the simple hash is for backward compatibility and is 2234 deprecated, though implementations MAY continue to use existing 2235 private keys in the old format. The cipher for encrypting the MPIs 2236 is specified in the secret key packet. 2237 2238 Encryption/decryption of the secret data is done in CFB mode using 2239 the key created from the passphrase and the Initial Vector from the 2240 packet. A different mode is used with V3 keys (which are only RSA) 2241 than with other key formats. With V3 keys, the MPI bit count prefix 2242 (i.e., the first two octets) is not encrypted. Only the MPI 2243 non-prefix data is encrypted. Furthermore, the CFB state is 2244 resynchronized at the beginning of each new MPI value, so that the 2245 CFB block boundary is aligned with the start of the MPI data. 2246 2247 With V4 keys, a simpler method is used. All secret MPI values are 2248 encrypted in CFB mode, including the MPI bitcount prefix. 2249 2250 The two-octet checksum that follows the algorithm-specific portion 2251 is the algebraic sum, mod 65536, of the plaintext of all the 2252 algorithm-specific octets (including MPI prefix and data). With V3 2253 keys, the checksum is stored in the clear. With V4 keys, the 2254 checksum is encrypted like the algorithm-specific data. This value 2255 is used to check that the passphrase was correct. However, this 2256 checksum is deprecated; an implementation SHOULD NOT use it, but 2257 should rather use the SHA-1 hash denoted with a usage octet of 254. 2258 The reason for this is that there are some attacks on the private 2259 key that can undetectably modify the secret key. Using a SHA-1 hash 2260 prevents this. 2261 22625.6. Compressed Data Packet (Tag 8) 2263 2264 The Compressed Data packet contains compressed data. Typically, this 2265 packet is found as the contents of an encrypted packet, or following 2266 a Signature or One-Pass Signature packet, and contains literal data 2267 packets. 2268 2269 The body of this packet consists of: 2270 2271 - One octet that gives the algorithm used to compress the packet. 2272 2273 - The remainder of the packet is compressed data. 2274 2275 A Compressed Data Packet's body contains an block that compresses 2276 some set of packets. See section "Packet Composition" for details on 2277 how messages are formed. 2278 2279 2280Callas, et al. Expires May 23, 2005 [Page 41] 2281INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2282 2283 ZIP-compressed packets are compressed with raw RFC1951 DEFLATE 2284 blocks. Note that PGP V2.6 uses 13 bits of compression. If an 2285 implementation uses more bits of compression, PGP V2.6 cannot 2286 decompress it. 2287 2288 ZLIB-compressed packets are compressed with RFC1950 ZLIB-style 2289 blocks. 2290 22915.7. Symmetrically Encrypted Data Packet (Tag 9) 2292 2293 The Symmetrically Encrypted Data packet contains data encrypted with 2294 a symmetric-key algorithm. When it has been decrypted, it contains 2295 other packets (usually literal data packets or compressed data 2296 packets, but in theory other Symmetrically Encrypted Data Packets or 2297 sequences of packets that form whole OpenPGP messages). 2298 2299 The body of this packet consists of: 2300 2301 - Encrypted data, the output of the selected symmetric-key cipher 2302 operating in PGP's variant of Cipher Feedback (CFB) mode. 2303 2304 The symmetric cipher used may be specified in an Public-Key or 2305 Symmetric-Key Encrypted Session Key packet that precedes the 2306 Symmetrically Encrypted Data Packet. In that case, the cipher 2307 algorithm octet is prefixed to the session key before it is 2308 encrypted. If no packets of these types precede the encrypted data, 2309 the IDEA algorithm is used with the session key calculated as the 2310 MD5 hash of the passphrase, though this use is deprecated. 2311 2312 The data is encrypted in CFB mode, with a CFB shift size equal to 2313 the cipher's block size. The Initial Vector (IV) is specified as 2314 all zeros. Instead of using an IV, OpenPGP prefixes a string of 2315 length equal to the block size of the cipher plus two to the data 2316 before it is encrypted. The first block-size octets (for example, 8 2317 octets for a 64-bit block length) are random, and the following two 2318 octets are copies of the last two octets of the IV. For example, in 2319 an 8 octet block, octet 9 is a repeat of octet 7, and octet 10 is a 2320 repeat of octet 8. In a cipher of length 16, octet 17 is a repeat of 2321 octet 15 and octet 18 is a repeat of octet 16. As a pedantic 2322 clarification, in both these examples, we consider the first octet 2323 to be numbered 1. 2324 2325 After encrypting the first block-size-plus-two octets, the CFB state 2326 is resynchronized. The last block-size octets of ciphertext are 2327 passed through the cipher and the block boundary is reset. 2328 2329 The repetition of 16 bits in the random data prefixed to the message 2330 allows the receiver to immediately check whether the session key is 2331 incorrect. 2332 2333 2334 2335 2336Callas, et al. Expires May 23, 2005 [Page 42] 2337INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2338 23395.8. Marker Packet (Obsolete Literal Packet) (Tag 10) 2340 2341 An experimental version of PGP used this packet as the Literal 2342 packet, but no released version of PGP generated Literal packets 2343 with this tag. With PGP 5.x, this packet has been re-assigned and is 2344 reserved for use as the Marker packet. 2345 2346 The body of this packet consists of: 2347 2348 - The three octets 0x50, 0x47, 0x50 (which spell "PGP" in UTF-8). 2349 2350 Such a packet MUST be ignored when received. It may be placed at 2351 the beginning of a message that uses features not available in PGP 2352 2.6.x in order to cause that version to report that newer software 2353 is necessary to process the message. 2354 23555.9. Literal Data Packet (Tag 11) 2356 2357 A Literal Data packet contains the body of a message; data that is 2358 not to be further interpreted. 2359 2360 The body of this packet consists of: 2361 2362 - A one-octet field that describes how the data is formatted. 2363 2364 If it is a 'b' (0x62), then the literal packet contains binary data. 2365 If it is a 't' (0x74), then it contains text data, and thus may need 2366 line ends converted to local form, or other text-mode changes. The 2367 tag 'u' (0x75) means the same as 't', but also indicates that 2368 implementation believes that the literal data contains UTF-8 text. 2369 2370 Early versions of PGP also defined a value of 'l' as a 'local' mode 2371 for machine-local conversions. RFC 1991 incorrectly stated this 2372 local mode flag as '1' (ASCII numeral one). Both of these local 2373 modes are deprecated. 2374 2375 - File name as a string (one-octet length, followed by file name), 2376 if the encrypted data should be saved as a file. 2377 2378 If the special name "_CONSOLE" is used, the message is considered to 2379 be "for your eyes only". This advises that the message data is 2380 unusually sensitive, and the receiving program should process it 2381 more carefully, perhaps avoiding storing the received data to disk, 2382 for example. 2383 2384 - A four-octet number that indicates the modification date of the 2385 file, or the creation time of the packet, or a zero that 2386 indicates the present time. 2387 2388 - The remainder of the packet is literal data. 2389 2390 2391 2392Callas, et al. Expires May 23, 2005 [Page 43] 2393INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2394 2395 Text data is stored with <CR><LF> text endings (i.e. network-normal 2396 line endings). These should be converted to native line endings by 2397 the receiving software. 2398 23995.10. Trust Packet (Tag 12) 2400 2401 The Trust packet is used only within keyrings and is not normally 2402 exported. Trust packets contain data that record the user's 2403 specifications of which key holders are trustworthy introducers, 2404 along with other information that implementing software uses for 2405 trust information. The format of trust packets is defined by a given 2406 implementation. 2407 2408 Trust packets SHOULD NOT be emitted to output streams that are 2409 transferred to other users, and they SHOULD be ignored on any input 2410 other than local keyring files. 2411 24125.11. User ID Packet (Tag 13) 2413 2414 A User ID packet consists of UTF-8 text that is intended to 2415 represent the name and email address of the key holder. By 2416 convention, it includes an RFC822 mail name, but there are no 2417 restrictions on its content. The packet length in the header 2418 specifies the length of the User ID. 2419 24205.12. User Attribute Packet (Tag 17) 2421 2422 The User Attribute packet is a variation of the User ID packet. It 2423 is capable of storing more types of data than the User ID packet 2424 which is limited to text. Like the User ID packet, a User Attribute 2425 packet may be certified by the key owner ("self-signed") or any 2426 other key owner who cares to certify it. Except as noted, a User 2427 Attribute packet may be used anywhere that a User ID packet may be 2428 used. 2429 2430 While User Attribute packets are not a required part of the OpenPGP 2431 standard, implementations SHOULD provide at least enough 2432 compatibility to properly handle a certification signature on the 2433 User Attribute packet. A simple way to do this is by treating the 2434 User Attribute packet as a User ID packet with opaque contents, but 2435 an implementation may use any method desired. 2436 2437 The User Attribute packet is made up of one or more attribute 2438 subpackets. Each subpacket consists of a subpacket header and a 2439 body. The header consists of: 2440 2441 - the subpacket length (1, 2, or 5 octets) 2442 2443 - the subpacket type (1 octet) 2444 2445 2446 2447 2448Callas, et al. Expires May 23, 2005 [Page 44] 2449INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2450 2451 and is followed by the subpacket specific data. 2452 2453 The only currently defined subpacket type is 1, signifying an image. 2454 An implementation SHOULD ignore any subpacket of a type that it does 2455 not recognize. Subpacket types 100 through 110 are reserved for 2456 private or experimental use. 2457 24585.12.1. The Image Attribute Subpacket 2459 2460 The image attribute subpacket is used to encode an image, presumably 2461 (but not required to be) that of the key owner. 2462 2463 The image attribute subpacket begins with an image header. The 2464 first two octets of the image header contain the length of the image 2465 header. Note that unlike other multi-octet numerical values in this 2466 document, due to an historical accident this value is encoded as a 2467 little-endian number. The image header length is followed by a 2468 single octet for the image header version. The only currently 2469 defined version of the image header is 1, which is a 16 octet image 2470 header. The first three octets of a version 1 image header are thus 2471 0x10 0x00 0x01. 2472 2473 The fourth octet of a version 1 image header designates the encoding 2474 format of the image. The only currently defined encoding format is 2475 the value 1 to indicate JPEG. Image format types 100 through 110 2476 are reserved for private or experimental use. The rest of the 2477 version 1 image header is made up of 12 reserved octets, all of 2478 which MUST be set to 0. 2479 2480 The rest of the image subpacket contains the image itself. As the 2481 only currently defined image type is JPEG, the image is encoded in 2482 the JPEG File Interchange Format (JFIF), a standard file format for 2483 JPEG images. [JFIF] 2484 2485 An implementation MAY try and determine the type of an image by 2486 examination of the image data if it is unable to handle a particular 2487 version of the image header or if a specified encoding format value 2488 is not recognized. 2489 24905.13. Sym. Encrypted Integrity Protected Data Packet (Tag 18) 2491 2492 The Symmetrically Encrypted Integrity Protected Data Packet is a 2493 variant of the Symmetrically Encrypted Data Packet. It is a new 2494 feature created for OpenPGP that addresses the problem of detecting 2495 a modification to encrypted data. It is used in combination with a 2496 Modification Detection Code Packet. 2497 2498 There is a corresponding feature in the features signature subpacket 2499 that denotes that an implementation can properly use this packet 2500 type. An implementation MUST support decrypting these packets and 2501 SHOULD prefer generating them to the older Symmetrically Encrypted 2502 Data Packet when possible. Since this data packet protects against 2503 2504Callas, et al. Expires May 23, 2005 [Page 45] 2505INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2506 2507 modification attacks, this standard encourages its proliferation. 2508 While blanket adoption of this data packet would create 2509 interoperability problems, rapid adoption is nevertheless important. 2510 An implementation SHOULD specifically denote support for this 2511 packet, but it MAY infer it from other mechanisms. 2512 2513 For example, an implementation might infer from the use of a cipher 2514 such as AES or Twofish that a user supports this feature. It might 2515 place in the unhashed portion of another user's key signature a 2516 features subpacket. It might also present a user with an opportunity 2517 to regenerate their own self-signature with a features subpacket. 2518 2519 This packet contains data encrypted with a symmetric-key algorithm 2520 and protected against modification by the SHA-1 hash algorithm. When 2521 it has been decrypted, it will typically contain other packets 2522 (often literal data packets or compressed data packets). The last 2523 decrypted packet in this packet's payload MUST be a Modification 2524 Detection Code packet. 2525 2526 The body of this packet consists of: 2527 2528 - A one-octet version number. The only currently defined value is 2529 1. 2530 2531 - Encrypted data, the output of the selected symmetric-key cipher 2532 operating in Cipher Feedback mode with shift amount equal to the 2533 block size of the cipher (CFB-n where n is the block size). 2534 2535 The symmetric cipher used MUST be specified in a Public-Key or 2536 Symmetric-Key Encrypted Session Key packet that precedes the 2537 Symmetrically Encrypted Data Packet. In either case, the cipher 2538 algorithm octet is prefixed to the session key before it is 2539 encrypted. 2540 2541 The data is encrypted in CFB mode, with a CFB shift size equal to 2542 the cipher's block size. The Initial Vector (IV) is specified as 2543 all zeros. Instead of using an IV, OpenPGP prefixes an octet string 2544 to the data before it is encrypted. The length of the octet string 2545 equals the block size of the cipher in octets, plus two. The first 2546 octets in the group, of length equal to the block size of the 2547 cipher, are random; the last two octets are each copies of their 2nd 2548 preceding octet. For example, with a cipher whose block size is 128 2549 bits or 16 octets, the prefix data will contain 16 random octets, 2550 then two more octets, which are copies of the 15th and 16th octets, 2551 respectively. Unlike the Symmetrically Encrypted Data Packet, no 2552 special CFB resynchronization is done after encrypting this prefix 2553 data. See OpenPGP CFB Mode below for more details. 2554 2555 The repetition of 16 bits in the random data prefixed to the message 2556 allows the receiver to immediately check whether the session key is 2557 incorrect. 2558 2559 2560Callas, et al. Expires May 23, 2005 [Page 46] 2561INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2562 2563 The plaintext of the data to be encrypted is passed through the 2564 SHA-1 hash function, and the result of the hash is appended to the 2565 plaintext in a Modification Detection Code packet. The input to the 2566 hash function includes the prefix data described above; it includes 2567 all of the plaintext, and then also includes two octets of values 2568 0xD3, 0x14. These represent the encoding of a Modification 2569 Detection Code packet tag and length field of 20 octets. 2570 2571 The resulting hash value is stored in a Modification Detection Code 2572 packet which MUST use the two octet encoding just given to represent 2573 its tag and length field. The body of the MDC packet is the 20 2574 octet output of the SHA-1 hash. 2575 2576 The Modification Detection Code packet is appended to the plaintext 2577 and encrypted along with the plaintext using the same CFB context. 2578 2579 During decryption, the plaintext data should be hashed with SHA-1, 2580 including the prefix data as well as the packet tag and length field 2581 of the Modification Detection Code packet. The body of the MDC 2582 packet, upon decryption, is compared with the result of the SHA-1 2583 hash. 2584 2585 Any failure of the MDC indicates that the message has been modified 2586 and MUST be treated as a security problem. Failures include a 2587 difference in the hash values, but also the absence of an MDC 2588 packet, or an MDC packet in any position other than the end of the 2589 plaintext. Any failure SHOULD be reported to the user. 2590 2591 Note: future designs of new versions of this packet should consider 2592 rollback attacks since it will be possible for an attacker to change 2593 the version back to 1. 2594 25955.14. Modification Detection Code Packet (Tag 19) 2596 2597 The Modification Detection Code packet contains a SHA-1 hash of 2598 plaintext data which is used to detect message modification. It is 2599 only used with a Symmetrically Encrypted Integrity Protected Data 2600 packet. The Modification Detection Code packet MUST be the last 2601 packet in the plaintext data which is encrypted in the Symmetrically 2602 Encrypted Integrity Protected Data packet, and MUST appear in no 2603 other place. 2604 2605 A Modification Detection Code packet MUST have a length of 20 2606 octets. 2607 2608 The body of this packet consists of: 2609 2610 - A 20-octet SHA-1 hash of the preceding plaintext data of the 2611 Symmetrically Encrypted Integrity Protected Data packet, 2612 including prefix data, the tag octet, and length octet of the 2613 Modification Detection Code packet. 2614 2615 2616Callas, et al. Expires May 23, 2005 [Page 47] 2617INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2618 2619 Note that the Modification Detection Code packet MUST always use a 2620 new-format encoding of the packet tag, and a one-octet encoding of 2621 the packet length. The reason for this is that the hashing rules for 2622 modification detection include a one-octet tag and one-octet length 2623 in the data hash. While this is a bit restrictive, it reduces 2624 complexity. 2625 26266. Radix-64 Conversions 2627 2628 As stated in the introduction, OpenPGP's underlying native 2629 representation for objects is a stream of arbitrary octets, and some 2630 systems desire these objects to be immune to damage caused by 2631 character set translation, data conversions, etc. 2632 2633 In principle, any printable encoding scheme that met the 2634 requirements of the unsafe channel would suffice, since it would not 2635 change the underlying binary bit streams of the native OpenPGP data 2636 structures. The OpenPGP standard specifies one such printable 2637 encoding scheme to ensure interoperability. 2638 2639 OpenPGP's Radix-64 encoding is composed of two parts: a base64 2640 encoding of the binary data, and a checksum. The base64 encoding is 2641 identical to the MIME base64 content-transfer-encoding [RFC 2045]. 2642 2643 The checksum is a 24-bit CRC converted to four characters of 2644 radix-64 encoding by the same MIME base64 transformation, preceded 2645 by an equals sign (=). The CRC is computed by using the generator 2646 0x864CFB and an initialization of 0xB704CE. The accumulation is 2647 done on the data before it is converted to radix-64, rather than on 2648 the converted data. A sample implementation of this algorithm is in 2649 the next section. 2650 2651 The checksum with its leading equal sign MAY appear on the first 2652 line after the Base64 encoded data. 2653 2654 Rationale for CRC-24: The size of 24 bits fits evenly into printable 2655 base64. The nonzero initialization can detect more errors than a 2656 zero initialization. 2657 26586.1. An Implementation of the CRC-24 in "C" 2659 2660 #define CRC24_INIT 0xb704ceL 2661 #define CRC24_POLY 0x1864cfbL 2662 2663 typedef long crc24; 2664 crc24 crc_octets(unsigned char *octets, size_t len) 2665 { 2666 crc24 crc = CRC24_INIT; 2667 int i; 2668 2669 2670 2671 2672Callas, et al. Expires May 23, 2005 [Page 48] 2673INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2674 2675 while (len--) { 2676 crc ^= (*octets++) << 16; 2677 for (i = 0; i < 8; i++) { 2678 crc <<= 1; 2679 if (crc & 0x1000000) 2680 crc ^= CRC24_POLY; 2681 } 2682 } 2683 return crc & 0xffffffL; 2684 } 2685 26866.2. Forming ASCII Armor 2687 2688 When OpenPGP encodes data into ASCII Armor, it puts specific headers 2689 around the Radix-64 encoded data, so OpenPGP can reconstruct the 2690 data later. An OpenPGP implementation MAY use ASCII armor to protect 2691 raw binary data. OpenPGP informs the user what kind of data is 2692 encoded in the ASCII armor through the use of the headers. 2693 2694 Concatenating the following data creates ASCII Armor: 2695 2696 - An Armor Header Line, appropriate for the type of data 2697 2698 - Armor Headers 2699 2700 - A blank (zero-length, or containing only whitespace) line 2701 2702 - The ASCII-Armored data 2703 2704 - An Armor Checksum 2705 2706 - The Armor Tail, which depends on the Armor Header Line. 2707 2708 An Armor Header Line consists of the appropriate header line text 2709 surrounded by five (5) dashes ('-', 0x2D) on either side of the 2710 header line text. The header line text is chosen based upon the 2711 type of data that is being encoded in Armor, and how it is being 2712 encoded. Header line texts include the following strings: 2713 2714 BEGIN PGP MESSAGE 2715 Used for signed, encrypted, or compressed files. 2716 2717 BEGIN PGP PUBLIC KEY BLOCK 2718 Used for armoring public keys 2719 2720 BEGIN PGP PRIVATE KEY BLOCK 2721 Used for armoring private keys 2722 2723 BEGIN PGP MESSAGE, PART X/Y 2724 Used for multi-part messages, where the armor is split amongst Y 2725 parts, and this is the Xth part out of Y. 2726 2727 2728Callas, et al. Expires May 23, 2005 [Page 49] 2729INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2730 2731 BEGIN PGP MESSAGE, PART X 2732 Used for multi-part messages, where this is the Xth part of an 2733 unspecified number of parts. Requires the MESSAGE-ID Armor 2734 Header to be used. 2735 2736 BEGIN PGP SIGNATURE 2737 Used for detached signatures, OpenPGP/MIME signatures, and 2738 cleartext signatures. Note that PGP 2.x uses BEGIN PGP MESSAGE 2739 for detached signatures. 2740 2741 Note that all these Armor Header Lines are to consist of a complete 2742 line. That is to say, there is always a line ending preceding the 2743 starting five dashes, and following the ending five dashes. The 2744 header lines, therefore, MUST start at the beginning of a line, and 2745 MUST NOT have text following them on the same line. These line 2746 endings are considered a part of the Armor Header Line for the 2747 purposes of determining the content they delimit. This is 2748 particularly important when computing a cleartext signature (see 2749 below). 2750 2751 The Armor Headers are pairs of strings that can give the user or the 2752 receiving OpenPGP implementation some information about how to 2753 decode or use the message. The Armor Headers are a part of the 2754 armor, not a part of the message, and hence are not protected by any 2755 signatures applied to the message. 2756 2757 The format of an Armor Header is that of a key-value pair. A colon 2758 (':' 0x38) and a single space (0x20) separate the key and value. 2759 OpenPGP should consider improperly formatted Armor Headers to be 2760 corruption of the ASCII Armor. Unknown keys should be reported to 2761 the user, but OpenPGP should continue to process the message. 2762 2763 Currently defined Armor Header Keys are: 2764 2765 - "Version", that states the OpenPGP implementation and version 2766 used to encode the message. 2767 2768 - "Comment", a user-defined comment. OpenPGP defines all text to 2769 be in UTF-8. A comment may be any UTF-8 string. However, the 2770 whole point of armoring is to provide seven-bit-clean data. 2771 Consequently, if a comment has characters that are outside the 2772 US-ASCII range of UTF, they may very well not survive transport. 2773 2774 - "MessageID", a 32-character string of printable characters. The 2775 string must be the same for all parts of a multi-part message 2776 that uses the "PART X" Armor Header. MessageID strings should 2777 be unique enough that the recipient of the mail can associate 2778 all the parts of a message with each other. A good checksum or 2779 cryptographic hash function is sufficient. 2780 2781 2782 2783 2784Callas, et al. Expires May 23, 2005 [Page 50] 2785INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2786 2787 The MessageID SHOULD NOT appear unless it is in a multi-part 2788 message. If it appears at all, it MUST be computed from the 2789 finished (encrypted, signed, etc.) message in a deterministic 2790 fashion, rather than contain a purely random value. This is to 2791 allow the legitimate recipient to determine that the MessageID 2792 cannot serve as a covert means of leaking cryptographic key 2793 information. 2794 2795 - "Hash", a comma-separated list of hash algorithms used in this 2796 message. This is used only in cleartext signed messages. 2797 2798 - "Charset", a description of the character set that the plaintext 2799 is in. Please note that OpenPGP defines text to be in UTF-8. An 2800 implementation will get best results by translating into and out 2801 of UTF-8. However, there are many instances where this is easier 2802 said than done. Also, there are communities of users who have no 2803 need for UTF-8 because they are all happy with a character set 2804 like ISO Latin-5 or a Japanese character set. In such instances, 2805 an implementation MAY override the UTF-8 default by using this 2806 header key. An implementation MAY implement this key and any 2807 translations it cares to; an implementation MAY ignore it and 2808 assume all text is UTF-8. 2809 2810 The Armor Tail Line is composed in the same manner as the Armor 2811 Header Line, except the string "BEGIN" is replaced by the string 2812 "END". 2813 28146.3. Encoding Binary in Radix-64 2815 2816 The encoding process represents 24-bit groups of input bits as 2817 output strings of 4 encoded characters. Proceeding from left to 2818 right, a 24-bit input group is formed by concatenating three 8-bit 2819 input groups. These 24 bits are then treated as four concatenated 2820 6-bit groups, each of which is translated into a single digit in the 2821 Radix-64 alphabet. When encoding a bit stream with the Radix-64 2822 encoding, the bit stream must be presumed to be ordered with the 2823 most-significant-bit first. That is, the first bit in the stream 2824 will be the high-order bit in the first 8-bit octet, and the eighth 2825 bit will be the low-order bit in the first 8-bit octet, and so on. 2826 2827 +--first octet--+-second octet--+--third octet--+ 2828 |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0| 2829 +-----------+---+-------+-------+---+-----------+ 2830 |5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0| 2831 +--1.index--+--2.index--+--3.index--+--4.index--+ 2832 2833 Each 6-bit group is used as an index into an array of 64 printable 2834 characters from the table below. The character referenced by the 2835 index is placed in the output string. 2836 2837 2838 2839 2840Callas, et al. Expires May 23, 2005 [Page 51] 2841INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2842 2843 Value Encoding Value Encoding Value Encoding Value Encoding 2844 0 A 17 R 34 i 51 z 2845 1 B 18 S 35 j 52 0 2846 2 C 19 T 36 k 53 1 2847 3 D 20 U 37 l 54 2 2848 4 E 21 V 38 m 55 3 2849 5 F 22 W 39 n 56 4 2850 6 G 23 X 40 o 57 5 2851 7 H 24 Y 41 p 58 6 2852 8 I 25 Z 42 q 59 7 2853 9 J 26 a 43 r 60 8 2854 10 K 27 b 44 s 61 9 2855 11 L 28 c 45 t 62 + 2856 12 M 29 d 46 u 63 / 2857 13 N 30 e 47 v 2858 14 O 31 f 48 w (pad) = 2859 15 P 32 g 49 x 2860 16 Q 33 h 50 y 2861 2862 The encoded output stream must be represented in lines of no more 2863 than 76 characters each. 2864 2865 Special processing is performed if fewer than 24 bits are available 2866 at the end of the data being encoded. There are three possibilities: 2867 2868 1. The last data group has 24 bits (3 octets). No special 2869 processing is needed. 2870 2871 2. The last data group has 16 bits (2 octets). The first two 6-bit 2872 groups are processed as above. The third (incomplete) data group 2873 has two zero-value bits added to it, and is processed as above. 2874 A pad character (=) is added to the output. 2875 2876 3. The last data group has 8 bits (1 octet). The first 6-bit group 2877 is processed as above. The second (incomplete) data group has 2878 four zero-value bits added to it, and is processed as above. Two 2879 pad characters (=) are added to the output. 2880 28816.4. Decoding Radix-64 2882 2883 Any characters outside of the base64 alphabet are ignored in 2884 Radix-64 data. Decoding software must ignore all line breaks or 2885 other characters not found in the table above. 2886 2887 In Radix-64 data, characters other than those in the table, line 2888 breaks, and other white space probably indicate a transmission 2889 error, about which a warning message or even a message rejection 2890 might be appropriate under some circumstances. 2891 2892 Because it is used only for padding at the end of the data, the 2893 occurrence of any "=" characters may be taken as evidence that the 2894 end of the data has been reached (without truncation in transit). No 2895 2896Callas, et al. Expires May 23, 2005 [Page 52] 2897INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2898 2899 such assurance is possible, however, when the number of octets 2900 transmitted was a multiple of three and no "=" characters are 2901 present. 2902 29036.5. Examples of Radix-64 2904 2905 Input data: 0x14fb9c03d97e 2906 Hex: 1 4 f b 9 c | 0 3 d 9 7 e 2907 8-bit: 00010100 11111011 10011100 | 00000011 11011001 2908 11111110 2909 6-bit: 000101 001111 101110 011100 | 000000 111101 100111 2910 111110 2911 Decimal: 5 15 46 28 0 61 37 62 2912 Output: F P u c A 9 l + 2913 2914 Input data: 0x14fb9c03d9 2915 Hex: 1 4 f b 9 c | 0 3 d 9 2916 8-bit: 00010100 11111011 10011100 | 00000011 11011001 2917 pad with 00 2918 6-bit: 000101 001111 101110 011100 | 000000 111101 100100 2919 Decimal: 5 15 46 28 0 61 36 2920 pad with = 2921 Output: F P u c A 9 k = 2922 2923 Input data: 0x14fb9c03 2924 Hex: 1 4 f b 9 c | 0 3 2925 8-bit: 00010100 11111011 10011100 | 00000011 2926 pad with 0000 2927 6-bit: 000101 001111 101110 011100 | 000000 110000 2928 Decimal: 5 15 46 28 0 48 2929 pad with = = 2930 Output: F P u c A w = = 2931 29326.6. Example of an ASCII Armored Message 2933 2934 2935 -----BEGIN PGP MESSAGE----- 2936 Version: OpenPrivacy 0.99 2937 yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS 2938 vBSFjNSiVHsuAA== 2939 =njUN 2940 -----END PGP MESSAGE----- 2941 2942 Note that this example is indented by two spaces. 2943 29447. Cleartext signature framework 2945 2946 It is desirable to sign a textual octet stream without ASCII 2947 armoring the stream itself, so the signed text is still readable 2948 without special software. In order to bind a signature to such a 2949 cleartext, this framework is used. (Note that RFC 3156 defines 2950 another way to sign cleartext messages for environments that support 2951 2952Callas, et al. Expires May 23, 2005 [Page 53] 2953INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 2954 2955 MIME.) 2956 2957 The cleartext signed message consists of: 2958 2959 - The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a 2960 single line, 2961 2962 - One or more "Hash" Armor Headers, 2963 2964 - Exactly one empty line not included into the message digest, 2965 2966 - The dash-escaped cleartext that is included into the message 2967 digest, 2968 2969 - The ASCII armored signature(s) including the '-----BEGIN PGP 2970 SIGNATURE-----' Armor Header and Armor Tail Lines. 2971 2972 If the "Hash" armor header is given, the specified message digest 2973 algorithm(s) are used for the signature. If there are no such 2974 headers, MD5 is used. If MD5 is the only hash used, then an 2975 implementation MAY omit this header for improved V2.x compatibility. 2976 If more than one message digest is used in the signature, the "Hash" 2977 armor header contains a comma-delimited list of used message 2978 digests. 2979 2980 Current message digest names are described below with the algorithm 2981 IDs. 2982 29837.1. Dash-Escaped Text 2984 2985 The cleartext content of the message must also be dash-escaped. 2986 2987 Dash escaped cleartext is the ordinary cleartext where every line 2988 starting with a dash '-' (0x2D) is prefixed by the sequence dash '-' 2989 (0x2D) and space ' ' (0x20). This prevents the parser from 2990 recognizing armor headers of the cleartext itself. An implementation 2991 MAY dash escape any line, SHOULD dash escape lines commencing "From" 2992 followed by a space, and MUST dash escape any line commencing in a 2993 dash. The message digest is computed using the cleartext itself, not 2994 the dash escaped form. 2995 2996 As with binary signatures on text documents, a cleartext signature 2997 is calculated on the text using canonical <CR><LF> line endings. 2998 The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP 2999 SIGNATURE-----' line that terminates the signed text is not 3000 considered part of the signed text. 3001 3002 When reversing dash-escaping, an implementation MUST strip the 3003 string "- " if it occurs at the beginning of a line, and SHOULD warn 3004 on "-" and any character other than a space at the beginning of a 3005 line. 3006 3007 3008Callas, et al. Expires May 23, 2005 [Page 54] 3009INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3010 3011 Also, any trailing whitespace -- spaces (0x20) and tabs (0x09) -- at 3012 the end of any line is removed when the cleartext signature is 3013 generated. 3014 30158. Regular Expressions 3016 3017 A regular expression is zero or more branches, separated by '|'. It 3018 matches anything that matches one of the branches. 3019 3020 A branch is zero or more pieces, concatenated. It matches a match 3021 for the first, followed by a match for the second, etc. 3022 3023 A piece is an atom possibly followed by '*', '+', or '?'. An atom 3024 followed by '*' matches a sequence of 0 or more matches of the atom. 3025 An atom followed by '+' matches a sequence of 1 or more matches of 3026 the atom. An atom followed by '?' matches a match of the atom, or 3027 the null string. 3028 3029 An atom is a regular expression in parentheses (matching a match for 3030 the regular expression), a range (see below), '.' (matching any 3031 single character), '^' (matching the null string at the beginning of 3032 the input string), '$' (matching the null string at the end of the 3033 input string), a '\' followed by a single character (matching that 3034 character), or a single character with no other significance 3035 (matching that character). 3036 3037 A range is a sequence of characters enclosed in '[]'. It normally 3038 matches any single character from the sequence. If the sequence 3039 begins with '^', it matches any single character not from the rest 3040 of the sequence. If two characters in the sequence are separated by 3041 '-', this is shorthand for the full list of ASCII characters between 3042 them (e.g. '[0-9]' matches any decimal digit). To include a literal 3043 ']' in the sequence, make it the first character (following a 3044 possible '^'). To include a literal '-', make it the first or last 3045 character. 3046 30479. Constants 3048 3049 This section describes the constants used in OpenPGP. 3050 3051 Note that these tables are not exhaustive lists; an implementation 3052 MAY implement an algorithm not on these lists, so long as the 3053 algorithm number(s) are chosen from the private or experimental 3054 algorithm range. 3055 3056 See the section "Notes on Algorithms" below for more discussion of 3057 the algorithms. 3058 30599.1. Public Key Algorithms 3060 3061 ID Algorithm 3062 -- --------- 3063 3064Callas, et al. Expires May 23, 2005 [Page 55] 3065INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3066 3067 1 - RSA (Encrypt or Sign) 3068 2 - RSA Encrypt-Only 3069 3 - RSA Sign-Only 3070 16 - Elgamal (Encrypt-Only), see [ELGAMAL] 3071 17 - DSA (Digital Signature Algorithm) [DSA] 3072 18 - Reserved for Elliptic Curve 3073 19 - Reserved for ECDSA 3074 20 - Reserved (formerly Elgamal Encrypt or Sign) 3075 21 - Reserved for Diffie-Hellman (X9.42, 3076 as defined for IETF-S/MIME) 3077 100 to 110 - Private/Experimental algorithm. 3078 3079 Implementations MUST implement DSA for signatures, and Elgamal for 3080 encryption. Implementations SHOULD implement RSA keys. 3081 Implementations MAY implement any other algorithm. 3082 30839.2. Symmetric Key Algorithms 3084 3085 ID Algorithm 3086 -- --------- 3087 0 - Plaintext or unencrypted data 3088 1 - IDEA [IDEA] 3089 2 - TripleDES (DES-EDE, [SCHNEIER] - 3090 168 bit key derived from 192) 3091 3 - CAST5 (128 bit key, as per RFC2144) 3092 4 - Blowfish (128 bit key, 16 rounds) [BLOWFISH] 3093 5 - Reserved 3094 6 - Reserved 3095 7 - AES with 128-bit key [AES] 3096 8 - AES with 192-bit key 3097 9 - AES with 256-bit key 3098 10 - Twofish with 256-bit key [TWOFISH] 3099 100 to 110 - Private/Experimental algorithm. 3100 3101 Implementations MUST implement TripleDES. Implementations SHOULD 3102 implement AES-128 and CAST5. Implementations that interoperate with 3103 PGP 2.6 or earlier need to support IDEA, as that is the only 3104 symmetric cipher those versions use. Implementations MAY implement 3105 any other algorithm. 3106 31079.3. Compression Algorithms 3108 3109 ID Algorithm 3110 -- --------- 3111 0 - Uncompressed 3112 1 - ZIP (RFC1951) 3113 2 - ZLIB (RFC1950) 3114 3 - BZip2 [BZ2] 3115 100 to 110 - Private/Experimental algorithm. 3116 3117 3118 3119 3120Callas, et al. Expires May 23, 2005 [Page 56] 3121INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3122 3123 Implementations MUST implement uncompressed data. Implementations 3124 SHOULD implement ZIP. Implementations MAY implement any other 3125 algorithm. 3126 31279.4. Hash Algorithms 3128 3129 ID Algorithm Text Name 3130 -- --------- ---- ---- 3131 1 - MD5 "MD5" 3132 2 - SHA-1 "SHA1" 3133 3 - RIPE-MD/160 "RIPEMD160" 3134 4 - Reserved 3135 5 - Reserved 3136 6 - Reserved 3137 7 - Reserved 3138 8 - SHA256 "SHA256" 3139 9 - SHA384 "SHA384" 3140 10 - SHA512 "SHA512" 3141 100 to 110 - Private/Experimental algorithm. 3142 3143 Implementations MUST implement SHA-1. Implementations MAY implement 3144 other algorithms. 3145 314610. Packet Composition 3147 3148 OpenPGP packets are assembled into sequences in order to create 3149 messages and to transfer keys. Not all possible packet sequences 3150 are meaningful and correct. This section describes the rules for 3151 how packets should be placed into sequences. 3152 315310.1. Transferable Public Keys 3154 3155 OpenPGP users may transfer public keys. The essential elements of a 3156 transferable public key are: 3157 3158 - One Public Key packet 3159 3160 - Zero or more revocation signatures 3161 3162 - One or more User ID packets 3163 3164 - After each User ID packet, zero or more signature packets 3165 (certifications) 3166 3167 - Zero or more User Attribute packets 3168 3169 - After each User Attribute packet, zero or more signature packets 3170 (certifications) 3171 3172 - Zero or more Subkey packets 3173 3174 3175 3176Callas, et al. Expires May 23, 2005 [Page 57] 3177INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3178 3179 - After each Subkey packet, one signature packet, plus optionally 3180 a revocation. 3181 3182 The Public Key packet occurs first. Each of the following User ID 3183 packets provides the identity of the owner of this public key. If 3184 there are multiple User ID packets, this corresponds to multiple 3185 means of identifying the same unique individual user; for example, a 3186 user may have more than one email address, and construct a User ID 3187 for each one. 3188 3189 Immediately following each User ID packet, there are zero or more 3190 signature packets. Each signature packet is calculated on the 3191 immediately preceding User ID packet and the initial Public Key 3192 packet. The signature serves to certify the corresponding public key 3193 and User ID. In effect, the signer is testifying to his or her 3194 belief that this public key belongs to the user identified by this 3195 User ID. 3196 3197 Within the same section as the User ID packets, there are zero or 3198 more User Attribute packets. Like the User ID packets, a User 3199 Attribute packet is followed by zero or more signature packets 3200 calculated on the immediately preceding User Attribute packet and 3201 the initial Public Key packet. 3202 3203 User Attribute packets and User ID packets may be freely intermixed 3204 in this section, so long as the signatures that follow them are 3205 maintained on the proper User Attribute or User ID packet. 3206 3207 After the User ID or Attribute packets there may be one or more 3208 Subkey packets. In general, subkeys are provided in cases where the 3209 top-level public key is a signature-only key. However, any V4 key 3210 may have subkeys, and the subkeys may be encryption-only keys, 3211 signature-only keys, or general-purpose keys. V3 keys MUST NOT have 3212 subkeys. 3213 3214 Each Subkey packet must be followed by one Signature packet, which 3215 should be a subkey binding signature issued by the top level key. 3216 For subkeys that can issue signatures, the subkey binding signature 3217 must contain an embedded signature subpacket with a primary key 3218 binding signature (0x19) issued by the subkey on the top level key. 3219 3220 Subkey and Key packets may each be followed by a revocation 3221 Signature packet to indicate that the key is revoked. Revocation 3222 signatures are only accepted if they are issued by the key itself, 3223 or by a key that is authorized to issue revocations via a revocation 3224 key subpacket in a self-signature by the top level key. 3225 3226 Transferable public key packet sequences may be concatenated to 3227 allow transferring multiple public keys in one operation. 3228 3229 3230 3231 3232Callas, et al. Expires May 23, 2005 [Page 58] 3233INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3234 323510.2. OpenPGP Messages 3236 3237 An OpenPGP message is a packet or sequence of packets that 3238 corresponds to the following grammatical rules (comma represents 3239 sequential composition, and vertical bar separates alternatives): 3240 3241 OpenPGP Message :- Encrypted Message | Signed Message | 3242 Compressed Message | Literal Message. 3243 3244 Compressed Message :- Compressed Data Packet. 3245 3246 Literal Message :- Literal Data Packet | 3247 Literal Message, Literal Data Packet. 3248 3249 ESK :- Public Key Encrypted Session Key Packet | 3250 Symmetric-Key Encrypted Session Key Packet. 3251 3252 ESK Sequence :- ESK | ESK Sequence, ESK. 3253 3254 Encrypted Data :- Symmetrically Encrypted Data Packet | 3255 Symmetrically Encrypted Integrity Protected Data Packet 3256 3257 Encrypted Message :- Encrypted Data | ESK Sequence, Encrypted Data. 3258 3259 One-Pass Signed Message :- One-Pass Signature Packet, 3260 OpenPGP Message, Corresponding Signature Packet. 3261 3262 Signed Message :- Signature Packet, OpenPGP Message | 3263 One-Pass Signed Message. 3264 3265 In addition, decrypting a Symmetrically Encrypted Data Packet or a 3266 Symmetrically Encrypted Integrity Protected Data Packet as well as 3267 3268 decompressing a Compressed Data packet must yield a valid OpenPGP 3269 Message. 3270 327110.3. Detached Signatures 3272 3273 Some OpenPGP applications use so-called "detached signatures." For 3274 example, a program bundle may contain a file, and with it a second 3275 file that is a detached signature of the first file. These detached 3276 signatures are simply a signature packet stored separately from the 3277 data that they are a signature of. 3278 327911. Enhanced Key Formats 3280 328111.1. Key Structures 3282 3283 The format of an OpenPGP V3 key is as follows. Entries in square 3284 brackets are optional and ellipses indicate repetition. 3285 3286 3287 3288Callas, et al. Expires May 23, 2005 [Page 59] 3289INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3290 3291 RSA Public Key 3292 [Revocation Self Signature] 3293 User ID [Signature ...] 3294 [User ID [Signature ...] ...] 3295 3296 Each signature certifies the RSA public key and the preceding User 3297 ID. The RSA public key can have many User IDs and each User ID can 3298 have many signatures. V3 keys are deprecated. Implementations MUST 3299 NOT generate new V3 keys, but MAY continue to use existing ones. 3300 3301 The format of an OpenPGP V4 key that uses multiple public keys is 3302 similar except that the other keys are added to the end as "subkeys" 3303 of the primary key. 3304 3305 Primary-Key 3306 [Revocation Self Signature] 3307 [Direct Key Signature...] 3308 User ID [Signature ...] 3309 [User ID [Signature ...] ...] 3310 [User Attribute [Signature ...] ...] 3311 [[Subkey [Binding-Signature-Revocation] 3312 Primary-Key-Binding-Signature] ...] 3313 3314 A subkey always has a single signature after it that is issued using 3315 the primary key to tie the two keys together. This binding 3316 signature may be in either V3 or V4 format, but SHOULD be V4. 3317 3318 In the above diagram, if the binding signature of a subkey has been 3319 revoked, the revoked key may be removed, leaving only one key. 3320 3321 In a V4 key, the primary key MUST be a key capable of certification. 3322 The subkeys may be keys of any other type. There may be other 3323 constructions of V4 keys, too. For example, there may be a 3324 single-key RSA key in V4 format, a DSA primary key with an RSA 3325 encryption key, or RSA primary key with an Elgamal subkey, etc. 3326 3327 It is also possible to have a signature-only subkey. This permits a 3328 primary key that collects certifications (key signatures) but is 3329 used only used for certifying subkeys that are used for encryption 3330 and signatures. 3331 333211.2. Key IDs and Fingerprints 3333 3334 For a V3 key, the eight-octet key ID consists of the low 64 bits of 3335 the public modulus of the RSA key. 3336 3337 The fingerprint of a V3 key is formed by hashing the body (but not 3338 the two-octet length) of the MPIs that form the key material (public 3339 modulus n, followed by exponent e) with MD5. Note that both V3 keys 3340 and MD5 are deprecated. 3341 3342 3343 3344Callas, et al. Expires May 23, 2005 [Page 60] 3345INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3346 3347 A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99, 3348 followed by the two-octet packet length, followed by the entire 3349 Public Key packet starting with the version field. The key ID is 3350 the low order 64 bits of the fingerprint. Here are the fields of 3351 the hash material, with the example of a DSA key: 3352 3353 a.1) 0x99 (1 octet) 3354 3355 a.2) high order length octet of (b)-(f) (1 octet) 3356 3357 a.3) low order length octet of (b)-(f) (1 octet) 3358 3359 b) version number = 4 (1 octet); 3360 3361 c) time stamp of key creation (4 octets); 3362 3363 d) algorithm (1 octet): 17 = DSA (example); 3364 3365 e) Algorithm specific fields. 3366 3367 Algorithm Specific Fields for DSA keys (example): 3368 3369 e.1) MPI of DSA prime p; 3370 3371 e.2) MPI of DSA group order q (q is a prime divisor of p-1); 3372 3373 e.3) MPI of DSA group generator g; 3374 3375 e.4) MPI of DSA public key value y (= g**x mod p where x is secret). 3376 3377 Note that it is possible for there to be collisions of key IDs -- 3378 two different keys with the same key ID. Note that there is a much 3379 smaller, but still non-zero probability that two different keys have 3380 the same fingerprint. 3381 3382 Also note that if V3 and V4 format keys share the same RSA key 3383 material, they will have different key IDs as well as different 3384 fingerprints. 3385 3386 Finally, the key ID and fingerprint of a subkey are calculated in 3387 the same way as for a primary key, including the 0x99 as the first 3388 octet (even though this is not a valid packet ID for a public 3389 subkey). 3390 339112. Notes on Algorithms 3392 339312.1. Symmetric Algorithm Preferences 3394 3395 The symmetric algorithm preference is an ordered list of algorithms 3396 that the keyholder accepts. Since it is found on a self-signature, 3397 it is possible that a keyholder may have different preferences. For 3398 example, Alice may have TripleDES only specified for 3399 3400Callas, et al. Expires May 23, 2005 [Page 61] 3401INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3402 3403 "alice@work.com" but CAST5, Blowfish, and TripleDES specified for 3404 "alice@home.org". Note that it is also possible for preferences to 3405 be in a subkey's binding signature. 3406 3407 Since TripleDES is the MUST-implement algorithm, if it is not 3408 explicitly in the list, it is tacitly at the end. However, it is 3409 good form to place it there explicitly. Note also that if an 3410 implementation does not implement the preference, then it is 3411 implicitly a TripleDES-only implementation. 3412 3413 An implementation MUST NOT use a symmetric algorithm that is not in 3414 the recipient's preference list. When encrypting to more than one 3415 recipient, the implementation finds a suitable algorithm by taking 3416 the intersection of the preferences of the recipients. Note that the 3417 MUST-implement algorithm, TripleDES, ensures that the intersection 3418 is not null. The implementation may use any mechanism to pick an 3419 algorithm in the intersection. 3420 3421 If an implementation can decrypt a message that a keyholder doesn't 3422 have in their preferences, the implementation SHOULD decrypt the 3423 message anyway, but MUST warn the keyholder that the protocol has 3424 been violated. (For example, suppose that Alice, above, has software 3425 that implements all algorithms in this specification. Nonetheless, 3426 she prefers subsets for work or home. If she is sent a message 3427 encrypted with IDEA, which is not in her preferences, the software 3428 warns her that someone sent her an IDEA-encrypted message, but it 3429 would ideally decrypt it anyway.) 3430 343112.2. Other Algorithm Preferences 3432 3433 Other algorithm preferences work similarly to the symmetric 3434 algorithm preference, in that they specify which algorithms the 3435 keyholder accepts. There are two interesting cases that other 3436 comments need to be made about, though, the compression preferences 3437 and the hash preferences. 3438 343912.2.1. Compression Preferences 3440 3441 Compression has been an integral part of PGP since its first days. 3442 OpenPGP and all previous versions of PGP have offered compression. 3443 In this specification, the default is for messages to be compressed, 3444 although an implementation is not required to do so. Consequently, 3445 the compression preference gives a way for a keyholder to request 3446 that messages not be compressed, presumably because they are using a 3447 minimal implementation that does not include compression. 3448 Additionally, this gives a keyholder a way to state that it can 3449 support alternate algorithms. 3450 3451 Like the algorithm preferences, an implementation MUST NOT use an 3452 algorithm that is not in the preference vector. If the preferences 3453 are not present, then they are assumed to be [ZIP(1), 3454 UNCOMPRESSED(0)]. 3455 3456Callas, et al. Expires May 23, 2005 [Page 62] 3457INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3458 3459 Additionally, an implementation MUST implement this preference to 3460 the degree of recognizing when to send an uncompressed message. A 3461 robust implementation would satisfy this requirement by looking at 3462 the recipient's preference and acting accordingly. A minimal 3463 implementation can satisfy this requirement by never generating a 3464 compressed message, since all implementations can handle messages 3465 that have not been compressed. 3466 346712.2.2. Hash Algorithm Preferences 3468 3469 Typically, the choice of a hash algorithm is something the signer 3470 does, rather than the verifier, because a signer rarely knows who is 3471 going to be verifying the signature. This preference, though, allows 3472 a protocol based upon digital signatures ease in negotiation. 3473 3474 Thus, if Alice is authenticating herself to Bob with a signature, it 3475 makes sense for her to use a hash algorithm that Bob's software 3476 uses. This preference allows Bob to state in his key which 3477 algorithms Alice may use. 3478 3479 Since SHA1 is the MUST-implement hash algorithm, if it is not 3480 explicitly in the list, it is tacitly at the end. However, it is 3481 good form to place it there explicitly. 3482 348312.3. Plaintext 3484 3485 Algorithm 0, "plaintext," may only be used to denote secret keys 3486 that are stored in the clear. Implementations MUST NOT use plaintext 3487 in Symmetrically Encrypted Data Packets; they must use Literal Data 3488 Packets to encode unencrypted or literal data. 3489 349012.4. RSA 3491 3492 There are algorithm types for RSA-signature-only, and 3493 RSA-encrypt-only keys. These types are deprecated. The "key flags" 3494 subpacket in a signature is a much better way to express the same 3495 idea, and generalizes it to all algorithms. An implementation SHOULD 3496 NOT create such a key, but MAY interpret it. 3497 3498 An implementation SHOULD NOT implement RSA keys of size less than 3499 1024 bits. 3500 350112.5. DSA 3502 3503 An implementation SHOULD NOT implement DSA keys of size less than 3504 1024 bits. Note that present DSA is limited to a maximum of 1024 bit 3505 keys, which are recommended for long-term use. Also, DSA keys MUST 3506 be an even multiple of 64 bits long. 3507 350812.6. Elgamal 3509 3510 An implementation SHOULD NOT implement Elgamal keys of size less 3511 3512Callas, et al. Expires May 23, 2005 [Page 63] 3513INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3514 3515 than 1024 bits. 3516 351712.7. Reserved Algorithm Numbers 3518 3519 A number of algorithm IDs have been reserved for algorithms that 3520 would be useful to use in an OpenPGP implementation, yet there are 3521 issues that prevent an implementer from actually implementing the 3522 algorithm. These are marked in the Public Algorithms section as 3523 "(reserved for)". 3524 3525 The reserved public key algorithms, Elliptic Curve (18), ECDSA (19), 3526 and X9.42 (21) do not have the necessary parameters, parameter 3527 order, or semantics defined. 3528 3529 Previous versions of OpenPGP permitted Elgamal [ELGAMAL] signatures 3530 with a public key identifier of 20. These are no longer permitted. 3531 An implementation MUST NOT generate such keys. An implementation 3532 MUST NOT generate Elgamal signatures. 3533 353412.8. OpenPGP CFB mode 3535 3536 OpenPGP does symmetric encryption using a variant of Cipher Feedback 3537 Mode (CFB mode). This section describes the procedure it uses in 3538 detail. This mode is what is used for Symmetrically Encrypted Data 3539 Packets; the mechanism used for encrypting secret key material is 3540 similar, but described in those sections above. 3541 3542 In the description below, the value BS is the block size in octets 3543 of the cipher. Most ciphers have a block size of 8 octets. The AES 3544 and Twofish have a block size of 16 octets. Also note that the 3545 description below assumes that the IV and CFB arrays start with an 3546 index of 1 (unlike the C language, which assumes arrays start with a 3547 zero index). 3548 3549 OpenPGP CFB mode uses an initialization vector (IV) of all zeros, 3550 and prefixes the plaintext with BS+2 octets of random data, such 3551 that octets BS+1 and BS+2 match octets BS-1 and BS. It does a CFB 3552 "resync" after encrypting those BS+2 octets. 3553 3554 Thus, for an algorithm that has a block size of 8 octets (64 bits), 3555 the IV is 10 octets long and octets 7 and 8 of the IV are the same 3556 as octets 9 and 10. For an algorithm with a block size of 16 octets 3557 (128 bits), the IV is 18 octets long, and octets 17 and 18 replicate 3558 octets 15 and 16. Those extra two octets are an easy check for a 3559 correct key. 3560 3561 Step by step, here is the procedure: 3562 3563 1. The feedback register (FR) is set to the IV, which is all zeros. 3564 3565 3566 3567 3568Callas, et al. Expires May 23, 2005 [Page 64] 3569INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3570 3571 2. FR is encrypted to produce FRE (FR Encrypted). This is the 3572 encryption of an all-zero value. 3573 3574 3. FRE is xored with the first BS octets of random data prefixed to 3575 the plaintext to produce C[1] through C[BS], the first BS octets 3576 of ciphertext. 3577 3578 4. FR is loaded with C[1] through C[BS]. 3579 3580 5. FR is encrypted to produce FRE, the encryption of the first BS 3581 octets of ciphertext. 3582 3583 6. The left two octets of FRE get xored with the next two octets of 3584 data that were prefixed to the plaintext. This produces C[BS+1] 3585 and C[BS+2], the next two octets of ciphertext. 3586 3587 7. (The resync step) FR is loaded with C[3] through C[BS+2]. 3588 3589 8. FR is encrypted to produce FRE. 3590 3591 9. FRE is xored with the first BS octets of the given plaintext, 3592 now that we have finished encrypting the BS+2 octets of prefixed 3593 data. This produces C[BS+3] through C[BS+(BS+2)], the next BS 3594 octets of ciphertext. 3595 3596 10. FR is loaded with C[BS+3] to C[BS + (BS+2)] (which is C11-C18 3597 for an 8-octet block). 3598 3599 11. FR is encrypted to produce FRE. 3600 3601 12. FRE is xored with the next BS octets of plaintext, to produce 3602 the next BS octets of ciphertext. These are loaded into FR and 3603 the process is repeated until the plaintext is used up. 3604 360513. Security Considerations 3606 3607 * As with any technology involving cryptography, you should check 3608 the current literature to determine if any algorithms used here 3609 have been found to be vulnerable to attack. 3610 3611 * This specification uses Public Key Cryptography technologies. It 3612 is assumed that the private key portion of a public-private key 3613 pair is controlled and secured by the proper party or parties. 3614 3615 * Certain operations in this specification involve the use of 3616 random numbers. An appropriate entropy source should be used to 3617 generate these numbers. See RFC 1750. 3618 3619 * The MD5 hash algorithm has been found to have weaknesses, with 3620 collisions found in a number of cases. MD5 is deprecated for use 3621 in OpenPGP. Implementations MUST NOT generate new signatures 3622 using MD5 as a hash function. They MAY continue to consider old 3623 3624Callas, et al. Expires May 23, 2005 [Page 65] 3625INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3626 3627 signatures that used MD5 as valid. 3628 3629 * SHA384 requires the same work as SHA512. In general, there are 3630 few reasons to use it -- you need a situation where one needs 3631 more security than SHA256, but do not want to have the 512-bit 3632 data length. 3633 3634 * Many security protocol designers think that it is a bad idea to 3635 use a single key for both privacy (encryption) and integrity 3636 (signatures). In fact, this was one of the motivating forces 3637 behind the V4 key format with separate signature and encryption 3638 keys. If you as an implementer promote dual-use keys, you should 3639 at least be aware of this controversy. 3640 3641 * The DSA algorithm will work with any 160-bit hash, but it is 3642 sensitive to the quality of the hash algorithm, if the hash 3643 algorithm is broken, it can leak the secret key. The Digital 3644 Signature Standard (DSS) specifies that DSA be used with SHA-1. 3645 RIPEMD-160 is considered by many cryptographers to be as strong. 3646 An implementation should take care which hash algorithms are 3647 used with DSA, as a weak hash can not only allow a signature to 3648 be forged, but could leak the secret key. 3649 3650 * There is a somewhat-related potential security problem in 3651 signatures. If an attacker can find a message that hashes to the 3652 same hash with a different algorithm, a bogus signature 3653 structure can be constructed that evaluates correctly. 3654 3655 For example, suppose Alice DSA signs message M using hash 3656 algorithm H. Suppose that Mallet finds a message M' that has the 3657 same hash value as M with H'. Mallet can then construct a 3658 signature block that verifies as Alice's signature of M' with 3659 H'. However, this would also constitute a weakness in either H 3660 or H' or both. Should this ever occur, a revision will have to 3661 be made to this document to revise the allowed hash algorithms. 3662 3663 * If you are building an authentication system, the recipient may 3664 specify a preferred signing algorithm. However, the signer would 3665 be foolish to use a weak algorithm simply because the recipient 3666 requests it. 3667 3668 * Some of the encryption algorithms mentioned in this document 3669 have been analyzed less than others. For example, although 3670 CAST5 is presently considered strong, it has been analyzed less 3671 than TripleDES. Other algorithms may have other controversies 3672 surrounding them. 3673 3674 * In late summer 2002, Jallad, Katz, and Schneier published an 3675 interesting attack on the OpenPGP protocol and some of its 3676 implementations [JKS02]. In this attack, the attacker modifies a 3677 message and sends it to a user who then returns the erroneously 3678 decrypted message to the attacker. The attacker is thus using 3679 3680Callas, et al. Expires May 23, 2005 [Page 66] 3681INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3682 3683 the user as a random oracle, and can often decrypt the message. 3684 3685 Compressing data can ameliorate this attack. The incorrectly 3686 decrypted data nearly always decompresses in ways that defeats 3687 the attack. However, this is not a rigorous fix, and leaves open 3688 some small vulnerabilities. For example, if an implementation 3689 does not compress a message before encryption (perhaps because 3690 it knows it was already compressed), then that message is 3691 vulnerable. Because of this happenstance -- that modification 3692 attacks can be thwarted by decompression errors, an 3693 implementation SHOULD treat a decompression error as a security 3694 problem, not merely a data problem. 3695 3696 This attack can be defeated by the use of Modification 3697 Detection, provided that the implementation does not let the 3698 user naively return the data to the attacker. An implementation 3699 MUST treat an MDC failure as a security problem, not merely a 3700 data problem. 3701 3702 In either case, the implementation MAY allow the user access to 3703 the erroneous data, but MUST warn the user as to potential 3704 security problems should that data be returned to the sender. 3705 3706 While this attack is somewhat obscure, requiring a special set 3707 of circumstances to create it, it is nonetheless quite serious 3708 as it permits someone to trick a user to decrypt a message. 3709 Consequently, it is important that: 3710 3711 1. Implementers treat MDC errors and decompression failures as 3712 security problems. 3713 3714 2. Implementers implement Modification Detection with all due 3715 speed and encourage its spread. 3716 3717 3. Users migrate to implementations that support Modification 3718 Detection with all due speed. 3719 3720 * PKCS1 has been found to be vulnerable to attacks in which a 3721 system that reports errors in padding differently from errors in 3722 decryption becomes a random oracle that can leak the private key 3723 in mere millions of queries. Implementations must be aware of 3724 this attack and prevent it from happening. The simplest solution 3725 is report a single error code for all variants of decryption 3726 errors so as not to leak information to an attacker. 3727 3728 * Some technologies mentioned here may be subject to government 3729 control in some countries. 3730 373114. Implementation Nits 3732 3733 This section is a collection of comments to help an implementer, 3734 particularly with an eye to backward compatibility. Previous 3735 3736Callas, et al. Expires May 23, 2005 [Page 67] 3737INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3738 3739 implementations of PGP are not OpenPGP-compliant. Often the 3740 differences are small, but small differences are frequently more 3741 vexing than large differences. Thus, this is a non-comprehensive 3742 list of potential problems and gotchas for a developer who is trying 3743 to be backward-compatible. 3744 3745 * The IDEA algorithm is patented, and yet it is required for PGP 3746 2.x interoperability. It is also the defacto preferred algorithm 3747 for a V3 key with a V3 self-signature (or no self-signature). 3748 3749 * When exporting a private key, PGP 2.x generates the header 3750 "BEGIN PGP SECRET KEY BLOCK" instead of "BEGIN PGP PRIVATE KEY 3751 BLOCK". All previous versions ignore the implied data type, and 3752 look directly at the packet data type. 3753 3754 * PGP 2.0 through 2.5 generated V2 Public Key Packets. These are 3755 identical to the deprecated V3 keys except for the version 3756 number. An implementation MUST NOT generate them and may accept 3757 or reject them as it sees fit. Similarly, these versions 3758 generated V2 PKESK packets (Tag 1). An implementation may accept 3759 or reject V2 PKESK packets as it sees fit, and MUST NOT generate 3760 them. 3761 3762 * PGP 2.6.x will not accept key-material packets with versions 3763 greater than 3. 3764 3765 * There are many ways possible for two keys to have the same key 3766 material, but different fingerprints (and thus key IDs). Perhaps 3767 the most interesting is an RSA key that has been "upgraded" to 3768 V4 format, but since a V4 fingerprint is constructed by hashing 3769 the key creation time along with other things, two V4 keys 3770 created at different times, yet with the same key material will 3771 have different fingerprints. 3772 3773 * If an implementation is using zlib to interoperate with PGP 2.x, 3774 then the "windowBits" parameter should be set to -13. 3775 3776 * PGP 2.6.X and 5.0 do not trim trailing whitespace from a 3777 "canonical text" signature. They only remove it from cleartext 3778 signatures. These signatures are not OpenPGP compliant -- 3779 OpenPGP requires trimming the whitespace. If you wish to 3780 interoperate with PGP 2.6.X or PGP 5, you may wish to accept 3781 these non-compliant signatures. 3782 378315. Authors and Working Group Chair 3784 3785 The working group can be contacted via the current chair: 3786 3787 Derek Atkins 3788 IHTFP Consulting, Inc. 3789 6 Farragut Ave 3790 Somerville, MA 02144 USA 3791 3792Callas, et al. Expires May 23, 2005 [Page 68] 3793INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3794 3795 Email: derek@ihtfp.com 3796 Tel: +1 617 623 3745 3797 3798 The principal authors of this draft are: 3799 3800 Jon Callas 3801 3802 Email: jon@callas.org 3803 Tel: +1 (408) 448-6801 3804 3805 Lutz Donnerhacke 3806 IKS GmbH 3807 Wildenbruchstr. 15 3808 07745 Jena, Germany 3809 3810 EMail: lutz@iks-jena.de 3811 Tel: +49-3641-675642 3812 3813 Hal Finney 3814 Network Associates, Inc. 3815 3965 Freedom Circle 3816 Santa Clara, CA 95054, USA 3817 3818 Email: hal@finney.org 3819 3820 Rodney Thayer 3821 3822 Email: rodney@tillerman.to 3823 3824 This memo also draws on much previous work from a number of other 3825 authors who include: Derek Atkins, Charles Breed, Dave Del Torto, 3826 Marc Dyksterhouse, Gail Haspert, Gene Hoffman, Paul Hoffman, Raph 3827 Levien, Colin Plumb, Will Price, David Shaw, William Stallings, Mark 3828 Weaver, and Philip R. Zimmermann. 3829 383016. References (Normative) 3831 3832 3833 [AES] Advanced Encryption Standards Questions and Answers 3834 <http://csrc.nist.gov/encryption/aes/round2/ 3835 aesfact.html> 3836 3837 <http://csrc.nist.gov/encryption/aes/round2/ 3838 r2algs.html#Rijndael> 3839 3840 [BLOWFISH] Schneier, B. "Description of a New Variable-Length 3841 Key, 64-Bit Block Cipher (Blowfish)" Fast Software 3842 Encryption, Cambridge Security Workshop Proceedings 3843 (December 1993), Springer-Verlag, 1994, pp191-204 3844 <http://www.counterpane.com/bfsverlag.html> 3845 3846 3847 3848Callas, et al. Expires May 23, 2005 [Page 69] 3849INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3850 3851 [BZ2] J. Seward, jseward@acm.org, "The Bzip2 and libbzip2 3852 home page" 3853 <http://sources.redhat.com/bzip2/> 3854 [ELGAMAL] T. Elgamal, "A Public-Key Cryptosystem and a 3855 Signature Scheme Based on Discrete Logarithms," 3856 IEEE Transactions on Information Theory, v. IT-31, 3857 n. 4, 1985, pp. 469-472. 3858 [IDEA] Lai, X, "On the design and security of block 3859 ciphers", ETH Series in Information Processing, 3860 J.L. Massey (editor), Vol. 1, Hartung-Gorre Verlag 3861 Knostanz, Technische Hochschule (Zurich), 1992 3862 [ISO10646] ISO/IEC 10646-1:1993. International Standard -- 3863 Information technology -- Universal Multiple-Octet 3864 Coded Character Set (UCS) -- Part 1: Architecture 3865 and Basic Multilingual Plane. 3866 [JFIF] JPEG File Interchange Format (Version 1.02). 3867 Eric Hamilton, C-Cube Microsystems, Milpitas, CA, 3868 September 1, 1992. 3869 3870 [MENEZES] Alfred Menezes, Paul van Oorschot, and Scott 3871 Vanstone, "Handbook of Applied Cryptography," CRC 3872 Press, 1996. 3873 [RFC822] Crocker, D., "Standard for the format of ARPA 3874 Internet text messages", STD 11, RFC 822, August 3875 1982. 3876 [RFC1423] Balenson, D., "Privacy Enhancement for Internet 3877 Electronic Mail: Part III: Algorithms, Modes, and 3878 Identifiers", RFC 1423, October 1993. 3879 [RFC1641] Goldsmith, D. and M. Davis, "Using Unicode with 3880 MIME", RFC 1641, July 1994. 3881 [RFC1750] Eastlake, D., Crocker, S. and J. Schiller, 3882 "Randomness Recommendations for Security", RFC 3883 1750, December 1994. 3884 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format 3885 Specification version 1.3.", RFC 1951, May 1996. 3886 [RFC1991] Atkins, D., Stallings, W. and P. Zimmermann, "PGP 3887 Message Exchange Formats", RFC 1991, August 1996. 3888 [RFC2045] Borenstein, N. and N. Freed, "Multipurpose Internet 3889 Mail Extensions (MIME) Part One: Format of Internet 3890 Message Bodies.", RFC 2045, November 1996. 3891 [RFC2144] Adams, C., "The CAST-128 Encryption Algorithm", RFC 3892 2144, May 1997. 3893 [RFC2279] Yergeau., F., "UTF-8, a transformation format of 3894 Unicode and ISO 10646", RFC 2279, January 1998. 3895 [RFC2437] B. Kaliski and J. Staddon, " PKCS #1: RSA 3896 Cryptography Specifications Version 2.0", 3897 RFC 2437, October 1998. 3898 [RFC3156] M. Elkins, D. Del Torto, R. Levien, T. Roessler, 3899 "MIME Security with OpenPGP", RFC 3156, 3900 August 2001. 3901 [SCHNEIER] Schneier, B., "Applied Cryptography Second Edition: 3902 protocols, algorithms, and source code in C", 1996. 3903 3904Callas, et al. Expires May 23, 2005 [Page 70] 3905INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3906 3907 [TWOFISH] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. 3908 Hall, and N. Ferguson, "The Twofish Encryption 3909 Algorithm", John Wiley & Sons, 1999. 3910 391117. References (Non-Normative) 3912 3913 3914 [BLEICHENBACHER] Bleichenbacher, Daniel, "Generating Elgamal 3915 signatures without knowing the secret key," 3916 Eurocrypt 96. Note that the version in the 3917 proceedings has an error. A revised version is 3918 available at the time of writing from 3919 <ftp://ftp.inf.ethz.ch/pub/publications/papers/ti 3920 /isc/ElGamal.ps> 3921 [DONNERHACKE] Donnerhacke, L., et. al, "PGP263in - an improved 3922 international version of PGP", ftp://ftp.iks- 3923 jena.de/mitarb/lutz/crypt/software/pgp/ 3924 [JKS02] Kahil Jallad, Jonathan Katz, Bruce Schneier 3925 "Implementation of Chosen-Ciphertext Attacks 3926 against PGP and GnuPG" 3927 http://www.counterpane.com/pgp-attack.html 3928 3929 [RFC1983] Malkin, G., "Internet Users' Glossary", FYI 18, RFC 3930 1983, August 1996. 3931 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3932 Requirement Level", BCP 14, RFC 2119, March 1997. 3933 [FIPS186-2] "Digital Signature Standard", FIPS 186-2, January 3934 2000. 3935 [RSA] Menezes, A., et al. "Handbook of Applied 3936 Cryptography", Section 8.2., October 1996. 3937 3938 3939 394018. Full Copyright Statement 3941 3942 Copyright 2004 by The Internet Society. All Rights Reserved. 3943 3944 This document is subject to the rights, licenses and restrictions 3945 contained in BCP 78, and except as set forth therein, the authors 3946 retain all their rights. 3947 3948 This document and the information contained herein are provided on 3949 an "AS IS" basis and the contributor, the organization he/she 3950 represents or is sponsored by (if any), the internet society and the 3951 internet engineering task force disclaim all warranties, express or 3952 implied, including but not limited to any warranty that the use of 3953 the information herein will not infringe any rights or any implied 3954 warranties of merchantability or fitness for a particular purpose. 3955 3956 This document and translations of it may be copied and furnished to 3957 others, and derivative works that comment on or otherwise explain it 3958 or assist in its implementation may be prepared, copied, published 3959 and distributed, in whole or in part, without restriction of any 3960 kind, provided that the above copyright notice and this paragraph 3961 are included on all such copies and derivative works. However, this 3962 document itself may not be modified in any way, such as by removing 3963 3964Callas, et al. Expires May 23, 2005 [Page 71] 3965INTERNET-DRAFT OpenPGP Message Format Nov 23, 2004 3966 3967 the copyright notice or references to the Internet Society or other 3968 Internet organizations, except as needed for the purpose of 3969 developing Internet standards in which case the procedures for 3970 copyrights defined in the Internet Standards process must be 3971 followed, or as required to translate it into languages other than 3972 English. 3973 3974 The limited permissions granted above are perpetual and will not be 3975 revoked by the Internet Society or its successors or assigns. 3976 3977 3978 3979 3980 3981 3982 3983 3984 3985 3986 3987 3988 3989 3990 3991 3992 3993 3994 3995 3996 3997 3998 3999 4000 4001 4002 4003 4004 4005 4006 4007 4008 4009 4010 4011 4012 4013 4014 4015 4016 4017 4018 4019 4020Callas, et al. Expires May 23, 2005 [Page 72] 4021 4022 4023