PGP Command Line receives the error "invalid key" when trying to encrypt to a PGP key
Only use your primary key for certification (and possibly signing). All software has bugs, and GnuPG is no exception. Not only is this a single point of failure, it is also a prime source of leaks of relationship information between OpenPGP with the keyserver pool over an encrypted channel, using a protocol called hkps. SecureTransport supports PGP encryption. The system If the key is expired, decryption succeeds, but signature verification, encryption, and signing fail. Exchanging OpenPGP Encrypted and Signed Data But unlike the OpenPGP keyservers, this process establishes a strong relation between the key and the.
It is even possible to announce multiple public keys in the Personal Eventing Protocol node. Implementations MUST be prepared to find multiple public keys. The 'rpad' element of the OpenPGP content elements exists to prevent length-based side channel attacks.
It mitigates replay attacks by including the recipient's address and a timestamp in the OpenPGP content element [20]. It allows for both signing and encrypting of the element. The scope of the specification was deliberately limited to OpenPGP. Also, XMPP needs no additional error correction of payload. When doing certification of keys (key signing), the partner must know what User ID she actually certifies. Third, having the Real Name inside provides no additional security or guideline if this key should be certified.
- Encrypting vs. Signing with OpenPGP. What’s the Difference?
- OpenPGP for Complete Beginners
- XEP-0373: OpenPGP for XMPP
The XMPP address is the only trust anchor here. Security Considerations The scope of this XEP is intentionally limited, so that the specification just defines a way for XMPP entities to discover, announce and synchronize OpenPGP keys, and how to exchange signed and encrypted data between two or more parties. Everything else is outside its scope. For example, how securely the key material is protected on the endpoints is up to the implementation.
Some systems only permit the use of blocks consisting of seven-bit, printable text. For transporting OpenPGP's native raw binary octets through channels that are not safe to raw binary data, a printable encoding of these binary octets is needed. Signature-Only Applications OpenPGP is designed for applications that use both encryption and signatures, but there are a number of problems that are solved by a signature-only implementation.
Although this specification requires both encryption and signatures, it is reasonable for there to be subset implementations that are non-conformant only in that they omit encryption. Scalar Numbers Scalar numbers are unsigned and are always stored in big-endian format. Multiprecision Integers Multiprecision integers (also called MPIs) are unsigned integers used to hold large integers such as the ones used in cryptographic calculations.
An MPI consists of two pieces: These octets form a big-endian number; a big-endian number can be made into an MPI by prefixing it with the appropriate length. The length field of an MPI describes the length starting from its most significant non-zero bit. Thus, the MPI [00 02 01] is not formed correctly. It should be [00 01 01].
It may be ill-formed in its ciphertext. Time Fields A time field is an unsigned four-octet number containing the number of seconds elapsed since midnight, 1 January UTC. Keyrings A keyring is a collection of one or more keys in a file or database. Traditionally, a keyring is simply a sequential list of keys, but may be any suitable database. It is beyond the scope of this standard to discuss the details of keyrings or other databases. They are used in two places, currently: Simple S2K This directly hashes the string to produce the key data.
See below for how this hashing is done. If the hash size is greater than the session key size, the high-order (leftmost) octets of the hash are used as the key. If the hash size is less than the key size, multiple instances of the hash context are created -- enough to produce the required key data. These instances are preloaded with 0, 1, 2, As the data is hashed, it is given independently to each hash context. Since the contexts have been initialized differently, they will each produce different hash output.
Once the passphrase is hashed, the output data from the multiple hashes is concatenated, first hash leftmost, to produce the key data, with any excess octets on the right discarded. Salted S2K This includes a "salt" value in the S2K specifier -- some arbitrary data -- that gets hashed along with the passphrase string, to help prevent dictionary attacks. Iterated and Salted S2K This includes both a salt and an octet count.
The salt is combined with the passphrase and the resulting value is hashed repeatedly. This further increases the amount of work an attacker must do to try dictionary attacks.
Iterated-Salted S2K hashes the passphrase and salt data multiple times. The total number of octets to be hashed is specified in the encoded count in the S2K specifier. Note that the resulting count value is an octet count of how many octets will be hashed, not an iteration count. Initially, one or more hash contexts are set up as with the other S2K algorithms, depending on how many octets of key data are needed.
Then the salt, followed by the passphrase data, is repeatedly hashed until the number of octets specified by the octet count has been hashed. The one exception is that if the octet count is less than the size of the salt plus passphrase, the full salt plus passphrase will be hashed even though that is greater than the octet count.
After the hashing is done, the data is unloaded from the hash context(s) as with the other S2K algorithms. Secret-Key Encryption An S2K specifier can be stored in the secret keyring to specify how to convert the passphrase to a key that unlocks the secret data. Older versions of PGP just stored a cipher algorithm octet preceding the secret data or a zero to indicate that the secret data was unencrypted.
The MD5 hash function was always used to convert the passphrase to a key for the specified cipher algorithm. For compatibility, when an S2K specifier is used, the special value or is stored in the position where the hash algorithm octet would have been in the old data structure. This is then followed immediately by a one-octet algorithm identifier, and then by the S2K specifier as encoded above. These are followed by an Initial Vector of the same length as the block size of the cipher for the decryption of the secret values, if they are encrypted, and then the secret-key values themselves.
This is used to allow S2K specifiers to be used for the passphrase conversion or to create messages with a mix of symmetric-key ESKs and public-key ESKs. This allows a message to be decrypted either with a passphrase or a public-key pair. X always used IDEA with Simple string-to-key conversion when encrypting a message with a symmetric algorithm.
This is deprecated, but MAY be used for backward-compatibility. Overview An OpenPGP message is constructed from a number of records that are traditionally called packets. A packet is a chunk of data that has a tag specifying its meaning. An OpenPGP message, keyring, certificate, and so forth consists of a number of packets. Each packet consists of a packet header, followed by the packet body. The packet header is of variable length. Packet Headers The first octet of the packet header is called the "Packet Tag".
It determines the format of the header and denotes the packet contents. The remainder of the packet header is the length of the packet.
A mask for this bit is 0x80 in hexadecimal.
Thus, software that interoperates with those versions of PGP must only use old format packets. Note that old format packets have four bits of packet tags, and new format packets have six; some features cannot be used and still be backward-compatible.
Also note that packets with a tag greater than or equal to 16 MUST use new format packets. The old format packets can only express tags less than or equal to Old format packets contain: Bits -- packet tag Bits -- length-type New format packets contain: Bits -- packet tag 4.
Old Format Packet Lengths The meaning of the length-type in old format packets is: The header is 2 octets long. The header is 3 octets long. The header is 5 octets long. The header is 1 octet long, and the implementation must determine how long the packet is.
If the packet is in a file, this means that the packet extends until the end of the file. In general, an implementation SHOULD NOT use indeterminate-length packets except where the end of the data will be clear from the context, and even then it is better to use a definite length, or a new format header.
The new format headers described below have a mechanism for precisely encoding data of indeterminate length. New Format Packet Lengths New format packets have four possible ways of encoding length: A one-octet Body Length header encodes packet lengths of up to octets.
A two-octet Body Length header encodes packet lengths of to octets. This actually encodes a four-octet scalar number. When the length of the packet body is not known in advance by the issuer, Partial Body Length headers encode a packet of indeterminate length, effectively making it a stream. This type of length header is recognized because the one octet value is less than The body length is equal to: It is recognized because its first octet is in the range to Five-Octet Lengths A five-octet Body Length header consists of a single octet holding the valuefollowed by a four-octet scalar.
Partial Body Lengths A Partial Body Length header is one octet long and encodes the length of only part of the data packet. This length is a power of 2, from 1 to 1,, 2 to the 30th power. It is recognized by its one octet value that is greater than or equal toand less than The Partial Body Length is equal to: The Partial Body Length header specifies this portion's length.
Another length header (one octet, two-octet, five-octet, or partial) follows that portion. Partial Body Length headers may only be used for the non-final parts of the packet. Note also that the last Body Length header can be a zero-length header. The first partial length MUST be at least octets long. Packet Length Examples These examples show ways that new format packets might encode the packet lengths. A packet with length may have its length encoded in one octet: This is followed by octets of data.
A packet with length may have its length encoded in two octets: This header is followed by the octets of data. A packet with length may have its length encoded in five octets: It might also be encoded in the following octet stream: This is just one possible encoding, and many variations are possible on the size of the Partial Body Length headers, as long as a regular Body Length header encodes the last portion of the data. Packet Tags The packet tag denotes what type of packet the body holds.
Note that old format headers can only have tags less than 16, whereas new format headers can have tags as great as The defined tags in decimal are as follows: The message is encrypted with the session key, and the session key is itself encrypted and stored in the Encrypted Session Key packet(s). The recipient of the message finds a session key that is encrypted to their public key, decrypts the session key, and then uses the session key to decrypt the message.
The currently defined value for packet version is 3. If the session key is encrypted to a subkey, then the Key ID of this subkey is used here instead of the Key ID of the primary key.
This string takes up the remainder of the packet, and its contents are dependent on the public-key algorithm used. Algorithm Specific Fields for Elgamal encryption: The value "m" in the above formulas is derived from the session key as follows. First, the session key is prefixed with a one-octet algorithm identifier that specifies the symmetric encryption algorithm used to encrypt the following Symmetrically Encrypted Data Packet.
Then a two-octet checksum is appended, which is equal to the sum of the preceding session key octets, not including the algorithm identifier, modulo In this case, the receiving implementation would try all available private keys, checking for a valid decrypted session key.
This format helps reduce traffic analysis of messages. Signature Packet Tag 2 A Signature packet describes a binding between some public key and some data. The most common signatures are a signature of a file or a block of text, and a signature that is a certification of a User ID.
Two versions of Signature packets are defined.
RFC - OpenPGP Message Format
Version 3 provides basic signature information, while version 4 provides an expandable format with subpackets that can specify more information about the signature.
Note that if an implementation is creating an encrypted and signed message that is encrypted to a V3 key, it is reasonable to create a V3 signature. Signature Types There are a number of possible meanings for a signature, which are indicated in a signature type octet in any given signature. Please note that the vagueness of these meanings is not a flaw, but a feature of the system. Because OpenPGP places final authority for validity upon the receiver of a signature, it may be that one signer's casual act might be more rigorous than some other authority's positive act.
These meanings are as follows: Signature of a binary document. This means the signer owns it, created it, or certifies that it has not been modified. Signature of a canonical text document. This signature is a signature of only its own subpacket contents. It is calculated identically to a signature over a zero-length binary document. Note that it doesn't make sense to have a V3 standalone signature. The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the User ID.
The issuer of this certification has not done any verification of the claim that the owner of this key is the User ID specified. The issuer of this certification has done some casual verification of the claim of identity.
The issuer of this certification has done substantial verification of the claim of identity. Most OpenPGP implementations make their "key signatures" as 0x10 certifications. Some implementations can issue 0xx13 certifications, but few differentiate between the types. Subkey Binding Signature This signature is a statement by the top-level signing key that indicates that it owns the subkey. This signature is calculated directly on the primary key and subkey, and not on any User ID or other packets.
A signature that binds a signing subkey MUST have an Embedded Signature subpacket in this binding signature that contains a 0x19 signature made by the signing subkey on the primary key and subkey. Primary Key Binding Signature This signature is a statement by a signing subkey, indicating that it is owned by the primary key and subkey.
This signature is calculated the same way as a 0x18 signature: Signature directly on a key This signature is calculated directly on a key. It binds the information in the Signature subpackets to the key, and is appropriate to be used for subpackets that provide information about the key, such as the Revocation Key subpacket.
It is also appropriate for statements that non-self certifiers want to make about the key itself, rather than the binding between a key and a name. Key revocation signature The signature is calculated directly on the key being revoked. A revoked key is not to be used. Only revocation signatures by the key being revoked, or by an authorized revocation key, should be considered valid revocation signatures. Subkey revocation signature The signature is calculated directly on the subkey being revoked.
A revoked subkey is not to be used. Only revocation signatures by the top-level signature key that is bound to this subkey, or by an authorized revocation key, should be considered valid revocation signatures. Certification revocation signature This signature revokes an earlier User ID certification signature (signature class 0x10 through 0x13) or direct-key signature (0x1F).
It should be issued by the same key that issued the revoked signature or an authorized revocation key. The signature is computed over the same data as the certificate that it revokes, and should have a later creation date than that certificate. This signature is only meaningful for the timestamp contained in it. It is analogous to a notary seal on the signed data.
There are plausible uses for this (such as a blind party that only sees the signature, not the key or source document) that cannot include a target subpacket. This portion is algorithm specific, as described below. The concatenation of the data to be signed, the signature type, and creation time from the Signature packet (5 additional octets) is hashed. The resulting hash value is used in the signature algorithm. The high 16 bits (first two octets) of the hash are included in the Signature packet to provide a quick test to reject some invalid signatures.
The signature calculation is based on a hash of the signed data, as described above. This requires inserting the hash value as an octet string into an ASN. The object identifier for the type of hash being used is included in the structure. The hexadecimal representations for the currently defined hash algorithms are as follows: Callas, et al Standards Track [Page 23] RFC OpenPGP Message Format November If the output size of the chosen hash is larger than the number of bits of q, the hash result is truncated to fit by taking the number of leftmost bits equal to the number of bits of q.
This (possibly truncated) hash function result is treated as a number and used directly in the DSA signature algorithm. Note that this is the length in octets of all of the hashed subpackets; a pointer incremented by this number will skip over the hashed subpackets. Note that this is the length in octets of all of the unhashed subpackets; a pointer incremented by this number will skip over the unhashed subpackets.
This portion is algorithm specific, as described above. The concatenation of the data being signed and the signature data from the version number through the hashed subpacket data inclusive is hashed. The resulting hash value is what is signed. The left 16 bits of the hash are included in the Signature packet to provide a quick test to reject some invalid signatures. There are two fields consisting of Signature subpackets. The first field is hashed with the rest of the signature data, while the second is unhashed.
The algorithms for converting the hash function result to a signature are described in a section below. Signature Subpacket Specification A subpacket data set consists of zero or more Signature subpackets.