Symmetric Encryption Requirement

David Shaw dshaw at
Fri Dec 19 12:10:58 CET 2003

On Fri, Dec 19, 2003 at 11:37:59AM -0500, Mark Jacobs wrote:

> I tried to get the session key for the Symmetric Encrypted file, but
> it never displayed anything.  Looking through the GNUPG archive
> messages I found the statement that --show-session-key only works
> with public/private key encrypted files not Symmetric.

Oops - my mistake.  Using --show-session-key with symmetric messages
is a fairly new feature that was added in version 1.3.4.  That's the
development version, so you probably aren't using it.

> It also said that the session key for these files is created by a
> SHA1 has of the passphrase entered. Is this true?

For symmetric files, the most common way to make the session key is to
take the passphrase and repeatedly hash it (usually using SHA1) along
with some random salt.  The method is given in RFC-2440 as "iterated &
hashed S2K".  For public key encrypted files, the session key is

> Is the session key stored in the encrypted file or regenerated from
> the entered pass phrase during decryption. If it is stored in the
> encrypted file, I need to strip if from the file prior to decryption
> on the mainframe (assuming I can't get GNUPG to port)

It is stored in the encrypted file.  If you run gpgsplit (comes with
GnuPG) on a symmetric file, you'll end up with two files:
"000001-003.sym_enc" and "000002-009.encrypted".  The first is the
session key (see RFC-2440 for the format of packet #3).  The second is
the encrypted data (see RFC-2440 again, for packet #9).

I'd seriously try and build GnuPG on the mainframe.  Given that you
don't need a random number source, it should be fairly simple to come
up with the right set of configure options to build the thing.


More information about the Gnupg-users mailing list