Multiple Sym. Encrypted Packets
Werner Koch
wk at gnupg.org
Tue Nov 7 18:47:56 CET 2006
On Tue, 7 Nov 2006 15:50, emlynj at gmail.com said:
> This doesn't:
> [PKESK][SED][PKESK][SED] (fails reading the second PKESK)
Right. This is because the semantics of two concatenated OpenPGP
messages are not well defined.
> This will read the two PKESK packets and the first SED but not the final one:
> [PKESK][PKESK][SED][SED]
Indeed. GnuPG views this as
[PKESK][PKESK][SED]
and ignores the extra data at the end.
> i) Should this be possible?
> ii) Are there any tools (other than gpg -vvv) to help debug what gpg
> is finding in my packet stream?
Not really.
> iii) I'm pretty confident the size of the SED packet is specified
> correctly but do I need to make sure that the SED packet size is a
> multiple of the algorithm's block size?
PKESK = Public-Key Encrypted Session Key Packets (Tag 1)
SKESK = Symmetric-Key Encrypted Session Key Packets (Tag 3)
SED = Symmetrically Encrypted Data Packet (Tag 9 or 18)
Using just an SED is only allowed for PGP2 compatibility. It is
better to use a random session key for the SED and encrypt that
session key using a SKESK. Then you may use an arbitrary number and
order of PKESK and SKESK:
[PKESK][SKESK][PKESK][PKESK][SKESK][SKESK][SED]
The actual content is encrypted in the SED and the other packets
merely encrypt the random session used with the SED.
Shalom-Salam,
Werner
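
Added example, not part of the message above and not GnuPG code: a small Python walker over OpenPGP packet headers (RFC 4880, section 4.2) that lists the tags in a stream and checks the layout recommended in the reply, any number of PKESK/SKESK packets followed by a single SED. The names `list_packets`, `check_layout`, `pkt` and the sample streams are constructed for illustration; the check covers only this layout, not the full OpenPGP message grammar.

```python
# Added example, not GnuPG code: walk OpenPGP packet headers (RFC 4880, 4.2).
NAMES = {1: "PKESK", 3: "SKESK", 9: "SED", 18: "SED"}

def _new_length(data, pos):  # -> (length, next_pos, is_partial)
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True        # partial body length

def list_packets(data):
    """Return [(tag, body_length)] for each packet in the byte string."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: not a packet header")
        pos += 1
        if ctb & 0x40:                               # new-format header
            tag, total, partial = ctb & 0x3F, 0, True
            while partial:                           # sum partial chunks
                length, pos, partial = _new_length(data, pos)
                total, pos = total + length, pos + length
        else:                                        # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = 0 if ltype == 3 else 1 << ltype   # type 3 has no length
            total = (int.from_bytes(data[pos:pos + size], "big") if size
                     else len(data) - pos)           # type 3 runs to EOF
            pos += size + total
        if pos > len(data):
            raise ValueError(f"tag {tag}: body is truncated")
        packets.append((tag, total))
    return packets

def check_layout(data):
    """Return (names, ok); ok means zero or more ESK packets, then one SED."""
    tags = [tag for tag, _ in list_packets(data)]
    names = [NAMES.get(tag, f"tag{tag}") for tag in tags]
    ok = bool(tags) and tags[-1] in (9, 18) and all(t in (1, 3) for t in tags[:-1])
    return names, ok

def pkt(tag, body):  # constructed packet: new-format header, 1-octet length
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample streams with dummy bodies, not real ciphertext.
GOOD = pkt(1, b"k" * 12) + pkt(3, b"k" * 4) + pkt(18, b"d" * 40)
DOUBLE_SED = pkt(1, b"k" * 12) + pkt(1, b"k" * 12) + pkt(9, b"d" * 8) + pkt(9, b"d" * 8)
```

`check_layout(DOUBLE_SED)` lists all four packets but reports the layout as not matching, which makes the trailing SED visible instead of silently dropped.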