Multiple Sym. Encrypted Packets

Werner Koch wk at
Tue Nov 7 18:47:56 CET 2006

On Tue,  7 Nov 2006 15:50, emlynj at said:

> This doesn't:
> [PKESK][SED][PKESK][SED] (fails reading the second PKESK)

Right. This is because the sematics of two concatenated OpenPGP
messages are not well defined.

> This will read the two PKESK packets and the first SED but not the final one:

Indeed.  GnuPG views this as 


and ignore the extra data at the end.

> i)Should this be possible?
> ii)Are there any tools  (other than gpg -vvv) to help debug what gpg
> is finding in my packet stream?

Not really.

> iii)I'm pretty confident the size of the SED packet is specified
> correctly but do I need to make sure that the SED packet size is a
> multiple of the algorithm's block size?

PKESK = Public-Key Encrypted Session Key Packets (Tag 1)
SKESK = Symmetric-Key Encrypted Session Key Packets (Tag 3)
SED   = Symmetrically Encrypted Data Packet (Tag 9 or 18)

Using just an SED is only allowed for PGP2 compatibility.  It is
better to use a random session key for the ESD and encrypt that
session key using a SKESK.  Then you may use an arbitrary number and
order of PKESK and SKESK:


The actual content is encrypted in the SED and the other packets
merely encrypt the random session used with the SED.



More information about the Gnupg-users mailing list