![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to pgformat.doc CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [PGP] / pgp / src|
Return to pgformat.doc CVS log | Up to [PGP] / pgp / src |
1.1 root 1: Appendix A. (Beta test release 22 May 91)
2:
3:
4: Internal Data Structures Used by PGP
5: ====================================
6:
7: This appendix describes the data structures used internally by Pretty
8: Good Privacy (PGP), the RSA public key cryptography application. The
9: intended audience mainly includes software engineers trying to port
10: PGP to other hardware environments or trying to implement other PGP-
11: compatible cryptography products.
12:
13: Some of these data structures may change before PGP is released.
14: Also, CRC-16 frame checks may be added to some packets.
15:
16:
17: Byte Order
18: ----------
19:
20: All integer data used by PGP is externally stored least significant
21: byte (LSB) first, regardless of the byte order used internally by the
22: host CPU architecture. This is for cross-compatibility of messages
23: and keys between hosts. This covers multiprecision RSA integers, bit
24: count prefix fields, byte count prefix fields, key IDs, and
25: timestamps.
26:
27:
28: Multiprecision Integers
29: -----------------------
30:
31: RSA arithmetic involves a lot of multiprecision integers, often
32: having hundreds of bits of precision. PGP externally stores a
33: multiprecision integer (MPI) with a 16-bit prefix that gives the
34: number of significant bits in the integer that follows. The integer
35: that follows this bitcount field is stored LSB first, with the MSB
36: padded with zero bits if the bitcount is not a multiple of 8. The
37: bitcount always specifies the exact number of significant bits. For
38: example, the integer value 5 would be stored as these three bytes:
39:
40: 03 00 05
41:
42: An MPI with a value of zero is simply stored with the 16-bit bitcount
43: prefix field containing a 0, with no value bytes following it.
44:
45:
46:
47: Key ID
48: ------
49:
50: Some packets use a "key ID" field. The key ID is the least
51: significant 64 bits of the RSA public modulus that was involved in
52: creating the packet. For all practical purposes it unique to each
53: RSA public key.
54:
55:
56: User ID
57: -------
58:
59: Some packets contain a "user ID", which is an ASCII string that
60: contains the user's name. Unlike a C string, the user ID has a
61: length byte at the beginning that has a byte count of the rest of the
62: string. This length byte does not include itself in the count.
63:
64:
65: Timestamp
66: ---------
67:
68: Some packets contain a timestamp, which is a 32-bit unsigned integer
69: of the number of seconds elapsed since 1970 Jan 1 00:00:00 GMT. This
70: is the standard format used by Unix timestamps. It spans 136 years.
71:
72:
73:
74: Cipher Type Byte (CTB)
75: ----------------------
76:
77: Many of these data structures begin with a Cipher Type Byte (CTB),
78: which specifies the type of data structure that follows it. The CTB
79: bit fields have the following meaning (bit 0 is the LSB, bit 7 is the
80: MSB):
81:
82: Bit 7: Always 1, which designates this as a CTB
83: Bit 6: Reserved.
84: Bits 5-2: CTB type field, specifies type of packet that follows
85: 0001 - RSA public-key-encrypted packet
86: 0010 - RSA secret-key-encrypted (signed) packet
87: 0011 - Message digest packet
88: 0100 - Conventional key packet
89: 0101 - Secret key certificate
90: 0110 - Public key certificate
91: 1000 - Compressed data packet
92: 1001 - Conventional-Key-Encrypted data
93: 1100 - Raw literal plaintext data
94: Other CTB packet types are unimplemented.
95: Bits 1-0: Length-of-length field:
96: 00 - 1 byte packet length field follows CTB
97: 01 - 2 byte packet length field follows CTB
98: 10 - 4 byte packet length field follows CTB
99: 11 - no length field follows CTB, unknown packet length.
100: The 8-, 16-, or 32-bit packet length field after the CTB
101: gives the length in bytes of the rest of the packet, not
102: counting the CTB and the packet length field.
103:
104:
105:
106: RSA public-key-encrypted packet
107: -------------------------------
108:
109: Offset Length Meaning
110: 0 1 CTB for RSA public-key-encrypted packet
111: 1 2 16-bit length of packet
112: 3 8 64-bit Key ID
113: 11 ? RSA-encrypted integer, encrypted conventional key
114: packet. (MPI with bitcount prefix)
115:
116: The conventionally-encrypted ciphertext packet begins right after the
117: RSA public-key-encrypted packet that contains the conventional key.
118:
119:
120:
121: RSA secret-key-encrypted (signed) packet
122: ----------------------------------------
123:
124: Offset Length Meaning
125: 0 1 CTB for RSA secret-key-encrypted (signed) packet
126: 1 2 16-bit length of packet
127: 3 8 64-bit Key ID
128: 11 ? RSA-encrypted integer, encrypted message digest
129: packet. (MPI with bitcount prefix)
130:
131: If the plaintext that was signed is included in the same file as the
132: signature packet, it begins right after the RSA secret-key-signed
133: packet that contains the message digest. The plaintext has a
134: "literal" CTB prefix.
135:
136:
137:
138: Message digest packet
139: ---------------------
140:
141: Offset Length Meaning
142: 0 1 CTB for Message digest packet
143: 1 1 8-bit length of packet
144: 2 1 Message digest algorithm selector byte
145: 3 16 128-bit message digest
146: 19 4 32-bit timestamp
147:
148:
149:
150: Conventional key packet
151: -----------------------
152:
153: Offset Length Meaning
154: 0 1 CTB for Conventional key packet
155: 1 1 8-bit length of packet
156: 2 1 Conventional encryption algorithm selector byte
157: 3 ? Key material for conventional algorithm
158:
159:
160:
161: Conventional Key Encrypted data packet
162: --------------------------------------
163:
164: Offset Length Meaning
165: 0 1 CTB for Conventional-Key-Encrypted data packet
166: 1 ? conventionally-encrypted data, no length field
167:
168: The conventionally-encrypted ciphertext begins right after the
169: CTB. No length field follows CTB, unknown packet length.
170: The decrypted ciphertext may contain a compressed data packet or a
171: literal plaintext packet.
172:
173: The conventionally-encrypted data has a 4-byte "key-check" prefix.
174: This key-check prefix is inserted before encryption and discarded
175: after decryption. The key-check prefix is only visible only after
176: decrypting the ciphertext in the packet. The key-check prefix is
177: composed of two identical copies of a 16-bit random number. During
178: decryption, the first 4 bytes of decrypted plaintext are checked to
179: see if the first 2 bytes match the second 2 bytes. If this key-check
180: prefix meets this criterium, then the conventional key is assumed to
181: be correct.
182:
183:
184:
185: Compressed data packet
186: ----------------------
187:
188: Offset Length Meaning
189: 0 1 CTB for Compressed data packet
190: 1 1 Compression algorithm selector byte
191: 2 ? compressed data, no length field
192:
193: The compressed data begins right after the algorithm selector byte.
194: No length field follows CTB, unknown packet length.
195: The compressed data may decompress into a raw literal plaintext data
196: packet with its own CTB.
197:
198:
199:
200: Literal data packet
201: -------------------
202:
203: Offset Length Meaning
204: 0 1 CTB for raw literal data packet
205: 1 ? raw literal plaintext data, no length field
206:
207: The raw literal plaintext data begins right after the
208: CTB. No length field follows CTB, unknown packet length.
209:
210:
211:
212: RSA secret key certificate
213: --------------------------
214:
215: Offset Length Meaning
216: 0 1 CTB for RSA secret key certificate
217: 1 2 16-bit length of packet
218: 3 4 Timestamp
219: 7 ? User ID
220: ? ? MPI of RSA public modulus n
221: ? ? MPI of RSA public encryption exponent e
222: ? ? MPI of RSA secret decryption exponent d
223: ? ? MPI of RSA secret factor p
224: ? ? MPI of RSA secret factor q
225: ? ? MPI of RSA secret multiplicative inverse u
226: (All MPI's have bitcount prefixes)
227:
228: All secret fields in the secret key certificate may be password-
229: encrypted. The public fields are not encrypted.
230:
231:
232:
233: Public key certificate
234: ----------------------
235:
236: Offset Length Meaning
237: 0 1 CTB for RSA public key certificate
238: 1 2 16-bit length of packet
239: 3 4 Timestamp
240: 7 ? User ID
241: ? ? MPI of RSA public modulus n
242: ? ? MPI of RSA public encryption exponent e
243: (All MPI's have bitcount prefixes)
244:
245:
246:
247: "Secret key compromised" certificate
248: ------------------------------------
249:
250: Note that a "secret key compromise" certificate is exactly the same
251: as a public key certificate, but with public exponent e=0.
252:
253: The current version of PGP does not generate any secret key
254: compromise certificates.
255:
256:
257:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.