CODEWITHSUNDEEP
encryptionpgpopenpgp
calccrypto
calccrypto

Reputation: 8991

OpenPGP tag 18/19 description confusion

Can someone please clear up a bit of MDC and data encryption for me? in rfc 4880, it says:

The plaintext of the data to be encrypted is passed through the SHA-1 hash function, and the result of the hash is appended to the plaintext in a Modification Detection Code packet. The input to the hash function includes the prefix data described above; it includes all of the plaintext, and then also includes two octets of values 0xD3, 0x14. These represent the encoding of a Modification Detection Code packet tag and length field of 20 octets.

at first, it seems like the mdc (without its header data) is just: sha1([data]) -> hash_value

then the second sentence up to the semicolon makes it seem like sha1(OpenPGP_CFB_extra_data + [data]) -> hash_value

the stuff after the semicolon makes it seem like I am supposed to do sha1([data] + "\xd3\x14") -> hash_value. (this doesnt make sense at all, but it seems to be what is written)

what is going on?

after getting the correct MDC, what is done with it? is it its own packet, or something like this (according to my understanding) done?:

tag18_header + encrypt(plaintext + "\xd3\x14" + 20 byte hash)

Upvotes: 4

Views: 401

Answers (1)

Anders Lindahl
Anders Lindahl

Reputation: 42890

After reading RFC 4880 and parts of the GnuPG source code (g10/cipher.c seems to be the place where this is handled), I interpret it is like this:

  • 0xd3 is the MDC packet tag.
  • 0x14 is the MDC packet length (20 bytes).

The MDC hash is computed like this:

MCD_hash = SHA-1(OpenPGP_CFB_extra_data + [plaintext] + "\xd3\x14")

Then this is appended to the plaintext message and encrypted:

encrypt(OpenPGP_CFB_extra_data + [plaintext] + "\xd3\x14" + MDC_hash)

When decrypted, this hash is verified by computing SHA-1 of everything but the last 20 bytes and comparing the result to the last 20 bytes, as RFC 4880 writes (page 50):

During decryption, the plaintext data should be hashed with SHA-1, including the prefix data as well as the packet tag and length field of the Modification Detection Code packet. The body of the MDC packet, upon decryption, is compared with the result of the SHA-1 hash.

Upvotes: 3

Related Questions