PGP BouncyCastle + Kleopatra Decryption: Unknown Packet Type: 20

Question

I am attempting to decrypt a file using BouncyCastle in C# that has been encrypted with RSA via Kleopatra. Unfortunately, I am receiving an error that states "Unknown packet type encountered: 20" when processing through the first few lines of decryption. The (pseudo) code:

   using (Stream inputStream = File.OpenRead(test.txt.gpg))
   {
       using (Stream keyIn = File.OpenRead(privatekey.asc))
       {
                PgpObject o = null;

                PgpObjectFactory pgpF = new PgpObjectFactory(PgpUtilities.GetDecoderStream(inputStream));
                
                PgpSecretKeyRingBundle pgpSec = new PgpSecretKeyRingBundle(PgpUtilities.GetDecoderStream(privateKeyStream));

                if (pgpF != null)
                {
                    o = pgpF.NextPgpObject(); -- THIS LINE THROWS THE UNKNOWN PACKET TYPE ERROR
                }
       }
   }

After googling, I have seen examples that the above code snippet models, but I have not yet seen any information about unknown packet types.

Does anyone know if I am doing anything wrong, or can point me in the direction of documentation of the error code numbers?

Thank you in advance for your time.

not2savvy · Accepted Answer

This packet type is not part of the official OpenPGP standard as defined in RFC 4880, which defines packet types only up to 19 (see section 4.3).

However, there is a Work in progress to update the OpenPGP specification from RFC4880 which defines packet type 20 as AEAD Encrypted Data Packet (see section 5.16).

Update: The successor RFC 9580 has been published in July 2024, but it does not define packet type 20 any more. There's also no more mentioning of AEAD at all. Not sure what this means with regard to existing implementations.

AEAD means Authenticated Encryption with Associated Data. It allows to include data from outside the actual encryption data in the authentication part. This aims at making it impossible to use the encrypted data outside its original context, effectively disabling a replay attack. For details, see this answer.

Obviously, said draft has not been approved and also has expired. Nevertheless, GnuPG seems to have implemented the proposal in version 2.3 (which Kleopatra uses under the hood), and even made it default, as I understand the docs (quoted from OpenPGP protocol specific options):

The MDC is always used unless the keys indicate that an AEAD algorithm can be used in which case AEAD is used.

By default, GnuPG 2.3+ generates keys that support AEAD, and when a key claims support for AEAD, GnuPG will use it to encrypt data.

BouncyCastle does not currently support PGP encryption with AEAD. As a work-around for this problem, PGP keys should be generated using GnuPG with the --rfc4880 or --openpgp flag which makes sure that the key adheres to RFC 4880.

It's also possible to remove AEAD from an existing key. To do so, first, edit the key and display the existing options:

$ gpg --expert --edit-key 
gpg> showpref
[ultimate] (1). Foobar McFooface (test) 
    Cipher: AES256, AES192, AES, 3DES
    AEAD: OCB
    Digest: SHA512, SHA384, SHA256, SHA224, SHA1
    Compression: ZLIB, BZIP2, ZIP, Uncompressed
    Features: MDC, AEAD, Keyserver no-modify

Then set the same options without AEAD:

gpg> setpref AES256 AES192 AES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP
Set preference list to:
    Cipher: AES256, AES192, AES, 3DES
    AEAD:
    Digest: SHA512, SHA384, SHA256, SHA224, SHA1
    Compression: ZLIB, BZIP2, ZIP, Uncompressed
    Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y

(Found on GnuPG ArchWiki: 8.1 Disable unsupported AEAD mechanism)

Updates

Since version 1.72 of BouncyCastle (Java library), support for PGP with AEAD has been added.

PGP BouncyCastle + Kleopatra Decryption: Unknown Packet Type: 20

Answers (2)

Updates

Related Questions