📄 rfc2440.txt
字号:
Network Working Group J. Callas
Request for Comments: 2440 Network Associates
Category: Standards Track L. Donnerhacke
IN-Root-CA Individual Network e.V.
H. Finney
Network Associates
R. Thayer
EIS Corporation
November 1998
OpenPGP Message Format
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
IESG Note
This document defines many tag values, yet it doesn't describe a
mechanism for adding new tags (for new features). Traditionally the
Internet Assigned Numbers Authority (IANA) handles the allocation of
new values for future expansion and RFCs usually define the procedure
to be used by the IANA. However, there are subtle (and not so
subtle) interactions that may occur in this protocol between new
features and existing features which result in a significant
reduction in over all security. Therefore, this document does not
define an extension procedure. Instead requests to define new tag
values (say for new encryption algorithms for example) should be
forwarded to the IESG Security Area Directors for consideration or
forwarding to the appropriate IETF Working Group for consideration.
Abstract
This document is maintained in order to publish all necessary
information needed to develop interoperable applications based on the
OpenPGP format. It is not a step-by-step cookbook for writing an
application. It describes only the format and methods needed to read,
check, generate, and write conforming packets crossing any network.
It does not deal with storage and implementation questions. It does,
Callas, et. al. Standards Track [Page 1]
RFC 2440 OpenPGP Message Format November 1998
however, discuss implementation issues necessary to avoid security
flaws.
Open-PGP software uses a combination of strong public-key and
symmetric cryptography to provide security services for electronic
communications and data storage. These services include
confidentiality, key management, authentication, and digital
signatures. This document specifies the message formats used in
OpenPGP.
Table of Contents
Status of this Memo 1
IESG Note 1
Abstract 1
Table of Contents 2
1. Introduction 4
1.1. Terms 5
2. General functions 5
2.1. Confidentiality via Encryption 5
2.2. Authentication via Digital signature 6
2.3. Compression 7
2.4. Conversion to Radix-64 7
2.5. Signature-Only Applications 7
3. Data Element Formats 7
3.1. Scalar numbers 8
3.2. Multi-Precision Integers 8
3.3. Key IDs 8
3.4. Text 8
3.5. Time fields 9
3.6. String-to-key (S2K) specifiers 9
3.6.1. String-to-key (S2k) specifier types 9
3.6.1.1. Simple S2K 9
3.6.1.2. Salted S2K 10
3.6.1.3. Iterated and Salted S2K 10
3.6.2. String-to-key usage 11
3.6.2.1. Secret key encryption 11
3.6.2.2. Symmetric-key message encryption 11
4. Packet Syntax 12
4.1. Overview 12
4.2. Packet Headers 12
4.2.1. Old-Format Packet Lengths 13
4.2.2. New-Format Packet Lengths 13
4.2.2.1. One-Octet Lengths 14
4.2.2.2. Two-Octet Lengths 14
4.2.2.3. Five-Octet Lengths 14
4.2.2.4. Partial Body Lengths 14
4.2.3. Packet Length Examples 14
Callas, et. al. Standards Track [Page 2]
RFC 2440 OpenPGP Message Format November 1998
4.3. Packet Tags 15
5. Packet Types 16
5.1. Public-Key Encrypted Session Key Packets (Tag 1) 16
5.2. Signature Packet (Tag 2) 17
5.2.1. Signature Types 17
5.2.2. Version 3 Signature Packet Format 19
5.2.3. Version 4 Signature Packet Format 21
5.2.3.1. Signature Subpacket Specification 22
5.2.3.2. Signature Subpacket Types 24
5.2.3.3. Signature creation time 25
5.2.3.4. Issuer 25
5.2.3.5. Key expiration time 25
5.2.3.6. Preferred symmetric algorithms 25
5.2.3.7. Preferred hash algorithms 25
5.2.3.8. Preferred compression algorithms 26
5.2.3.9. Signature expiration time 26
5.2.3.10.Exportable Certification 26
5.2.3.11.Revocable 27
5.2.3.12.Trust signature 27
5.2.3.13.Regular expression 27
5.2.3.14.Revocation key 27
5.2.3.15.Notation Data 28
5.2.3.16.Key server preferences 28
5.2.3.17.Preferred key server 29
5.2.3.18.Primary user id 29
5.2.3.19.Policy URL 29
5.2.3.20.Key Flags 29
5.2.3.21.Signer's User ID 30
5.2.3.22.Reason for Revocation 30
5.2.4. Computing Signatures 31
5.2.4.1. Subpacket Hints 32
5.3. Symmetric-Key Encrypted Session-Key Packets (Tag 3) 32
5.4. One-Pass Signature Packets (Tag 4) 33
5.5. Key Material Packet 34
5.5.1. Key Packet Variants 34
5.5.1.1. Public Key Packet (Tag 6) 34
5.5.1.2. Public Subkey Packet (Tag 14) 34
5.5.1.3. Secret Key Packet (Tag 5) 35
5.5.1.4. Secret Subkey Packet (Tag 7) 35
5.5.2. Public Key Packet Formats 35
5.5.3. Secret Key Packet Formats 37
5.6. Compressed Data Packet (Tag 8) 38
5.7. Symmetrically Encrypted Data Packet (Tag 9) 39
5.8. Marker Packet (Obsolete Literal Packet) (Tag 10) 39
5.9. Literal Data Packet (Tag 11) 40
5.10. Trust Packet (Tag 12) 40
5.11. User ID Packet (Tag 13) 41
6. Radix-64 Conversions 41
Callas, et. al. Standards Track [Page 3]
RFC 2440 OpenPGP Message Format November 1998
6.1. An Implementation of the CRC-24 in "C" 42
6.2. Forming ASCII Armor 42
6.3. Encoding Binary in Radix-64 44
6.4. Decoding Radix-64 46
6.5. Examples of Radix-64 46
6.6. Example of an ASCII Armored Message 47
7. Cleartext signature framework 47
7.1. Dash-Escaped Text 47
8. Regular Expressions 48
9. Constants 49
9.1. Public Key Algorithms 49
9.2. Symmetric Key Algorithms 49
9.3. Compression Algorithms 50
9.4. Hash Algorithms 50
10. Packet Composition 50
10.1. Transferable Public Keys 50
10.2. OpenPGP Messages 52
10.3. Detached Signatures 52
11. Enhanced Key Formats 52
11.1. Key Structures 52
11.2. Key IDs and Fingerprints 53
12. Notes on Algorithms 54
12.1. Symmetric Algorithm Preferences 54
12.2. Other Algorithm Preferences 55
12.2.1. Compression Preferences 56
12.2.2. Hash Algorithm Preferences 56
12.3. Plaintext 56
12.4. RSA 56
12.5. Elgamal 57
12.6. DSA 58
12.7. Reserved Algorithm Numbers 58
12.8. OpenPGP CFB mode 58
13. Security Considerations 59
14. Implementation Nits 60
15. Authors and Working Group Chair 62
16. References 63
17. Full Copyright Statement 65
1. Introduction
This document provides information on the message-exchange packet
formats used by OpenPGP to provide encryption, decryption, signing,
and key management functions. It builds on the foundation provided in
RFC 1991 "PGP Message Exchange Formats."
Callas, et. al. Standards Track [Page 4]
RFC 2440 OpenPGP Message Format November 1998
1.1. Terms
* OpenPGP - This is a definition for security software that uses
PGP 5.x as a basis.
* PGP - Pretty Good Privacy. PGP is a family of software systems
developed by Philip R. Zimmermann from which OpenPGP is based.
* PGP 2.6.x - This version of PGP has many variants, hence the term
PGP 2.6.x. It used only RSA, MD5, and IDEA for its cryptographic
transforms. An informational RFC, RFC 1991, was written
describing this version of PGP.
* PGP 5.x - This version of PGP is formerly known as "PGP 3" in the
community and also in the predecessor of this document, RFC 1991.
It has new formats and corrects a number of problems in the PGP
2.6.x design. It is referred to here as PGP 5.x because that
software was the first release of the "PGP 3" code base.
"PGP", "Pretty Good", and "Pretty Good Privacy" are trademarks of
Network Associates, Inc. and are used with permission.
This document uses the terms "MUST", "SHOULD", and "MAY" as defined
in RFC 2119, along with the negated forms of those terms.
2. General functions
OpenPGP provides data integrity services for messages and data files
by using these core technologies:
- digital signatures
- encryption
- compression
- radix-64 conversion
In addition, OpenPGP provides key management and certificate
services, but many of these are beyond the scope of this document.
2.1. Confidentiality via Encryption
OpenPGP uses two encryption methods to provide confidentiality:
symmetric-key encryption and public key encryption. With public-key
encryption, the object is encrypted using a symmetric encryption
algorithm. Each symmetric key is used only once. A new "session key"
is generated as a random number for each message. Since it is used
Callas, et. al. Standards Track [Page 5]
RFC 2440 OpenPGP Message Format November 1998
only once, the session key is bound to the message and transmitted
with it. To protect the key, it is encrypted with the receiver's
public key. The sequence is as follows:
1. The sender creates a message.
2. The sending OpenPGP generates a random number to be used as a
session key for this message only.
3. The session key is encrypted using each recipient's public key.
These "encrypted session keys" start the message.
4. The sending OpenPGP encrypts the message using the session key,
which forms the remainder of the message. Note that the message
is also usually compressed.
5. The receiving OpenPGP decrypts the session key using the
recipient's private key.
6. The receiving OpenPGP decrypts the message using the session key.
If the message was compressed, it will be decompressed.
With symmetric-key encryption, an object may be encrypted with a
symmetric key derived from a passphrase (or other shared secret), or
a two-stage mechanism similar to the public-key method described
above in which a session key is itself encrypted with a symmetric
algorithm keyed from a shared secret.
Both digital signature and confidentiality services may be applied to
the same message. First, a signature is generated for the message and
attached to the message. Then, the message plus signature is
encrypted using a symmetric session key. Finally, the session key is
encrypted using public-key encryption and prefixed to the encrypted
block.
2.2. Authentication via Digital signature
The digital signature uses a hash code or message digest algorithm,
and a public-key signature algorithm. The sequence is as follows:
1. The sender creates a message.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -