Technical question about PGP passphrase verification

From: Kevin Fourtwenty (Kevin_at_Fourtwenty)
Date: 09/03/04

Date: Fri, 3 Sep 2004 15:27:16 -0400


I have spent hours trying to figure this out. I'm not sure why it's so
important to me, but I'm really curious. When you type an incorrect
passphrase to decrypt a symmetrically encrypted message, how does it know
that the password is incorrect? Now, having spent a lot of time trying to
find this out before posting here, I have found two different explanations.

One person said:

"it's even simpler than that. no need to calculate CRC or hash. to check if
passphrase is correct it's enough to decrypt first 10 (18 for AES and
Twofish) bytes and compare byte 7 with 9 and 8 with 10 (15 with 16 and 17
with 18 for AES and Twofish), if they match passphrase is correct."

The following somewhat verified that for me:

"Thus, for an algorithm that has a block size of 8 octets (64 bits), the IV
is 10 octets long and octets 7 and 8 of the IV are the same as octets 9 and
10. For an algorithm with a blocksize of 16 octets (128 bits), the IV is 18
octets long, and octets 17 and 18 replicate octets 15 and 16. Those extra
two octets are an easy check for a correct key." (from RFC 2440)

Also someone mentioned this:

"This hash is not stored; a 2-byte checksum of the encrypted data catches
most bad passphrases."

The first one seems like it most likely is the way PGP does this.
Apparently there are several ways to do this, but since I am writing an
article on PGP, I would like to know specifically how PGP does it.

Thanks for your time and information.
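
The check described in the RFC 2440 passage quoted above, for the 8-octet block case, as an added example that is not part of the original post and is not PGP's own code. Assumptions: plain SHA-256 stands in for the string-to-key step, truncated HMAC-SHA256 stands in for a 64-bit block cipher (the Python standard library ships none), and all function names are hypothetical.

```python
import hashlib
import hmac
import os

BS = 8  # block size in octets (the 64-bit case: 10-octet prefix)

def derive_key(passphrase: str) -> bytes:
    # Assumption: plain SHA-256 stands in for OpenPGP's string-to-key step.
    return hashlib.sha256(passphrase.encode()).digest()

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 stands in for a 64-bit block cipher.
    # CFB only ever runs the cipher in the encrypt direction, so this suffices.
    return hmac.new(key, block, hashlib.sha256).digest()[:BS]

def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so a 2-octet b uses the left 2 octets of a.
    return bytes(x ^ y for x, y in zip(a, b))

def make_prefix(key: bytes, random_block: bytes = None) -> bytes:
    """Encrypt BS random octets plus a repeat of the last two (CFB, zero IV)."""
    r = os.urandom(BS) if random_block is None else random_block
    plain = r + r[-2:]
    c1 = xor(encrypt_block(key, bytes(BS)), plain[:BS])
    c2 = xor(encrypt_block(key, c1), plain[BS:])
    return c1 + c2

def quick_check(key: bytes, ciphertext: bytes) -> bool:
    """Decrypt the first BS+2 octets; compare octets 7,8 with 9,10."""
    c1, c2 = ciphertext[:BS], ciphertext[BS:BS + 2]
    p1 = xor(encrypt_block(key, bytes(BS)), c1)
    p2 = xor(encrypt_block(key, c1), c2)
    return p1[-2:] == p2

def count_false_accepts(ciphertext: bytes, guesses) -> int:
    # Number of wrong passphrases that still pass the 2-octet check.
    return sum(quick_check(derive_key(g), ciphertext) for g in guesses)

if __name__ == "__main__":
    ct = make_prefix(derive_key("correct horse"))  # constructed sample message
    print("right passphrase:", quick_check(derive_key("correct horse"), ct))
    wrong = [f"guess-{i}" for i in range(100000)]
    print("false accepts in 100000:", count_false_accepts(ct, wrong))
```

Because only two octets are compared, a wrong key passes this check with probability about 1 in 65536, so a pass is a strong hint rather than proof that the passphrase is right.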