Technical question about PGP passphrase verification

From: Kevin Fourtwenty (Kevin_at_Fourtwenty)
Date: 09/03/04


Date: Fri, 3 Sep 2004 15:27:16 -0400

Hi,

I have spent hours trying to figure this out. I'm not sure why it's so
important to me, but I'm really curious. When you type an incorrect
passphrase to decrypt a symmetrically encrypted message, how does it know
that the password is incorrect? Now, having spent a lot of time trying to
find this out, before posting here, I have found two different explanations.

One person said:

"it's even simpler than that. no need to calculate CRC or hash. to check if
passphrase is correct it's enough to decrypt first 10 (18 for AES and
Twofish) bytes and compare byte 7 with 9 and 8 with 10 (15 with 16 and 17
with 18 for AES and Twofish), if they match, passphrase is correct."

The following somewhat verified that for me:

"Thus, for an algorithm that has a block size of 8 octets (64 bits), the IV
is 10 octets long and octets 7 and 8 of the IV are the same as octets 9 and
10. For an algorithm with a blocksize of 16 octets (128 bits), the IV is 18
octets long, and octets 17 and 18 replicate octets 15 and 16. Those extra
two octets are an easy check for a correct key." (from RFC 2440)

Also someone mentioned this:

"This hash is not stored; a 2-byte checksum of the encrypted data catches
most bad passphrases."

The first one seems like it most likely is the way PGP does this.
Apparently there are several ways to do this, but since I am writing an
article on PGP, I would like to know specifically how PGP does it.

Thanks for your time and information.

Kevin
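
The repeated-octet check from the RFC 2440 excerpt quoted above, as an added sketch that is not part of the original post and is not PGP's own code. Assumptions: s2k() and encrypt_block() are hypothetical stand-ins built from SHA-256 so the sketch runs with the standard library only, and the "wrong-N" passphrases are constructed sample input.

```python
import hashlib
import os

BS = 8  # block size in octets: 8 for a 64-bit cipher, 16 for AES/Twofish

def s2k(passphrase):
    # Assumption: one SHA-256 stands in for OpenPGP's string-to-key step.
    return hashlib.sha256(passphrase.encode()).digest()

def encrypt_block(key, block):
    # Assumption: a truncated keyed hash stands in for the block cipher.
    # CFB only ever uses the cipher's encrypt direction, so this is enough
    # to show the data flow; it is NOT a real cipher.
    return hashlib.sha256(key + block).digest()[:BS]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_prefix(passphrase, rand=None):
    """Return the first BS+2 ciphertext octets: random data plus the repeat."""
    key = s2k(passphrase)
    rand = os.urandom(BS) if rand is None else rand
    prefix = rand + rand[-2:]                    # last two octets repeated
    c1 = xor(encrypt_block(key, bytes(BS)), prefix[:BS])   # all-zero IV
    c2 = xor(encrypt_block(key, c1)[:2], prefix[BS:])
    return c1 + c2

def quick_check(passphrase, ct):
    """Decrypt BS+2 octets and compare the repeated pair."""
    key = s2k(passphrase)
    c1, c2 = ct[:BS], ct[BS:BS + 2]
    p1 = xor(encrypt_block(key, bytes(BS)), c1)
    p2 = xor(encrypt_block(key, c1)[:2], c2)
    return p1[-2:] == p2

def false_accepts(ct, n):
    # Only 16 bits are compared, so about n / 65536 wrong passphrases
    # pass the check by chance.
    return sum(quick_check(f"wrong-{i}", ct) for i in range(n))

if __name__ == "__main__":
    ct = encrypt_prefix("correct passphrase")
    print(quick_check("correct passphrase", ct), false_accepts(ct, 100000))
```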
