[Winpt-users] What is the format of the passphrase stored.

vedaal@hush.com vedaal at hush.com
Mon Dec 4 18:35:42 CET 2006 


On Sat, 02 Dec 2006 05:25:38 -0500 Timo Schulz <twoaday at gmx.net> 
wrote:
>Vineet Madan wrote:
>
>> Can u pl tell that in what format is the passphrase stored in 
>the keyring
>
>The passphrase is *not* stored in the keyring!
>
>The passphrase will be hashed in combined with a salt to
>produce a "derrived random key" which is used to encrypt
>the secret key parts.


Vineet,

this symmetrically 'encrypted' part is stored in the secret key,
but as an an encryption of the secret key, not as a passphrase

only the 'right' passphrase unlocks the symmetric encryption,
and allows the secret key to be used,


as an illustration,
here is a test key : wpttk at key.test

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (MingW32) 
Comment: rsa 1024 test key

mI0ERXRSMwEEAMAl6BY4x8Pu+ah/DGYSVxZur3OJ1YD5f3qTP8E39mxVlr2PYJa6
LB/atefIgexoAM1JZEHF3Tvo47ocuiZEWcCxf4Z5xn2CWbbZtKqQ61aqbqhnqq2O
J/w1TwMXuwSh2B1YCPZ02DAbfFtntid+3bizN6ReLswfO4yJ8UXQyP8zABEBAAG0
FndwdHRrIDx3cHR0a0BrZXkudGVzdD6ItwQTAQgAIQUCRXRSMwIbIQcLCQgHAwIB
BBUCCAMEFgIDAQIeAQIXgAAKCRDkxJBcpVkY7TBxBACozkloz2lQ7lwFhwIYhzHj
x3Ox0gkMyCEdcm8CRtZ9ntmBnim8ubaWjp3BobhFmGOhLT0cBDUdJXakENph06ft
JFyp7n/RGmer+LspcAc5D1H4FRLehP5ZKvlu5G5yn6lAuHGHEUuyGNwYgPQurQvl
zaO/GFzKbx/lkgvl6aDetQ==
=W3FE
-----END PGP PUBLIC KEY BLOCK-----

here is the secret key, with a passphrase encrypting it:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.5 (MingW32)
Comment: passphrase: wpttk

lQIGBEV0UjMBBADAJegWOMfD7vmofwxmElcWbq9zidWA+X96kz/BN/ZsVZa9j2CW
uiwf2rXnyIHsaADNSWRBxd076OO6HLomRFnAsX+GecZ9glm22bSqkOtWqm6oZ6qt
jif8NU8DF7sEodgdWAj2dNgwG3xbZ7Ynft24szekXi7MHzuMifFF0Mj/MwARAQAB
/goDCDq4t2eTBURkYEoc2giyNp6REwln96/DxlVrxN3QfgW2MzeTo6stTKyt3X2e
p7i/59QuNeeScnTnc1WaJIvtgWDCE2gH7K7HFe+u5Ny/pILJRqLUj1wIAGqCCyY1
6qWPMjxKPLN87M1vuHZqjFv8SB5q7TR4mocjolZul9YQeMTs+JhuCbk/M/0i+8r0
0AdroGxwobPHV1JEpBL1p1VOPcoeXbFqY8hBD4tJXpaUjD66E9g21ijtoYv7YasL
FXmgCUYQGdl55TNOvl+OeyVgRdbl5IsPlxSDwgyi7DQpnl5mU0jS1cHM9+XGwbe+
X/hUTASK6TEeHN8LnV0BthasuFBvd0q/HAW0lzXr5j7ogYCXepERrHM2cIvZ5mpq
JjVPx3AaEjhATUrrIBrlGUmecG1vq5P94Y0EhZhLURaduPV1qI/2VFTfyr4lUcOb
YyHJKyWEyjTWVmgE3Y/zR9atmyxb8pazyf8bnZpKCH5uhlE23HbV7Cm0FndwdHRr
IDx3cHR0a0BrZXkudGVzdD6ItwQTAQgAIQUCRXRSMwIbIQcLCQgHAwIBBBUCCAME
FgIDAQIeAQIXgAAKCRDkxJBcpVkY7TBxBACozkloz2lQ7lwFhwIYhzHjx3Ox0gkM
yCEdcm8CRtZ9ntmBnim8ubaWjp3BobhFmGOhLT0cBDUdJXakENph06ftJFyp7n/R
Gmer+LspcAc5D1H4FRLehP5ZKvlu5G5yn6lAuHGHEUuyGNwYgPQurQvlzaO/GFzK
bx/lkgvl6aDetQ==
=UxHn
-----END PGP PRIVATE KEY BLOCK-----

here is the secret key with _no_ passphrase:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.5 (MingW32)
Comment: no passphrase, secret key un-encrypted

lQHYBEV0UjMBBADAJegWOMfD7vmofwxmElcWbq9zidWA+X96kz/BN/ZsVZa9j2CW
uiwf2rXnyIHsaADNSWRBxd076OO6HLomRFnAsX+GecZ9glm22bSqkOtWqm6oZ6qt
jif8NU8DF7sEodgdWAj2dNgwG3xbZ7Ynft24szekXi7MHzuMifFF0Mj/MwARAQAB
AAP9FDVIYeHp3IjrF9X4y1ldcF4GtMuHuU9EIXOQDnWgxIcB2gDUwzVkQ5tgazaS
t3a+sthno2U4Xb8iCCZSS4j/uU4qtc8A0l3+2b3QMwDY3Uk3h21RP0yG14b0avXH
2wWD77VHCNTHzAOf4VAdGhAAWz3CZ1d25enZXl0uByKlX3ECANysoch+6Kc+rqpB
rArR+WndicyOEPFO6JHGSNYdcIZ3/de+EViEaESe9nfQ3wPsc9Wivywxy44hKA0W
Qnt+RWMCAN7oQDO3g15uVRAVyyxs0SZ2igtZDkZp6MQgyhJEPcHKfSo1FrOs6PkF
SXPO18nCqmNvc9ylY6Ioxu4pIQ8Jr/EB/RQzA6rRTeOKb1uhbQ2qTkz/W8ArWBAU
s9TfaUwDiELlCfCKlKBMaNNjJ00JCGjbgPUhcZNAEtAYtDMRtaHfTK6dkLQWd3B0
dGsgPHdwdHRrQGtleS50ZXN0Poi3BBMBCAAhBQJFdFIzAhshBwsJCAcDAgEEFQII
AwQWAgMBAh4BAheAAAoJEOTEkFylWRjtMHEEAKjOSWjPaVDuXAWHAhiHMePHc7HS
CQzIIR1ybwJG1n2e2YGeKby5tpaOncGhuEWYY6EtPRwENR0ldqQQ2mHTp+0kXKnu
f9EaZ6v4uylwBzkPUfgVEt6E/lkq+W7kbnKfqUC4cYcRS7IY3BiA9C6tC+XNo78Y
XMpvH+WSC+XpoN61
=l4z5
-----END PGP PRIVATE KEY BLOCK-----

now,

save both of these private key blocks, and run gpg --list-packets
and compare the results:

i save the one with the secret key, as v:\wpttkSK.asc
and the one without the passphrase as v:\wpttkSKNP.asc

here is a comparison of the gpg --list-packet outputs:

c:\gnupg>gpg --list-packets v:\wpttkSK.asc
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: GnuPG v1.4.5

:public key packet:
        version 4, algo 1, created 1165251123, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [17 bits]
:user ID packet: "wpttk <wpttk at key.test>"
:signature packet: algo 1, keyid E4C4905CA55918ED
        version 4, created 1165251123, md5len 0, sigclass 13
        digest algo 8, begin of digest 30 71
        hashed subpkt 2 len 4 (sig created 2006-12-04)
        hashed subpkt 27 len 1 (key flags: 21)
        hashed subpkt 11 len 6 (pref-sym-algos: 9 8 7 3 2 1)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        subpkt 16 len 8 (issuer key ID E4C4905CA55918ED)
        data: [1024 bits]
gpg: armor: BEGIN PGP PRIVATE KEY BLOCK
gpg: armor header: Version: GnuPG v1.4.5 (MingW32) 

:secret key packet:
        version 4, algo 1, created 1165251123, expires 0
        skey[0]: [1024 bits]
        skey[1]: [17 bits]
        iter+salt S2K, algo: 10, SHA1 protection, hash: 8, salt: 
3ab8b7679305446
4
        protect count: 96
        protect IV:  4a 1c da 08 b2 36 9e 91 13 09 67 f7 af c3 c6 55
        encrypted stuff follows
:user ID packet: "wpttk <wpttk at key.test>"
:signature packet: algo 1, keyid E4C4905CA55918ED
        version 4, created 1165251123, md5len 0, sigclass 13
        digest algo 8, begin of digest 30 71
        hashed subpkt 2 len 4 (sig created 2006-12-04)
        hashed subpkt 27 len 1 (key flags: 21)
        hashed subpkt 11 len 6 (pref-sym-algos: 9 8 7 3 2 1)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        subpkt 16 len 8 (issuer key ID E4C4905CA55918ED)
        data: [1024 bits]


c:\gnupg>gpg --list-packets v:\wpttkSKNP.asc

(snipped public key part)

gpg: armor: BEGIN PGP PRIVATE KEY BLOCK
gpg: armor header: Version: GnuPG v1.4.5 (MingW32)

:secret key packet:
        version 4, algo 1, created 1165251123, expires 0
        skey[0]: [1024 bits]
        skey[1]: [17 bits]
        skey[2]: [1021 bits]
        skey[3]: [512 bits]
        skey[4]: [512 bits]
        skey[5]: [509 bits]
        checksum: 9d90
:user ID packet: "wpttk <wpttk at key.test>"
:signature packet: algo 1, keyid E4C4905CA55918ED
        version 4, created 1165251123, md5len 0, sigclass 13
        digest algo 8, begin of digest 30 71
        hashed subpkt 2 len 4 (sig created 2006-12-04)
        hashed subpkt 27 len 1 (key flags: 21)
        hashed subpkt 11 len 6 (pref-sym-algos: 9 8 7 3 2 1)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        subpkt 16 len 8 (issuer key ID E4C4905CA55918ED)
        data: [1024 bits]


without the passphrase:
these parts of the secret key are ready for use:

skey[2]: [1021 bits]
skey[3]: [512 bits]
skey[4]: [512 bits]
skey[5]: [509 bits]

in the first example,
they are encrypted, and unavailable

in a sense,
the passphrase is 'stored' only functionally,
that the symmetrically encrypted packet
uses specifically that passphrase as the key to decrypt it


vedaal




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

More information about the Winpt-users mailing list