.\" -*-nroff-*- .ie t \{\ . if \n(.g \{\ . fam P . \} . ds ss \s8\u . ds se \d\s0 . ds us \s8\d . ds ue \u\s0 . ds *t \(*t .\} .el \{\ . ds ss ^ . ds se . ds us _ . ds ue . ds *t \fIt\fP .\} .TH keyring 5 "5 June 1999" "Straylight/Edgeware" "Catacomb cryptographic library" .SH NAME keyring \- description of Catacomb keyring files .SH DESCRIPTION Keyring files are line-oriented text files. It is recommended that programs use only the provided interface for reading and modifying keyring files for consistency of locking and representation: this description is provided for the benefit of administrators attempting to understand or repair keyring files. .SS "File format" Lines containing only whitespace and lines whose first non-whitespace character is .RB ` # ' are ignored, but are not written back to the file. Thus, the comment facility is not particularly useful. .PP Each remaining line describes a key. .SS "Key records" Key descriptions consist of between 4 and six whitespace-separated fields. The final comment field may contain whitespace characters. The fields are, in order: .TP .B type The key's type string, set when the key was created. .TP .B "key data" The actual key. See below. .TP .B "expiry time" The time at which this key expires, represented as an integer, in the format returned by the .BR time (2) system call. .TP .B "deletion time" The time at which this key should be deleted, using the same representation as the expiry time. The special value 0 signifies that the key should be deleted on expiry. .TP .B attributes The key's attributes, encoded using the `form-urlencoded' encoding defined in RFC1866. This field is optional: if it is omitted, the key has no attributes. Alternatively, if there are no attributes, this field may be given as a single dash .RB ` \- '. .TP .B comment The comment field. This field is optional. It may contain whitespace. It is deliberately not included as an attribute, since the urlencoded nature of attributes makes them hard to read when perusing a keyring file. .SS "Key data" There are two basic formats for keys: the .I text encoding and the .I binary encoding. The usual form for keys in a keyring is the text encoding; however, keys are represented as binary prior to being encrypted. .PP The textual form of a key is a comma-separated sequence of .IR attributes , followed by a .RB ` : ' and the actual key data. The attributes are as follows. .TP .BR "binary" ", " "integer" ", " "struct" ", " "encrypt" ", " "string" ", " "ec" The key encoding type. This describes the format of the actual key data. .TP .BR "symmetric" ", " "private" ", " "public" ", " "shared" The kind of key this is. This field can be used to filter public keys from private ones. .TP .B "burn" The key is sensitive; it should be stored in secure memory, and properly deleted after use. .PP As mentioned, the format of the key data itself following the colon depends on the encoding type. This works as follows. .TP .B "binary" The binary data is base64 encoded (RFC2045). .TP .B "integer" The integer is a string of decimal digits. .TP .B "struct" The representation is a .RB ` [ ' followed by a sequence of .IB name = value pairs separated by .RB ` , ', and a final .RB ` ] '. The names are the subkey labels; the values are the encodings of the individual subkeys. .TP .B "string" The string is form-urlencoded (RFC1866). .TP .B "ec" The point at infinity is denoted .BR inf ; otherwise the point is written as a pair of hexadecimal integers, each preceded by .B 0x and separated by .RB ` , '. .TP .B "encrypt" The actual key data is encoded as binary and encrypted; the ciphertext is base64 encoded (RFC2045). Encryption works as follows. Let the passphrase be .I P and the plaintext be .IR m . A 160-bit nonce .I N is chosen at random. Let .IR K \ =\ N \ ||\ K . Generate 320 bits of output from RIPEMD-160 in MGF1 mode with seed .IR K ; let .I K\*(usE\*(ue be the first half and .I K\*(usT\*(ue be the second. Encrypt the message .I m using Blowfish in CBC mode, with ciphertext stealing if necessary, using a zero IV and the key .IR K\*(usE\*(ue , giving the ciphertext .IR y\*(us0\*(ue . Let \*(*t be the 160-bit tag obtained from RIPEMD-160 in HMAC mode on the message .I y\*(us0\*(ue and with key .IR K\*(usT\*(ue . The ciphertext is then .IR y \ =\ N \ ||\ \*(*t\ ||\ y\*(us0\*(ue . This encryption scheme can be shown to provide integrity of ciphertexts and indistinguishability against chosen-ciphertext attack against an adversary who doesn't know .IR P . .PP The binary format is also quite simple. All integers are stored base-256, one digit per octet, in big-endian order. A key begins with a header consisting of a two-octet flags field and a two-octet length. The flags encode the attributes described above; see the header file .B key\-data.h for the values of the flags. The length gives the number of octets in the following key data, not including the header. Finally, the key data is padded with zero octets to make it a multiple of 4 octets long. The length does not include this padding. The various key encodings are as follows. .TP .B "binary" The key data is stored as-is. .TP .B "integer" The integer is stored, base-256, one digit per octet, in big-endian order, using as few octets as possible. The value 0 has length zero. .TP .B "struct" A sequence of subkeys is stored; the sequence is sorted by lexicographical order of the subkeys' labels. Each subkey consists of a single octet giving the length of the subkey's label; the label itself in ASCII, zero-octet padding to make the subkey start at a multiple of four octets, and then the encoding of the subkey. There is no terminator: the outer length field indicates when to stop reading subkeys. .TP .B "string" The string is stored as-is, with no terminator. .TP .B "ec" The point at infinity has length zero. Otherwise, the key consists of the .IR x - and .IR y -coordinates expressed as integers in the obvious way and encoded as for .B integer keys, each preceded by a two-octet length. There is no padding between the two coordinates. .TP .B "encrypt" The key data is encoded as binary and encrypted as described above. The resulting ciphertext is stored as is. .SS "Fingerprints" The fingerprint is computed by hashing the binary representation of (the selected parts of) a key's data followed by the key type preceded by a single length octet, and the key's attributes, in lexicographic order of the attribute name. Each attribute consists of the attribute's name preceded by a single length octet, followed by the value preceded by a two-octet length. The lengths do not include themselves; neither string has a terminator character; there is no padding. .SH AUTHOR Mark Wooding,