.\" -*-nroff-*-
+.ie t \{\
+. if \n(.g \{\
+. fam P
+. \}
+. ds ss \s8\u
+. ds se \d\s0
+. ds us \s8\d
+. ds ue \u\s0
+. ds *t \(*t
+.\}
+.el \{\
+. ds ss ^
+. ds se
+. ds us _
+. ds ue
+. ds *t \fIt\fP
+.\}
.TH keyring 5 "5 June 1999" "Straylight/Edgeware" "Catacomb cryptographic library"
.SH NAME
keyring \- description of Catacomb keyring files
keyring files for consistency of locking and representation: this
description is provided for the benefit of administrators attempting to
understand or repair keyring files.
-.PP
+.SS "File format"
Lines containing only whitespace and lines whose first non-whitespace
character is
.RB ` # '
are ignored, but are not written back to the file. Thus, the comment
facility is not particularly useful.
.PP
-Each remaining line describes a key. Key descriptions consist of
+Each remaining line describes a key.
+.SS "Key records"
+Key descriptions consist of
between 4 and six whitespace-separated fields. The final comment field
may contain whitespace characters. The fields are, in order:
.TP
The key's type string, set when the key was created.
.TP
.B "key data"
-The actual key, Base64 encoded, as described in RFC2045.
+The actual key. See below.
.TP
.B "expiry time"
The time at which this key expires, represented as an integer, in the
It is deliberately not included as an attribute, since the urlencoded
nature of attributes makes them hard to read when perusing a keyring
file.
+.SS "Key data"
+There are two basic formats for keys: the
+.I text
+encoding and the
+.I binary
+encoding. The usual form for keys in a keyring is the text encoding;
+however, keys are represented as binary prior to being encrypted.
+.PP
+The textual form of a key is a comma-separated sequence of
+.IR attributes ,
+followed by a
+.RB ` : '
+and the actual key data. The attributes are as follows.
+.TP
+.BR "binary" ", " "integer" ", " "struct" ", " "encrypt" ", " "string" ", " "ec"
+The key encoding type. This describes the format of the actual key
+data.
+.TP
+.BR "symmetric" ", " "private" ", " "public" ", " "shared"
+The kind of key this is. This field can be used to filter public keys
+from private ones.
+.TP
+.B "burn"
+The key is sensitive; it should be stored in secure memory, and properly
+deleted after use.
+.PP
+As mentioned, the format of the key data itself following the colon
+depends on the encoding type. This works as follows.
+.TP
+.B "binary"
+The binary data is base64 encoded (RFC2045).
+.TP
+.B "integer"
+The integer is a string of decimal digits.
+.TP
+.B "struct"
+The representation is a
+.RB ` [ '
+followed by a sequence of
+.IB name = value
+pairs separated by
+.RB ` , ',
+and a final
+.RB ` ] '.
+The names are the subkey labels; the values are the encodings of the
+individual subkeys.
+.TP
+.B "string"
+The string is form-urlencoded (RFC1866).
+.TP
+.B "ec"
+The point at infinity is denoted
+.BR inf ;
+otherwise the point is written as a pair of hexadecimal integers, each
+preceded by
+.B 0x
+and separated by
+.RB ` , '.
+.TP
+.B "encrypt"
+The actual key data is encoded as binary and encrypted; the ciphertext
+is base64 encoded (RFC2045). Encryption works as follows. Let the
+passphrase be
+.I P
+and the plaintext be
+.IR m .
+A 160-bit nonce
+.I N
+is chosen at random. Let
+.IR K \ =\ N \ ||\ K .
+Generate 320 bits of output from RIPEMD-160 in
+MGF1 mode with seed
+.IR K ;
+let
+.I K\*(usE\*(ue
+be the first half and
+.I K\*(usT\*(ue
+be the second.
+Encrypt the message
+.I m
+using Blowfish in CBC mode, with ciphertext stealing if necessary, using
+a zero IV and the key
+.IR K\*(usE\*(ue ,
+giving the ciphertext
+.IR y\*(us0\*(ue .
+Let \*(*t be the 160-bit tag obtained from RIPEMD-160 in HMAC mode on
+the message
+.I y\*(us0\*(ue
+and with key
+.IR K\*(usT\*(ue .
+The ciphertext is then
+.IR y \ =\ N \ ||\ \*(*t\ ||\ y\*(us0\*(ue .
+This encryption scheme can be shown to provide integrity of ciphertexts
+and indistinguishability against chosen-ciphertext attack against an
+adversary who doesn't know
+.IR P .
.PP
-It is not envisaged that the file format will change in the future. Any
-extensions will be made by defining new attributes.
+The binary format is also quite simple. All integers are stored
+base-256, one digit per octet, in big-endian order. A key begins with a
+header consisting of a two-octet flags field and a two-octet length.
+The flags encode the attributes described above; see the header file
+.B key\-data.h
+for the values of the flags. The length gives the number of octets in
+the following key data, not including the header. Finally, the key data
+is padded with zero octets to make it a multiple of 4 octets long. The
+length does not include this padding. The various key encodings are as
+follows.
+.TP
+.B "binary"
+The key data is stored as-is.
+.TP
+.B "integer"
+The integer is stored, base-256, one digit per octet, in big-endian
+order, using as few octets as possible. The value 0 has length zero.
+.TP
+.B "struct"
+A sequence of subkeys is stored; the sequence is sorted by
+lexicographical order of the subkeys' labels. Each subkey consists of a
+single octet giving the length of the subkey's label; the label itself
+in ASCII, zero-octet padding to make the subkey start at a multiple of
+four octets, and then the encoding of the subkey. There is no
+terminator: the outer length field indicates when to stop reading
+subkeys.
+.TP
+.B "string"
+The string is stored as-is, with no terminator.
+.TP
+.B "ec"
+The point at infinity has length zero. Otherwise, the key consists of
+the
+.IR x -
+and
+.IR y -coordinates
+expressed as integers in the obvious way and encoded as for
+.B integer
+keys, each preceded by a two-octet length. There is no padding between
+the two coordinates.
+.TP
+.B "encrypt"
+The key data is encoded as binary and encrypted as described above. The
+resulting ciphertext is stored as is.
+.SS "Fingerprints"
+The fingerprint is computed by hashing the binary representation of (the
+selected parts of) a key's data followed by the key type preceded by a
+single length octet, and the key's attributes, in lexicographic order of
+the attribute name. Each attribute consists of the attribute's name
+preceded by a single length octet, followed by the value preceded by a
+two-octet length. The lengths do not include themselves; neither string
+has a terminator character; there is no padding.
.SH AUTHOR
-Mark Wooding, <mdw@nsict.org>
+Mark Wooding, <mdw@distorted.org.uk>
projects / u / mdw / catacomb / blobdiff