secret-keys

Depends: algorithms, public-keys, checksum
Recommends: s2k

S2K is only required for encrypted secret keys.

This module specifies how to encode secret keys for use with OpenPGP.  Secret keys contain both the public and secret components of a key.

A primary secret key is represented by a packet with tag value 0x05.  A "subkey" is represented by an identically formatted packet with tag value 0x07 place after a primary public key packet in an OpenPGP message.

The packet is formatted thusly:

First, a public key packet, formatted as specified is public-keys.
The next octet is either 0x00 for an unencrypted secret key, or 0xFE for an encrypted secret key.

For an encrypted secret key:
	The next octet encodes the symmetric cipher used to encrypt the secret key material.
	Then, an S2K specifier.
	Then, an initialization vector (IV) of the same size as the symmetric cipher's block size.
	Then, the encrypted secret key data.

For an unencrypted RSA secret key:
	MPI of RSA secret exponent d.
	MPI of RSA secret prime value p.
	MPI of RSA secret prime value q (p < q).
	MPI of u, the multiplicative inverse of p, mod q.
	The two-octet checksum of the raw octets encoding all these MPIs.

== Encipherment of Secret Keys ==

Encipherment of secret key data is done in CFB mode using a key creating from the passphrase, the S2K specifier, and the IV from the packet.

The encoding of the data that is enciphered is exactly the same as the encoding of the secret values in the unencrypted key case above, except that the checksum algorithm is replaced by a 20-octet SHA1 hash.

For information on why integrity protecting secret keys is necessary, see: <http://eprint.iacr.org/2002/076.pdf>.

== Secret-Key Message Format ==

When transmitting a secret key (with optional subkeys and certification signatures), the message format is identical to the one for public keys, except that secret key packets are used.