Avoid the term "encapsulation".

The RFC doesn't use the term in this context. And my impression is that it's only used for hybrid systems.
Heiko Schaefer 2023-12-11 01:39:39 +01:00
parent a9db0e3a64
commit b24fddf2a9
GPG key ID: DAE9A9050FCCF1EB


@ -25,7 +25,7 @@ For an in-depth, packet-level view of encrypted data in OpenPGP, see {ref}`zoom_
Encryption in OpenPGP is performed in two distinct steps:
1. **Symmetric encryption**: The plaintext is encrypted based on a (secret) symmetric key, the [*session key*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-confidentiality-via-encrypt). The (potentially large) ciphertext only needs to be stored once, even if it is sent to multiple recipients. All recipients get access to the same shared session key to decrypt the message.
2. **Encapsulating session key**: For each recipient of the message, a packet that contains the session key is generated.
2. **Session key transmission**: For each recipient of the message, a packet that contains the session key is generated.
- Usually, the session key is encrypted to a public encryption component key of the recipient.
- Alternatively - or additionally - the session key may also be encrypted using a passphrase. This is a specialized and less commonly used mode of operation that doesn't require OpenPGP certificates.
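Review bot: the renamed item now reads "Session key transmission", but its body still says the generated packet "contains the session key", which is only true in encrypted form; consider "a packet that contains the encrypted session key is generated" so the item matches the two sub-bullets, which describe encrypting it to a public key or with a passphrase.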
@ -40,7 +40,7 @@ A *signed message*, in turn, is a packet sequence that either
- *prefixed-signed* message (one or more *Signature* packets followed by a single *Literal Data* packet).
```
## History of encryption mechanisms in OpenPGP
## Encryption mechanism versions
OpenPGP's encryption mechanisms have evolved over time. The RFC shows an [overview of encryption mechanisms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-10.3.2.1), and how they may be combined.
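Review bot: this heading rename ("History of encryption mechanisms in OpenPGP" to "Encryption mechanism versions") is outside the scope stated in the commit message, which only covers dropping the word "encapsulation"; either mention the rename in the message or split it into its own commit. Also check that the section keeps an explicit label for `{ref}` links (the file uses `{ref}` targets, as the first hunk's context line shows), since an anchor derived from the heading text would change with the rename.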
@ -55,9 +55,9 @@ SEIPD packets are used in combination with two mechanisms that store *session ke
The typical combination of mechanisms for encryption in OpenPGP is a [hybrid cryptosystem](hybrid_cryptosystems), consisting of one or more [Public-Key Encrypted Session Key](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-public-key-encrypted-sessio) packets (PKESK), followed by a [Symmetrically Encrypted Integrity Protected Data* (SEIPD) packet. In this combination, an asymmetric cryptographic mechanism is used to protect a *session key* inside PKESK packets, which is used to protect the plaintext using symmetric-key encryption in a SEIPD packet.
## Encapsulating session keys: PKESK, SKESK
## Encrypted session keys: PKESK, SKESK
"*ESK" (encrypted session key) packets are a family of mechanisms for encapsulation of symmetric key material. There are two branches:
"*ESK" (encrypted session key) packets are a family of mechanisms for securing symmetric key material. There are two branches:
- [PKESK](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-public-key-encrypted-sessio): Uses asymmetric OpenPGP key material to protect a session key, and
- [SKESK](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-symmetric-key-encrypted-ses): Uses passphrases to protect the symmetric key material, instead of OpenPGP asymmetric key material (this is less commonly used).
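Review bot: "securing symmetric key material" is vaguer than the term it replaces; since both branches encrypt the session key (the new heading already says "Encrypted session keys"), "encrypting symmetric key material" would be more precise and consistent with the PKESK/SKESK packet names. Pre-existing, but in the context line of this hunk: "[Symmetrically Encrypted Integrity Protected Data* (SEIPD) packet" opens a link bracket and closes with an asterisk, so the markup is broken; it should be "*Symmetrically Encrypted Integrity Protected Data* (SEIPD)" or a proper [text](url) link.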