[ Contents ]
11. Enhanced Key Formats
11.1. Key Structures
The format of an OpenPGP V3 key is as follows. Entries in square
brackets are optional and ellipses indicate repetition.
RSA Public Key
[Revocation Self Signature]
User ID [Signature ...]
[User ID [Signature ...] ...]
Each signature certifies the RSA public key and the preceding user
ID. The RSA public key can have many user IDs and each user ID can
have many signatures.
The format of an OpenPGP V4 key that uses two public keys is similar
except that the other keys are added to the end as 'subkeys' of the
primary key.
Primary-Key
[Revocation Self Signature]
[Direct Key Self Signature...]
User ID [Signature ...]
[User ID [Signature ...] ...]
[[Subkey [Binding-Signature-Revocation]
Primary-Key-Binding-Signature] ...]
A subkey always has a single signature after it that is issued using
the primary key to tie the two keys together. This binding signature
may be in either V3 or V4 format, but V4 is preferred, of course.
In the above diagram, if the binding signature of a subkey has been
revoked, the revoked binding signature may be removed, leaving only
one signature.
In a key that has a main key and subkeys, the primary key MUST be a
key capable of signing. The subkeys may be keys of any other type.
There may be other constructions of V4 keys, too. For example, there
may be a single-key RSA key in V4 format, a DSA primary key with an
RSA encryption key, or RSA primary key with an Elgamal subkey, etc.
It is also possible to have a signature-only subkey. This permits a
primary key that collects certifications (key signatures) but is used
only used for certifying subkeys that are used for encryption and
signatures.
11.2. Key IDs and Fingerprints
For a V3 key, the eight-octet key ID consists of the low 64 bits of
the public modulus of the RSA key.
The fingerprint of a V3 key is formed by hashing the body (but not
the two-octet length) of the MPIs that form the key material (public
modulus n, followed by exponent e) with MD5.
A V4 fingerprint is the 160-bit SHA-1 hash of the one-octet Packet
Tag, followed by the two-octet packet length, followed by the entire
Public Key packet starting with the version field. The key ID is the
low order 64 bits of the fingerprint. Here are the fields of the
hash material, with the example of a DSA key:
a.1) 0x99 (1 octet)
a.2) high order length octet of (b)-(f) (1 octet)
a.3) low order length octet of (b)-(f) (1 octet)
b) version number = 4 (1 octet);
c) time stamp of key creation (4 octets);
d) algorithm (1 octet): 17 = DSA (example);
e) Algorithm specific fields.
Algorithm Specific Fields for DSA keys (example):
e.1) MPI of DSA prime p;
e.2) MPI of DSA group order q (q is a prime divisor of p-1);
e.3) MPI of DSA group generator g;
e.4) MPI of DSA public key value y (= g**x where x is secret).
Note that it is possible for there to be collisions of key IDs -- two
different keys with the same key ID. Note that there is a much
smaller, but still non-zero probability that two different keys have
the same fingerprint.
Also note that if V3 and V4 format keys share the same RSA key
material, they will have different key ids as well as different
fingerprints.
Updated: 1999-09-30 wkoch