2

I am working on a C# app that encrypts/decrypts messages using PGP implemented by the Bouncy Castle (BC) library. I know PKI but the secret key in PGP throws me off a bit. I looked at the BC examples/source code and the PGP RFC but came away with more questions.

Is Secretkey == Session key?

Is Secretkey == Symmetric key?

Is Secretkey == private key (pub/priv key pairs)? At least the following seems to suggest that the secret key is a private key.

internal static PgpPrivateKey FindSecretKey(PgpSecretKeyRingBundle pgpSec, long keyID, char[] pass)

The RFC says the secretkey contains, among others, information about the publickey or may be the public key itself (at least that's my reading).

Also, somewhere I read the Secretkey is basically a password encrypted privatekey.

When/why would I need a secret key in the PGP protocol? Signing or encrypting?

Thanks

Stack Undefined
  • 1,050
  • 1
  • 14
  • 23

1 Answers1

6

Quoting RFC 4880, OpenPGP, 5.5.1.3. Secret-Key Packet:

A Secret-Key packet contains all the information that is found in a Public-Key packet, including the public-key material, but also includes the secret-key material after all the public-key fields.

and 11.2. Transferable Secret Keys:

[...] The format of a transferable secret key is the same as a transferable public key except that secret-key and secret-subkey packets are used instead of the public key and public-subkey packets. Implementations SHOULD include self- signatures on any user IDs and subkeys, [...]

With other words, the secret key contains the public/private key pair (eg., RSA), but should also contain user IDs and self-signatures. 12.1. Key Structures gives more details on how exported keys are constructed. A helpful tool for understanding the composition of OpenPGP packets are gpg --list-packets [file] or pgpdump [file], which dump the packet structure of their input.

Community
  • 1
  • 1
Jens Erat
  • 37,523
  • 16
  • 80
  • 96