Long Hex Key IDs in OpenPGP Library for Java

In response to the recent threats of faking Linus Torvalds’ public key by providing a key with the same lower 4 bytes of the Key ID (the same short hexadecimal key ID), we have updated DidiSoft OpenPGP Library for Java to provide full support for long key IDs.

What is a short Key ID

A short Key ID consists of the low 4 bytes of the real Key ID, which is of type java.lang.Long and is 8 bytes long. The threat is that someone generates multiple keys until one of them has the same lower 4 bytes as your key. Command-line PGP and GnuPG tools are usually used by specifying the short Key ID, like:

gpg --encrypt --recipient A3B26901

With our library you can specify a key by its hexadecimal key ID wherever KeyStore and User ID parameters are expected. For example:

PGPLib pgp = new PGPLib();
KeyStore ks = new KeyStore("my.keystore", "keystore pass");
boolean asciiArmor = true;
String shortKeyID = "A3B26901";
pgp.encryptFile("data.txt", ks, shortKeyID, "data.pgp", asciiArmor);

As of version 3.1.1.8 we can use long key IDs as well:

PGPLib pgp = new PGPLib();
KeyStore ks = new KeyStore("my.keystore", "keystore pass");
boolean asciiArmor = true;
String longKeyID = "B21345CA3B26901";
pgp.encryptFile("data.txt", ks, longKeyID, "data.pgp", asciiArmor);
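
The relationship between the short and long key ID described above can be checked before a key is selected. The following is an added example, not part of DidiSoft OpenPGP Library for Java: it uses only the JDK, the class and method names are hypothetical, and the key IDs are constructed sample values. It resolves a hex key ID against the key IDs in a keyring and refuses a short ID that matches more than one key.

```java
import java.util.ArrayList;
import java.util.List;

public class KeyIdLookup {
    // Short key ID: the low 4 bytes of the 8-byte key ID, as 8 hex digits.
    static String shortId(long keyId) {
        return String.format("%08X", keyId & 0xFFFFFFFFL);
    }

    // Long key ID: all 8 bytes, as 16 hex digits.
    static String longId(long keyId) {
        return String.format("%016X", keyId);
    }

    // Resolve a hex key ID against the key IDs present in a keyring.
    // 16 hex digits must match the full ID; 8 hex digits match only the
    // low 4 bytes and are rejected when several keys share them.
    static long resolve(String hexId, List<Long> keyring) {
        String id = hexId.toUpperCase().replaceFirst("^0X", "");
        if (!id.matches("[0-9A-F]{8}|[0-9A-F]{16}")) {
            throw new IllegalArgumentException("expected 8 or 16 hex digits: " + hexId);
        }
        List<Long> matches = new ArrayList<>();
        for (long keyId : keyring) {
            String candidate = id.length() == 16 ? longId(keyId) : shortId(keyId);
            if (candidate.equals(id)) matches.add(keyId);
        }
        if (matches.isEmpty()) throw new IllegalStateException("no key with ID " + id);
        if (matches.size() > 1) {
            throw new IllegalStateException("short key ID " + id + " matches "
                    + matches.size() + " keys; use the long key ID");
        }
        return matches.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample IDs: the first two share the low 4 bytes A3B26901.
        List<Long> keyring = List.of(
                0x5E1A77C0A3B26901L, 0x7F00D1E2A3B26901L, 0x1122334455667788L);
        System.out.println(longId(resolve("5E1A77C0A3B26901", keyring))); // full ID, unambiguous
        System.out.println(longId(resolve("55667788", keyring)));         // short ID, unique here
        try {
            resolve("A3B26901", keyring);                                 // short ID, two matches
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```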