DidiSoft Ltd.

Long Hex Key IDs in OpenPGP Library for Java

September 8th, 2016

In relation to the recent threat of faking Linus Torvalds' public key by providing a key with the same lower 4 bytes of the Key ID (the same short hexadecimal key ID), we have updated DidiSoft OpenPGP Library for Java to provide full support for long key IDs.

What is a short Key ID

A short Key ID consists of the low 4 bytes of the real Key ID, which is of type java.lang.Long and is 8 bytes long. The threat is that someone generates multiple keys until one of them has the same lower 4 bytes as your key. Command-line PGP and GnuPG tools are usually used by specifying the short Key ID, like:

gpg --encrypt --recipient A3B26901

With our library you can specify a key by its hexadecimal key ID wherever KeyStore and User ID parameters are expected. For example:

PGPLib pgp = new PGPLib();
KeyStore ks = new KeyStore("my.keystore", "keystore pass");
boolean asciiArmor = true;
String shortKeyID = "A3B26901";
pgp.encryptFile("data.txt", ks, shortKeyID, "data.pgp", asciiArmor);

As of version 3.1.1.8 we can use long key IDs as well:

PGPLib pgp = new PGPLib();
KeyStore ks = new KeyStore("my.keystore", "keystore pass");
boolean asciiArmor = true;
String longKeyID = "B21345CA3B26901";
pgp.encryptFile("data.txt", ks, longKeyID, "data.pgp", asciiArmor);
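
The relationship between short and long key IDs described above, as an added example in plain Java (not DidiSoft's code and not using the library): it resolves a hex key ID against a list of 8-byte key IDs and shows when a short ID matches more than one key. The class name KeyIdLookup, its methods and the key ID values are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class KeyIdLookup {

    /** Low 4 bytes of the 8-byte key ID, formatted as the 8-digit short hex ID. */
    static String shortId(long keyId) {
        return String.format("%08X", keyId & 0xFFFFFFFFL);
    }

    /** Full 8-byte key ID, formatted as the 16-digit long hex ID. */
    static String longId(long keyId) {
        return String.format("%016X", keyId);
    }

    /** Returns every key ID in the ring that matches a short (8-digit) or long (16-digit) hex ID. */
    static List<Long> find(String hexId, long[] ring) {
        String id = hexId.trim().toUpperCase();
        if (id.startsWith("0X")) id = id.substring(2);
        if (!id.matches("[0-9A-F]{8}|[0-9A-F]{16}")) {
            throw new IllegalArgumentException("expected 8 or 16 hex digits: " + hexId);
        }
        List<Long> hits = new ArrayList<>();
        for (long keyId : ring) {
            String candidate = id.length() == 8 ? shortId(keyId) : longId(keyId);
            if (candidate.equals(id)) hits.add(keyId);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed key IDs: the first two differ only in their high 4 bytes.
        long[] ring = { 0x1B21345CA3B26901L, 0x7F00D2E1A3B26901L, 0x0123456789ABCDEFL };

        for (String id : new String[] { "A3B26901", "1B21345CA3B26901" }) {
            List<Long> hits = find(id, ring);
            if (hits.size() > 1) {
                // A short ID that resolves to several keys must not be used to pick a recipient.
                System.out.println(id + " is ambiguous, matches:");
                for (long k : hits) System.out.println("  " + longId(k));
            } else {
                System.out.println(id + " -> " + (hits.isEmpty() ? "no key" : longId(hits.get(0))));
            }
        }
    }
}
```

With these constructed values the short ID A3B26901 matches two keys, while the 16-digit long ID selects exactly one.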