Represents structured data for Public-Key Encrypted Session Key Packet.

The :ciphertext attribute is set once the packet is decoded with .decode/1 and the packet data is still symmetrically encrypted. The next logical step is to decrypt packet with .decrypt/2 to get symmetrically encrypted session key material.

NOTE: As of 0.6.x Public Key Encrypted Session Key Packet:

1. Encrypts the session key with "Elgamal (Encrypt-Only)" algorithm only (algo 16)
2. Decrypts the session key encrypted with "RSA (Encrypt or Sign)" algorithm only (algo 1)

RFC4880

5.1. Public-Key Encrypted Session Key Packets (Tag 1)

A Public-Key Encrypted Session Key packet holds the session key used to encrypt a message. Zero or more Public-Key Encrypted Session Key packets and/or Symmetric-Key Encrypted Session Key packets may precede a Symmetrically Encrypted Data Packet, which holds an encrypted message. The message is encrypted with the session key, and the session key is itself encrypted and stored in the Encrypted Session Key packet(s). The Symmetrically Encrypted Data Packet is preceded by one Public-Key Encrypted Session Key packet for each OpenPGP key to which the message is encrypted. The recipient of the message finds a session key that is encrypted to their public key, decrypts the session key, and then uses the session key to decrypt the message.

The body of this packet consists of:

• A one-octet number giving the version number of the packet type. The currently defined value for packet version is 3.

• An eight-octet number that gives the Key ID of the public key to which the session key is encrypted. If the session key is encrypted to a subkey, then the Key ID of this subkey is used here instead of the Key ID of the primary key.

• A one-octet number giving the public-key algorithm used.

• A string of octets that is the encrypted session key. This string takes up the remainder of the packet, and its contents are dependent on the public-key algorithm used.

Algorithm Specific Fields for RSA encryption

• multiprecision integer (MPI) of RSA encrypted value m**e mod n.

Algorithm Specific Fields for Elgamal encryption:

• MPI of Elgamal (Diffie-Hellman) value g**k mod p.

• MPI of Elgamal (Diffie-Hellman) value m y*k mod p.

The value "m" in the above formulas is derived from the session key as follows. First, the session key is prefixed with a one-octet algorithm identifier that specifies the symmetric encryption algorithm used to encrypt the following Symmetrically Encrypted Data Packet. Then a two-octet checksum is appended, which is equal to the sum of the preceding session key octets, not including the algorithm identifier, modulo 65536. This value is then encoded as described in PKCS#1 block encoding EME-PKCS1-v1_5 in Section 7.2.1 of [RFC3447] to form the "m" value used in the formulas above. See Section 13.1 of this document for notes on OpenPGP's use of PKCS#1.

Note that when an implementation forms several PKESKs with one session key, forming a message that can be decrypted by several keys, the implementation MUST make a new PKCS#1 encoding for each key.

An implementation MAY accept or use a Key ID of zero as a "wild card" or "speculative" Key ID. In this case, the receiving implementation would try all available private keys, checking for a valid decrypted session key. This format helps reduce traffic analysis of messages.