[openpgp] Disabling compression in OpenPGP

Alfredo Pironti <alfredo.pironti@inria.fr> Tue, 18 March 2014 16:00 UTC

Return-Path: <alfredo@pironti.eu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA4081A06FB for <openpgp@ietfa.amsl.com>; Tue, 18 Mar 2014 09:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6wAUZyiFZ0Yn for <openpgp@ietfa.amsl.com>; Tue, 18 Mar 2014 09:00:41 -0700 (PDT)
Received: from mail-oa0-x231.google.com (mail-oa0-x231.google.com [IPv6:2607:f8b0:4003:c02::231]) by ietfa.amsl.com (Postfix) with ESMTP id 1DCF41A0703 for <openpgp@ietf.org>; Tue, 18 Mar 2014 09:00:37 -0700 (PDT)
Received: by mail-oa0-f49.google.com with SMTP id h16so1940096oag.36 for <openpgp@ietf.org>; Tue, 18 Mar 2014 09:00:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pironti.eu; s=google; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=RTz0701QpKItpjaZA3L4XiWeW+NQsX82gyidlNBBsPo=; b=KYvxg0cbvH85Wl6DBzSEgXxaulpXOqoIQtdLMXOo7gE3nodEv1uicbUUaQWXThKTHX 4iE8hyJNlD++jGbs4umfNCzPAXssIGrJXZCwdLF0CFvQqALXIge+AFN34mQmCZ/ntbhr cvNWoHClKEYIIcQZVALvK9grZotoTaOQ1evhc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:content-type; bh=RTz0701QpKItpjaZA3L4XiWeW+NQsX82gyidlNBBsPo=; b=Tq67Z6cKM8XIzkXvCscnBoK6cNWiFKOKGAJZkZPT4p763mTwsj/B7jQTKITsROGGzO JHzC7ovNggpfmsEfeKLsUjr8viuMHJbqU3acONBKi1L/BQaCKDNiswZ8Kp4cx0yqbBE5 bR8hPYbfEMSReG9Vtrk9JVTRV0Xgoew4xeEJdLQRQloZVrmhL4yIF2uZPeTCvYD4Lfer Ym+J6JCsXOxkiDJn82pBTPojNqh8SkBZ21n9O9mjxqdELx96BSGvfv2q3ioxwplRezA4 q7cuyrlhlky6BPcSmdz7ZF3FycZFBwQFCHAwe33en/JoYfESKd7MYGcjrSDMnZQHBjgf ru3w==
X-Gm-Message-State: ALoCoQkNLHMLEUbpqeu6vt7WneZQRksQ6HlJ9duxiSbZcjveoC3xAarK04jo8evU0N2pNCeGCf1i
MIME-Version: 1.0
X-Received: by 10.182.28.7 with SMTP id x7mr854609obg.43.1395158429381; Tue, 18 Mar 2014 09:00:29 -0700 (PDT)
Sender: alfredo@pironti.eu
Received: by 10.76.151.35 with HTTP; Tue, 18 Mar 2014 09:00:29 -0700 (PDT)
X-Originating-IP: [128.93.161.197]
Date: Tue, 18 Mar 2014 17:00:29 +0100
X-Google-Sender-Auth: xadhrMVvtuCDzhbuVteSy6-fMWw
Message-ID: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com>
From: Alfredo Pironti <alfredo.pironti@inria.fr>
To: openpgp@ietf.org
Content-Type: multipart/alternative; boundary=089e015380ba96ccf304f4e3a23d
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/34SnYliCeRUml8yaBuAn7MHMV84
Subject: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 16:00:44 -0000

Dear list,

It is well known that compressing data before encrypting them leaks much
about the plaintext [1]. Recently, this has been exploited against the TLS
protocol in the so-called CRIME attack [2].

Looking at RFC 4880, section 2.3, I read
“OpenPGP implementations SHOULD compress the message after applying the
signature but before encryption.”
And indeed, gpg faithfully follows the spec by enabling compression by
default.

I have done some preliminary work on password managers that rely on OpenPGP
(gpg, in fact) to encrypt the passwords. Unsurprisingly, it turns out that
compressing the password before encrypting it leaks much of the password
entropy, making dictionary attacks significantly easier to mount. (In my
preliminary experiments I used a password dictionary containing about 4
million passwords. If the attacker knows the original password length and
its compressed length, then for some combinations of the two the candidate
dictionary entries can reduce to as few as some hundreds.)

I believe similar attacks can be mounted in different contexts where
OpenPGP is used. Hence, I propose to start discussion to amend RFC 4880 to
at least discourage (if not forbid) the use of compression.

I welcome comments and suggestions.
Alfredo Pironti

[1] Kelsey, J.: Compression and information leakage of plaintext. In: Fast
Software Encryption. pp. 263–276 (2002)
[2] See, e.g.: http://en.wikipedia.org/wiki/CRIME_%28security_exploit%29