Re: [openpgp] Disabling compression in OpenPGP

David Shaw <dshaw@jabberwocky.com> Tue, 18 March 2014 18:29 UTC

Return-Path: <dshaw@jabberwocky.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B82A71A03F6 for <openpgp@ietfa.amsl.com>; Tue, 18 Mar 2014 11:29:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxuRogPvMUfz for <openpgp@ietfa.amsl.com>; Tue, 18 Mar 2014 11:29:33 -0700 (PDT)
Received: from walrus.jabberwocky.com (walrus.jabberwocky.com [173.9.29.57]) by ietfa.amsl.com (Postfix) with ESMTP id 8C2211A0401 for <openpgp@ietf.org>; Tue, 18 Mar 2014 11:29:33 -0700 (PDT)
Received: from dshaw.nasuni.net (vpn.nasuni.com [173.166.63.186]) (authenticated bits=0) by walrus.jabberwocky.com (8.14.4/8.14.4) with ESMTP id s2IITN37020372 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 18 Mar 2014 14:29:24 -0400
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: David Shaw <dshaw@jabberwocky.com>
In-Reply-To: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com>
Date: Tue, 18 Mar 2014 14:29:20 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com>
To: Alfredo Pironti <alfredo.pironti@inria.fr>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/CCEGnIr6kpVRkdkNSKAUU5Bo4z8
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 18:29:37 -0000

On Mar 18, 2014, at 12:00 PM, Alfredo Pironti <alfredo.pironti@inria.fr> wrote:

> Dear list,
> 
> It is well known that compressing data before encrypting them leaks much about the plaintext [1]. Recently, this has been exploited against the TLS protocol in the so-called CRIME attack [2].
> 
> Looking at RFC 4880, section 2.3, I read
> “OpenPGP implementations SHOULD compress the message after applying the signature but before encryption.”
> And indeed, gpg faithfully follows the spec by enabling compression by default.
> 
> I have done some preliminary work on password managers that rely on OpenPGP (gpg, in fact) to encrypt the passwords. Unsurprisingly, it turns out that compressing the password before encrypting it leaks much of the password entropy, making dictionary attacks significantly easier to mount. (In my preliminary experiments I used a password dictionary containing about 4 million passwords. If the attacker knows the original password length and its compressed length, then for some combinations of the two the candidate dictionary entries can reduce to as few as some hundreds.)
> 
> I believe similar attacks can be mounted in different contexts where OpenPGP is used. Hence, I propose to start discussion to amend RFC 4880 to at least discourage (if not forbid) the use of compression.

It is not my intent to make light of your email, but I'm somewhat amused as a few years ago there was an attack that could be *avoided* by compression.  See https://www.schneier.com/paper-pgp.pdf for the details.  Damned if you do, damned if you don't?

Note that the use of compression in OpenPGP (at least in the public key context) is under the control of the recipient.  If a given recipient doesn't want compression used on messages to their key, they can set a preference reflecting that, and all OpenPGP implementations will not compress when encrypting a message to that key.

David