Re: [openpgp] Deprecating compression support
Justus Winter <justuswinter@gmail.com> Mon, 18 March 2019 17:16 UTC
Return-Path: <justuswinter@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F66F130E00 for <openpgp@ietfa.amsl.com>; Mon, 18 Mar 2019 10:16:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4uwU9RwWvqGF for <openpgp@ietfa.amsl.com>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A8651200D8 for <openpgp@ietf.org>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id z11so5354305wmi.0 for <openpgp@ietf.org>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:in-reply-to:references:date:message-id:mime-version; bh=pWt/Uazrb1phEqb4/a3oKQK/SopB/ZyTWHItrbbtbHI=; b=d5wztlGJYDeuXHydiBmyeGUg1qNylZB/oYDMiKcn04/3kcMpNzpq5JcfPVUX76SuvA hEDIX+5ORLR4F+udQJV4RnqU9+sGhrJSYwA2iFicqTyHPA5V9D2xxBGbhSoX9tfMi3/q CbX9dJvIUUgA2dp6Vfn7aotmWi8cXs7HhLDjejLWBLhKk5c8yy0WgsZGP3uqid8mh7ix 458iJRMmZSdhPIg+EZpmHYTVz4z6DhCkiGB7uYjvuYtbKbWPfnUMEmmPkI3SW0ZJccik OwyrBcdU99HjHe3b/tywrCSyyN4EKQ75kgybaog77Bk4M1NAqyPXGotQPJlYlXZlFeko cMSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:in-reply-to:references:date :message-id:mime-version; bh=pWt/Uazrb1phEqb4/a3oKQK/SopB/ZyTWHItrbbtbHI=; b=GwXekiGnKq+PRM1j0GkQergarwjNqw5YMjQyINLwPXNoFHZWYstfODEPJy8ii9Jj1j cnEQOBq9bsSmzpS1F4blHPU8oKZhtXQpWN9v/u+89z/cZsvb33bJ3cr4tEAnHD47IJ0b zUlNNpL30tcKJoX0o1FvttiejKN4mzfigBE7OmqB/RAyn3VoPwkMo9HboH0BcB5jFfs2 lKVw/V6Ip2PNmqVu67tBfSnjPBxOx8F9YpwmMpKc9HmyhnzhoJP1QJ083clEq/eeXHl8 gbqSY4/wnCR7q1kj9RxTJaIVpgBVsekcccOGBGfsO6rO573m+9lvB9JRlAdNfReOUaER 5wMw==
X-Gm-Message-State: APjAAAVSshez/DXu8tNHKFgEEqHNIaz95XjzQezEqfSepZ5xbai6gz95 pIhWAliWlxT3iMcFTpByr0w=
X-Google-Smtp-Source: APXvYqzmDVIzXA7CHYRkyQ13waGVh/p+GB2HxXgzbyCZAwwMU649r3qGVjlmwSqpJoLNtdEe/2+APA==
X-Received: by 2002:a1c:7306:: with SMTP id d6mr12411716wmb.40.1552929359827; Mon, 18 Mar 2019 10:15:59 -0700 (PDT)
Received: from localhost (port-92-193-68-206.dynamic.qsc.de. [92.193.68.206]) by smtp.gmail.com with ESMTPSA id c10sm10250170wrr.1.2019.03.18.10.15.58 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 18 Mar 2019 10:15:59 -0700 (PDT)
From: Justus Winter <justuswinter@gmail.com>
To: James Howard <james.howard@jhu.edu>, "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <EF1FF15B-1DDE-4259-93ED-6A2F49809157@jhu.edu>
References: <871s3475dy.fsf@europa.jade-hamburg.de> <EF1FF15B-1DDE-4259-93ED-6A2F49809157@jhu.edu>
Date: Mon, 18 Mar 2019 18:15:56 +0100
Message-ID: <87y35c5cj7.fsf@europa.jade-hamburg.de>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/H17ZYCBYPLRrh7WQcTh6gRIOg2k>
Subject: Re: [openpgp] Deprecating compression support
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 17:16:03 -0000
James Howard <james.howard@jhu.edu> writes: > Hello, long-time lurker, first time caller. As I read this, this > morning, I fail to see the advantages. For instance, let’s look at a > couple of these issues: > >> Compression makes it impossible to reason about the size of a >> decrypted message, > > It’s hard not to look at this and say, good! What I meant here is that the receiver (i.e. not an adversary) cannot know in advance how big a decrypted message is by looking at the encrypted message. This means that the only safe interface for an OpenPGP library is a streaming one, and this is perceived as difficult to use, and/or to increase the complexity of implementations. > The idea of encryption is the hide information and burying information > about the length of the message can only be an improvement. However, compress-then-encrypt leaks the entropy of the plaintext, see e.g. CRIME, BREACH. >> - Compression interacts badly with encryption, see e.g. CRIME, >> BREACH, and hiding of EFAIL-style CFB gadgets [0]. > > I am not sure how valid this is. For instance, in the paper cited, we > see the following comments: > > > [F]or OpenPGP, we needed to develop more complex exploit techniques > > upon malleability gadgets because the data is typically compressed > > before encryption OpenPGP’s plaintext compression significantly > > complicates our attack. The difficulty here is to guess a certain > > amount of compressed plaintext bytes in order to fully utilize the > > CFB gadget technique. Not knowing enough compressed plaintext bytes > > is hardly a countermeasure, but makes practical exploitation a lot > > harder. You conveniently left out the very next paragraph, which I will cite here: > We show how the compression structure can be exploited to create > exfiltration channels. Interestingly, with the compression in place, > we can create exfiltration chan- nels even more precisely and remove > the random data blocks from the resulting plaintext. > Then there’s this: > >> - The downstream application is in a better position to decide whether >> and how to compress data that is then encrypted using OpenPGP. > > Now, I will admit to misinterpreting this (I think) and assumed you > meant compressing after application of PGP. That’s, of course, silly, I meant compress-then-encrypt, of course. Justus PS: Your MUA is terrible, it doesn't preserve quotations.
- [openpgp] Deprecating compression support Justus Winter
- Re: [openpgp] Deprecating compression support Vincent Breitmoser
- Re: [openpgp] Deprecating compression support Neal H. Walfield
- Re: [openpgp] Deprecating compression support Derek Atkins
- Re: [openpgp] Deprecating compression support Vincent Breitmoser
- Re: [openpgp] Deprecating compression support James Howard
- Re: [openpgp] Deprecating compression support Justus Winter
- Re: [openpgp] Deprecating compression support Jon Callas
- Re: [openpgp] Deprecating compression support Andrey Jivsov
- Re: [openpgp] Deprecating compression support Peter Gutmann
- Re: [openpgp] Deprecating compression support Jon Callas
- Re: [openpgp] Deprecating compression support Vincent Breitmoser
- Re: [openpgp] Deprecating compression support Justus Winter
- Re: [openpgp] Deprecating compression support Andre Heinecke
- Re: [openpgp] Deprecating compression support Vincent Breitmoser
- Re: [openpgp] Deprecating compression support Andre Heinecke
- Re: [openpgp] Deprecating compression support Andre Heinecke
- Re: [openpgp] Deprecating compression support Daniel A. Nagy
- Re: [openpgp] Deprecating compression support Bart Butler
- Re: [openpgp] Deprecating compression support Jon Callas
- Re: [openpgp] Deprecating compression support Jon Callas
- Re: [openpgp] Deprecating compression support Marcus Brinkmann
- Re: [openpgp] Deprecating compression support Gregory Maxwell
- Re: [openpgp] Deprecating compression support Werner Koch
- Re: [openpgp] Deprecating compression support Jon Callas
- Re: [openpgp] Deprecating compression support Werner Koch
- Re: [openpgp] Deprecating compression support Ronald Tse
- Re: [openpgp] Deprecating compression support Derek Atkins
- Re: [openpgp] Deprecating compression support Bart Butler
- Re: [openpgp] Deprecating compression support Jon Callas
- Re: [openpgp] Deprecating compression support Jon Callas
- Re: [openpgp] Deprecating compression support ilf
- Re: [openpgp] Deprecating compression support Daniel Kahn Gillmor
- [openpgp] 4880bis status Neal H. Walfield
- Re: [openpgp] Deprecating compression support Neal H. Walfield
- Re: [openpgp] Deprecating compression support Neal H. Walfield
- Re: [openpgp] Deprecating compression support Andre Heinecke
- Re: [openpgp] Deprecating compression support Neal H. Walfield
- Re: [openpgp] Deprecating compression support Benjamin Kaduk
- Re: [openpgp] 4880bis status Bart Butler