Re: [openpgp] Deprecating compression support

Justus Winter <> Mon, 18 March 2019 17:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8F66F130E00 for <>; Mon, 18 Mar 2019 10:16:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4uwU9RwWvqGF for <>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4A8651200D8 for <>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
Received: by with SMTP id z11so5354305wmi.0 for <>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:to:subject:in-reply-to:references:date:message-id:mime-version; bh=pWt/Uazrb1phEqb4/a3oKQK/SopB/ZyTWHItrbbtbHI=; b=d5wztlGJYDeuXHydiBmyeGUg1qNylZB/oYDMiKcn04/3kcMpNzpq5JcfPVUX76SuvA hEDIX+5ORLR4F+udQJV4RnqU9+sGhrJSYwA2iFicqTyHPA5V9D2xxBGbhSoX9tfMi3/q CbX9dJvIUUgA2dp6Vfn7aotmWi8cXs7HhLDjejLWBLhKk5c8yy0WgsZGP3uqid8mh7ix 458iJRMmZSdhPIg+EZpmHYTVz4z6DhCkiGB7uYjvuYtbKbWPfnUMEmmPkI3SW0ZJccik OwyrBcdU99HjHe3b/tywrCSyyN4EKQ75kgybaog77Bk4M1NAqyPXGotQPJlYlXZlFeko cMSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:subject:in-reply-to:references:date :message-id:mime-version; bh=pWt/Uazrb1phEqb4/a3oKQK/SopB/ZyTWHItrbbtbHI=; b=GwXekiGnKq+PRM1j0GkQergarwjNqw5YMjQyINLwPXNoFHZWYstfODEPJy8ii9Jj1j cnEQOBq9bsSmzpS1F4blHPU8oKZhtXQpWN9v/u+89z/cZsvb33bJ3cr4tEAnHD47IJ0b zUlNNpL30tcKJoX0o1FvttiejKN4mzfigBE7OmqB/RAyn3VoPwkMo9HboH0BcB5jFfs2 lKVw/V6Ip2PNmqVu67tBfSnjPBxOx8F9YpwmMpKc9HmyhnzhoJP1QJ083clEq/eeXHl8 gbqSY4/wnCR7q1kj9RxTJaIVpgBVsekcccOGBGfsO6rO573m+9lvB9JRlAdNfReOUaER 5wMw==
X-Gm-Message-State: APjAAAVSshez/DXu8tNHKFgEEqHNIaz95XjzQezEqfSepZ5xbai6gz95 pIhWAliWlxT3iMcFTpByr0w=
X-Google-Smtp-Source: APXvYqzmDVIzXA7CHYRkyQ13waGVh/p+GB2HxXgzbyCZAwwMU649r3qGVjlmwSqpJoLNtdEe/2+APA==
X-Received: by 2002:a1c:7306:: with SMTP id d6mr12411716wmb.40.1552929359827; Mon, 18 Mar 2019 10:15:59 -0700 (PDT)
Received: from localhost ( []) by with ESMTPSA id c10sm10250170wrr.1.2019. (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 18 Mar 2019 10:15:59 -0700 (PDT)
From: Justus Winter <>
To: James Howard <>, "openpgp\" <>
In-Reply-To: <>
References: <> <>
Date: Mon, 18 Mar 2019 18:15:56 +0100
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <>
Subject: Re: [openpgp] Deprecating compression support
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Mar 2019 17:16:03 -0000

James Howard <> writes:

> Hello, long-time lurker, first time caller.  As I read this, this
> morning, I fail to see the advantages.  For instance, let’s look at a
> couple of these issues:
>> Compression makes it impossible to reason about the size of a
>> decrypted message,
> It’s hard not to look at this and say, good!

What I meant here is that the receiver (i.e. not an adversary) cannot
know in advance how big a decrypted message is by looking at the
encrypted message.  This means that the only safe interface for an
OpenPGP library is a streaming one, and this is perceived as difficult
to use, and/or to increase the complexity of implementations.

> The idea of encryption is the hide information and burying information
> about the length of the message can only be an improvement.

However, compress-then-encrypt leaks the entropy of the plaintext, see

>>   - Compression interacts badly with encryption, see e.g. CRIME,
>>     BREACH, and hiding of EFAIL-style CFB gadgets [0].
> I am not sure how valid this is.  For instance, in the paper cited, we
> see the following comments:
> > [F]or OpenPGP, we needed to develop more complex exploit techniques
> > upon malleability gadgets because the data is typically compressed
> > before encryption OpenPGP’s plaintext compression significantly
> > complicates our attack.  The difficulty here is to guess a certain
> > amount of compressed plaintext bytes in order to fully utilize the
> > CFB gadget technique. Not knowing enough compressed plaintext bytes
> > is hardly a countermeasure, but makes practical exploitation a lot
> > harder.

You conveniently left out the very next paragraph, which I will cite

> We show how the compression structure can be exploited to create
> exfiltration channels. Interestingly, with the compression in place,
> we can create exfiltration chan- nels even more precisely and remove
> the random data blocks from the resulting plaintext.

> Then there’s this:
>>   - The downstream application is in a better position to decide whether
>>     and how to compress data that is then encrypted using OpenPGP.
> Now, I will admit to misinterpreting this (I think) and assumed you
> meant compressing after application of PGP.  That’s, of course, silly,

I meant compress-then-encrypt, of course.


PS: Your MUA is terrible, it doesn't preserve quotations.