Re: [openpgp] Deprecating compression support

Justus Winter <justuswinter@gmail.com> Mon, 18 March 2019 17:16 UTC

Return-Path: <justuswinter@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F66F130E00 for <openpgp@ietfa.amsl.com>; Mon, 18 Mar 2019 10:16:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4uwU9RwWvqGF for <openpgp@ietfa.amsl.com>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A8651200D8 for <openpgp@ietf.org>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id z11so5354305wmi.0 for <openpgp@ietf.org>; Mon, 18 Mar 2019 10:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:in-reply-to:references:date:message-id:mime-version; bh=pWt/Uazrb1phEqb4/a3oKQK/SopB/ZyTWHItrbbtbHI=; b=d5wztlGJYDeuXHydiBmyeGUg1qNylZB/oYDMiKcn04/3kcMpNzpq5JcfPVUX76SuvA hEDIX+5ORLR4F+udQJV4RnqU9+sGhrJSYwA2iFicqTyHPA5V9D2xxBGbhSoX9tfMi3/q CbX9dJvIUUgA2dp6Vfn7aotmWi8cXs7HhLDjejLWBLhKk5c8yy0WgsZGP3uqid8mh7ix 458iJRMmZSdhPIg+EZpmHYTVz4z6DhCkiGB7uYjvuYtbKbWPfnUMEmmPkI3SW0ZJccik OwyrBcdU99HjHe3b/tywrCSyyN4EKQ75kgybaog77Bk4M1NAqyPXGotQPJlYlXZlFeko cMSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:in-reply-to:references:date :message-id:mime-version; bh=pWt/Uazrb1phEqb4/a3oKQK/SopB/ZyTWHItrbbtbHI=; b=GwXekiGnKq+PRM1j0GkQergarwjNqw5YMjQyINLwPXNoFHZWYstfODEPJy8ii9Jj1j cnEQOBq9bsSmzpS1F4blHPU8oKZhtXQpWN9v/u+89z/cZsvb33bJ3cr4tEAnHD47IJ0b zUlNNpL30tcKJoX0o1FvttiejKN4mzfigBE7OmqB/RAyn3VoPwkMo9HboH0BcB5jFfs2 lKVw/V6Ip2PNmqVu67tBfSnjPBxOx8F9YpwmMpKc9HmyhnzhoJP1QJ083clEq/eeXHl8 gbqSY4/wnCR7q1kj9RxTJaIVpgBVsekcccOGBGfsO6rO573m+9lvB9JRlAdNfReOUaER 5wMw==
X-Gm-Message-State: APjAAAVSshez/DXu8tNHKFgEEqHNIaz95XjzQezEqfSepZ5xbai6gz95 pIhWAliWlxT3iMcFTpByr0w=
X-Google-Smtp-Source: APXvYqzmDVIzXA7CHYRkyQ13waGVh/p+GB2HxXgzbyCZAwwMU649r3qGVjlmwSqpJoLNtdEe/2+APA==
X-Received: by 2002:a1c:7306:: with SMTP id d6mr12411716wmb.40.1552929359827; Mon, 18 Mar 2019 10:15:59 -0700 (PDT)
Received: from localhost (port-92-193-68-206.dynamic.qsc.de. [92.193.68.206]) by smtp.gmail.com with ESMTPSA id c10sm10250170wrr.1.2019.03.18.10.15.58 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 18 Mar 2019 10:15:59 -0700 (PDT)
From: Justus Winter <justuswinter@gmail.com>
To: James Howard <james.howard@jhu.edu>, "openpgp\@ietf.org" <openpgp@ietf.org>
In-Reply-To: <EF1FF15B-1DDE-4259-93ED-6A2F49809157@jhu.edu>
References: <871s3475dy.fsf@europa.jade-hamburg.de> <EF1FF15B-1DDE-4259-93ED-6A2F49809157@jhu.edu>
Date: Mon, 18 Mar 2019 18:15:56 +0100
Message-ID: <87y35c5cj7.fsf@europa.jade-hamburg.de>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/H17ZYCBYPLRrh7WQcTh6gRIOg2k>
Subject: Re: [openpgp] Deprecating compression support
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 17:16:03 -0000

James Howard <james.howard@jhu.edu> writes:

> Hello, long-time lurker, first time caller.  As I read this, this
> morning, I fail to see the advantages.  For instance, let’s look at a
> couple of these issues:
>
>> Compression makes it impossible to reason about the size of a
>> decrypted message,
>
> It’s hard not to look at this and say, good!

What I meant here is that the receiver (i.e. not an adversary) cannot
know in advance how big a decrypted message is by looking at the
encrypted message.  This means that the only safe interface for an
OpenPGP library is a streaming one, and this is perceived as difficult
to use, and/or to increase the complexity of implementations.

> The idea of encryption is the hide information and burying information
> about the length of the message can only be an improvement.

However, compress-then-encrypt leaks the entropy of the plaintext, see
e.g. CRIME, BREACH.

>>   - Compression interacts badly with encryption, see e.g. CRIME,
>>     BREACH, and hiding of EFAIL-style CFB gadgets [0].
>
> I am not sure how valid this is.  For instance, in the paper cited, we
> see the following comments:
>
> > [F]or OpenPGP, we needed to develop more complex exploit techniques
> > upon malleability gadgets because the data is typically compressed
> > before encryption OpenPGP’s plaintext compression significantly
> > complicates our attack.  The difficulty here is to guess a certain
> > amount of compressed plaintext bytes in order to fully utilize the
> > CFB gadget technique. Not knowing enough compressed plaintext bytes
> > is hardly a countermeasure, but makes practical exploitation a lot
> > harder.

You conveniently left out the very next paragraph, which I will cite
here:

> We show how the compression structure can be exploited to create
> exfiltration channels. Interestingly, with the compression in place,
> we can create exfiltration chan- nels even more precisely and remove
> the random data blocks from the resulting plaintext.


> Then there’s this:
>
>>   - The downstream application is in a better position to decide whether
>>     and how to compress data that is then encrypted using OpenPGP.
>
> Now, I will admit to misinterpreting this (I think) and assumed you
> meant compressing after application of PGP.  That’s, of course, silly,

I meant compress-then-encrypt, of course.

Justus

PS: Your MUA is terrible, it doesn't preserve quotations.