Re: [openpgp] Disabling compression in OpenPGP

Alfredo Pironti <alfredo.pironti@inria.fr> Wed, 19 March 2014 15:26 UTC

Return-Path: <alfredo@pironti.eu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE3F31A0781 for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 08:26:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5EUWXdUjCnUT for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 08:26:14 -0700 (PDT)
Received: from mail-ob0-x22b.google.com (mail-ob0-x22b.google.com [IPv6:2607:f8b0:4003:c01::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 3DF041A077B for <openpgp@ietf.org>; Wed, 19 Mar 2014 08:26:14 -0700 (PDT)
Received: by mail-ob0-f171.google.com with SMTP id wn1so8303918obc.16 for <openpgp@ietf.org>; Wed, 19 Mar 2014 08:26:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pironti.eu; s=google; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=eypmjrWyRGu6cWHdJw1ODTQJFlAM1WH6VKYAC2SYJXw=; b=YUcykEyyP2W9I+NSDNLTMIe/pe/h80LQN6Hqy87saMOqyd1poVXH0Q0AdZvuUGUWYc /19VJpksFY9tGr6LW3bkeOFEmfQ//SNKSACY+oiWLTavOeXO8IdxHnfNh5LKVBHVONLs 14t1nODhLKTiWPwyj996vfkGKb1L2bMOFrf/A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=eypmjrWyRGu6cWHdJw1ODTQJFlAM1WH6VKYAC2SYJXw=; b=BH4Uf6dJGpFMMNyrSUJN473BCOURYB2zUf6FxE1jI9At1IznVu4dBtvmj+g0IcNXrm zpztGgxIuk7FxPK9z1DHdxBJFBD2iS1ZU+9NQ3rTjEZSIs8Bts63x/1NhOThA34YearN VoHy2INmJZwGfcAnv3hccgZWRBH18e/PWcbL7BrO3gsnTIYdWCZDiYUIdfWb5H2yA+6+ GluAoG5QUlNEvxpLpzf8k19S3TFqtEp+FoG9l6rbNLkKOGauj+w2YMVZ/MZ/T4nxdG/T SqeNhYxvjm06CtPJ+cv3OsQbWey+TMiz1QBupkOKGqyaB51Xw/TUbBa/XA5Vc0lWdxQT sW4Q==
X-Gm-Message-State: ALoCoQnFRcprapnBLERfwYQCJtfVSvtHCmlqpA3R0SpQ0xsGFkIyqyWjDWbByYHYbOmcO/61TNxW
MIME-Version: 1.0
X-Received: by 10.60.246.165 with SMTP id xx5mr618546oec.84.1395242765189; Wed, 19 Mar 2014 08:26:05 -0700 (PDT)
Sender: alfredo@pironti.eu
Received: by 10.76.151.35 with HTTP; Wed, 19 Mar 2014 08:26:05 -0700 (PDT)
X-Originating-IP: [128.93.188.195]
In-Reply-To: <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com>
Date: Wed, 19 Mar 2014 16:26:05 +0100
X-Google-Sender-Auth: rHo3xdJLmUJkCg-HBm6aR1gj3pM
Message-ID: <CALR0uiL0-Xp8E=F3idtzBkmRNLk7K_M_cqMt+i2HdNqaNkwn=w@mail.gmail.com>
From: Alfredo Pironti <alfredo.pironti@inria.fr>
To: David Shaw <dshaw@jabberwocky.com>
Content-Type: multipart/alternative; boundary=001a1136989865ce8704f4f74524
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/Q0qWHBGm6Qt85PSkDupC6ZyEVeQ
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 15:26:17 -0000

On Tue, Mar 18, 2014 at 7:29 PM, David Shaw <dshaw@jabberwocky.com> wrote:

> On Mar 18, 2014, at 12:00 PM, Alfredo Pironti <alfredo.pironti@inria.fr>
> wrote:
>
> > Dear list,
> >
> > It is well known that compressing data before encrypting them leaks much
> about the plaintext [1]. Recently, this has been exploited against the TLS
> protocol in the so-called CRIME attack [2].
> >
> > Looking at RFC 4880, section 2.3, I read
> > “OpenPGP implementations SHOULD compress the message after applying the
> signature but before encryption.”
> > And indeed, gpg faithfully follows the spec by enabling compression by
> default.
> >
> > I have done some preliminary work on password managers that rely on
> OpenPGP (gpg, in fact) to encrypt the passwords. Unsurprisingly, it turns
> out that compressing the password before encrypting it leaks much of the
> password entropy, making dictionary attacks significantly easier to mount.
> (In my preliminary experiments I used a password dictionary containing
> about 4 million passwords. If the attacker knows the original password
> length and its compressed length, then for some combinations of the two the
> candidate dictionary entries can reduce to as few as some hundreds.)
> >
> > I believe similar attacks can be mounted in different contexts where
> OpenPGP is used. Hence, I propose to start discussion to amend RFC 4880 to
> at least discourage (if not forbid) the use of compression.
>
> It is not my intent to make light of your email, but I'm somewhat amused
> as a few years ago there was an attack that could be *avoided* by
> compression.  See https://www.schneier.com/paper-pgp.pdf for the details.
>  Damned if you do, damned if you don't?
>

In that case, compression incidentally thwarted the attack, by inserting
additional packet headers in the encrypted packets, hence letting some
parsing fail when decrypting a chosen ciphertext.

In general, I see two patterns:
- Compression incidentally thwarts some attacks
- Compression fundamentally breaks privacy by leaking plaintext entropy
(see the Wikimedia Foundation case for a quite convincing example)

I would not want to rely on the obfuscation provided by an optional feature
of OpenPGP to ensure secrecy. If a decryption oracle is found, it should be
systematically fixed -- also for users who decide not to use compression.

On the other hand, at least making compression disabled by default would
protect those users who are unaware of the interaction between compression
and encryption. Those who are aware of it could always explicitly enable
compression.

Cheers,
Alfredo


>
> Note that the use of compression in OpenPGP (at least in the public key
> context) is under the control of the recipient.  If a given recipient
> doesn't want compression used on messages to their key, they can set a
> preference reflecting that, and all OpenPGP implementations will not
> compress when encrypting a message to that key.
>
> David
>
>