Re: [openpgp] Disabling compression in OpenPGP

[Alfredo Pironti <alfredo.pironti@inria.fr>]

On Tue, Mar 18, 2014 at 7:29 PM, David Shaw <dshaw@jabberwocky.com> wrote:

> On Mar 18, 2014, at 12:00 PM, Alfredo Pironti <alfredo.pironti@inria.fr>
> wrote:
>
> > Dear list,
> >
> > It is well known that compressing data before encrypting them leaks much
> about the plaintext [1]. Recently, this has been exploited against the TLS
> protocol in the so-called CRIME attack [2].
> >
> > Looking at RFC 4880, section 2.3, I read
> > “OpenPGP implementations SHOULD compress the message after applying the
> signature but before encryption.”
> > And indeed, gpg faithfully follows the spec by enabling compression by
> default.
> >
> > I have done some preliminary work on password managers that rely on
> OpenPGP (gpg, in fact) to encrypt the passwords. Unsurprisingly, it turns
> out that compressing the password before encrypting it leaks much of the
> password entropy, making dictionary attacks significantly easier to mount.
> (In my preliminary experiments I used a password dictionary containing
> about 4 million passwords. If the attacker knows the original password
> length and its compressed length, then for some combinations of the two the
> candidate dictionary entries can reduce to as few as some hundreds.)
> >
> > I believe similar attacks can be mounted in different contexts where
> OpenPGP is used. Hence, I propose to start discussion to amend RFC 4880 to
> at least discourage (if not forbid) the use of compression.
>
> It is not my intent to make light of your email, but I'm somewhat amused
> as a few years ago there was an attack that could be *avoided* by
> compression.  See https://www.schneier.com/paper-pgp.pdf for the details.
>  Damned if you do, damned if you don't?
>

In that case, compression incidentally thwarted the attack, by inserting
additional packet headers in the encrypted packets, hence letting some
parsing fail when decrypting a chosen ciphertext.

In general, I see two patterns:
- Compression incidentally thwarts some attacks
- Compression fundamentally breaks privacy by leaking plaintext entropy
(see the Wikimedia Foundation case for a quite convincing example)

I would not want to rely on the obfuscation provided by an optional feature
of OpenPGP to ensure secrecy. If a decryption oracle is found, it should be
systematically fixed -- also for users who decide not to use compression.

On the other hand, at least making compression disabled by default would
protect those users who are unaware of the interaction between compression
and encryption. Those who are aware of it could always explicitly enable
compression.

Cheers,
Alfredo


>
> Note that the use of compression in OpenPGP (at least in the public key
> context) is under the control of the recipient.  If a given recipient
> doesn't want compression used on messages to their key, they can set a
> preference reflecting that, and all OpenPGP implementations will not
> compress when encrypting a message to that key.
>
> David
>
>