Re: [openpgp] Disabling compression in OpenPGP
Nicholas Cole <nicholas.cole@gmail.com> Thu, 20 March 2014 07:53 UTC
Return-Path: <nicholas.cole@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C36BF1A0674 for <openpgp@ietfa.amsl.com>; Thu, 20 Mar 2014 00:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4
X-Spam-Level:
X-Spam-Status: No, score=-4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3wXQNX5HAJw4 for <openpgp@ietfa.amsl.com>; Thu, 20 Mar 2014 00:53:32 -0700 (PDT)
Received: from mail-ee0-x236.google.com (mail-ee0-x236.google.com [IPv6:2a00:1450:4013:c00::236]) by ietfa.amsl.com (Postfix) with ESMTP id 493C11A066E for <openpgp@ietf.org>; Thu, 20 Mar 2014 00:53:32 -0700 (PDT)
Received: by mail-ee0-f54.google.com with SMTP id d49so314484eek.27 for <openpgp@ietf.org>; Thu, 20 Mar 2014 00:53:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=CtqTsObcUbqp/4pPiC04vCgYY2oFgrrbxMSjRSwts48=; b=r7L4oqufLwaCsc93nkWVhCG/94F0zm6zZ+kgI+N2dUwlqu2xWuxYfn83Frz0G9QL/U CRcowyG+5YXP/Fcd1jFLGMr50zfB4fN2wbFDofxuYTZYfOjqQOu5vhDOtibG91C7sBmN +Qu01BJh/lcmeNa74aGE7WPXurQlysQG3EHhMxgypVVqwvU83IA6/fT2BK874x844w/0 r3BDrWXeO2tg7evbT5iuGe7ZnbdV/08LtbNlfZf9PzpKfcv2RuIIrYjbAWeOAgsf2vQ1 9ud2115IKa6Vu57FTc8HAADe45W9WxamMQMmslE0sqJ2dFljOLhhunz0Ud9e7ZRveVNa qrrA==
MIME-Version: 1.0
X-Received: by 10.15.31.137 with SMTP id y9mr40306798eeu.12.1395302002826; Thu, 20 Mar 2014 00:53:22 -0700 (PDT)
Received: by 10.14.80.135 with HTTP; Thu, 20 Mar 2014 00:53:22 -0700 (PDT)
In-Reply-To: <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com> <CALR0uiL0-Xp8E=F3idtzBkmRNLk7K_M_cqMt+i2HdNqaNkwn=w@mail.gmail.com> <849778F8-1C16-4FF8-A039-6363C158BD1F@callas.org> <20140319204047.GC30999@savin> <DE00E9BD-1D37-4750-B156-BBDC4B59DB7F@callas.org> <CAAS2fgQZPPrdehcs6TxmYikmyyfxOJqAdngaFk5=PcSGEGnejA@mail.gmail.com> <20140319214118.GA17419@savin> <CAAS2fgQotHyN=CFKoWO_aUdP8bhkSixEqSDQcALZ35mG+tk1tA@mail.gmail.com> <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
Date: Thu, 20 Mar 2014 07:53:22 +0000
Message-ID: <CAAu18hc7Ldn4s8nk-d=kcVBQH_PTmdhKMycO6LqUFr1sDUe5yg@mail.gmail.com>
From: Nicholas Cole <nicholas.cole@gmail.com>
To: "openpgp@ietf.org" <openpgp@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/RlkgZtqvd6K1wGBi2Qqnhh9Jjhs
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 07:53:34 -0000
On Wed, Mar 19, 2014 at 10:58 PM, Jon Callas <jon@callas.org> wrote: > > On Mar 19, 2014, at 3:04 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote: > >> It's a very highly surprising failure mode which leaks information >> about the plaintext by encoding it into the size, one which baffels >> otherwise expert users of the sort who would post to the openpgp list >> to exclaim "What's being leaked by compression? Really, I don't get >> it." > > It is! It's a really cool failure mode, and I think you should write it up and submit it to some security conference. > > However, as I said, it's an exception case. It's also an exception case that you didn't explain very well. Let me try to help: > > Zelda is collecting some ballots. The ballots are all text and constant length. The voters, Vernon_i, will each edit the text ballots with their votes, but the resultant ballots will remain constant length. > > If the ballots are encrypted with compression, there may be information leaks because the different patterns of voting in the ballot. In the simplest case where there is only one item on the ballot, it is possible that vote can be discerned despite the raw plaintext being constant length. > > I think I got that more or less right. > > However, there are two workarounds for this: > > 1. Zelda adds a no-compression preference to her key. > 2. The voting system uses the "-z 0" option in a gpg command. > > >> Voting isn't the only case where compression leaks data about the >> plain-text, it's just one where I know that it cause and actual >> compromise, with actual expert users, in actual practice. > > Please give other cases. This discussion reminds me (trivially) of the example of university or job acceptance or rejection letters. In most cases the size of the envelope usually reveals the content of the message, since an acceptance letter will come with all sorts of additional forms etc. There are many cases where the size of the message reveals something about the content, compression or no compression. Less trivially - voting systems online are really hard. I remember that _Applied Cryptography_ devoted a whole chapter to the issue. In this case compression unexpectedly (for the users) added to the message frustrated efforts at secrecy that were based on assumptions about message length. It is worth someone writing up this experience (I can't find any documentation of it online). I think it is a bit of a stretch to say that compression itself is bad. It just happened to be unhelpful in this case. As you note above, Jon, the key used for voting could have had no compression preference and all would have been well. N.
- [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Simon Josefsson
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP David Shaw
- Re: [openpgp] Disabling compression in OpenPGP Andrey Jivsov
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP Florian Weimer
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Nicholas Cole
- Re: [openpgp] Disabling compression in OpenPGP Werner Koch
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Werner Koch
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP Hauke Laging
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell