Re: [openpgp] Disabling compression in OpenPGP

Peter Todd <pete@petertodd.org> Wed, 19 March 2014 23:12 UTC

Return-Path: <pete@petertodd.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEE991A07DF for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 16:12:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HJDUgAExlxIQ for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 16:12:55 -0700 (PDT)
Received: from outmail149101.authsmtp.com (outmail149101.authsmtp.com [62.13.149.101]) by ietfa.amsl.com (Postfix) with ESMTP id A10551A07DB for <openpgp@ietf.org>; Wed, 19 Mar 2014 16:12:54 -0700 (PDT)
Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235]) by punt15.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s2JNCCQt044083; Wed, 19 Mar 2014 23:12:12 GMT
Received: from savin (76-10-178-109.dsl.teksavvy.com [76.10.178.109]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s2JNC8tQ041662 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 19 Mar 2014 23:12:10 GMT
Date: Wed, 19 Mar 2014 19:12:30 -0400
From: Peter Todd <pete@petertodd.org>
To: Jon Callas <jon@callas.org>
Message-ID: <20140319231230.GA10573@savin>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com> <CALR0uiL0-Xp8E=F3idtzBkmRNLk7K_M_cqMt+i2HdNqaNkwn=w@mail.gmail.com> <849778F8-1C16-4FF8-A039-6363C158BD1F@callas.org> <20140319204047.GC30999@savin> <DE00E9BD-1D37-4750-B156-BBDC4B59DB7F@callas.org> <CAAS2fgQZPPrdehcs6TxmYikmyyfxOJqAdngaFk5=PcSGEGnejA@mail.gmail.com> <20140319214118.GA17419@savin> <CAAS2fgQotHyN=CFKoWO_aUdP8bhkSixEqSDQcALZ35mG+tk1tA@mail.gmail.com> <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="2oS5YaxWCcQjTEyO"
Content-Disposition: inline
In-Reply-To: <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Server-Quench: e671c915-afbb-11e3-b802-002590a15da7
X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aQdMdwsUFVQGAgsB AmIbWVdeUV97WGI7 bAxPbAVDY01GQQRq WVdMSlVNFUsrA2Z/ dRZaMxl2dgNAejBx bUBhXD4OWkN7Jk98 R1MFQz9UeGZhPWMC AkhYdR5UcAFPdx8U a1UrBXRDAzANdhE/ BwI1Jz8pCH1zKT9c SAUMK11aSkEOBiQx XAsDGjNnHEtNYD0+ KSQJEjYB
X-Authentic-SMTP: 61633532353630.1023:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 76.10.178.109/587
X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system.
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/ZWZADxXnNz6dVAFRU7Ik1FRQOQg
Cc: Gregory Maxwell <gmaxwell@gmail.com>, "openpgp@ietf.org OpenPGP" <openpgp@ietf.org>
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 23:12:57 -0000

On Wed, Mar 19, 2014 at 03:58:50PM -0700, Jon Callas wrote:
>> It is! It's a really cool failure mode, and I think you should write it up and submit it to some security conference.
> 
> However, as I said, it's an exception case. It's also an exception case that you didn't explain very well. Let me try to help:
> 
> Zelda is collecting some ballots. The ballots are all text and constant length. The voters, Vernon_i, will each edit the text ballots with their votes, but the resultant ballots will remain constant length.
> 
> If the ballots are encrypted with compression, there may be information leaks because the different patterns of voting in the ballot. In the simplest case where there is only one item on the ballot, it is possible that vote can be discerned despite the raw plaintext being constant length.
> 
> I think I got that more or less right.
> 
> However, there are two workarounds for this:
> 
> 1. Zelda adds a no-compression preference to her key.
> 2. The voting system uses the "-z 0" option in a gpg command.

I don't want a workaround; I want default behavior that is reasonably
safe for users. Removing default compression is a step forward in that
regard.

> >> However, there are still many people who consider default compression a feature and *rely* on it for their system.
> > 
> > Care to elaborate on how they rely on it? That seems highly suspect to me.
> > 
> 
> tar -c source-tree | gpg key >source-tree.pgp.gz
> 
> This is also what at PGP Corp we called a "PGP Zip" file, which was implemented as a PGP encrypted tarball. It's done all the time in back-end systems, and very likely the second largest use of PGP, where signing files is the most. It's a really useful idiom.
> 
> You're asking for a change to the standard. You're not really doing that, even. You're asking for a change to the default behavior to software that's been around for 20+ years because you have a wonderful edge condition, for which there are not only per-message but per-key workarounds.
> 
> I'm really sorry your ballots got spoiled. But you can fix that with zero changes to software nor protocol. 

Your example isn't much of a failure; the tarball will end up maybe 2x
larger than it should have been, someone might investigate, and they'll
change the command to:

   tar -c source-tree | gzip | gpg key >source-tree.pgp.gz

or something. This is a *very* low-consequence failure mode.

-- 
'peter'[:-1]@petertodd.org
00000000000000004ec562299f1cd08a38fdea8f0d612fce3923203df379c0b3