Re: [openpgp] Disabling compression in OpenPGP

[Jon Callas <jon@callas.org>]

On Mar 19, 2014, at 3:04 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:

> It's a very highly surprising failure mode which leaks information
> about the plaintext by encoding it into the size, one which baffels
> otherwise expert users of the sort who would post to the openpgp list
> to exclaim "What's being leaked by compression? Really, I don't get
> it."

It is! It's a really cool failure mode, and I think you should write it up and submit it to some security conference.

However, as I said, it's an exception case. It's also an exception case that you didn't explain very well. Let me try to help:

Zelda is collecting some ballots. The ballots are all text and constant length. The voters, Vernon_i, will each edit the text ballots with their votes, but the resultant ballots will remain constant length.

If the ballots are encrypted with compression, there may be information leaks because the different patterns of voting in the ballot. In the simplest case where there is only one item on the ballot, it is possible that vote can be discerned despite the raw plaintext being constant length.

I think I got that more or less right.

However, there are two workarounds for this:

1. Zelda adds a no-compression preference to her key.
2. The voting system uses the "-z 0" option in a gpg command.


> Voting isn't the only case where compression leaks data about the
> plain-text, it's just one where I know that it cause and actual
> compromise, with actual expert users, in actual practice.

Please give other cases.

In the usual case, Alice sends a free-form message to a set of recipients. There's no leak in this case.

> 
> There are a great many people who use gpg to encrypt a small number of
> control messages (e.g. for updating route registries and such) where
> compression can leak information about the content.

You're stretching it here. If those messages vary in length, there's not much of a leak. In many cases, the real thing you're doing is *signing* the control messages; in the specific example you give (route registries) the actual content of the message may not even be secret. But I know I'm quibbling.

The workarounds here are:

1. Add a no-compression flag to the receiving key.
2. Add "-z 0" to the command line that generates those messages.

>> However, there are still many people who consider default compression a feature and *rely* on it for their system.
> 
> Care to elaborate on how they rely on it? That seems highly suspect to me.
> 

tar -c source-tree | gpg key >source-tree.pgp.gz

This is also what at PGP Corp we called a "PGP Zip" file, which was implemented as a PGP encrypted tarball. It's done all the time in back-end systems, and very likely the second largest use of PGP, where signing files is the most. It's a really useful idiom.

You're asking for a change to the standard. You're not really doing that, even. You're asking for a change to the default behavior to software that's been around for 20+ years because you have a wonderful edge condition, for which there are not only per-message but per-key workarounds.

I'm really sorry your ballots got spoiled. But you can fix that with zero changes to software nor protocol. 

	Jon