Re: [openpgp] Disabling compression in OpenPGP

Alfredo Pironti <alfredo.pironti@inria.fr> Tue, 18 March 2014 18:09 UTC

Return-Path: <alfredo@pironti.eu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF911A074D for <openpgp@ietfa.amsl.com>; Tue, 18 Mar 2014 11:09:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NyA4g64LAqZu for <openpgp@ietfa.amsl.com>; Tue, 18 Mar 2014 11:08:50 -0700 (PDT)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id A2EEA1A0757 for <openpgp@ietf.org>; Tue, 18 Mar 2014 11:08:03 -0700 (PDT)
Received: by mail-ob0-f174.google.com with SMTP id wo20so7243379obc.19 for <openpgp@ietf.org>; Tue, 18 Mar 2014 11:07:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pironti.eu; s=google; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=g1lvzgqcRo0UoZkceWoV4LgQJ5zmkepKk+isQAtyaCY=; b=hCOBH4TXt1gb2oBoKedGQvRFL3j28ORbwufrC8f2AYOWkzLEHrgNKXQz4/ieH1Qj0N H28lgTpAv0G7sNjSCnCJoBci9sM1h+LEVsJovbE+k9/O7FmUE2OBNaGsgg58yDcy9xW1 IIdWWZDmG3J+1gAlWejTLpPc4jsb843GJhgq4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=g1lvzgqcRo0UoZkceWoV4LgQJ5zmkepKk+isQAtyaCY=; b=QRkiWC7QLgRICIJPUDp7QnIKvafhmGueM9deIZRa/dpY5vdWpf9W/pV10kIsyESKhk 5i+TNommboPP5muRnBoQnHPTcVwpYvsUuO3QqYKcHK4KW0lIOARI+4dAmH2BZM3S22a4 ZZqLeK4uGcPu+TDreKAJ/KNjnLZVLG0i/jOsYmKGmXvMrw5RUnE+VxGZQzx0xr1Sd7h8 vGeRxHE1aOHJQk8Thdy2LCRePK2pXRcb/LAhBdEg+c3VliWXaNqSfOtZgF7kuf9Yrkgz g0bzCxyFl/peKZE973elomRWTeyxpXWZGtKwFmYy7Okz6OUfxKt2zXyRRwylbyG8r428 d68Q==
X-Gm-Message-State: ALoCoQmA7wZCWQPMdoNfHI8m9ZNokeabdFt9qz8jzXTNU8l887q94+kn88dOhBEzotMzJmsRd0ca
MIME-Version: 1.0
X-Received: by 10.182.102.134 with SMTP id fo6mr25298019obb.10.1395166075008; Tue, 18 Mar 2014 11:07:55 -0700 (PDT)
Sender: alfredo@pironti.eu
Received: by 10.76.151.35 with HTTP; Tue, 18 Mar 2014 11:07:54 -0700 (PDT)
X-Originating-IP: [128.93.161.197]
In-Reply-To: <87wqfre9lz.fsf@latte.josefsson.org>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <CAAS2fgS6_-4S4b-Dg2XeZdQjLUOx6=XQMmz53R53kyK_U+D_Pw@mail.gmail.com> <87wqfre9lz.fsf@latte.josefsson.org>
Date: Tue, 18 Mar 2014 19:07:54 +0100
X-Google-Sender-Auth: 2JCrMSnNF-ckJBsTn_CidDec6ws
Message-ID: <CALR0uiK-vOAC5kbMewMnhv5+C330=KVhvHoV=3dR2bPTSTd6DA@mail.gmail.com>
From: Alfredo Pironti <alfredo.pironti@inria.fr>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: multipart/alternative; boundary=089e0149c3804dced004f4e56a17
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/cfOAhtkt0hB2gfEMsDlHsJczT9Q
Cc: Gregory Maxwell <gmaxwell@gmail.com>, openpgp@ietf.org
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 18:09:19 -0000

On Tue, Mar 18, 2014 at 5:48 PM, Simon Josefsson <simon@josefsson.org>wrote;wrote:

> Gregory Maxwell <gmaxwell@gmail.com> writes:
>
> > On Tue, Mar 18, 2014 at 9:00 AM, Alfredo Pironti
> > <alfredo.pironti@inria.fr> wrote:
> >> I believe similar attacks can be mounted in different contexts where
> OpenPGP
> >> is used. Hence, I propose to start discussion to amend RFC 4880 to at
> least
> >> discourage (if not forbid) the use of compression.
> >
> > OpenPGP compression (well, the unawareness there-of) compromised the
> privacy
> > of the Wikimedia Foundation board election a couple years ago.  Users
> publically
> > submitted ballots encrypted to the election officials, the ballots
> > were constant length
> > but the compression trivially revealed information about their content.
> >
> > If it isn't disabled it may be useful to quantize the size somewhat
> > for a minor overhead
> > in order to reduce the information leak somewhat.
>

Deterministic quantization may do in principle, but it seems to me harder
to deploy than just disabling compression, because of backward
compatibility issues and unpredictable compression ratio.

Looking at TLS, in practice compression has been disabled everywhere (with
a proposal of completely removing it in TLS 1.3), and it seems not have had
particularly negative effects.


>
> TLS allow implementations to randomly pad messages to mitigate these
> attacks, could something similar be what OpenPGP needs?
>

I'd refrain to use random padding, because it does not protect against
repeated sampling: if you encrypt the same plaintext (say, a password) over
and over, the shortest encrypted message will soon give you a hint of the
plaintext length [1].

Alfredo


>
> /Simon
>

[1] http://hal.inria.fr/hal-00732449