Re: [openpgp] Disabling compression in OpenPGP

Alfredo Pironti <alfredo.pironti@inria.fr> Wed, 19 March 2014 17:19 UTC

Return-Path: <alfredo@pironti.eu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8B571A070D for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 10:19:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ClzXXuIGVMu for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 10:19:34 -0700 (PDT)
Received: from mail-oa0-x236.google.com (mail-oa0-x236.google.com [IPv6:2607:f8b0:4003:c02::236]) by ietfa.amsl.com (Postfix) with ESMTP id 536E21A073B for <openpgp@ietf.org>; Wed, 19 Mar 2014 10:19:33 -0700 (PDT)
Received: by mail-oa0-f54.google.com with SMTP id n16so8616458oag.41 for <openpgp@ietf.org>; Wed, 19 Mar 2014 10:19:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pironti.eu; s=google; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=luNKqtypSVtyVBR7O29ojxzaKczgvfrAYeavK0EJQgI=; b=UiC0PRCrIE3ot31Ch+27iBO2guwZ6w+IQ356sySSYu98jojvw5LNi7JUbOSvNp1KNl YDTvadlPsSMqOfm4jvr9YZONDTQJmt8kieDeGJWVA0IDmPGXmT2Ah06e+ZVhIwjrRNvw XKecUcoOqSmvyKlfG4uQOHhrX/tRTI8+bN9yE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=luNKqtypSVtyVBR7O29ojxzaKczgvfrAYeavK0EJQgI=; b=Z7gV4e94xLImtxxmf30AsWUlLOSFIeSleIi503cZHl4M4uXpWgX+nZ5CK75cAdyh7Z D+HWfE4/Co9YrfIde7Lz4c2guodIaXpSph0GRR9v1iKZmuj1UbZ1DWS4Elz9zkKz26/q p/hQ1A9c9dBdg12WvbGL+sQeOCYagDUjlLhEHKrs4TuWbd+SZxBarClQ4mg+gbKSgnV7 ldBzVfa6oYE+VGshfkLkIkDZ20QCBvIFyyYpXZ2/YkkHW87B/CFJ1kpMb6+3EhtpZxzi Yx30xpmMVPqEpMSAUTEvBFFXZfUXHCx9GZfqX8LylPqs8eJ/onMTpQkdK2PAZ16maCzD Jm1g==
X-Gm-Message-State: ALoCoQnqcLxtwRTtCE5bW2toTIEvUkxJKCT8otT5pTKS/p13Z8GOtpxoxDK5BcLEpwqD2aC17Ejq
MIME-Version: 1.0
X-Received: by 10.182.28.7 with SMTP id x7mr3012976obg.43.1395249565042; Wed, 19 Mar 2014 10:19:25 -0700 (PDT)
Sender: alfredo@pironti.eu
Received: by 10.76.151.35 with HTTP; Wed, 19 Mar 2014 10:19:24 -0700 (PDT)
X-Originating-IP: [128.93.188.195]
In-Reply-To: <849778F8-1C16-4FF8-A039-6363C158BD1F@callas.org>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com> <CALR0uiL0-Xp8E=F3idtzBkmRNLk7K_M_cqMt+i2HdNqaNkwn=w@mail.gmail.com> <849778F8-1C16-4FF8-A039-6363C158BD1F@callas.org>
Date: Wed, 19 Mar 2014 18:19:24 +0100
X-Google-Sender-Auth: dS5U-mreaYNFe2suWe5zWa7b8aw
Message-ID: <CALR0uiLnp7znY138vbVajLwTuXapKA+igo8XBegHmxi7PZJSzQ@mail.gmail.com>
From: Alfredo Pironti <alfredo.pironti@inria.fr>
To: Jon Callas <jon@callas.org>
Content-Type: multipart/alternative; boundary=089e015380bab3a6c904f4f8da0f
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/nXvj2947Y0VsqAUpcB6NVTaMqhs
Cc: David Shaw <dshaw@jabberwocky.com>, openpgp@ietf.org
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 17:19:38 -0000

On Wed, Mar 19, 2014 at 5:43 PM, Jon Callas <jon@callas.org> wrote:

> >
> > In general, I see two patterns:
> > - Compression incidentally thwarts some attacks
> > - Compression fundamentally breaks privacy by leaking plaintext entropy
> (see the Wikimedia Foundation case for a quite convincing example)
>
>
> In general, compression does the opposite of your second bullet. It
> *protects* privacy by taking things that are typically not pseudo-random
> (what you're calling entropic) -- e.g. text -- into something that is
> highly pseudo-random.
>

Just to clarify, I was talking in terms of the length side-channel entailed
by compression. If the attacker knows the uncompressed plaintext length,
and can measure the compressed ciphertext length, then some information
about the uncompressed plaintext content is leaked.

It may be not common, but it seems to me that this attacker model is well
within the scope of OpenPGP.


>
> In specific cases, *flaws* in this conversion when combined with an
> interactive protocol can lead to an attack that is in general, not
> applicable to a non-interactive protocol with large amounts of compressed
> data.
>
> But in general, this benefits the defender, as the attacker has no idea
> what the *actual* plaintext is (the compressed data) unless they know the
> base plaintext is, and small inaccuracies in the attackers guess lead to
> large differences.
>
> Of course, I could be wrong. I offered an outline for research where you
> could come up with some results that would be impressive. Why not do some
> work on it?
>
>         Jon
>
>
>