IETF Logo Mail Archive

Re: [openpgp] Deprecating compression support

James Howard <james.howard@jhu.edu> Mon, 18 March 2019 16:35 UTC

Return-Path: <prvs=9739a0164=james.howard@jhu.edu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A009F131132 for <openpgp@ietfa.amsl.com>; Mon, 18 Mar 2019 09:35:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jhu.edu header.b=Nd4fppTJ; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=livejohnshopkins.onmicrosoft.com header.b=tvUtnmyH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYirhcjnZ_Le for <openpgp@ietfa.amsl.com>; Mon, 18 Mar 2019 09:35:01 -0700 (PDT)
Received: from IronEB2.johnshopkins.edu (ironeb2.johnshopkins.edu [162.129.199.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9D7A12788D for <openpgp@ietf.org>; Mon, 18 Mar 2019 09:35:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=jhu.edu; i=@jhu.edu; q=dns/txt; s=jhuiron; t=1552926900; x=1584462900; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=wCjN7Fy+d1w70mcjAJ8T7pVaNNuHuCgGwG1nFE9uhrc=; b=Nd4fppTJtJUOj68PI7AYc20glB9G7orbIYsDaIA1sAukKSPO7oc0AJGR 8Y3AE2I6DAIUUGcwLyCeIIgN2Glz9sOBIboG8hMKIjFIKZodRB+HMOSlE DBIOC7iBggmljmWAknD3DJh9cL0l79SMdMHRtgSfCnNPNtzB5KQsUYxge I=;
IronPort-Data: A9a23:82UxkqlYoRaWlAqfhbNAGRbo5mJPLRPurspz2KjqYX0GODweGkDUK9 VKMmPbWsuDV1oV6QSLyJhcZif/2+qciVDsxsaQcR9ItoljS4ByFsBD0UmzmTiUKgh9uTmjkg 6RwAkUEqIS07r0afPof9burtn/fgIKtY703SKUtWXAp8Aw747ILhQ0ybIJ3FYeJrDkro0fzH eG6QmB0ecraMFz/dUOIeCvKgP9YEZiVlrrnfAdZlY1G2rdw/4RQ/+AkaMYPCb48eNrKC1Lmq 6uOZEO2ZZTpJwPOV4MjBBh009L8c8OHEEnd5NWzAfqC3kEwCYxijJQ3dmtCK+gStYfyK/SE3 7bWZWBTLJ2roTu67DzDtT3dLV0t6l8Azc8pmoag5K7aAOAt0TIIgNtii7xqDWFQHhl8Q+mRJ YDFrAclKYU9fWovTDaCSiYAFReK7SDIOyN6zW2lmed5Ssbj2cSf0FXz8AtQThWar86wW0c7H HVW2xvA+NWn9XCdpt2pRg+CcQAUqwa87kKHh6fIGKlhQQEMUBiocPoiJzNOaSu2vE01hVVC4 SBJxFKh3WVUdvvcIuOl117LgmBbYCq0+KRboOoMfiPguE7e/8S1C253bw1laIY5QBXADny5f XhU39By5yEfrby8kGXdnqQs6oKprF2nbT9+1bA6h9RP9hgA1hgzjT3KFDaktPsMOAR1fZnZw ArKGj6oGBDh1ZysPfAutg5ONtXQLoWI65bRVeAP583Kmp+XJTDOZTQ3lMFxU9GpHF3Z0b+D0 mDLBoQBjPlm3shOrwMt74gh2dX6xq8Ax3a/6JB3s4WJbhxUkFAOblCaTxp54A2WoTbKdmYoC Ew7NKAS49WVyyfVNyyZ++clB5xNQKlZr+uBC3KVSoKUzgRXKm07BL/18bpWuJqArWHivBy1q dk1NK/tIbtpJL1R/JD/Q5N48+cTlR/qOPYcK54d2xUKABW6NVfra5Rtt8/zBPMV6JuggzOx1 XU3kmpRJn2spnZJuIlU7WmRlBPuwnPYB5BimnTYENklTfHTIvmm/vpIelX6MBpr6djA1wHuu TzWur7xXOU+c8bzBOIO+DD4cJo0o/6cHZpDIUi1aVkDfCN6WrIaoCdAB2mKAi5Cg9sTnZAvG Ovntgyc0UmMWuqQW0=
IronPort-PHdr: 9a23:fSl2Lx+ts5gsZf9uRHKM819IXTAuvvDOBiVQ1KB+0+4UIJqq85mqBk HD//Il1AaPAdyDraodw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHc BFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze+/94DPbwlSmDaxfK55IQ mrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVr NYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDtU7s6RSqt4L tqSB/wiScIKTg58H3MisdtiK5XuQ+tqwBjz4LRZoyeKfhwcb7Hfd4CRWRPQNtfVzBPDI2/YY sADeQOPedEoIbyvFYOogeyBQy2Ce/z0DJFhHn71rA63eQ7FgHG2RQtEdYUv3TRstr1L7oZX+ KyzKjG1zrDde5Z0ir65YjKaB8hpO+DXalqfcrRzkkuGRnKjk+NpoH+PTOV1vkNv3KF4OV9SO KikmgqoBx/rDiow8cjkIjJhoQNx1/a+yV22oc1JdmiREFmf9GoCIdfuDucN4tqXMwiWXpnuD sgyrwGo5K0ZjQFxI4hxx/ec/CHcpaH4g7tVOqLJjd4nn1ldbSijBix6Uit0vDwWtWu3FpXrS dJj8PAum4N2hDJ98SKRPlw8l+g1DuBzQzf9O9JLEAumabGKZMt3KQ8mocSvEjdBiP2llv5ga yKekgh/+Wn9+Tqbqnoq5KZKoN4lg/+Prgrl8G8H+g4PBQBUm2Z9Om9yLHu/Uv0S6hQgPIsiK nWqpXaKNwepq6+HgBazJ4u6w26Dze6yNQYmmQHLE5ddBKHkYfpP1bOLej3A/miglqilyllyP DJMLLgHJnBNHbCkLbnfbpn8UFT1RA/zdJf55JJEL0OPu/8WlLpuNzZCB82LRC0zv76BNlhzI 8SRGGCDrKDPK/MsVKE/P8jLueOaYMNvTbyMfkl5/rgjX8jnl8deLGk3ZkNZ3C9APtmOF+VYX rrgtYPC2gKpBcxQffoiF2CTD5ffWi9UL8h5j0jEoKpEZ/DRpyxgLyGxCq7GYVWaX5AClCUHn fob56JW/YSZyKOLM9tiDsEVaKuS4U5zxGhqBf6y6Z7LurT4iAYt4/j1MNp5+3OjhEz+z10D8 KB026TVWF5hWwIRzos06B+pUxx0EuM0a99g68QKdsGxe5SThohfaHdyfB3EZimWB/aYsqSV1 egXti8KT40R9M1hdQJZhA5U5+llh3FxyWyK74Yi7LNA4Y7uOqI2GD8Id5y017H2bUvyV48TZ 0cG3ehg/td/g3eHMbplFqQjariIaYV2SPWsmeE0mOUsGlaUBM2XKnYCyNMLnDKpMj0sxuRB4 SlDq4qZ04YkZbYcPlDd8HpgFNaRfzqJNXZZSerlnytAQqTmOjed5LkLmMa2iiVSFMJlQwe5z 6nDUA/HW/gxgCWFzlyDRTqakLo//N5rSa5R0o51EeKaFJozbad+B4Iw/GQVqBb0w==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2EnAABex49c/4kZtQpjGgEBAQEBAgEBAQEHAgEBAQGBZYEPL1BrdAQyCoQBg0qPKoIyJYNbgjuDHI1RglIDGBclAQcBAwEYAQoJAoN4RgIghF04EgEBAwEBAQgBAQEBAgEBAmkcDII6KQEUMRw5BQEBAQEBASYBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBBQIUJAwSAQEYAQEBAQECAQEQERoDAQEsDA8CAQgRAwECKwICAh8GCx0IAgQBEg4UgwABgV0DFQECDJ5aikJxgS+CeAEBBXSBU4I+DQtAAQeBPQcICQGBJQGBSIMThAuCLHKBAj+BOAwTgkyCV0cBAQEBX4EgDYJdMYImiEKBcY1xi381BwKCRwSCFoIJBiNIhAKECYNRB4F8W4hfhGGDQIsHhXiBNogIg0UCBAIEBQIVgTUpIoFWMxolTioBgkEJIgERgU0JAxeDSzOETBWFP0AyTVuHOgGBHgEB
X-IPAS-Result: A2EnAABex49c/4kZtQpjGgEBAQEBAgEBAQEHAgEBAQGBZYEPL1BrdAQyCoQBg0qPKoIyJYNbgjuDHI1RglIDGBclAQcBAwEYAQoJAoN4RgIghF04EgEBAwEBAQgBAQEBAgEBAmkcDII6KQEUMRw5BQEBAQEBASYBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBBQIUJAwSAQEYAQEBAQECAQEQERoDAQEsDA8CAQgRAwECKwICAh8GCx0IAgQBEg4UgwABgV0DFQECDJ5aikJxgS+CeAEBBXSBU4I+DQtAAQeBPQcICQGBJQGBSIMThAuCLHKBAj+BOAwTgkyCV0cBAQEBX4EgDYJdMYImiEKBcY1xi381BwKCRwSCFoIJBiNIhAKECYNRB4F8W4hfhGGDQIsHhXiBNogIg0UCBAIEBQIVgTUpIoFWMxolTioBgkEJIgERgU0JAxeDSzOETBWFP0AyTVuHOgGBHgEB
X-IronPort-AV: E=Sophos;i="5.58,494,1544504400"; d="xml'?xlsx'72,48?scan'72,48,208,72,48,217?p7s'72,48,208,72,48,217?rels'72,48,208,72,48,217"; a="175109357"
X-Amp-Result: UNKNOWN(File analysis pending)
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: True
Received: from esgmtwex2.win.ad.jhu.edu ([10.181.25.137]) by IronEB2.johnshopkins.edu with ESMTP/TLS/AES256-SHA; 18 Mar 2019 12:34:58 -0400
Received: from ESGMTWEX14.win.ad.jhu.edu (10.181.25.248) by ESGMTWEX2.win.ad.jhu.edu (10.181.25.137) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 18 Mar 2019 12:34:57 -0400
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (10.173.97.201) by ESGMTWEX14.win.ad.jhu.edu (10.181.25.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 18 Mar 2019 12:34:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=livejohnshopkins.onmicrosoft.com; s=selector1-jhu-edu; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Wf2yF6Trv3UQVNhIzve95s8yDeCvuYChrDMHf0FGixg=; b=tvUtnmyHhdLb7gPfOoGQeo0J9avQADa/Xa2NY/fywm2O+hpQR2UX/mrbLfQYJMJRI7myNcBRPMkNUKpad/6disgjV3fWtC8hf65mQUuCAQevgSKEx661B9jw1Q+RRusYgwhZFe/7++XvsvaEyUKCzK1Cgj6+Ch8Fdo7JeRJdpxw=
Received: from BN7PR01MB3681.prod.exchangelabs.com (52.132.7.12) by BN7PR01MB3651.prod.exchangelabs.com (52.132.6.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.14; Mon, 18 Mar 2019 16:34:56 +0000
Received: from BN7PR01MB3681.prod.exchangelabs.com ([fe80::c503:10f0:82fc:7605]) by BN7PR01MB3681.prod.exchangelabs.com ([fe80::c503:10f0:82fc:7605%3]) with mapi id 15.20.1709.015; Mon, 18 Mar 2019 16:34:56 +0000
From: James Howard <james.howard@jhu.edu>
To: Justus Winter <justuswinter@gmail.com>, "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [openpgp] Deprecating compression support
Thread-Index: AQHU3Z6G5c/V3W/7AkK6JS/ITr/vBqYRUrwA
Date: Mon, 18 Mar 2019 16:34:55 +0000
Message-ID: <EF1FF15B-1DDE-4259-93ED-6A2F49809157@jhu.edu>
References: <871s3475dy.fsf@europa.jade-hamburg.de>
In-Reply-To: <871s3475dy.fsf@europa.jade-hamburg.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.18.0.190313
authentication-results: spf=none (sender IP is ) smtp.mailfrom=james.howard@jhu.edu;
x-originating-ip: [63.235.172.162]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 553814b9-24b8-485e-4917-08d6abbfa7b4
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN7PR01MB3651;
x-ms-traffictypediagnostic: BN7PR01MB3651:
x-microsoft-antispam-prvs: <BN7PR01MB3651BBCE731E1D5A55069C1E8E470@BN7PR01MB3651.prod.exchangelabs.com>
x-forefront-prvs: 098076C36C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(346002)(39860400002)(376002)(366004)(396003)(189003)(199004)(110136005)(81156014)(71190400001)(3846002)(966005)(6116002)(81166006)(5024004)(256004)(14454004)(71200400001)(53936002)(5660300002)(606006)(88552002)(82746002)(97736004)(786003)(14444005)(8676002)(58126008)(105586002)(316002)(83716004)(106356001)(7066003)(86362001)(44832011)(2501003)(2616005)(75432002)(6306002)(476003)(54896002)(99286004)(446003)(26005)(6512007)(478600001)(2906002)(6486002)(99936001)(66066001)(236005)(25786009)(68736007)(102836004)(6246003)(6436002)(561944003)(36756003)(76176011)(6506007)(53546011)(7736002)(486006)(11346002)(33656002)(229853002)(186003)(8936002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN7PR01MB3651; H:BN7PR01MB3681.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: DWuYVn1QezCgKUGWmI5ZY9MTIPXaSQ5snxZrGzwGUMc/KR9XiuCdt/2Mk3cbGoG7clkKsSfAb0/jgsOXmAn8sIXiE/s8Etqdamnq9IBnAPI+Iq3yV5Ds/179jfv5rbk44PAp7fTcbzdZVo8vLbQe8EK3UmPNtgcdSYCCb6UGdL+VIOFqCnRU5vniOG8vld3qkcemoVGJarg2W0dauI/oFy5YL1srIJfFmbFwvypS5q6S8PIpIf5+AOR1aBeQwEskeAYLt0HGVyCQfIw5PBaK9Kcd32NZIe1x/g3GUTl8gfTzxTg3u6pPIWTRIiq9gWs+A9wEwMlvzdnwZnUi1tu3x5p+BcDUr/utDnigbV2jgkDD5GUd6kDrNRpb9cn6VNUOVyxCiaSH3dyFyeFKGD7pb3HXL7J1G5mgRnc/sqKQRoY=
Content-type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3635757295_781967524"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 553814b9-24b8-485e-4917-08d6abbfa7b4
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2019 16:34:55.9266 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9fa4f438-b1e6-473b-803f-86f8aedf0dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR01MB3651
X-OriginatorOrg: jhu.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/pfgBIZatuA_rhSMXe-mgarr-Uf0>
Subject: Re: [openpgp] Deprecating compression support
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 16:43:26 -0000

Hello, long-time lurker, first time caller.  As I read this, this morning, I fail to see the advantages.  For instance, let’s look at a couple of these issues:

 

Compression makes it impossible to reason about the size of a

decrypted message,

 

It’s hard not to look at this and say, good!  The idea of encryption is the hide information and burying information about the length of the message can only be an improvement.

 

  - Compression interacts badly with encryption, see e.g. CRIME,

    BREACH, and hiding of EFAIL-style CFB gadgets [0].

 

I am not sure how valid this is.  For instance, in the paper cited, we see the following comments:

 
[F]or OpenPGP, we needed to develop more complex exploit techniques upon malleability gadgets because the data is typically compressed before encryption
OpenPGP’s plaintext compression significantly complicates our attack.
The difficulty here is to guess a certain amount of compressed plaintext bytes in order to fully utilize the CFB gadget technique. Not knowing enough compressed plaintext bytes is hardly a countermeasure, but makes practical exploitation a lot harder.
 

The problems described in the paper are not compression, but rather the sender drops known plaintext right into the start of the stream.  I mean, it’s not rocket science and in the, e.g., Facebook example, it could be addressed by adding a nonce string to the start of the message.  There are certain streams of thought which have advocated this for years, anyway.  

 

Then there’s this:

 

  - The downstream application is in a better position to decide whether

    and how to compress data that is then encrypted using OpenPGP.

 

Now, I will admit to misinterpreting this (I think) and assumed you meant compressing after application of PGP.  That’s, of course, silly, but since I did the work of showing AES cyphertext to be basically incompressible, I will send it out, anyway.  See the attached Excel spreadsheet for results of pre/post-encryption compression on the Canterbury Corpus.  Nothing here surprising, but data is good!

 

—James

 

From: openpgp <openpgp-bounces@ietf.org> on behalf of Justus Winter <justuswinter@gmail.com>
Date: Monday, March 18, 2019 at 11:25
To: <openpgp@ietf.org>
Subject: [openpgp] Deprecating compression support

 

Hello,

 

I propose to deprecate compression support in OpenPGP.  The reasons

for this are:

 

  - Compression makes it impossible to reason about the size of a

    decrypted message, requiring the use of a streaming interface even

    for seemingly small messages, e.g. emails.  Experience has shown

    that downstream users struggle with the correct use of streaming

    interfaces.

 

  - Compression allows the construction of quines.

 

  - Compression interacts badly with encryption, see e.g. CRIME,

    BREACH, and hiding of EFAIL-style CFB gadgets [0].

 

  - The downstream application is in a better position to decide whether

    and how to compress data that is then encrypted using OpenPGP.

 

  - Compression make the standard more complex, and enlarges the

    trusted computing base of implementations.

 

I realize that we cannot suddenly drop decompression support, but I

would suggest to stop emitting compressed data packets.  If this

proposal gathers traction, I would be happy to suggest a change to the

standard.

 

Cheers,

Justus

 

0: Section 5.3 of https://efail.de/efail-attack-paper.pdf

_______________________________________________

openpgp mailing list

openpgp@ietf.org

https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email