Re: [openpgp] Disabling compression in OpenPGP
Gregory Maxwell <gmaxwell@gmail.com> Wed, 19 March 2014 23:41 UTC
Return-Path: <gmaxwell@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BB661A0803 for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 16:41:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8crpm0SFpdEy for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 16:41:07 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 08CFF1A044D for <openpgp@ietf.org>; Wed, 19 Mar 2014 16:41:06 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id gl10so43322lab.14 for <openpgp@ietf.org>; Wed, 19 Mar 2014 16:40:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=r+C/RDU6/5gHm8LKd1mNpOyM9vLBGxvZLKwhiLN5Tmg=; b=hSqj67UT08mJRiiGiQnoEIOz5m+9NamBl5+k8IRsisn5CNhTnqqlk4AIDYahPiqWGg yu4f5rX6Q8jCWi7XJhtGlNGMmVJWAGhwQTIn5XGn3S3NZg6u1KqQNxrcRIh5fgPwdUPT 57uRn3suKgF5VR4xWGh4QWVaHAoP36EsmYnWZguV1KYhVaFk0Lh8DAqgQAY5arpGn9Jn Q6QQQAOFVT3U0Vz93mmgM2N2K36SM2GI+fKu4kGcDSp2VPRiaRe/9DLrW6i2CR2TVNUg XkiWZwOlu4e/EiJRNh7AlM7heLlPppzd16Ojz3s8yiynMFZgaK+UFOaGEWdsrfdJIoiM WHoQ==
MIME-Version: 1.0
X-Received: by 10.152.246.43 with SMTP id xt11mr3838166lac.34.1395272457661; Wed, 19 Mar 2014 16:40:57 -0700 (PDT)
Received: by 10.112.184.226 with HTTP; Wed, 19 Mar 2014 16:40:57 -0700 (PDT)
In-Reply-To: <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com> <CALR0uiL0-Xp8E=F3idtzBkmRNLk7K_M_cqMt+i2HdNqaNkwn=w@mail.gmail.com> <849778F8-1C16-4FF8-A039-6363C158BD1F@callas.org> <20140319204047.GC30999@savin> <DE00E9BD-1D37-4750-B156-BBDC4B59DB7F@callas.org> <CAAS2fgQZPPrdehcs6TxmYikmyyfxOJqAdngaFk5=PcSGEGnejA@mail.gmail.com> <20140319214118.GA17419@savin> <CAAS2fgQotHyN=CFKoWO_aUdP8bhkSixEqSDQcALZ35mG+tk1tA@mail.gmail.com> <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
Date: Wed, 19 Mar 2014 16:40:57 -0700
Message-ID: <CAAS2fgS+rVEe_gB_6WgtUZ4Z8ADz-LcMp_wm+ioWRVpSSuEWSA@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Jon Callas <jon@callas.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/uhylrefC0gXpY--75hVWzBnLGZ4
Cc: "openpgp@ietf.org OpenPGP" <openpgp@ietf.org>
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 23:41:10 -0000
On Wed, Mar 19, 2014 at 3:58 PM, Jon Callas <jon@callas.org> wrote: > It is! It's a really cool failure mode, and I think you should write it up and submit it to some security conference. Its old and well known and unsurprising to people who actually work on cryptographic software. No amount of presentations at security conferences will actually protect users, however, unless the default and recommended behavior changes. > Please give other cases. The original post in this thread gave another case, I was adding another example case where security was compromised in practice. In the original post PGP is used to encrypt messages containing a password to access some service, just a password management use— (this is something that I also happen to do, so I'm doubtful that it's that fringe an application). The poster points out that knoweldge of the size leaks a considerable amount of information about the password. > In the usual case, Alice sends a free-form message to a set of recipients. There's no leak in this case. I think its debatable if free form messages are actually the most common usage of PGP in practice. But thats not here or there, while working on security the worst cases are usually more important. In the usual case no one cares to sniff your email at all and even if they do you're not saying anything important, not using encryption saves cpu cycles and avoids compatibility problems. ... but it isn't the usual cases that we need to protect against. > The workarounds here are: > 1. Add a no-compression flag to the receiving key. > 2. Add "-z 0" to the command line that generates those messages. These aren't actual workarounds because they do not address the problem that an otherwise highly conscious user would be unaware that they need to take these steps. Would you also respond with "Add --cipher aes" if I were complaining that ROT13 was not a good default cipher? :) >> Care to elaborate on how they rely on it? That seems highly suspect to me. > tar -c source-tree | gpg key >source-tree.pgp.gz > This is also what at PGP Corp we called a "PGP Zip" file, which was implemented as a PGP encrypted tarball. It's done all the time in back-end systems, and very likely the second largest use of PGP, where signing files is the most. It's a really useful idiom. Okay, I think you're using a different definition of rely. Obviously if you don't upgrade software nothing changes. Its not unusual that upgrading software changes behavior. If you upgraded to a version that didn't compress by default, the end result would be those backups would be larger. You'd either not notice and care or you would, and then after some hunting for the release notes you'd twilddle a knob and nothing irreparable happens. > I'm really sorry your ballots got spoiled. This was years ago (IIRC 2006), I don't care about the event anymore. I brought it up as a real world example of where this behavior compromised the security the users reasonably expected. Not just a theoretical weakness to counter the claims that the compression harms nothing, but an actual example of where it happened. Can you show anything as remotely strong for the assertion that compression improves security? On Wed, Mar 19, 2014 at 4:08 PM, ianG <iang@iang.org> wrote: > Clearly, compression leaks info if there is some understanding of the > structure of the message. Sure. But OpenPGP is typically used to ship > lots of large documents around, and people are accustomed to getting the > compression bounty for free. > > So there is a sense that in order to protect the very few who might fall > for this case, we'll end up disadvantaging a wider population who might > actually suffer more. Well, there are compromises such as padding the post-compression size to a common interval. I'm not a super big fan of that because you still may be invisibly doomed by compression, but I assume (eek) that the cases where the leaks are really fatal are ones where the messages tend to be quite small. > The assumption here is that constant length is somehow more secure than > inconstancy. It's generally fairly intuitive to users who are being thoughtful that the length of the message is a side-channel. In the case of the Wikimedia ballots the people who set it up thought of that, and arranged it so that ballots were permutations. > Then you get the same problem; *length leaks some info*. This seems to > be with or without compression, so is this just a case of choosing ones > pathology? The distinction being that the leak happens at a level which is immediately visible to the thoughtful user vs in a way which is pretty thoroughly hidden and ... > There is no fundamental way to overcome the flaw of length in a packet which can't be completely fixed without unreasonable costs, as you note. One shouldn't decline to make improvements in some things because other things cannot be improved. One point here is that it's non-deterministic too in that you could test and confirm that your ballots all showed up the same size but the users system has a different compression preference or library (deflate is not deterministic, the encoder has freedom) and they're no longer the same size when the users use them. > I see this in my work all the time. Error packets are 10 bytes long, > success is like 500 bytes. This is leaking info ... my only solution is > to make all packets like 1024 bytes, but some of my packets are longer. > How far do I go? Answer: I've got better things to worry about right > now. YMMV. Padding to reduce the leakage is interesting even if it doesn't eliminate it entirely because its cheap, and obscures the least significant bits which often (ahem, assumptions) are the greatest entropy leak. At some point it's indeed too costly to fix and not worth it. But I argue that getting the details as right as possible is why people should be using standards and popular software and not just encrypting everything on their own.
- [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Simon Josefsson
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP David Shaw
- Re: [openpgp] Disabling compression in OpenPGP Andrey Jivsov
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP Florian Weimer
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Jon Callas
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP Peter Todd
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell
- Re: [openpgp] Disabling compression in OpenPGP Nicholas Cole
- Re: [openpgp] Disabling compression in OpenPGP Werner Koch
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP Werner Koch
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP Alfredo Pironti
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP ianG
- Re: [openpgp] Disabling compression in OpenPGP Hauke Laging
- Re: [openpgp] Disabling compression in OpenPGP Gregory Maxwell