Re: [openpgp] Disabling compression in OpenPGP

Gregory Maxwell <gmaxwell@gmail.com> Wed, 19 March 2014 23:41 UTC

Return-Path: <gmaxwell@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BB661A0803 for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 16:41:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8crpm0SFpdEy for <openpgp@ietfa.amsl.com>; Wed, 19 Mar 2014 16:41:07 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 08CFF1A044D for <openpgp@ietf.org>; Wed, 19 Mar 2014 16:41:06 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id gl10so43322lab.14 for <openpgp@ietf.org>; Wed, 19 Mar 2014 16:40:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=r+C/RDU6/5gHm8LKd1mNpOyM9vLBGxvZLKwhiLN5Tmg=; b=hSqj67UT08mJRiiGiQnoEIOz5m+9NamBl5+k8IRsisn5CNhTnqqlk4AIDYahPiqWGg yu4f5rX6Q8jCWi7XJhtGlNGMmVJWAGhwQTIn5XGn3S3NZg6u1KqQNxrcRIh5fgPwdUPT 57uRn3suKgF5VR4xWGh4QWVaHAoP36EsmYnWZguV1KYhVaFk0Lh8DAqgQAY5arpGn9Jn Q6QQQAOFVT3U0Vz93mmgM2N2K36SM2GI+fKu4kGcDSp2VPRiaRe/9DLrW6i2CR2TVNUg XkiWZwOlu4e/EiJRNh7AlM7heLlPppzd16Ojz3s8yiynMFZgaK+UFOaGEWdsrfdJIoiM WHoQ==
MIME-Version: 1.0
X-Received: by 10.152.246.43 with SMTP id xt11mr3838166lac.34.1395272457661; Wed, 19 Mar 2014 16:40:57 -0700 (PDT)
Received: by 10.112.184.226 with HTTP; Wed, 19 Mar 2014 16:40:57 -0700 (PDT)
In-Reply-To: <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <95BD0817-D762-41DD-8444-A0C4F7AF1003@jabberwocky.com> <CALR0uiL0-Xp8E=F3idtzBkmRNLk7K_M_cqMt+i2HdNqaNkwn=w@mail.gmail.com> <849778F8-1C16-4FF8-A039-6363C158BD1F@callas.org> <20140319204047.GC30999@savin> <DE00E9BD-1D37-4750-B156-BBDC4B59DB7F@callas.org> <CAAS2fgQZPPrdehcs6TxmYikmyyfxOJqAdngaFk5=PcSGEGnejA@mail.gmail.com> <20140319214118.GA17419@savin> <CAAS2fgQotHyN=CFKoWO_aUdP8bhkSixEqSDQcALZ35mG+tk1tA@mail.gmail.com> <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org>
Date: Wed, 19 Mar 2014 16:40:57 -0700
Message-ID: <CAAS2fgS+rVEe_gB_6WgtUZ4Z8ADz-LcMp_wm+ioWRVpSSuEWSA@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Jon Callas <jon@callas.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/uhylrefC0gXpY--75hVWzBnLGZ4
Cc: "openpgp@ietf.org OpenPGP" <openpgp@ietf.org>
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 23:41:10 -0000

On Wed, Mar 19, 2014 at 3:58 PM, Jon Callas <jon@callas.org> wrote:
> It is! It's a really cool failure mode, and I think you should write it up and submit it to some security conference.

Its old and well known and unsurprising to people who actually work on
cryptographic software.

No amount of presentations at security conferences will actually
protect users, however, unless the default and recommended behavior
changes.

> Please give other cases.

The original post in this thread gave another case, I was adding
another example case where security was compromised in practice.

In the original post PGP is used to encrypt messages containing a
password to access some service, just a password management use— (this
is something that I also happen to do, so I'm doubtful that it's that
fringe an application).  The poster points out that knoweldge of the
size leaks a considerable amount of information about the password.

> In the usual case, Alice sends a free-form message to a set of recipients. There's no leak in this case.

I think its debatable if free form messages are actually the most
common usage of PGP in practice. But thats not here or there, while
working on security the worst cases are usually more important.  In
the usual case no one cares to sniff your email at all and even if
they do you're not saying anything important, not using encryption
saves cpu cycles and avoids compatibility problems. ... but it isn't
the usual cases that we need to protect against.

> The workarounds here are:
> 1. Add a no-compression flag to the receiving key.
> 2. Add "-z 0" to the command line that generates those messages.

These aren't actual workarounds because they do not address the
problem that an otherwise highly conscious user would be unaware that
they need to take these steps.  Would you also respond with "Add
--cipher aes" if I were complaining that ROT13 was not a good default
cipher? :)

>> Care to elaborate on how they rely on it? That seems highly suspect to me.
> tar -c source-tree | gpg key >source-tree.pgp.gz
> This is also what at PGP Corp we called a "PGP Zip" file, which was implemented as a PGP encrypted tarball. It's done all the time in back-end systems, and very likely the second largest use of PGP, where signing files is the most. It's a really useful idiom.

Okay, I think you're using a different definition of rely.  Obviously
if you don't upgrade software nothing changes. Its not unusual that
upgrading software changes behavior. If you upgraded to a version that
didn't compress by default, the end result would be those backups
would be larger.  You'd either not notice and care or you would, and
then after some hunting for the release notes you'd twilddle a knob
and nothing irreparable happens.

> I'm really sorry your ballots got spoiled.

This was years ago (IIRC 2006), I don't care about the event anymore.
I brought it up as a real world example of where this behavior
compromised the security the users reasonably expected.  Not just a
theoretical weakness to counter the claims that the compression harms
nothing, but an actual example of where it happened.

Can you show anything as remotely strong for the assertion that
compression improves security?

On Wed, Mar 19, 2014 at 4:08 PM, ianG <iang@iang.org> wrote:
> Clearly, compression leaks info if there is some understanding of the
> structure of the message.  Sure.  But OpenPGP is typically used to ship
> lots of large documents around, and people are accustomed to getting the
> compression bounty for free.
>
> So there is a sense that in order to protect the very few who might fall
> for this case, we'll end up disadvantaging a wider population who might
> actually suffer more.

Well, there are compromises such as padding the post-compression size
to a common interval.

I'm not a super big fan of that because you still may be invisibly
doomed by compression, but I assume (eek) that the cases where the
leaks are really fatal are ones where the messages tend to be quite
small.

> The assumption here is that constant length is somehow more secure than
> inconstancy.

It's generally fairly intuitive to users who are being thoughtful that
the length of the message is a side-channel. In the case of the
Wikimedia ballots the people who set it up thought of that, and
arranged it so that ballots were permutations.

> Then you get the same problem;  *length leaks some info*.  This seems to
> be with or without compression, so is this just a case of choosing ones
> pathology?

The distinction being that the leak happens at a level which is
immediately visible to the thoughtful user vs in a way which is pretty
thoroughly hidden and ...

> There is no fundamental way to overcome the flaw of length in a packet

which can't be completely fixed without unreasonable costs, as you note.

One shouldn't decline to make improvements in some things because
other things cannot be improved.

One point here is that it's non-deterministic too in that you could
test and confirm that your ballots all showed up the same size but the
users system has a different compression preference or library
(deflate is not deterministic, the encoder has freedom) and they're no
longer the same size when the users use them.

> I see this in my work all the time.  Error packets are 10 bytes long,
> success is like 500 bytes.  This is leaking info ... my only solution is
> to make all packets like 1024 bytes, but some of my packets are longer.
>  How far do I go?  Answer:  I've got better things to worry about right
> now.  YMMV.

Padding to reduce the leakage is interesting even if it doesn't
eliminate it entirely because its cheap, and obscures the least
significant bits which often (ahem, assumptions) are the greatest
entropy leak.

At some point it's indeed too costly to fix and not worth it. But I
argue that getting the details as right as possible is why people
should be using standards and popular software and not just encrypting
everything on their own.