Re: [openpgp] Disabling compression in OpenPGP

Gregory Maxwell <gmaxwell@gmail.com> Sun, 13 April 2014 22:52 UTC

Return-Path: <gmaxwell@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5F0C1A0251 for <openpgp@ietfa.amsl.com>; Sun, 13 Apr 2014 15:52:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09EtpCzq-Nvv for <openpgp@ietfa.amsl.com>; Sun, 13 Apr 2014 15:52:57 -0700 (PDT)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id CAE311A0241 for <openpgp@ietf.org>; Sun, 13 Apr 2014 15:52:56 -0700 (PDT)
Received: by mail-la0-f47.google.com with SMTP id pn19so5047654lab.6 for <openpgp@ietf.org>; Sun, 13 Apr 2014 15:52:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=DfUavmWG9CBXWcGKKj6szfazrVkduEJs2xpXoimyzhw=; b=G5daFlAs2xpO3zHF8fGbjyXQxywxHldng6kxwYnJzRRl4Mlr0LaK8WrvAob5ZNd0Lu Ue32H4DhKPq8J/7cq3LS8HRsapHwmWTGhbYZILyojQrY5BqaXbtnaGgxnWJvZsSJnGLH tNAKP6obcVQLJf3vakjepKJ37rhZk/tw/rwidHLmcokx2OOlJKh/ZRhjUdtttp4RRDb7 unxehxF2Jpcwkisr5yD3QWaw3VNGAzzBW2ETRRDFvD/rWxbljtitrWl8tFV/SaurLU8f HKHA1RZJPPC5texrPs2KZPZXyVETI+gfa4q4CQClNT13llLVgm/le/TZDqQncMxG6poL wslw==
MIME-Version: 1.0
X-Received: by 10.152.203.129 with SMTP id kq1mr27173891lac.6.1397429573989; Sun, 13 Apr 2014 15:52:53 -0700 (PDT)
Received: by 10.112.89.68 with HTTP; Sun, 13 Apr 2014 15:52:53 -0700 (PDT)
In-Reply-To: <1581476.osxlhUbTDj@inno>
References: <CALR0uiJG6GcngWMUkg6NrP7_4uwf8+QDn6aMF-qonOpRMLdo3w@mail.gmail.com> <E1E355B9-0906-43DC-BACD-D4A1350C537F@callas.org> <CAAu18hc7Ldn4s8nk-d=kcVBQH_PTmdhKMycO6LqUFr1sDUe5yg@mail.gmail.com> <1581476.osxlhUbTDj@inno>
Date: Sun, 13 Apr 2014 15:52:53 -0700
Message-ID: <CAAS2fgSdwk0Vfz3CsmbmOHtLvHmQKxXJN1h9Pi0-VXnH_d2HuQ@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Hauke Laging <mailinglisten@hauke-laging.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/z7FYZPtnEAKz9VSVdXvAKpLmKfY
Cc: "openpgp@ietf.org OpenPGP" <openpgp@ietf.org>
Subject: Re: [openpgp] Disabling compression in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Apr 2014 22:52:59 -0000

On Sun, Apr 13, 2014 at 3:30 PM, Hauke Laging
<mailinglisten@hauke-laging.de> wrote:
>> There are many cases where the size of the message reveals something
>> about the content, compression or no compression.
> Would it help to have to possibility to add a certain amount of
> (ignored) random data to an encrypted packet?
> In that case an OpenPGP application could – regardless of compression –
> be configured (in appropriate situations) to create packets which e.g.
>
> a) have a certain minimum length
> b) have a length which is a multiple of a block size (e.g. 1K, 2K but
> not 1234 bytes)

Yes, I believe many of the most devastating cases would be addressed
by quantizing the sizes. There may still be cases where the user is
compromised— where the revealing data is only a single bit and where
the sizes put it near a quantization threshold, but the number of
cases where the user's privacy is quietly compromised would be fewer.

I continue to hold the view that an implementation which expects
perfectly informed users to be aware of and avoid subtle,
unadvertised, and format specific information leaks will (and, as I
pointed out, has) fail to produce real users with the advertised and
expected level of security. The great challenge of a general tool is
that you cannot assume a narrow threat model or a sophisticated user.
In some cases the attacker may even be the party specifying the
protocol, relying on subtle behavior the underlying trusted components
(like openpgp) to compromise the system. As a result perfect security
is almost certantly impossible, but there are implementation
optimizations like disabling compression for small messages, where it
is never very useful and sometimes actively harmful, and quantizing
sizes which can provide a practical improvement in a world where users
aren't perfect and attackers don't play nice. I think these
optimizations should be well specified and recommended at the SHOULD
level.

As an aside, I note that RFC6562 SHOULD NOTs variable rate compression
for the application of secure VoIP for highly sensitive information.