Dear list,

It is well known that compressing data before encrypting them leaks much
about the plaintext [1]. Recently, this has been exploited against the TLS
protocol in the so-called CRIME attack [2].

Looking at RFC 4880, section 2.3, I read

“OpenPGP implementations SHOULD compress the message after applying the
signature but before encryption.”

And indeed, gpg faithfully follows the spec by enabling compression by
default.

I have done some preliminary work on password managers that rely on OpenPGP
(gpg, in fact) to encrypt the passwords. Unsurprisingly, it turns out that
compressing the password before encrypting it leaks much of the password
entropy, making dictionary attacks significantly easier to mount. (In my
preliminary experiments I used a password dictionary containing about 4
million passwords. If the attacker knows the original password length and
its compressed length, then for some combinations of the two the candidate
dictionary entries can reduce to as few as some hundreds.)

I believe similar attacks can be mounted in different contexts where
OpenPGP is used. Hence, I propose to start discussion to amend RFC 4880 to
at least discourage (if not forbid) the use of compression.

I welcome comments and suggestions.

Alfredo Pironti

[1] Kelsey, J.: Compression and information leakage of plaintext. In: Fast
Software Encryption. pp. 263–276 (2002)
[2] See, e.g.: http://en.wikipedia.org/wiki/CRIME_%28security_exploit%29
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
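
The leak described in the message above can be measured on a small scale. The following is an added example, not part of the original message and not the author's experiment: it quantifies how much the pair (plaintext length, compressed length) narrows a candidate list compared with the length alone. Assumptions: raw DEFLATE from Python's zlib stands in for the OpenPGP compression layer, the dictionary is a constructed 12-entry sample, and the prior over entries is uniform.

```python
import math
import zlib
from collections import Counter

# Constructed sample dictionary (assumption); every entry is 8 bytes long,
# so the plaintext length by itself distinguishes nothing.
SAMPLE_WORDS = [
    "password", "aaaaaaaa", "abababab", "12345678", "q7Zk2pXw", "letmeinn",
    "qwertyui", "11111111", "abcabcab", "Tr0ub4d&", "monkey12", "zzzzzzzz",
]

def deflate_len(data: bytes) -> int:
    """Size of the raw DEFLATE stream (stand-in for the OpenPGP compression step)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: no zlib header/trailer
    return len(comp.compress(data) + comp.flush())

def observe(word: str):
    """What a passive observer learns from sizes: (plaintext length, compressed length)."""
    raw = word.encode()
    return (len(raw), deflate_len(raw))

def candidates(words, observation):
    """Dictionary entries consistent with an observed (length, compressed length) pair."""
    return [w for w in words if observe(w) == observation]

def remaining_bits(words, key):
    """Expected log2(candidates left) after seeing key(word), uniform prior over words."""
    counts = Counter(key(w) for w in words)
    total = len(words)
    return sum(c / total * math.log2(c) for c in counts.values())

if __name__ == "__main__":
    prior = math.log2(len(SAMPLE_WORDS))
    by_len = remaining_bits(SAMPLE_WORDS, lambda w: len(w.encode()))
    by_both = remaining_bits(SAMPLE_WORDS, observe)
    print(f"prior entropy:                  {prior:.2f} bits")
    print(f"after length only:              {by_len:.2f} bits")
    print(f"after length + compressed size: {by_both:.2f} bits")
    for obs in sorted({observe(w) for w in SAMPLE_WORDS}):
        print(obs, candidates(SAMPLE_WORDS, obs))
```

Running the same measurement over a real password store's plaintext formats shows whether disabling compression (or padding to a fixed size before encryption) is needed for that deployment.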