ietf-openpgp

Re: [openpgp] Disabling compression in OpenPGP

2014-03-18 13:10:05
On Tue, Mar 18, 2014 at 5:48 PM, Simon Josefsson <simon(_at_)josefsson(_dot_)org> wrote:

Gregory Maxwell <gmaxwell(_at_)gmail(_dot_)com> writes:

On Tue, Mar 18, 2014 at 9:00 AM, Alfredo Pironti <alfredo(_dot_)pironti(_at_)inria(_dot_)fr> wrote:
I believe similar attacks can be mounted in different contexts where OpenPGP
is used. Hence, I propose to start discussion to amend RFC 4880 to at least
discourage (if not forbid) the use of compression.

OpenPGP compression (well, the unawareness thereof) compromised the privacy
of the Wikimedia Foundation board election a couple years ago.  Users publicly
submitted ballots encrypted to the election officials, the ballots were
constant length but the compression trivially revealed information about
their content.

If it isn't disabled it may be useful to quantize the size somewhat for a
minor overhead in order to reduce the information leak somewhat.


Deterministic quantization may do in principle, but it seems to me harder
to deploy than just disabling compression, because of backward
compatibility issues and unpredictable compression ratio.

Looking at TLS, in practice compression has been disabled everywhere (with
a proposal of completely removing it in TLS 1.3), and it seems not to have had
particularly negative effects.



TLS allows implementations to randomly pad messages to mitigate these
attacks, could something similar be what OpenPGP needs?


I'd refrain from using random padding, because it does not protect against
repeated sampling: if you encrypt the same plaintext (say, a password) over
and over, the shortest encrypted message will soon give you a hint of the
plaintext length [1].

Alfredo



/Simon


[1] http://hal.inria.fr/hal-00732449
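
The three length effects discussed in this thread, as an added example that is not part of the original messages: constant-length ballots whose compressed sizes differ, random padding whose minimum over repeated sends converges to the true length, and deterministic quantization. The ballot layout, the 32-byte padding range and the 64-byte bucket are constructed assumptions, and zlib stands in for whichever compression algorithm the OpenPGP implementation uses.

```python
import random
import zlib


def ballot(names):
    """Constructed fixed-width ballot: every entry is 16 bytes whatever the name."""
    return b"".join(b"rank=" + n.ljust(10) + b";" for n in names)


# Constructed samples: same plaintext length (64 bytes), different content.
BALLOT_SAME = ballot([b"ALICE"] * 4)
BALLOT_MIXED = ballot([b"ALICE", b"BOB", b"CAROL", b"DAVE"])


def compressed_len(plaintext: bytes) -> int:
    """Size after compression. Assumption: encryption then adds only a
    content-independent overhead, so this is what the ciphertext size shows."""
    return len(zlib.compress(plaintext, 9))


def min_after_random_padding(true_len, max_pad, samples, rng):
    """Shortest length observed when the same message is sent `samples` times,
    each time with 0..max_pad bytes of random padding."""
    return min(true_len + rng.randint(0, max_pad) for _ in range(samples))


def quantized_len(true_len: int, bucket: int) -> int:
    """Deterministic padding: round up to the next multiple of `bucket`.
    Lengths in the same bucket become indistinguishable; lengths in
    different buckets still differ."""
    return -(-true_len // bucket) * bucket


if __name__ == "__main__":
    a, b = compressed_len(BALLOT_SAME), compressed_len(BALLOT_MIXED)
    print("plaintext lengths: ", len(BALLOT_SAME), len(BALLOT_MIXED))
    print("compressed lengths:", a, b)
    rng = random.Random(0)  # fixed seed so the run is repeatable
    for n in (1, 10, 1000):
        print(f"random padding, min over {n} sends:",
              min_after_random_padding(a, 32, n, rng))
    print("quantized to 64:   ", quantized_len(a, 64), quantized_len(b, 64))
```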