On Mar 18, 2014, at 12:00 PM, Alfredo Pironti
<alfredo(_dot_)pironti(_at_)inria(_dot_)fr> wrote:

> Dear list,
>
> It is well known that compressing data before encrypting them leaks much
> about the plaintext [1]. Recently, this has been exploited against the TLS
> protocol in the so-called CRIME attack [2].
>
> Looking at RFC 4880, section 2.3, I read
> “OpenPGP implementations SHOULD compress the message after applying the
> signature but before encryption.”
> And indeed, gpg faithfully follows the spec by enabling compression by
> default.
>
> I have done some preliminary work on password managers that rely on OpenPGP
> (gpg, in fact) to encrypt the passwords. Unsurprisingly, it turns out that
> compressing the password before encrypting it leaks much of the password
> entropy, making dictionary attacks significantly easier to mount. (In my
> preliminary experiments I used a password dictionary containing about 4
> million passwords. If the attacker knows the original password length and its
> compressed length, then for some combinations of the two the candidate
> dictionary entries can reduce to as few as some hundreds.)
>
> I believe similar attacks can be mounted in different contexts where OpenPGP
> is used. Hence, I propose to start discussion to amend RFC 4880 to at least
> discourage (if not forbid) the use of compression.

It is not my intent to make light of your email, but I'm somewhat amused as a
few years ago there was an attack that could be *avoided* by compression. See
https://www.schneier.com/paper-pgp.pdf for the details. Damned if you do,
damned if you don't?

Note that the use of compression in OpenPGP (at least in the public key
context) is under the control of the recipient. If a given recipient doesn't
want compression used on messages to their key, they can set a preference
reflecting that, and all OpenPGP implementations will not compress when
encrypting a message to that key.

David
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
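
The size leak described in the quoted message can be measured on one's own password list before deciding whether to disable compression. The following is an added example, not code from either poster or from gpg: it assumes an observer learns exactly the plaintext length and the raw DEFLATE length (OpenPGP packet framing is ignored), and the word list and all function names are constructed for illustration.

```python
import zlib
from collections import defaultdict

# Constructed sample list standing in for a password dictionary (not real data).
SAMPLE_DICTIONARY = [
    "aaaaaaaa", "abababab", "password", "passpass", "q7Zp2xLm",
    "12345678", "11111111", "letmein1", "qwertyui", "abcabcab",
]

def deflate_len(data: bytes) -> int:
    """Size of the raw DEFLATE stream for data (wbits=-15: no zlib wrapper)."""
    comp = zlib.compressobj(level=6, wbits=-15)
    return len(comp.compress(data) + comp.flush())

def observable(word: str, compressed: bool) -> tuple:
    """What ciphertext size reveals in this model: the plaintext length,
    plus the compressed length when compression precedes encryption."""
    raw = word.encode("utf-8")
    return (len(raw), deflate_len(raw)) if compressed else (len(raw),)

def candidate_sets(words, compressed: bool) -> dict:
    """Group dictionary entries that are indistinguishable by size alone."""
    groups = defaultdict(list)
    for w in words:
        groups[observable(w, compressed)].append(w)
    return dict(groups)

def leak_report(words) -> dict:
    """Compare indistinguishability sets with and without compression."""
    plain = candidate_sets(words, compressed=False)
    comp = candidate_sets(words, compressed=True)
    return {
        "sets_without_compression": len(plain),
        "sets_with_compression": len(comp),
        "largest_set_without": max(len(v) for v in plain.values()),
        "largest_set_with": max(len(v) for v in comp.values()),
    }

if __name__ == "__main__":
    for key, members in sorted(candidate_sets(SAMPLE_DICTIONARY, True).items()):
        print(key, members)
    print(leak_report(SAMPLE_DICTIONARY))
```

Smaller sets under compression mean each stored secret hides among fewer same-size candidates; without compression, every entry of a given length stays in one set.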