ietf-openpgp

Re: [openpgp] Disabling compression in OpenPGP

2014-03-19 10:26:19
On Tue, Mar 18, 2014 at 7:29 PM, David Shaw <dshaw(_at_)jabberwocky(_dot_)com> wrote:

> On Mar 18, 2014, at 12:00 PM, Alfredo Pironti <alfredo(_dot_)pironti(_at_)inria(_dot_)fr> wrote:
>
>> Dear list,
>>
>> It is well known that compressing data before encrypting them leaks much
>> about the plaintext [1]. Recently, this has been exploited against the TLS
>> protocol in the so-called CRIME attack [2].
>>
>> Looking at RFC 4880, section 2.3, I read
>> “OpenPGP implementations SHOULD compress the message after applying the
>> signature but before encryption.”
>> And indeed, gpg faithfully follows the spec by enabling compression by
>> default.
>>
>> I have done some preliminary work on password managers that rely on
>> OpenPGP (gpg, in fact) to encrypt the passwords. Unsurprisingly, it turns
>> out that compressing the password before encrypting it leaks much of the
>> password entropy, making dictionary attacks significantly easier to mount.
>> (In my preliminary experiments I used a password dictionary containing
>> about 4 million passwords. If the attacker knows the original password
>> length and its compressed length, then for some combinations of the two the
>> candidate dictionary entries can reduce to as few as some hundreds.)
>>
>> I believe similar attacks can be mounted in different contexts where
>> OpenPGP is used. Hence, I propose to start discussion to amend RFC 4880 to
>> at least discourage (if not forbid) the use of compression.
>
> It is not my intent to make light of your email, but I'm somewhat amused
> as a few years ago there was an attack that could be *avoided* by
> compression.  See https://www.schneier.com/paper-pgp.pdf for the details.
> Damned if you do, damned if you don't?

In that case, compression incidentally thwarted the attack, by inserting
additional packet headers in the encrypted packets, hence letting some
parsing fail when decrypting a chosen ciphertext.

In general, I see two patterns:
- Compression incidentally thwarts some attacks
- Compression fundamentally breaks privacy by leaking plaintext entropy
(see the Wikimedia Foundation case for a quite convincing example)

I would not want to rely on the obfuscation provided by an optional feature
of OpenPGP to ensure secrecy. If a decryption oracle is found, it should be
systematically fixed -- also for users who decide not to use compression.

On the other hand, at least making compression disabled by default would
protect those users who are unaware of the interaction between compression
and encryption. Those who are aware of it could always explicitly enable
compression.

Cheers,
Alfredo

> Note that the use of compression in OpenPGP (at least in the public key
> context) is under the control of the recipient.  If a given recipient
> doesn't want compression used on messages to their key, they can set a
> preference reflecting that, and all OpenPGP implementations will not
> compress when encrypting a message to that key.
>
> David


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
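
The length leak discussed in this thread (plaintext length plus compressed length narrowing a dictionary) can be measured on your own data. The following is an added example, not part of the original thread or of any OpenPGP implementation. It assumes raw DEFLATE from Python's zlib as a stand-in for OpenPGP's ZIP compression, ignores packet framing, and uses a small constructed wordlist.

```python
import zlib

# Constructed sample wordlist (an assumption; not the dictionary from the thread).
CANDIDATES = [
    b"aaaaaaaaaaaa", b"zzzzzzzzzzzz", b"abababababab", b"passwordpass",
    b"q7Gz!m2Xw9Lp", b"correcthorse", b"Tr0ub4dor&3x",
    b"letmein", b"hunter2hunter2",
]

def deflate_len(data, level=6):
    """Length of the raw DEFLATE stream (wbits=-15: no zlib header/trailer)."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)
    return len(comp.compress(data) + comp.flush())

def observation(pw, compressed):
    """What a passive observer of ciphertext sizes learns about pw.

    Without compression only the plaintext length is visible. With
    compression we model the case described in the thread: both the
    original length and the compressed length are known.
    """
    if compressed:
        return (len(pw), deflate_len(pw))
    return (len(pw),)

def consistent(candidates, secret, compressed):
    """Candidates that produce the same observation as the secret."""
    target = observation(secret, compressed)
    return [c for c in candidates if observation(c, compressed) == target]

def leak_report(candidates, secret):
    """Size of the candidate set without and with compression."""
    plain = consistent(candidates, secret, compressed=False)
    comp = consistent(candidates, secret, compressed=True)
    return len(plain), len(comp)

if __name__ == "__main__":
    for secret in CANDIDATES:
        without, with_c = leak_report(CANDIDATES, secret)
        print(f"{secret.decode():16} len={len(secret):2} "
              f"deflate={deflate_len(secret):2} "
              f"candidates: {without} uncompressed, {with_c} compressed")
```

Running the same report over a real password store's entries shows how much compression narrows each one; with compression disabled, only the length bucket remains.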