Re: [openpgp] Disabling compression in OpenPGP

On Wed, Mar 19, 2014 at 01:47:01PM -0700, Jon Callas wrote:
> > That's the job of encryption, and modern encryption does that job very
> > well.
> >
> > I strongly support turning off compression by default. That the length
> > of the data being encrypted is leaked is pretty easy for a non-advanced
> > user to figure out - just compare the encrypted and unencrypted file
> > lengths, or for that matter, just think about it rationally. But the
> > fact that information on the contents of the file is being leaked too -
> > exactly what encryption is supposed to prevent - is not at all obvious.
> What's being leaked by compression? Really, I don't get it.
>
> Consider an OpenPGP blob that is compressed and encrypted. Consider that it 
> is intercepted by whatever means. What's the leak?
>
> Here's an example, where an unknown plaintext is encrypted both to a key, and 
> to a passphrase:
>
> -----BEGIN PGP MESSAGE-----
> Comment: GPGTools - http://gpgtools.org
>
> hQEOA2EbpgyFsrXlEAQAs63hznff9WCrq9xpT5s8dbmoabOQpfV/Crzaqn5diiCp
> x1kyqqTCpSJQ648O3bF3GYq0KfqWhzc3S+rK7yrSpSA8UDWWifVfSBKmVDvYUD/g
> GPURwlTKtUp00MzlKrT083oq/aQEotO/7botgihpEbWPrEO3ZZIFwwxmNfwUUtED
> /jyNjMfPTmeLYvPdMLFiy+AuMbGnE3L0M9+iTLJZHW6Hb/hn0TLJk69RdDkmyiql
> VaZNYE+9l1AiZpEVddmoKOTPPV0EtzeNqVZtVr3yCH0rBrN54GjHoWAnD8/IhuX8
> T11kixGJhs1228xlhK+3UTp15VGrKNQsLoGpUd45iewPjCYEAwMCe35rGZQc7xjR
> gk41KuP8CsROH0ulK1pzm/zH2gZbzhY068np63ZvnfxTQyaYBV+MRAhN2NOF1XkW
> 4QtFr2bfJCYiCzS6vuwxjRicfU9kwHaI+G3XfJGXVB/qtcgEV7JWG81VDnU2zKSh
> h1KATe/zU5zJ7RM6mwrL37Ve4SY5tLPvpxSahu8fRffeU8/pBeQCcZyKa7ZGxiFB
> xjFLBB2a3N77Bf0VZ+nRS9nE6SpTEx8tF8b8l3qMa+lzJKVZk7cP2Yc0POHtBCT6
> F2TlnMDEvRvFmbz+3Z592OCXaZoBG6fU7VKALzZ/kl6usm6mvKAtrbNQfTk5MM38
> fqwUrcLOHpxWVNKcDvmOGdsODq5lX2coHfsix8aBoRBz/q1HiOGV3F0C9hudag01
> P199G1PCYuxzX9OvJPKEZnzf6+jEZ3vE8dhkRZPrhs/Xo7A7ryj++GSKFCSyVaHk
> PryGNgJnAp82uimr9FYT8Wmwoy42o1pPCAyVoquowHxpXAgADhmwpk0wbbE5vaD/
> 81uh1843VRySOpuQCkIkI7PhIy3HBbs349FVLKnC07VF0vMHzW3QeY9JVZJH6RlJ
> DQP0G2TjBaneHRPhdoNKzWLhTfKuaDo9FkJaaTzeB/gVKnPfovcdDjZefmflCQXR
> PvtYDsms4m5slCo/MTToM4oGuBBZqqcLIv5ZSRWYr/Gu2w9ZLkysb92dtfJe4+nw
> y2Bqk9UKInw3WAbAs0rCUlPBpAOFxNHdjkzjthGx6P3W5ZI+nG9aXyB1XNeHaTYL
> /Sx0SEFU1fmlKaIynY4reM3qJjjXi/PAWn5piTrH/G0LI3CUEgXa3Mw3sG3ArbAw
> PleXVP3QWt8jf418bDA4BLH4DFhYLQk2Ayss1M/snoRip/iUqKEu0OsUJtaspHDY
> Xt2bksh35paCav0rEtGfhxC0ks7UTdRQDP4l9tX24unQZfWAEfZkPhQPh+mkDA+H
> 3u6VfmN+5QXqph8//Qk7LSTsiBgG+EswRpqDRhNjV2ibCWjMmggtJZyKq/oOsQpS
> oCQqkpgjrv+GSGCgEwIKeUZfnTtVTpKX0EiDjUTQ5Cuq1VR+NsIfHdo2ZSVQ0+mS
> D9sGjILD87c80Pcfd3i9NtZoZqX46p4CVOReaFEvll1X9YqEaX4uDPCPoubSHsqR
> EfqIT2AYRegF1Grjr16YTzqiqkfL/4lOKQHyRwGLjq8pag888IXdbKIxWbXtMESs
> =Uqr6
> -----END PGP MESSAGE-----
>
> What's the leak? What's the vuln?
Having a completely unknown plaintext is the best case; having
plaintexts that are not completely unknown to the attacker is both
common, and reasonable to defend against.

If I knew that the plaintext was either 1KB worth of uncompressable binary 
garbage,
or 1KB worth of text, it'd be pretty easy for me to figure out if I was
looking at garbage or text.

Gregory Maxwell's example of the Wikipedia vote's privacy being broken
by compression-by-default shows this is a real world risk that users are
not thinking about.

-- 
'peter'[:-1]@petertodd.org
000000000000000067c4c46a5fa2d2686559607d14450497efb2826234b18d87

signature.asc
Description: Digital signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp