ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Disabling compression in OpenPGP

2014-03-19 17:59:07

On Mar 19, 2014, at 3:04 PM, Gregory Maxwell <gmaxwell(_at_)gmail(_dot_)com> 
wrote:

It's a very highly surprising failure mode which leaks information
about the plaintext by encoding it into the size, one which baffels
otherwise expert users of the sort who would post to the openpgp list
to exclaim "What's being leaked by compression? Really, I don't get
it."

It is! It's a really cool failure mode, and I think you should write it up and 
submit it to some security conference.

However, as I said, it's an exception case. It's also an exception case that 
you didn't explain very well. Let me try to help:

Zelda is collecting some ballots. The ballots are all text and constant length. 
The voters, Vernon_i, will each edit the text ballots with their votes, but the 
resultant ballots will remain constant length.

If the ballots are encrypted with compression, there may be information leaks 
because the different patterns of voting in the ballot. In the simplest case 
where there is only one item on the ballot, it is possible that vote can be 
discerned despite the raw plaintext being constant length.

I think I got that more or less right.

However, there are two workarounds for this:

1. Zelda adds a no-compression preference to her key.
2. The voting system uses the "-z 0" option in a gpg command.


Voting isn't the only case where compression leaks data about the
plain-text, it's just one where I know that it cause and actual
compromise, with actual expert users, in actual practice.

Please give other cases.

In the usual case, Alice sends a free-form message to a set of recipients. 
There's no leak in this case.


There are a great many people who use gpg to encrypt a small number of
control messages (e.g. for updating route registries and such) where
compression can leak information about the content.

You're stretching it here. If those messages vary in length, there's not much 
of a leak. In many cases, the real thing you're doing is *signing* the control 
messages; in the specific example you give (route registries) the actual 
content of the message may not even be secret. But I know I'm quibbling.

The workarounds here are:

1. Add a no-compression flag to the receiving key.
2. Add "-z 0" to the command line that generates those messages.

However, there are still many people who consider default compression a 
feature and *rely* on it for their system.

Care to elaborate on how they rely on it? That seems highly suspect to me.


tar -c source-tree | gpg key >source-tree.pgp.gz

This is also what at PGP Corp we called a "PGP Zip" file, which was implemented 
as a PGP encrypted tarball. It's done all the time in back-end systems, and 
very likely the second largest use of PGP, where signing files is the most. 
It's a really useful idiom.

You're asking for a change to the standard. You're not really doing that, even. 
You're asking for a change to the default behavior to software that's been 
around for 20+ years because you have a wonderful edge condition, for which 
there are not only per-message but per-key workarounds.

I'm really sorry your ballots got spoiled. But you can fix that with zero 
changes to software nor protocol. 

        Jon


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp