ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Disabling compression in OpenPGP

2014-03-19 18:12:57
On Wed, Mar 19, 2014 at 03:58:50PM -0700, Jon Callas wrote:
It is! It's a really cool failure mode, and I think you should write it up 
and submit it to some security conference.

However, as I said, it's an exception case. It's also an exception case that 
you didn't explain very well. Let me try to help:

Zelda is collecting some ballots. The ballots are all text and constant 
length. The voters, Vernon_i, will each edit the text ballots with their 
votes, but the resultant ballots will remain constant length.

If the ballots are encrypted with compression, there may be information leaks 
because the different patterns of voting in the ballot. In the simplest case 
where there is only one item on the ballot, it is possible that vote can be 
discerned despite the raw plaintext being constant length.

I think I got that more or less right.

However, there are two workarounds for this:

1. Zelda adds a no-compression preference to her key.
2. The voting system uses the "-z 0" option in a gpg command.

I don't want a workaround; I want default behavior that is reasonably
safe for users. Removing default compression is a step forward in that
regard.

However, there are still many people who consider default compression a 
feature and *rely* on it for their system.

Care to elaborate on how they rely on it? That seems highly suspect to me.


tar -c source-tree | gpg key >source-tree.pgp.gz

This is also what at PGP Corp we called a "PGP Zip" file, which was 
implemented as a PGP encrypted tarball. It's done all the time in back-end 
systems, and very likely the second largest use of PGP, where signing files 
is the most. It's a really useful idiom.

You're asking for a change to the standard. You're not really doing that, 
even. You're asking for a change to the default behavior to software that's 
been around for 20+ years because you have a wonderful edge condition, for 
which there are not only per-message but per-key workarounds.

I'm really sorry your ballots got spoiled. But you can fix that with zero 
changes to software nor protocol. 

Your example isn't much of a failure; the tarball will end up maybe 2x
larger than it should have been, someone might investigate, and they'll
change the command to:

   tar -c source-tree | gzip | gpg key >source-tree.pgp.gz

or something. This is a *very* low-consequence failure mode.

-- 
'peter'[:-1]@petertodd.org
00000000000000004ec562299f1cd08a38fdea8f0d612fce3923203df379c0b3

Attachment: signature.asc
Description: Digital signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp