On Wed, Mar 19, 2014 at 03:58:50PM -0700, Jon Callas wrote:
It is! It's a really cool failure mode, and I think you should write it up
and submit it to some security conference.
However, as I said, it's an exception case. It's also an exception case that
you didn't explain very well. Let me try to help:
Zelda is collecting some ballots. The ballots are all text and constant
length. The voters, Vernon_i, will each edit the text ballots with their
votes, but the resultant ballots will remain constant length.
If the ballots are encrypted with compression, there may be information leaks
because the different patterns of voting in the ballot. In the simplest case
where there is only one item on the ballot, it is possible that vote can be
discerned despite the raw plaintext being constant length.
I think I got that more or less right.
However, there are two workarounds for this:
1. Zelda adds a no-compression preference to her key.
2. The voting system uses the "-z 0" option in a gpg command.
I don't want a workaround; I want default behavior that is reasonably
safe for users. Removing default compression is a step forward in that
regard.
However, there are still many people who consider default compression a
feature and *rely* on it for their system.
Care to elaborate on how they rely on it? That seems highly suspect to me.
tar -c source-tree | gpg key >source-tree.pgp.gz
This is also what at PGP Corp we called a "PGP Zip" file, which was
implemented as a PGP encrypted tarball. It's done all the time in back-end
systems, and very likely the second largest use of PGP, where signing files
is the most. It's a really useful idiom.
You're asking for a change to the standard. You're not really doing that,
even. You're asking for a change to the default behavior to software that's
been around for 20+ years because you have a wonderful edge condition, for
which there are not only per-message but per-key workarounds.
I'm really sorry your ballots got spoiled. But you can fix that with zero
changes to software nor protocol.
Your example isn't much of a failure; the tarball will end up maybe 2x
larger than it should have been, someone might investigate, and they'll
change the command to:
tar -c source-tree | gzip | gpg key >source-tree.pgp.gz
or something. This is a *very* low-consequence failure mode.
--
'peter'[:-1]@petertodd.org
00000000000000004ec562299f1cd08a38fdea8f0d612fce3923203df379c0b3
signature.asc
Description: Digital signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp