On Wed, Mar 19, 2014 at 10:58 PM, Jon Callas <jon(_at_)callas(_dot_)org> wrote:
On Mar 19, 2014, at 3:04 PM, Gregory Maxwell <gmaxwell(_at_)gmail(_dot_)com>
wrote:
It's a very highly surprising failure mode which leaks information
about the plaintext by encoding it into the size, one which baffels
otherwise expert users of the sort who would post to the openpgp list
to exclaim "What's being leaked by compression? Really, I don't get
it."
It is! It's a really cool failure mode, and I think you should write it up
and submit it to some security conference.
However, as I said, it's an exception case. It's also an exception case that
you didn't explain very well. Let me try to help:
Zelda is collecting some ballots. The ballots are all text and constant
length. The voters, Vernon_i, will each edit the text ballots with their
votes, but the resultant ballots will remain constant length.
If the ballots are encrypted with compression, there may be information leaks
because the different patterns of voting in the ballot. In the simplest case
where there is only one item on the ballot, it is possible that vote can be
discerned despite the raw plaintext being constant length.
I think I got that more or less right.
However, there are two workarounds for this:
1. Zelda adds a no-compression preference to her key.
2. The voting system uses the "-z 0" option in a gpg command.
Voting isn't the only case where compression leaks data about the
plain-text, it's just one where I know that it cause and actual
compromise, with actual expert users, in actual practice.
Please give other cases.
This discussion reminds me (trivially) of the example of university or
job acceptance or rejection letters. In most cases the size of the
envelope usually reveals the content of the message, since an
acceptance letter will come with all sorts of additional forms etc.
There are many cases where the size of the message reveals something
about the content, compression or no compression.
Less trivially - voting systems online are really hard. I remember
that _Applied Cryptography_ devoted a whole chapter to the issue.
In this case compression unexpectedly (for the users) added to the
message frustrated efforts at secrecy that were based on assumptions
about message length. It is worth someone writing up this
experience (I can't find any documentation of it online). I think it
is a bit of a stretch to say that compression itself is bad. It just
happened to be unhelpful in this case. As you note above, Jon, the
key used for voting could have had no compression preference and all
would have been well.
N.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp