Possible security weaknesses incurred by compression before encryption

Adrian 'Dagurashibanipal' von Bidder avbidder at fortytwo.ch
Tue Feb 25 15:11:02 CET 2003

[sorry steven - this is for the list, of course]

On Tue, 2003-02-25 at 13:03, gnupg+Steven.Murdoch at cl.cam.ac.uk wrote:
> It is commonly thought that compressing data before encrypting it is a good
> idea since it increases the unicity distance, however a paper by John Kelsey
> presented at FSE 2002 shows that in the vast majority of circumstances
> compression adds no security and that in some circumstances it substantially
> decreases security.
> The paper is online at:
> http://link.springer.de/link/service/series/0558/bibs/2365/23650263.htm

[pity. Is this available for free somewhere? I have access through the
university, but not everybody...]

A very interesting paper. The place to discuss this could be the ietf
openpgp mailing list, perhaps.

A few thoughts.

 - the exact size of the input is unlikely to be available in usual
applications of gpg
 - approx. knowledge of the input size is very likely to be available:
Most mails are text/plain or text/html; most people tend to write their
mails encoded always in the same style (always text/plain, always html
mixed) and in the same language.
 - some expected substrings may be easily available: people tend to
include a Subject header even with encrypted mail (worse: they are
perhaps not even aware that the Subject isn't encrypted), people may
switch to encrypted mail during a discussion (I know that I do this when
discussing accounts and needing to transmit passwords after some
introducing mails), and then quote part of the previous messages. So some
substrings might be expected, others might be easily guessed. Also, some
fixed strings are almost always included in encrypted mails - especially
with MIME ('-----BEGIN PGP SIGNATURE-----' or 'Content-Encoding:')

While I don't feel threatened through all this, people using gpg to
encrypt serious secrets (and where enemies and attacks are actually to
be expected) should probably think a bit. 

Outside of PGP/GPG: I think that the example from the paper with the
encrypted video stream is probably the most likely one - it doesn't
require knowledge of the compression ratio and it could be that it is
realistically carried out by somebody just staring at the flashing
lights on the switch/hub.

General remark: I felt that the authors were not clear enough in all
cases about what exactly the attackers are supposed to know.

-- vbi

featured link: http://fortytwo.ch/gpg/intro
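The "expected substrings" point above (quoted lines from earlier mail, fixed MIME strings) can be measured directly: when a message repeats text that is already in it, a deflate compressor emits a back-reference instead of literals, and the compressed size, hence the ciphertext size, shrinks. The script below is an added illustration, not part of the original post and not GnuPG's own code. It compares the compressed length of two constructed mail bodies of identical plaintext length, one of which quotes a line already present, and then shows the usual mitigation: padding the compressed data up to a fixed bucket size before encryption, so the ciphertext length reveals only the bucket. The sample body, the reply lines, the bucket size and the padding format are all assumptions made for the example.

```python
import zlib

# Constructed sample mail body (not from the post): plain text, one language,
# the style the post says a correspondent's mail usually has.
SAMPLE_BODY = (
    "Hi,\n\n"
    "here are the account details for the staging box.\n"
    "Let me know once you have changed the password.\n\n"
    "Cheers\n"
)

# Constructed reply lines of equal length: one quotes a line already in the
# body (the "quote part of the previous messages" case), the other does not.
QUOTED_LINE = "> here are the account details for the staging box."
UNRELATED_LINE = "> the meeting room booking is confirmed for friday."
UNRELATED_LINE = UNRELATED_LINE.ljust(len(QUOTED_LINE))


def compressed_len(plaintext: bytes, level: int = 6) -> int:
    """Size of the deflate stream. Assumption: the cipher layered on top is
    length-preserving (plus a constant), so any difference in ciphertext
    length comes only from how well the plaintext compressed."""
    return len(zlib.compress(plaintext, level))


def length_leak(body: str, line_a: str, line_b: str) -> int:
    """Bytes by which the compressed output shrinks when `line_a` (repeating
    something already in `body`) is appended instead of `line_b`. Both
    plaintexts have the same length, so a non-zero result is information
    about the plaintext that is visible from the ciphertext length alone."""
    with_a = (body + line_a + "\n").encode()
    with_b = (body + line_b + "\n").encode()
    assert len(with_a) == len(with_b)
    return compressed_len(with_b) - compressed_len(with_a)


def pad_to_bucket(data: bytes, bucket: int = 512) -> bytes:
    """Mitigation: pad the compressed data to a multiple of `bucket` bytes
    before encryption, so the ciphertext length reveals only which bucket the
    message fell into. Padding is at least 2 bytes: zero filler followed by a
    2-byte big-endian pad length, so the receiver can strip it unambiguously.
    (Constructed padding format, not OpenPGP's.)"""
    pad = bucket - (len(data) % bucket)
    if pad < 2:               # no room for the length field: spend a whole extra bucket
        pad += bucket
    return data + b"\x00" * (pad - 2) + pad.to_bytes(2, "big")


def unpad(padded: bytes) -> bytes:
    """Reverse pad_to_bucket (no integrity check; that is the cipher/MAC's job)."""
    pad = int.from_bytes(padded[-2:], "big")
    return padded[:-pad]


def padded_len(body: str, line: str, bucket: int = 512) -> int:
    """Ciphertext-length proxy after compression *and* bucket padding."""
    compressed = zlib.compress((body + line + "\n").encode())
    return len(pad_to_bucket(compressed, bucket))


if __name__ == "__main__":
    print("length difference without padding:",
          length_leak(SAMPLE_BODY, QUOTED_LINE, UNRELATED_LINE))
    print("padded lengths:",
          padded_len(SAMPLE_BODY, QUOTED_LINE),
          padded_len(SAMPLE_BODY, UNRELATED_LINE))
```

Running it shows a positive difference for the unpadded case (the quoted line costs far fewer bytes than the unrelated one) and identical lengths once bucket padding is applied. Padding only hides what happens inside a bucket; a message that crosses a bucket boundary still reveals that much, so the bucket has to be chosen against the expected message sizes. The other option, the one the paper implies for high-value traffic, is to not compress at all (in GnuPG, `--compress-level 0` / `-z 0`).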