Encrypted file-size approximation with multiple recipients

[Daniel Kahn Gillmor]

On 04/02/2014 01:07 PM, Tim Chase wrote:
> 1) I'd missed that GPG conveniently compresses the data before
> encrypting which would explain some of the differences I saw.

 [...]

> in more than half of my use cases (small plain-text/JSON messages)

It sounds to me like you might be setting up some sort of automated
encrypted JSON message-passing scheme.  If so, you should be aware that
if any of the encrypted JSON could be controlled by an attacker, that
attacker could possibly learn information about the other parts of the
message that are not controlled by them when using compression, just by
inspecting the size of the traffic.

This is essentially how the CRIME attack against TLS works, but the
theoretical framework of the attack itself isn't necessarily limited to TLS.

Please make sure you understand the CRIME attack against TLS and your
mechanism's use cases well enough to be certain that a comparable attack
isn't applicable, or just explicitly turn off compression for your
OpenPGP-encrypted data if you can afford the extra bandwidth and are
unsure about the use cases to which other people might put your protocol.

hth,

	--dkg


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140407/9c3f9110/attachment.sig>