Date: Thu, 07 Jul 2022 07:04:22 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Demi Marie Obenour <demi@...isiblethingslab.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: DO NOT OPEN PREVIOUS MAIL Re: Denial of service in GnuPG

* Demi Marie Obenour:

> Was adding compression to PGP even a good idea in the first place?

In the mid-90s, it was widely believed that compression was required as
part of a good implementation because it was assumed that it made
cryptanalysis more difficult.  Applied Cryptography recommended it:

| 10.6 Compression, Encoding, And Encryption

| Using a data compression algorithm together with an encryption
| algorithm makes sense for two reasons:
|
|   Cryptanalysis relies on exploiting redundancies in the plaintext;
|   compressing a file before encryption reduces these redundancies.
|
|   Encryption is time-consuming; compressing a file before encryption
|   speeds up the entire process.
|
| The important thing to remember is to compress before encryption.  If
| the encryption algorithm is any good, the ciphertext will not be
| compressible; it will look like random data.  (This makes a reasonable
| test of an encryption algorithm; if the ciphertext can be compressed,
| then the algorithm probably isn't very good.)
|
| If you are going to add any type of transmission encoding or error
| detection and recovery, remember to add that after encryption.  If
| there is noise in the communications path, decryption's
| error-extension properties will only make that noise worse. […]

The performance advice was likely based on the relative performance of a
3DES implementation in software and some simple LZW77 compressor.
Even at the time, it probably wasn't true for the IDEA algorithm on most
CPUs, and the situation only got better for encryption after that.

The first rationale, regarding cryptanalysis, has always been total
bunk: effective compression introduces a weakness into any encryption
scheme.  You are pretty much guaranteed to end up with viable adaptive
chosen plaintext attacks if data is combined from multiple sources.
For variable-bit-rate voice compression, it's possible to infer some
information on phonemes in the cleartext just based on the bit rate.

Thanks,
Florian

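The two claims in the message above can both be checked in a few lines. The following is an added example, not part of Florian Weimer's message and not GnuPG code: it uses zlib, a toy SHA-256 counter-mode keystream as a stand-in for a real cipher (an assumption made only so the example runs offline; it is not a recommended construction), and constructed sample inputs. The first function runs the "ciphertext should not be compressible" sanity check quoted from Applied Cryptography. The second shows why compressing data from multiple sources in one context is the problem the message describes: when attacker-controlled bytes and a secret share one LZ77 window, the compressed (and therefore encrypted) length depends on how much of the secret the controlled bytes repeat, and the mitigation is to keep the sources in separate compression contexts, where the length no longer depends on the secret.

```python
"""Added example: compressibility check and a compression-context
length leak, with constructed inputs. Not code from the original
message or from GnuPG."""
import hashlib
import zlib


def toy_keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with a SHA-256 counter-mode keystream.

    Toy construction, assumed here only so the example runs without a
    crypto library; real systems use a vetted AEAD cipher. All the
    compressibility check needs is output that looks random."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = plaintext[offset:offset + 32]
        out.extend(c ^ k for c, k in zip(chunk, block))
    return bytes(out)


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; below 1 means redundancy."""
    return len(zlib.compress(data, 9)) / len(data)


def ciphertext_compressibility_check(key: bytes, plaintext: bytes) -> dict:
    """The sanity check from the quoted book passage: compress, then
    encrypt, then see whether zlib can shrink the ciphertext. With a
    sound cipher it cannot (the ratio is at or above 1)."""
    compressed = zlib.compress(plaintext, 9)
    ciphertext = toy_keystream_encrypt(key, compressed)
    return {
        "plaintext_ratio": compression_ratio(plaintext),
        "ciphertext_ratio": compression_ratio(ciphertext),
    }


def shared_context_length(secret: bytes, controlled: bytes) -> int:
    """Message length when both sources share one zlib context.

    A stream cipher preserves length, so the ciphertext length equals
    this number: the compressed size is what leaks."""
    return len(zlib.compress(controlled + b"\n" + secret, 9))


def separate_context_length(secret: bytes, controlled: bytes) -> int:
    """Mitigation: compress each source on its own. The total length
    is then the same for every controlled input of equal size,
    regardless of how much of the secret it happens to repeat."""
    return len(zlib.compress(controlled, 9)) + len(zlib.compress(secret, 9))


def length_leak_demo(secret: bytes, probes: list) -> dict:
    """For each probe string, report the shared-context and the
    separate-context length. LZ77 deduplicates a probe that repeats
    part of the secret, so only the shared-context length varies."""
    return {
        probe: {
            "shared": shared_context_length(secret, probe),
            "separate": separate_context_length(secret, probe),
        }
        for probe in probes
    }


# Constructed sample inputs (not real keys or tokens).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_PLAINTEXT = b"attack at dawn. " * 20          # highly redundant
SAMPLE_SECRET = b"Cookie: session=7f3a9c1b2e4d5f60"  # constructed token
PROBE_REPEATING_SECRET = b"Cookie: session=7f3a9c1b"  # repeats 24 bytes
PROBE_UNRELATED = b"Cookie: session=0a1b2c3d"         # repeats 16 bytes

if __name__ == "__main__":
    print(ciphertext_compressibility_check(SAMPLE_KEY, SAMPLE_PLAINTEXT))
    print(length_leak_demo(SAMPLE_SECRET,
                           [PROBE_REPEATING_SECRET, PROBE_UNRELATED]))
```

The first result shows the redundant plaintext shrinking to a small fraction of its size while the ciphertext, fed back into zlib, comes out no smaller than it went in. The second shows the shared-context length for the probe that repeats more of the secret coming out shorter than for the unrelated probe, while the separate-context lengths are identical; that equality is the property a design wants if it compresses at all, and not compressing data that mixes trust domains achieves it more simply.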