[9228] in cryptography@c2.net mail archive


Re: Compression side channel

daemon@ATHENA.MIT.EDU (Hadmut Danisch)
Sun Sep 9 17:30:34 2001

From: Hadmut Danisch <hadmut@danisch.de>
Date: Sun, 9 Sep 2001 21:21:29 +0200
To: cryptography@wasabisystems.com
Message-ID: <20010909212129.A2332@danisch.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <4.1.20010908224150.020e9e20@pop.ix.netcom.com>

On Sat, Sep 08, 2001 at 10:45:14PM -0400, John Kelsey wrote:
> 
> where the encryption preserves length (e.g., RC4 encryption).  Suppose
> someone is sending a secret S in these messages, and the attacker gets
> to choose some prefix or suffix to send, e.g.
> 
> X[0] = S+suffix[0]
> X[1] = S+suffix[1]
> ...


Good point. The mistake seems to be mixing a (non-compressible)
secret and a (compressible, possibly attacker-chosen) message in one
compression run.  It seems to be a good idea to compress every
logical part of the plaintext separately (and to compress only
things which are compressible). 

Hadmut
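The length leak John Kelsey describes, and the separate-compression remedy proposed above, as an added example (not code from the original thread). The record layout, the secret and the guess alphabet are constructed for the example; zlib is run with the Z_FIXED strategy (fixed Huffman tables) so that one saved literal is exactly one saved output byte, and the compressed length stands in for the ciphertext length under a length-preserving cipher such as RC4.

```python
"""Compression side channel, illustrated.

A non-compressible secret and attacker-chosen text in ONE compression run
let the attacker read the secret one character at a time from the output
length.  Compressing the logical parts separately closes the channel.

Constructed example; not code from the original post.  Z_FIXED is used so
that a saved literal is exactly one saved byte; with zlib's default dynamic
Huffman tables the gap is the same in bits but no longer byte-exact, so a
real attacker needs repeated measurements or alignment tricks.
"""
import string
import zlib

SECRET = "x7Qp4k"                                # constructed session id
ALPHABET = string.ascii_letters + string.digits  # what the attacker tries
KNOWN_PREFIX = "sid="                            # field name is public


def deflate(data: bytes) -> bytes:
    """DEFLATE with fixed Huffman codes.  Only len() of the result is used:
    it models the length of the ciphertext, which the attacker can observe."""
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return c.compress(data) + c.flush()


def mixed(secret: str, suffix: str) -> bytes:
    """The mistake: secret and attacker suffix in one compression run
    (Kelsey's X = S + suffix).  The suffix is the last thing in the stream,
    so a wrong final character can only be emitted as a literal and cannot
    borrow a match from whatever would follow it."""
    return deflate(("Set-Cookie: sid=" + secret + "\r\n" + suffix).encode())


def separate(secret: str, suffix: str) -> bytes:
    """The remedy: compress each logical part on its own, so the size of the
    attacker's part cannot depend on the secret.  (The secret part, being
    incompressible, could just as well be left uncompressed.)"""
    return (deflate(("Set-Cookie: sid=" + secret + "\r\n").encode())
            + deflate(suffix.encode()))


def recover_secret(oracle, length: int):
    """Attacker side.  oracle(suffix) returns what the victim sends when the
    attacker controls the suffix.  For each position, try every character
    after the already-recovered prefix and keep the one whose output is
    uniquely shortest: a correct guess lengthens the LZ77 back-reference to
    the secret by one byte, a wrong guess costs a literal instead.  Returns
    None as soon as no guess stands out (the channel is closed)."""
    recovered = ""
    for _ in range(length):
        sizes = {g: len(oracle(KNOWN_PREFIX + recovered + g)) for g in ALPHABET}
        best = min(sizes.values())
        winners = [g for g, n in sizes.items() if n == best]
        if len(winners) != 1:
            return None
        recovered += winners[0]
    return recovered


if __name__ == "__main__":
    print("one run:      ", recover_secret(lambda s: mixed(SECRET, s), len(SECRET)))
    print("separate runs:", recover_secret(lambda s: separate(SECRET, s), len(SECRET)))
```

Two caveats a practitioner would check before trusting the mitigation: the attacker's part must really be compressed on its own (here it is a separate deflate stream, so its length is a function of its own bytes only), and anything placed after the guess character matters, because a wrong guess that happens to equal a nearby secret byte can then match "guess + trailing bytes" and look like a hit.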

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
