On Tue, Jan 29, 2013 at 9:40 PM, Thor Lancelot Simon <[email protected]> wrote:
> ...despite all the attacks we've seen on compression-before-encryption, and
> all the timing attacks we've seen on encryption, [...]
>
> ..we haven't really seen any known-plaintext key recovery attacks facilitated
> by timing analysis of compressors applied prior to encryption?

Yup! It is. But as you reason, compression must leak some data through
timing (and power) side channels.

BTW, it's not compression before encryption that's the problem -as if we
could compress after encryption instead :)- but compression without
discrimination, often because compression occurs at layers that don't know
what to compress. Compression in SSH, TLS, IPsec -- all bad. Compression at
the app layer can be OK. Sending compressed image files is fine, say, but
compressing everything is not.

FYI, in the HTTPbis WG they are considering using forms of stateful
compression (hop-by-hop) for HTTP/2.0 so that things that repeat frequently
in HTTP traffic can be compressed safely, like cookies and URL prefixes.

Nico
--
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
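
The distinction the reply draws between compressing everything at a layer that cannot tell secrets from other data and compressing selectively at the app layer, as an added example that is not part of the original message. It measures ciphertext-visible length rather than timing; the request layout, cookie values and function names are constructed assumptions.

```python
import zlib

# Constructed sample data: not taken from any real session.
SECRET = b"sessionid=7f3a9c1e5b2d4f60"
OTHER_SECRET = b"sessionid=c4d81b0a96e3f275"  # same length, different value


def build(secret: bytes, reflected: bytes):
    """Split a request into the secret-bearing header and everything else."""
    head = b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
    cookie = b"Cookie: " + secret + b"\r\n"
    body = b"\r\nq=" + reflected  # field influenced by another party
    return head, cookie, body


def wire_len_blind(secret: bytes, reflected: bytes) -> int:
    """Transport-layer style: one compression context over everything."""
    head, cookie, body = build(secret, reflected)
    return len(zlib.compress(head + cookie + body, 9))


def wire_len_selective(secret: bytes, reflected: bytes) -> int:
    """App-layer style: the secret is sent uncompressed and only the
    non-secret parts share a compression context."""
    head, cookie, body = build(secret, reflected)
    return len(cookie) + len(zlib.compress(head + body, 9))


def leak(wire_len) -> int:
    """Length difference an on-path observer sees between a request whose
    reflected field differs from the secret and one where it is equal.
    Zero means the length carries no signal about the secret."""
    return wire_len(OTHER_SECRET, SECRET) - wire_len(SECRET, SECRET)


if __name__ == "__main__":
    print("blind compression leak (bytes):    ", leak(wire_len_blind))
    print("selective compression leak (bytes):", leak(wire_len_selective))
```

Encryption hides the bytes but not their count, so a nonzero value from `leak(wire_len_blind)` is what remains visible on the wire after encryption.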
