On Sun, Oct 4, 2015 at 10:58 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
> > The takeaway for me is you can't mix compression, any fixed value an
> > attacker wishes to learn, and attacker-controlled data, or there will be a
> > compression side-channel.
>
> Is that necessarily true?
>
> Deflate violates semantic security by allowing the attacker to gain
> information across messages (even though any single message is
> secure). So perhaps it's the mode of compression or the way compression
> was implemented, and not compression itself.

The only property of compression that this class of side-channel attack relies on is that the compression algorithm produces a smaller output for message a || a than a || b (where a and b are of identical length), so really it would seem to be a conceptual problem with mixing compression and encryption.

If someone has produced a secure system for "compression side-channel resistant encryption", I haven't seen it.

-- 
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
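The property Tony describes, that one DEFLATE stream is shorter for a || a than for a || b when a and b have the same length, can be checked directly with zlib. The script below is an added example, not code from the thread or from any TLS implementation; the `SECRET` and guess values are constructed sample data, and the bucket padding in `padded_len` is one assumed length-hiding mitigation (pad compressed records up to a fixed size), not something the thread proposes.

```python
import zlib

# Constructed sample values (not from the thread): a fixed value an attacker
# would like to learn, and two same-length values the attacker could choose.
SECRET = b"Cookie: session=3f8a1c9e4b7d2a6f5e0c9b8a7d6e5f4c"          # 48 bytes
OTHER_GUESS = b"Cookie: session=Kq7Wz2Xv9Ym4Rt1Pn6Lh8Jg3Fd5Bs0CZ"     # 48 bytes, only the prefix repeats


def compressed_len(data: bytes, level: int = 9) -> int:
    """Length in bytes of the zlib (DEFLATE) output for a single message."""
    return len(zlib.compress(data, level))


def shared_context_len(fixed: bytes, chosen: bytes) -> int:
    """Compress the fixed value and the chosen value in ONE DEFLATE stream.

    This is the mixing the thread warns about: the output length now depends
    on how much of `chosen` repeats `fixed`, so a || a comes out shorter than
    a || b even though both inputs are exactly the same size.
    """
    return compressed_len(fixed + chosen)


def separate_context_len(fixed: bytes, chosen: bytes) -> int:
    """Compress the two values in SEPARATE streams.

    The total length still varies with the content of `chosen`, but only as a
    function of `chosen` itself; nothing about `fixed` is reflected in it.
    """
    return compressed_len(fixed) + compressed_len(chosen)


def padded_len(data: bytes, bucket: int = 128) -> int:
    """Assumed length-hiding mitigation (not from the thread): round the
    compressed length up to a multiple of `bucket` bytes so small differences
    in compressed size do not reach the wire."""
    n = compressed_len(data)
    return -(-n // bucket) * bucket   # ceiling division, then scale back up


def report() -> dict:
    """Return the lengths a practitioner would compare when assessing exposure."""
    return {
        "shared a||a": shared_context_len(SECRET, SECRET),
        "shared a||b": shared_context_len(SECRET, OTHER_GUESS),
        "separate a||a": separate_context_len(SECRET, SECRET),
        "separate a||b": separate_context_len(SECRET, OTHER_GUESS),
        "padded a||a": padded_len(SECRET + SECRET),
        "padded a||b": padded_len(SECRET + OTHER_GUESS),
    }


if __name__ == "__main__":
    for name, length in report().items():
        print(f"{name:>14}: {length} bytes")
```

Running it shows the shared-context gap between a || a and a || b is tens of bytes, while bucketed padding makes the two records indistinguishable by length. Padding only widens the bucket an observer has to resolve; the separate-context case shows the stronger fix, which is not to let attacker-chosen data and the fixed value share a compression dictionary at all.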