Compression side channel

Hadmut Danisch hadmut at danisch.de
Sun Sep 9 15:21:29 EDT 2001


On Sat, Sep 08, 2001 at 10:45:14PM -0400, John Kelsey wrote:
> 
> where the encryption preserves length (e.g., RC4 encryption).  Suppose
> someone is sending a secret S in these messages, and the attacker gets
> to choose some prefix or suffix to send, e.g.
> 
> X[0] = S+suffix[0]
> X[1] = S+suffix[1]
> ...


Good point. The mistake seems to be mixing a (non-compressible)
secret and a (compressible, possibly attacker-chosen) message in one
compression run.  It seems to be a good idea to compress every
logical part of the plaintext separately (and to compress only
things which are compressible). 

Hadmut
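An added illustration (not code from the thread or its authors) of the two framings discussed above: the secret-plus-chosen-suffix scenario John describes, where the compressed length reaches the attacker through length-preserving encryption, and the separate-compression framing Hadmut proposes. It assumes zlib's DEFLATE as the compressor (the thread names none) and uses constructed sample secrets and suffix.

```python
import zlib

# Constructed sample values (not from the thread): two equally long secrets and
# one chosen suffix that shares a long prefix with SECRET_A but not SECRET_B.
SECRET_A = b"sid=0123456789abcdef"
SECRET_B = b"sid=fedcba9876543210"
CHOSEN_SUFFIX = b"sid=0123456789ab"


def compressed_len(data: bytes) -> int:
    """Length of data after a single zlib (DEFLATE) run at maximum effort."""
    return len(zlib.compress(data, 9))


def mixed_len(secret: bytes, suffix: bytes) -> int:
    """Framing criticised in the thread: secret and chosen text share one
    compression run (X[i] = S + suffix[i]). With length-preserving encryption
    the ciphertext is exactly this long, so the observer sees this value."""
    return compressed_len(secret + suffix)


def separated_len(secret: bytes, suffix: bytes) -> int:
    """Framing Hadmut proposes: the (incompressible) secret is sent as-is and
    only the compressible, externally influenced part is compressed, alone."""
    return len(secret) + compressed_len(suffix)


def length_depends_on_secret(frame, secrets, suffix) -> bool:
    """Defender's check: for one fixed suffix, does the on-the-wire length
    change with the secret? True means the framing leaks via length."""
    lengths = {frame(s, suffix) for s in secrets}
    return len(lengths) > 1


if __name__ == "__main__":
    for name, frame in (("mixed", mixed_len), ("separated", separated_len)):
        la = frame(SECRET_A, CHOSEN_SUFFIX)
        lb = frame(SECRET_B, CHOSEN_SUFFIX)
        leak = length_depends_on_secret(frame, [SECRET_A, SECRET_B], CHOSEN_SUFFIX)
        print(f"{name:9s} len(A)={la} len(B)={lb} leaks={leak}")
```

With the mixed framing the message whose secret matches the suffix compresses to fewer bytes; with the separated framing both messages have the same length regardless of the secret.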
