[Cryptography] Compression before encryption?

Phillip Hallam-Baker phill at hallambaker.com
Mon Jan 12 11:01:52 EST 2015


On Fri, Jan 9, 2015 at 1:51 PM, Christoph Anton Mitterer <calestyo at scientia.net> wrote:

> On Fri, 2015-01-09 at 13:22 +0100, Stephan Neuhaus wrote:
> > I have come across the recommendation to "compress before you encrypt",
> > on the grounds that this makes plaintext recognition through frequency
> > analysis much harder.
> Compression before encryption may be used as an oracle when plain text
> injection is possible...
> See CRIME/BREACH attacks and the principle behind them.

I think it is a bad idea to take too much from HTTPS experience. The
problem is much narrower and much more general.

First the HTTPS attack: if you put active code into a system and you allow
someone to manipulate one part of a message, this may allow them to deduce
other parts of the message. Well, we could blame the compression but the
real problem here is the active code and the use of bearer tokens for
authentication: Get rid of one or the other or expect the pain to recur.

If you are using active code then you should assume that EVERY part of
EVERY message that the active code can initiate is disclosed to the code.

But turning off compression is a much easier fix than changing the way
cookies work. So we take the easy route as always and will wonder why it
breaks again.
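
The principle discussed in this message, as an added example that is not part of the original post: it measures how the compressed size of a response changes when echoed request data matches a secret in the same compression context, and shows that the size carries no such signal when the two parts are compressed separately or not at all. The page layout, field name and token values are constructed assumptions.

```python
import zlib

# Constructed sample values; the page layout and token format are assumptions.
SECRET_A = "7f3a9c2e5b1d4086"
SECRET_B = "c40d8e17b6a295f3"


def reflected_part(user_input: str) -> bytes:
    """Portion of the response that echoes request data."""
    return f"<p>You searched for: {user_input}</p>\n".encode()


def secret_part(secret: str) -> bytes:
    """Portion of the response that carries the bearer token."""
    return f'<input type="hidden" name="auth" value="token={secret}">\n'.encode()


def shared_context_len(user_input: str, secret: str) -> int:
    """One DEFLATE stream over both parts: back-references can cross between them."""
    return len(zlib.compress(reflected_part(user_input) + secret_part(secret)))


def separate_context_len(user_input: str, secret: str) -> int:
    """Each part compressed on its own: no back-reference can link input to secret."""
    return (len(zlib.compress(reflected_part(user_input)))
            + len(zlib.compress(secret_part(secret))))


def uncompressed_len(user_input: str, secret: str) -> int:
    """No compression at all: size depends only on the lengths of the parts."""
    return len(reflected_part(user_input) + secret_part(secret))


def length_gap(measure, secret: str) -> int:
    """Size difference between echoing SECRET_A and echoing SECRET_B."""
    return (measure(f"token={SECRET_A}", secret)
            - measure(f"token={SECRET_B}", secret))


if __name__ == "__main__":
    for name, measure in [("shared", shared_context_len),
                          ("separate", separate_context_len),
                          ("uncompressed", uncompressed_len)]:
        print(f"{name:12s} gap with secret A: {length_gap(measure, SECRET_A):+d}, "
              f"with secret B: {length_gap(measure, SECRET_B):+d}")
```

In the shared context the sign of the gap follows the secret; in the other two cases the gap is the same whichever secret the page holds, so the ciphertext length says nothing about it.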