[Cryptography] Is there a good algorithm providing both compression and encryption at the same time?

Bill Frantz frantz at pwpconsult.com
Fri May 8 17:23:33 EDT 2015


On 5/7/15 at 5:15 PM, bear at sonic.net (Ray Dillinger) wrote:

>There is absolutely nothing wrong with the "compress then
>encrypt" construction. As folks have pointed out, you must
>never rely on imperfect compression to SERVE AS encryption,
>but encrypting compressed text using a good encryption
>primitive is not worse at hiding its contents than
>encrypting uncompressed text using the same good encryption
>primitive.
>
>We usually accept the opponent knowing approximately how long
>a message is because the encrypted message is that long plus
>the length of a known-length IV and rounded up to a block
>boundary.  So I'm not concerned that message length information
>may be only as well hidden as it is with any kind of encryption.

We do have the well-known attacks when the attacker can insert
data to be compressed in the stream. In this case, the attacker 
can infer the presence of sequences the compressor compresses if 
the compressor is adaptive, i.e. changes its compression 
dictionary based on the data to be compressed. (N.B. most 
general purpose compressors are adaptive.)

These attacks have been sufficient to recover security cookies 
from web traffic in repeated, iterated attacks.

Probably compression is safe if each source of data is 
compressed separately.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | Re: Hardware Management Modes: | Periwinkle
(408)356-8506      | If there's a mode, there's a   | 16345 Englewood Ave
www.pwpconsult.com | failure mode. - Jerry Leichter | Los Gatos, CA 95032
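
Added example, not part of the original message: a check of whether the size of a secret's compressed record depends on data injected earlier in the stream, first with one shared adaptive context and then with a separate context per source, as the message suggests. It assumes zlib's deflate as the adaptive compressor; the cookie values and function names are constructed for illustration.

```python
import zlib

# Constructed sample data, not taken from the original message.
SECRET = b"Cookie: session=7f3a9c1e5b2d4860\r\n"
GUESS_MATCH = b"Cookie: session=7f3a9c1e5b2d4860"
GUESS_MISS = b"Cookie: session=0d8e46b1a2f9c375"


def record_sizes(records, per_source):
    """Compress (source, data) records and return each record's size on the wire.

    per_source=False: one adaptive deflate context shared by every source.
    per_source=True:  a separate deflate context (dictionary) for each source.
    """
    contexts = {}
    sizes = []
    for source, data in records:
        key = source if per_source else "shared"
        if key not in contexts:
            contexts[key] = zlib.compressobj(9)
        comp = contexts[key]
        # Z_SYNC_FLUSH ends the record but keeps the dictionary for later ones.
        out = comp.compress(data) + comp.flush(zlib.Z_SYNC_FLUSH)
        sizes.append(len(out))
    return sizes


def secret_record_size(injected, per_source):
    """Size of the secret's record when `injected` was compressed just before it."""
    records = [("untrusted", injected), ("trusted", SECRET)]
    return record_sizes(records, per_source)[1]


def length_depends_on_injected_data(per_source):
    """True if the observable size of the secret's record changes with the injected data."""
    return (secret_record_size(GUESS_MATCH, per_source)
            != secret_record_size(GUESS_MISS, per_source))


if __name__ == "__main__":
    for mode in (False, True):
        print("per_source =", mode,
              "match:", secret_record_size(GUESS_MATCH, mode),
              "miss:", secret_record_size(GUESS_MISS, mode),
              "leaks:", length_depends_on_injected_data(mode))
```

Encryption applied after compression preserves these sizes up to padding, so the same check can be used as a regression test for any framing layer that compresses mixed-trust data.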


