Compression makes the attack very difficult to perform, because PGP does not output anything for the attacker to use if decompression fails.
Basically, the compression problem is as follows :
Is there some way to insert random data into a compressed message and ensure that the decompressor will not choke on it and die ?
If so, the attack would become workable even with compression enabled. It actually does work, on the off chance that the random data does not mess up the decompressor - that only seems to happen when the message is very very short though.
Please, read the paper and not the articles.
News articles are written designed to get you attention, not inform you.
The attack has nothing to do with including the plaintext of an encrypted message, it is a chosen - ciphertext attack aginst the the CFB chaining mode used in PGP/OpenPGP.
They _have_ known about it for a while, and a new version of the standard addresses it. Not to mention that signing and compression mitigate the attack as it is . . .
Slashdot Mirror
Compression makes the attack very difficult to perform, because PGP does not output anything for the attacker to use if decompression fails. Basically, the compression problem is as follows : Is there some way to insert random data into a compressed message and ensure that the decompressor will not choke on it and die ? If so, the attack would become workable even with compression enabled. It actually does work, on the off chance that the random data does not mess up the decompressor - that only seems to happen when the message is very very short though.
Please, read the paper and not the articles. News articles are written designed to get you attention, not inform you. The attack has nothing to do with including the plaintext of an encrypted message, it is a chosen - ciphertext attack aginst the the CFB chaining mode used in PGP/OpenPGP. They _have_ known about it for a while, and a new version of the standard addresses it. Not to mention that signing and compression mitigate the attack as it is . . .