the "crime" attack on TLS

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Sep 14 11:41:17 CEST 2012


On Fri, Sep 14, 2012 at 6:03 AM, Phil Pennock
<help-gnutls-phil at spodhuis.org> wrote:

> One thing I noted is that the attack relies upon compression working,
> while DEFLATE uses a new Huffman tree for each compression block.  So if
> you end a _compression_ block any time you switch sensitivity level
> within the stream, you protect different parts of the cleartext from
> each other and this attack shouldn't work.

The issue is that you cannot easily determine when the sensitivity
level changes. E.g. if TLS is used for a VPN, how are one user's data
distinguished from another's? Is it enough to assume that data of
different sensitivity are included in different records?

> Both GnuTLS and OpenSSL use Z_SYNC_FLUSH to get a complete set of data
> for sending, while still being in a compression block.  Z_FULL_FLUSH is
> needed to end a compression block,
> or to end the compression with Z_FINISH.
> OpenSSL has BIO_flush() which will end up using Z_FINISH to end a
> compression block, with the side-effect of also flushing down to the
> wire level, which would be unfortunate performance-wise.
> I couldn't find anything similar in GnuTLS and was wondering if a new
> control call to end a compression block, starting a new one, would be
> useful for senders who want to be able to use compression but split
> contexts at security boundaries within the stream?

GnuTLS operates much differently than OpenSSL. Its operation is
comparable to Unix sockets. You provide data for sending in each
record. That data is then compressed. I'm thinking about whether it makes
sense to use Z_FULL_FLUSH on each record boundary, or drop compression
altogether.

regards,
Nikos
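
Added example, not part of the original message and not GnuTLS or OpenSSL code: a Python check, using the standard zlib module, of how the two flush modes discussed above affect per-record compressed sizes. The sample records and the function names record_sizes, leak and overhead are constructed for illustration.

```python
import zlib

# Constructed sample records (not from the thread). SECRET is sent first;
# the LATER_* values are subsequent records on the same compressed stream.
SECRET = b"Cookie: session=7f3a9c1e5b2d4086\r\n"
LATER_SAME = b"Cookie: session=7f3a9c1e5b2d4086\r\n"  # repeats the secret
LATER_DIFF = b"Cookie: session=6804d2b5e1c9a3f7\r\n"  # same bytes, reordered


def record_sizes(records, flush_mode):
    """Compress records through one raw DEFLATE stream, flushing after each
    record as a record layer would, and return each record's output size."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return [len(comp.compress(r) + comp.flush(flush_mode)) for r in records]


def leak(flush_mode):
    """Size gap between a later record that differs from SECRET and one that
    repeats it. Non-zero means record length depends on earlier plaintext."""
    same = record_sizes([SECRET, LATER_SAME], flush_mode)[1]
    diff = record_sizes([SECRET, LATER_DIFF], flush_mode)[1]
    return diff - same


def overhead(flush_mode, copies=20):
    """Total compressed size of `copies` identical records: the price of
    discarding compression history at every record boundary."""
    return sum(record_sizes([SECRET] * copies, flush_mode))


if __name__ == "__main__":
    for name, mode in (("Z_SYNC_FLUSH", zlib.Z_SYNC_FLUSH),
                       ("Z_FULL_FLUSH", zlib.Z_FULL_FLUSH)):
        print(f"{name}: leak={leak(mode)} bytes, "
              f"20 repeated records={overhead(mode)} bytes")
```

With Z_SYNC_FLUSH the later record's size depends on whether it repeats the earlier record; with Z_FULL_FLUSH on each record boundary it does not, and the cost is that repeated data across records no longer compresses.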



