"Boyle Owen" <[EMAIL PROTECTED]> writes:
> >-----Original Message-----
> >From: Arthur Chan [mailto:[EMAIL PROTECTED]
> >
> >Hi Boyle,
> >I've been debating with myself over whether to encrypt everything, that's a
> >cogent argument you have offered. I have a few questions myself:
> >(1) assuming an openssl encrypted packet is bigger than a plain text one,
>
> Why would you assume this? Essentially:
>
> encrypted_text = f(plain_text, key)
>
> where f() is a mathematical function. I guess the 2nd law of
> thermodynamics ("entropy increases") would tend to cause the output
> to increase but not necessarily by much. In the simple case of a
> substitutional cipher, the encrypted text would be precisely the
> same size as the plain text.

SSL-enciphered data is always somewhat larger than the plaintext.
The overhead is from three sources:

(1) the record header (5 bytes)
(2) the MAC (16-20 bytes)
(3) block cipher padding (if applicable).

Note that all of this overhead is roughly fixed with respect to the
record size (block cipher padding depends on the record size mod the
block size). So, small records have enormous amounts of overhead
(as high as 20 or more times for single-byte records). For large
records the overhead is largely irrelevant (e.g. 20/15000). If you're
doing bulk data transfer you should always use large records.

> >would mod_gzip shrink it significantly to warrant the effort?
>
> Zipping algorithms work by replacing repetitive sequences in the
> input with shorter instructions to regenerate them (e.g. 1000 blue
> pixels -> "1 blue pixel x 1000"). Compression works best with highly
> structured input data (bitmaps, WAV files, human language etc). With
> random data, it can't make much difference and will even cause the
> file to grow! (try repeatedly zipping a file to see this happening).

One would apply mod_gzip PRIOR to encryption, so it will work unless
the data is already pre-compressed (e.g. a GIF or a JPG).

-Ekr

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
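The record overhead Ekr lists (header, MAC, block padding) and the compress-before-encrypt point, worked through in Python as an added example that is not code from the thread or from mod_ssl. It assumes the SSLv3/TLS 1.0 GenericBlockCipher layout with minimal padding and no explicit IV, and uses zlib as a stand-in for mod_gzip on constructed sample data.

```python
"""Added example: size of an SSL/TLS record and the effect of compressing
before encryption. Not part of the original mailing-list thread."""
import math
import random
import zlib
from typing import Optional

RECORD_HEADER = 5  # content type (1) + version (2) + length (2)


def tls_record_size(plaintext_len: int, mac_len: int = 20,
                    block_size: Optional[int] = 8) -> int:
    """Bytes on the wire for one record carrying plaintext_len bytes.

    mac_len:    16 for MD5, 20 for SHA-1 (the "16-20 bytes" in the mail).
    block_size: cipher block size (8 for 3DES, 16 for AES); None means a
                stream cipher such as RC4, which adds no padding.
    Block-cipher layout assumed (TLS 1.0 GenericBlockCipher):
        content || MAC || padding || padding_length
    padded with the minimum padding that reaches a block boundary.
    """
    body = plaintext_len + mac_len
    if block_size:
        # +1 for the mandatory padding_length byte, then round up to a block
        body = math.ceil((body + 1) / block_size) * block_size
    return RECORD_HEADER + body


def overhead_ratio(plaintext_len: int, **kw) -> float:
    """Wire bytes per plaintext byte: ~29x for a 1-byte record, ~1.002x at 15000."""
    return tls_record_size(plaintext_len, **kw) / plaintext_len


def compressed_size(data: bytes) -> int:
    """zlib at maximum level stands in for mod_gzip (assumption)."""
    return len(zlib.compress(data, 9))


def build_samples():
    """Constructed inputs: repetitive HTTP text vs. incompressible bytes
    (the latter plays the role of a GIF/JPG or of already-encrypted data)."""
    text = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n" * 40
    rng = random.Random(1)  # seeded so the result is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(2000))
    return text, noise


def wire_size_gzip_then_ssl(data: bytes, **kw) -> int:
    """mod_gzip applied before SSL: the record carries the compressed body."""
    return tls_record_size(compressed_size(data), **kw)
```

Compressing the noise sample grows it (zlib falls back to stored blocks), which is why compressing after encryption, or compressing a pre-compressed image, buys nothing.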
