"Dave Paris" <[EMAIL PROTECTED]> writes:
> In addition to Owen's salient points about compression working efficiently
> on repetitive strings in plaintext/binary data (e.g. whitespace in a Word
> document) and not on random data (e.g. encrypted data), some encryption
> algorithms can actually be weakened by compressing the resulting data,
> giving a cryptanalyzer clues to the inner workings of the algorithm.

No reasonable encryption algorithm will be weakened this way.

> As for SSL packets being larger - they're not to any appreciable degree -
> for the exact reason Owen pointed out below. Even symmetric cipher
> algorithms don't produce appreciably larger amounts of data. For example,
> using Chained Block Cipher (CBC) mode will only increase the amount of data
> by 8 bytes from adding an Initialization Vector (IV) to the beginning of the
> ciphertext and padding the end of the ciphertext to get a complete final
> block (with an 8 byte block cipher like Blowfish, the largest amount of
> padding will only be 7 bytes). So, at most, you've added 15 bytes to even
> the largest amount of plaintext data using Blowfish in CBC mode. There are
> a few exotic exceptions here, like interleaved chaining block ciphers which
> will add an IV (of the same size as above) per parallel operation (so if
> you've got four parallel encryption operations using interleaved CBC, you're
> adding 24 bytes at the beginning of the ciphertext). However, these are
> exceptionally rare and typically limited to proprietary
> implementations/applications.

You're forgetting the MAC.

> Addressing one other misconception here... a packet can contain up to 1500
> bytes - including headers (assuming your network handles MTUs of 1500, some
> are less (like ATM @ 53 bytes [48 bytes of payload w/5 bytes of header]),
> some are more (like Frame Relay @ up to 4500 bytes), but hey, not many
> desktops are connected with ATM or Frame, so we'll call the connection
> standard ethernet with an MTU of 1500.

The PMTU is largely irrelevant here since SSL records can be much larger
than the MTU. What's relevant here is the size of the SSL stream vis a vis
the plaintext stream.

-Ekr

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
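Putting numbers on the thread's point that the MAC (and the record framing), not the MTU, decides how much bigger the SSL stream is than the plaintext: the calculator below is an added example, not code from either poster or from mod_ssl. It assumes a 5-byte record header, TLS-style CBC padding (a pad-length byte is always present, so padding is 1 to block_size bytes), a 2^14-byte maximum fragment, and an explicit per-record IV only when `explicit_iv=True` (TLS 1.1 and later; SSLv3/TLS 1.0 chain the IV across records and send none).

```python
# Added example (not from the list post): SSL/TLS ciphertext expansion for a
# CBC block-cipher suite versus a stream-cipher suite, counting the MAC that
# the quoted "at most 15 bytes" estimate omits.  Assumptions: 5-byte record
# header, TLS-style padding, 16384-byte maximum plaintext fragment.

RECORD_HEADER = 5        # content type (1) + protocol version (2) + length (2)
MAX_FRAGMENT = 16384     # 2^14 bytes of plaintext per record


def cbc_record_len(plaintext_len, block_size, mac_len, explicit_iv=False):
    """Bytes on the wire for one CBC-protected record, header included."""
    body = plaintext_len + mac_len
    # Pad so that body + pad-length byte is a whole number of blocks;
    # the result is 1..block_size bytes and already includes the length byte.
    padding = block_size - (body % block_size)
    iv = block_size if explicit_iv else 0     # TLS 1.1+ sends an IV per record
    return RECORD_HEADER + iv + body + padding


def stream_record_len(plaintext_len, mac_len):
    """Bytes on the wire for one stream-cipher record (no IV, no padding)."""
    return RECORD_HEADER + plaintext_len + mac_len


def stream_len(total_plaintext, record_len):
    """Total wire bytes when total_plaintext is split into maximal records."""
    total, remaining = 0, total_plaintext
    while remaining > 0:
        chunk = min(remaining, MAX_FRAGMENT)
        total += record_len(chunk)
        remaining -= chunk
    return total


if __name__ == "__main__":
    # 1000 plaintext bytes, 8-byte block cipher, 20-byte HMAC-SHA1 (TLS 1.0):
    # 5 header + 1000 + 20 MAC + 4 pad = 1029, i.e. 29 bytes over, not 15.
    print(cbc_record_len(1000, 8, 20))                          # 1029
    # Same with a 16-byte block cipher and an explicit IV (TLS 1.1+): 1045.
    print(cbc_record_len(1000, 16, 20, explicit_iv=True))       # 1045
    # A 100000-byte stream over 8-byte-block CBC + SHA1 costs 100203 bytes.
    print(stream_len(100000, lambda n: cbc_record_len(n, 8, 20)))  # 100203
```

Note that every record pays the header and MAC again, so small application writes (one record per keystroke, say) expand far more in relative terms than bulk transfers.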