Field
The present invention relates generally to protecting message data that is compressed and encrypted.
Background
An attack may be made on a secure connection (for example, SSL/TLS) that uses compression, because the length of the encrypted and compressed message may be exploited to discover information. When an attacker can control some text in the uncompressed message, the attacker can cycle through digits (or bytes) until he finds one that results in the shortest encrypted message. For example, an encrypted message may include a tag like “secret=4528715”. When the text the attacker inserts into the uncompressed message is “secret=4”, it duplicates more of the tag than any other possible digit, such as “secret=0”, so the compression will be better and the length of the encrypted message will be shorter. After discovering the first digit, the attacker can cycle through the next possible digits (or bytes) until he finds one that results in a shorter length, e.g. “secret=45”. The attacker can then cycle through the next digit (or byte), until all of the sensitive information has been discovered.
There is therefore a need for a technique for protecting a message that is both compressed and encrypted such that the length of the compressed message cannot be determined from the compressed and encrypted data stream.
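The length signal described above can be checked directly. The following is an added example, not part of the original text: it compresses a constructed message containing the tag “secret=4528715” with each candidate digit inserted, and reports whether the observable length differs across candidates. The message layout, `RECORD_SIZE`, `AEAD_OVERHEAD` and the fixed-size padding step are assumptions chosen for illustration; the padding shown is one generic way to decouple wire length from compressed length, not the technique this document goes on to claim.

```python
import zlib

SECRET_TAG = b"secret=4528715"  # tag taken from the background text
RECORD_SIZE = 128               # assumed fixed record size for the padded variant
AEAD_OVERHEAD = 16              # assumed constant number of bytes added by encryption


def build_message(injected: bytes) -> bytes:
    """Constructed message: injected text followed by the protected tag."""
    return b"GET /?" + injected + b" HTTP/1.1\r\nCookie: " + SECRET_TAG + b"\r\n\r\n"


def wire_length(injected: bytes, pad: bool) -> int:
    """Length an on-path observer sees after compress, optional pad, encrypt."""
    body = zlib.compress(build_message(injected), 9)
    if pad:
        if len(body) + 2 > RECORD_SIZE:
            raise ValueError("compressed message exceeds the fixed record size")
        # The true length travels inside the encrypted record; the rest is fill.
        body = len(body).to_bytes(2, "big") + body
        body += b"\x00" * (RECORD_SIZE - len(body))
    # Encryption is modelled by its length only: plaintext length plus a constant.
    return len(body) + AEAD_OVERHEAD


def length_profile(pad: bool) -> dict:
    """Observable length for each candidate first digit after 'secret='."""
    return {d: wire_length(b"secret=" + str(d).encode(), pad) for d in range(10)}


def leaks_by_length(profile: dict) -> bool:
    """True when the observable length depends on the inserted candidate."""
    return len(set(profile.values())) > 1


if __name__ == "__main__":
    for pad in (False, True):
        profile = length_profile(pad)
        print("padded" if pad else "unpadded", profile,
              "leaks" if leaks_by_length(profile) else "constant length")
```

A fixed record size only hides the length while every compressed message fits inside one record; a message that spills into a second record exposes a coarser length signal again.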