From: Martin Janzen <janzen@idacom.hp.com> Date: Fri, 27 May 94 14:43:02 MDT Most compression programs add a characteristic signature to the beginning of the compressed output file. If a cryptanalyst guesses that you may be compressing before encrypting, wouldn't this make his job easier? To me, this sounds as though you're adding a known bit of "plaintext" to the start of each message. In short, you are right, compression algorithms often _do_ include a magic number at the begining. However, compression algorithms intended for cryptographic applications don't have to include a magic number. This is especialy true if the crypto system is never used without the compression algorithm. And if magic numbers are unavoidable, then they can be put at the end, and the system run in CFB or CBC modes. Alternatively, a random block can be prepended to the plaintext, and then exored with each of the folowing plaintext blocks (thus creating a garanteed flat distribution for the first bytes of the plain text). Finaly, the state of the art in cryptanalysis (as far as I know), sugests that modern crypto systems aren't as vulnerable to known plaintext as past systems. The best attacks I know of (differential, and linear cryptanalysis) require masive (about 2^30 blocks for DES) amounts of known, or chosen, plaintext -- though miniscule relative to the key size (2^56 again for DES). j'