Slashdot Mirror


Plausible Deniability From Rockstar Cryptographers

J. Karl Rove writes "Nikita Borisov and Ian Goldberg (of many, many other projects) have released Off the Record Messaging for Gaim. Encrypt an IM, prove (at the time) that it came from you, and deny it later. The authentication works only when the message is sent; anybody can forge all the messages he wants afterwards (toolkit included). Captured or archived messages prove nothing. And forward secrecy means Big Brother can't read your messages even if he wiretaps you AND grabs your computer later on. All the gooey goodness of crypto, with none of the consequences! They have a protocol spec, source code, and Debian and Fedora binaries."

5 of 358 comments

  1. Re:I wonder by Entrope · Score: 5, Informative

    "Later" is after the speaker decides that conversation is over. You pick a signing key for your messages, sign it with your normal public key, send messages using the first key, and your correspondent can confirm you are who you claim. When you want to finish the conversation, you publish (at least to your correspondent) the temporary signing key, and anyone who has it can then forge messages that are as trustable as what you said.

  2. Re:a little information would be nice by chill · Score: 4, Informative

    It authenticates and creates a "conversation". This allows you to be certain the person on the other end is who you think it is. DH key exchange is performed.

    Then, messages sent during that conversation are encrypted using disposable session keys. (128-bit AES w/SHA-1 HMAC).

    Think of it as an authentication tunnel down which you send encrypted messages. The message encryption is in no way related to the authentication, and the disposable session keys mean they have no re-use value.

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.

  3. Re:Deniable until they look at your swap partition by Mr.Ned · Score: 4, Informative

    That's why you have encrypted swap. On OpenBSD it's as simple as setting the sysctl 'vm.swapencrypt.enable=1'; there are HOWTOs for other operating systems. Look for the device mapper on Linux, for example.

  4. Re:a little information would be nice by farnz · Score: 4, Informative

    It uses PGP to share a key between two or more people; it then uses that key to authenticate the conversation. The difference between this and OpenPGP is that OpenPGP authenticates that the owner of a given OpenPGP key sent a message. This scheme proves that someone with the shared key sent the message.

    Thus, I can create a key that I send to my friend. He and I discuss things, both using that key for encryption. When we've finished, we publish the key used for the conversation, and anyone can now add to the conversation. Thus, while we keep the key secret between us, we're assured of a private conversation; when we publish the key, anyone can add to it, thus giving the deniability.

  5. Re:a little information would be nice by stolen.identity · Score: 3, Informative

    The key seems to be the "disposable key" part.

    With normal public-key crypto, you sign with your actual private key, and you encrypt with the recipient's actual public key. This means that if someone gets hold of the recipient's private key, they can decrypt the messages, and because your public key is, well, public, they can prove that you wrote the message.

    In this system, you generate throw-away keys, and exchange them securely when you start communicating. After you are done communicating, you can just throw away the keys, or you can publish them if you want. They are of no use, really. Someone can decrypt your communication, but they can't prove that it was you that wrote it, and once you publish the key, anyone else can forge messages that look like they were part of the conversation.

    During the conversation, you have the security, authentication and non-repudiation that you are looking for - you can be sure that the other party is who they say that they are, that all messages are actually from them, and that only you can read those messages.

    As soon as the conversation is over, you give away the keys and all bets are off - there is no longer a way to prove the identity of the person who sent the message since anyone can now forge messages that appear to be part of the conversation.
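A small stdlib-only model of what comments 2 and 5 describe, added here as an illustration (it is not OTR's code and not a Slashdot post): an ephemeral Diffie-Hellman exchange yields per-conversation encryption and MAC keys; during the chat the MAC lets the recipient confirm the sender; once the MAC key is published anyone can produce a tag that verifies, so a captured transcript proves nothing; and a later conversation derives fresh keys, so seizing those afterwards does not open earlier traffic. The DH group `P`/`G` is a constructed toy parameter, HMAC-SHA256 in counter mode stands in for AES-CTR, and all function names are this example's own.

```python
"""Toy model of ephemeral-key, MAC-authenticated messaging (added example, not OTR's code)."""
import hashlib
import hmac
import secrets

# Toy DH group, CONSTRUCTED for illustration only; far too small for real use.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Ephemeral DH key: private exponent and public value."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_keys(shared):
    """Split the DH secret into a 128-bit encryption key and a 160-bit MAC key."""
    s = shared.to_bytes(16, "big")
    enc_key = hashlib.sha256(b"enc" + s).digest()[:16]
    mac_key = hashlib.sha256(b"mac" + s).digest()[:20]
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter-mode keystream; HMAC-SHA256 stands in for AES so this stays stdlib-only."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(enc_key, mac_key, counter, plaintext):
    """Encrypt, then MAC the ciphertext (the AES + SHA-1 HMAC pairing from the thread)."""
    nonce = counter.to_bytes(8, "big")
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha1).digest()
    return nonce, ct, tag


def open_msg(enc_key, mac_key, nonce, ct, tag):
    """Verify the MAC, then decrypt. Raises ValueError on a bad tag."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad MAC")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def forge_after_publication(mac_key, nonce, ct, known_pt, new_pt):
    """Once the MAC key is public, anyone holding a captured message can rewrite it
    (counter mode is XOR-malleable) and re-MAC it, with no encryption key at all.
    This is exactly why an archived transcript cannot attribute a message to anyone."""
    assert len(known_pt) == len(new_pt)
    new_ct = bytes(c ^ a ^ b for c, a, b in zip(ct, known_pt, new_pt))
    new_tag = hmac.new(mac_key, nonce + new_ct, hashlib.sha1).digest()
    return nonce, new_ct, new_tag


def run_conversation(plaintext):
    """One chat: ephemeral DH, one sealed message, then the ephemeral private keys are
    discarded. Returns what a wiretap sees plus the keys the parties hold afterwards."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    shared = pow(b_pub, a_priv, P)
    assert shared == pow(a_pub, b_priv, P)
    enc_key, mac_key = derive_keys(shared)
    message = seal(enc_key, mac_key, 1, plaintext)
    del a_priv, b_priv  # forward secrecy: nothing is left from which to recompute `shared`
    return {"wiretap": (a_pub, b_pub, message), "enc_key": enc_key, "mac_key": mac_key}


def demo():
    original = b"meet at noon"
    chat1 = run_conversation(original)
    enc1, mac1 = chat1["enc_key"], chat1["mac_key"]
    nonce, ct, tag = chat1["wiretap"][2]
    results = {}
    # During the chat: the recipient's MAC check passes, so he knows who sent it.
    results["bob_verified"] = open_msg(enc1, mac1, nonce, ct, tag) == original
    # After the chat, with mac1 published: a third party produces a message that verifies.
    forged = forge_after_publication(mac1, nonce, ct, original, b"meet at dusk")
    results["forgery_verifies"] = open_msg(enc1, mac1, *forged) == b"meet at dusk"
    # A later conversation uses fresh keys; seizing those opens nothing from chat 1.
    chat2 = run_conversation(b"unrelated")
    try:
        open_msg(chat2["enc_key"], chat2["mac_key"], nonce, ct, tag)
        results["old_traffic_safe"] = False
    except ValueError:
        results["old_traffic_safe"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The three flags `demo()` returns map onto the thread's three claims: authentication holds while the MAC key is secret, anyone can forge once it is published, and each conversation's keys are independent of the next.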