Plausible Deniability From Rockstar Cryptographers
J. Karl Rove writes "Nikita Borisov and Ian Goldberg (of many, many other projects) have released Off the Record Messaging for Gaim. Encrypt an IM, prove (at the time) that it came from you, and deny it later. The authentication works only when the message is sent; anybody can forge all the messages he wants afterwards (toolkit included). Captured or archived messages prove nothing. And forward secrecy means Big Brother can't read your messages even if he wiretaps you AND grabs your computer later on. All the gooey goodness of crypto, with none of the consequences! They have a protocol spec, source code, and Debian and Fedora binaries."
Sometimes Big Brother can 'prove' anything by force. Why do you think he's called Big? Small people need stuff like evidence, proof, and proper legal process. There are many recent examples of Big Brother having his way, proof and fact be damned.
If you create a message, chances are that fragments of the plain text will be in various caches and VM pages on your hard disk. It may not last for very long -- being overwritten by subsequent paging -- but if someone takes your computer soon after, they may find incriminating junk on the HD.
Two wrongs don't make a right, but three lefts do.
Let me get this straight - it can be proved that you
a) created a plausible deniability capable link; and
b) intentionally released the key to said link so that someone else could impersonate you later.
Frequently all that's needed is the fact that you communicated with somebody for evidence - not the specifics of what you said. Sure maybe you just called them up and did some heavy breathing down the line - there's no proof you actually _spoke_, but any jury in the world would convict you.
Of course you work around that by creating a new link every hour to the same person, and maybe or maybe not using it - but it still shows you're in communication with them. There's no way around that.
Nice idea, but don't think your child pornography dealing down this link is going to somehow get you off the hook.
You have to trust the Stamper service. It could be compromised, which normally would only alter timestamps on messages that were already registered. However, after the key is published, the content of any message can be changed as well, or whole new messages can be created and then falsely timestamped. If Stamper becomes a preferred way of verifying anything, it will become an attractive target for COVERT cracking -- those who crack it will try to keep the cracking secret so they can change timestamps on messages of particular interest.
Recall Savannah.gnu.org was cracked a month or more before they found out about it.
So Stamper doesn't add security, it adds "authority", which if compromised could be used against you fraudulently.
The prosecutor only has to prove "beyond a reasonable doubt." Some jurors will convict if they think there's less than 1 in a million chance that you are in fact innocent. Others may convict if they think it's 1 in 10 or less.
Before DNA typing, people were convicted of rape based on blood type, sometimes-foggy eyewitness accounts, supposed motive, a personality type that "fit the profile" plus lack of an alibi. Many of these people were in fact guilty. While we've come a long way with DNA, other crimes are prosecuted with a lower standard of proof and juries do convict. Heck, there are people who think Scott Peterson is innocent and there are some remotely possible scenarios in which he is in fact not guilty.
As for technical things...
A well-armed prosecutor will anticipate your arguments in advance and be prepared to knock them down as best he can. You think a wardriver did the dirty deed? Better hope the prosecutor didn't plant wifi-sniffers in the streets around your house and they register zero 802.11 activity. Actually, you better hope he DID plant sniffers and those sniffers caught the bad guy. Better hope that he didn't get a warrant to use thermal sensors to show someone was sitting at your PC at the time, and that the very same person came out to pick up the morning paper 10 hours later, and that very same person's photograph looks very much like you.
Our justice system will never be perfect. We'll always let a few guilty people go and convict a few innocent people. The only other options are to let a LOT of guilty people go and spare the innocent or lock up a LOT of innocent people and ensure no guilty person walks free.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Deniability is meaningless when only suspicion is necessary.
This appears to have far, far more disadvantages than advantages. All those forged messages can still be used against you in the court of public opinion, which has never needed proof in order to condemn. And tyrants only need to dislike you to execute you. They can dislike you for any reason at all, even for generating suspicion.
I suspect that this would protect someone only in an American court of law. Maybe.
I haven't read the spec in detail, but I thought that the session key used is signed with your real non-transient private key.
With that in mind I still don't see how anyone could forge any packets from me without knowing my key.
An excerpt:
and watch the RIAA and MPAA literally EXPLODE!!!!
1. My end logs messages, yours doesn't.
2. Your end logs messages, mine doesn't.
3. Both ends log messages.
Obviously, if neither end logs messages, the argument is that neither of us sent messages in the first place; part of the point of the scheme is that there's no way to show after the fact that you and I both had the key, and knew it belonged to each other. All the logging party in the middle has is a stack of encrypted messages, and no way to show that you or I ever had the key. They can prove that they have the encryption key, but that doesn't help with evidence, as you and I both claim that we've not got encryption or decryption keys. This is the most common scenario, and leaves you no worse off than you were with plaintext messages, since you've got as much deniability as before, but the investigator cannot read the messages you sent.
In scenarios 1 and 2, the person who didn't log messages claims that they never had the decryption key; again, we can prove that they had the encryption key, but not that they could read the messages. So, as the party that didn't log the messages, you claim that you never received them, and that the party who logged the messages forged them. Again, no worse off than plain text messaging, since the possibility of forgery is identical, but this time a key is needed to read the messages.
In scenario 3, you're doomed anyway, but you would be with plain text messaging too.
Thus, no matter where the attacker is, your privacy and security is always at the same level as it would be with OpenPGP type messaging, and deniability at the same level as plaintext messaging.
I appear to have a blog. Odd.
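The deniability described in the story summary, and the logging scenarios worked through in the comment above, rest on one mechanism: messages are authenticated with a MAC key derived from the session's shared secret, and that MAC key is published once the session is over, so anyone holding a log can then produce tags that verify. The following Python sketch is an added illustration, not OTR's code: a toy SHA-256 stream cipher and a constructed random shared secret stand in for OTR's AES-CTR and the authenticated Diffie-Hellman result, and it shows a genuine message verifying, a forged one verifying just as well once the MAC key is public, and the encryption key staying unaffected by that publication.

```python
import hashlib
import hmac
import secrets


def derive_keys(shared_secret):
    """Derive the session encryption key and its MAC key.
    As in OTR, the MAC key is a hash of the encryption key, so publishing
    the MAC key later reveals nothing that helps decrypt the traffic."""
    enc_key = hashlib.sha256(b"demo-enc" + shared_secret).digest()
    mac_key = hashlib.sha256(enc_key).digest()
    return enc_key, mac_key


def _keystream(enc_key, counter, length):
    # Toy counter-mode keystream from SHA-256, standing in for OTR's AES-CTR.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encrypt(enc_key, counter, data):
    # XOR stream cipher: calling it again on the ciphertext decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, counter, len(data))))


def tag(mac_key, counter, ciphertext):
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


def verify(mac_key, counter, ciphertext, t):
    return hmac.compare_digest(tag(mac_key, counter, ciphertext), t)


def demo(shared_secret=None):
    # Constructed secret standing in for the result of the authenticated DH exchange.
    shared_secret = shared_secret or secrets.token_bytes(32)
    enc_key, mac_key = derive_keys(shared_secret)
    ctr, msg = 1, b"meet at noon"
    ct = encrypt(enc_key, ctr, msg)
    genuine_ok = verify(mac_key, ctr, ct, tag(mac_key, ctr, ct))  # valid while the session is live
    # Once the session is over OTR publishes mac_key. A logger who captured only
    # ciphertext can now attach a tag that verifies to bytes of their own choosing,
    # so a logged message with a good tag is no evidence of who wrote it...
    forged_ct = secrets.token_bytes(len(msg))
    forged_ok = verify(mac_key, ctr, forged_ct, tag(mac_key, ctr, forged_ct))
    # ...while reading the real plaintext still needs enc_key, which was never published.
    return genuine_ok, forged_ok, encrypt(enc_key, ctr, ct) == msg
```

`demo()` returns `(True, True, True)`: the genuine tag verifies, the forged tag verifies too, and the original message still round-trips only with the unpublished encryption key.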