Plausible Deniability From Rockstar Cryptographers
J. Karl Rove writes "Nikita Borisov and Ian Goldberg (of many, many other projects) have released Off the Record Messaging for Gaim. Encrypt an IM, prove (at the time) that it came from you, and deny it later. The authentication works only when the message is sent; anybody can forge all the messages he wants afterwards (toolkit included). Captured or archived messages prove nothing. And forward secrecy means Big Brother can't read your messages even if he wiretaps you AND grabs your computer later on. All the gooey goodness of crypto, with none of the consequences! They have a protocol spec, source code, and Debian and Fedora binaries."
Who needs any of this? Just try what I do: write your messages as GW Basic programs. This is so uncrackable that even I can't tell what is in it after I use it.
Or is your FP plausibly deniable? ;)
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
A way to deny some of the stupider posts I've made on Slashdot.
It's good to use your head, but not as a battering ram.
This thing sounds great, but before it is really useful it needs to be out there in sufficient numbers. I hope that distros will start installing it by default on their default gaim version.
Treehugger? Treehugger... Treehugger!
How much later is "later"?
"Did I just say that I'd walk the dog?"
"Yes!"
"Nobody can prove that I just said that."
Does this mean it's going to feature in the next edition of GTA?
Chris Mattern
I think cross-client compatible encryption is more important at the moment. Jabber offers OpenPGP, but the development of the gaim plugin that also does this stalled a while ago. Bummer. As long as only gaim talks to gaim with a particular encryption, it won't get used on a wide scale.
Is there an Internet Cafe at Guantanamo?
Sometimes Big Brother can 'prove' anything by force. Why do you think he's called Big? Small people need stuff like evidence, proof, and proper legal process. There are many recent examples of Big Brother having his way, proof and fact be damned.
If you create a message, chances are that fragments of the plain text will be in various caches and VM pages on your harddisk. It may not last for very long -- being overwritten by subsequent paging -- but if someone takes your computer soon after, they may find incriminating junk on the HD.
Two wrongs don't make a right, but three lefts do.
It authenticates and creates a "conversation". This allows you to be certain the person on the other end is who you think it is. DH key exchange is performed.
Then, messages sent during that conversation are encrypted using disposable session keys. (128-bit AES w/SHA-1 HMAC).
Think of it as an authentication tunnel down which you send encrypted messages. The message encryption is in no way related to the authentication, and the disposable session keys mean they have no re-use value.
-Charles
Learning HOW to think is more important than learning WHAT to think.
I really want a cryptosystem where I can enter, say, two different plaintexts (of similar length, I imagine) and then there are two keys: the private key, and the decoy key.
If required to give up "your private key" then give up the decoy key. The decoy plaintext decrypts, and you're done. The real plaintext is still hidden away.
Does anything like this exist?
Wonderful stuff if it does everything it is supposed to do. I can't wait to check it out.
I've often wondered about this when it comes to forensics testimony. For example, even if you have my computer with some incriminating evidence on there, how can you prove beyond reasonable doubt that I put it there? I would think that having a video tape of me typing the incriminating evidence on the keyboard, and being able to prove that the tape was made at the time in question and is unaltered, is the only way to prove anything.
Computers can be programmed to do anything at anytime, including carrying on a "conversation". You can also easily create an incriminating e-mail message that looks like it was sent, but it never was. Ditto log files, etc. For example, Apache log files are text: it would be trivial to create a script that spoofed a log file with your IP address as the incriminating info...but then how does the plaintiff prove that isn't how it was created?
Not sure for _who_, but it's great.
;) Any place you need to be able to say "I didn't say that" later - where would that be except a courtroom???
I can see some people having huge use for this, drug dealers, chat room stalkers, and of course all communications between an executive and their broker
I can't think of any good reason for _me_ to use it tho. Maybe I'm just not shady enough.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Let me get this straight - it can be proved that you
a) created a plausible deniability capable link; and
b) intentionally released the key to said link so that someone else could impersonate you later.
Frequently all that's needed is the fact that you communicated with somebody for evidence - not the specifics of what you said. Sure maybe you just called them up and did some heavy breathing down the line - there's no proof you actually _spoke_, but any jury in the world would convict you.
Of course you work around that by creating a new link every hour to the same person, and maybe or maybe not using it - but it still shows you're in communication with them. There's no way around that.
Nice idea, but don't think your child pornography dealing down this link is going to somehow get you off the hook.
Quick, someone, anyone. Combine this with yesterday's P2P In 15 Lines of Perl: http://developers.slashdot.org/article.pl?sid=04/12/15/1953227&tid=95&tid=156&tid=1
Everybody's a libertarian 'till their neighbour's becomes a crack house.
BillG: So, did the donation to the SCO fund to kill Linux go through?
SBallmer: Yep, sure did. And we even explained the need for us to buy one of their licenses for unlimited computers. You know, for our in-house independent benchmarking company. You know, the whole "Get the Facts" campaign?
BillG: I see... but this SCO thing doesn't look like it's going to work. We need to go after them in even more indirect ways to avoid more antitrust sanctions. With Ashcroft gone, we may get a harder wrist-slap than last time.
SBallmer: We're already getting the puppet companies set up now. They have applied for tons of patents that could destroy Linux. We simply buy a perpetual license to all patents for a cool billion, and we're set.
BillG: How can companies apply for patents that already exist in Linux? What about prior art?
SBallmer: Don't worry, there's plenty of critical new or rewritten code since the patent applications that violates them. We've even guessed what Linux might add in the future, and patented that as well!
BillG: But if those lawsuits fail.. then what?
SBallmer: Well, we're working on getting the GPL ruled illegal. We're also going to deal a blow to all open source operating systems by our deals with bios manufacturers to only run operating systems who have paid their license to get the code signed. (Don't worry, they listen to our piles of money - if they obey us, the money keeps coming)
BillG: So, you want the computer to be like an xbox, then? We might want to start drafting legislation for mod chips to prevent people from using linux.. er.. pirated copies of windows longhorn without the subscription/expiration feature. After all, we don't want people to use windows without paying their subscriptions...
SBallmer: Already in the works. Prebought PCs will include a 3 year subscription to Longhorn Home/Crippled Edition. After this 3 years is up, the people buy a new computer rather than renewing their license (for an old computer, mind you) for another 3 years. The money from Intel and Dell is already pouring in. We can't allow mod chips because people would just use that to load the Corporate Edition.
Is for folks in Law Firms. An option like this can permit a lawyer to communicate over the internet with a client in a secure way (because getting my client to go through the process of encrypting stuff with GPG is unlikely at best) ... but where intercepted be useless as evidence in court.
I gotta have it.
Trying to use sarcasm in text-based forums does not work.
a while back there was a story up here about a gaim plugin as a p2p app, couple it with this and you can say "It wasn't me" that downloaded that Shaggy album.
Thus, I can create a key that I send to my friend. He and I discuss things, both using that key for encryption. When we've finished, we publish the key used for the conversation, and anyone can now add to the conversation. Thus, while we keep the key secret between us, we're assured of a private conversation; when we publish the key, anyone can add to it, thus giving the deniability.
I appear to have a blog. Odd.
What I would like to see is some kind of encrypted, p2p, email/IM replacement that doesn't rely on centralized servers. I realise what I've said is redundant -- P2P that doesn't rely on servers, but I'm trying to be clear. Messages would get routed through webs of trust, and if you lose your keys, you can have your new keys signed by people you know in real life. This would totally eliminate spam and ensure privacy and authentication for communications.
Computers are useless. They can only give you answers.
-- Pablo Picasso
The key seems to be the "disposable key" part.
With normal public-key crypto, you sign with your actual private key, and you encrypt with the recipient's actual public key. This means that if someone gets hold of the recipient's private key, they can decrypt the messages, and because your public key is, well, public, they can prove that you wrote the message.
In this system, you generate throw-away keys, and exchange them securely when you start communicating. After you are done communicating, you can just throw away the keys, or you can publish them if you want. They are of no use, really. Someone can decrypt your communication, but they can't prove that it was you that wrote it, and once you publish the key, anyone else can forge messages that look like they were part of the conversation.
During the conversation, you have the security, authentication and non-repudiation that you are looking for - you can be sure that the other party is who they say that they are, that all messages are actually from them, and that only you can read those messages.
As soon as the conversation is over, you give away the keys and all bets are off - there is no longer a way to prove the identity of the person who sent the message since anyone can now forge messages that appear to be part of the conversation.
Messages sent _before_ transmitting the temporary session key are presumed to be authentic, while messages sent _after_ the temporary session key could have been forged. Not insurmountable, but something to think about.
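The "disposable key" explanation above, and Charles's earlier summary (DH key exchange, then session keys for AES and an HMAC), can be made concrete. The following is an added example written for this page; it is not OTR's code and not any poster's. It assumes a constructed, insecure Diffie-Hellman group (a 127-bit Mersenne prime, far too small for real use) and substitutes an HMAC-SHA1 keystream for the AES-128 that OTR actually uses, because the Python standard library has no AES. What it shows is the key lifecycle: a tag under the session MAC key convinces Bob while only Alice and Bob hold that key, and proves nothing once the key is published, because anyone can then stamp a valid tag on arbitrary bytes.

```python
"""Added example (not OTR's code): why a per-session MAC key authenticates a
conversation while it is secret and proves nothing once it is published.

Assumptions: a constructed toy DH group and an HMAC-SHA1 keystream in place
of OTR's AES-128; the function and variable names are this example's own.
"""
import hashlib
import hmac
import os

P = 2**127 - 1  # toy modulus (constructed); real use needs a 2048-bit+ group
G = 2


def dh_keypair():
    """Fresh ephemeral DH exponent and public value for one conversation."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)


def derive_session_keys(shared):
    """Split the DH shared secret into a disposable encryption key and MAC key."""
    s = shared.to_bytes(16, "big")
    return hashlib.sha1(b"enc" + s).digest(), hashlib.sha1(b"mac" + s).digest()


def keystream_xor(enc_key, nonce, data):
    """Toy stream cipher: HMAC-SHA1 in counter mode, XORed over the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha1).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt, then authenticate the ciphertext with the session MAC key."""
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha1).digest()
    return nonce, ct, tag


def tag_valid(mac_key, msg):
    """The only check a verifier, or a later examiner of an archive, can make."""
    nonce, ct, tag = msg
    return hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha1).digest())


def open_message(enc_key, mac_key, msg):
    """Verify the tag and decrypt; None if the tag does not check out."""
    if not tag_valid(mac_key, msg):
        return None
    nonce, ct, _ = msg
    return keystream_xor(enc_key, nonce, ct)


def conversation_demo():
    """One session between Alice and Bob, then a third party holding the published key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    enc_key, mac_key = derive_session_keys(pow(b_pub, a_priv, P))
    keys_agree = derive_session_keys(pow(a_pub, b_priv, P)) == (enc_key, mac_key)

    # During the session only Alice and Bob hold mac_key, so a valid tag tells
    # Bob the message came from Alice (or from himself, which he can rule out).
    msg = seal(enc_key, mac_key, os.urandom(8), b"I will walk the dog")
    authentic_accepted = open_message(enc_key, mac_key, msg) == b"I will walk the dog"

    # A third party without mac_key (here: a random guess) is rejected.
    guessed_key = os.urandom(20)
    forgery_without_key_rejected = (
        open_message(enc_key, mac_key, seal(enc_key, guessed_key, os.urandom(8), b"x")) is None
    )

    # After the session the MAC key is published (OTR reveals old MAC keys) and
    # the encryption key is discarded. Anyone can now put a valid tag on any
    # bytes, so an archived message with a good tag no longer proves authorship.
    published_mac_key = mac_key
    nonce, fake_ct = os.urandom(8), os.urandom(32)
    fake_tag = hmac.new(published_mac_key, nonce + fake_ct, hashlib.sha1).digest()
    forgery_with_published_key_accepted = tag_valid(published_mac_key, (nonce, fake_ct, fake_tag))

    return {
        "keys_agree": keys_agree,
        "authentic_accepted": authentic_accepted,
        "forgery_without_key_rejected": forgery_without_key_rejected,
        "forgery_with_published_key_accepted": forgery_with_published_key_accepted,
    }


if __name__ == "__main__":
    print(conversation_demo())
```

The example only shows the MAC half of the story. The forward-secrecy half is that `enc_key` is thrown away when the session ends and was never signed with anyone's long-term key, so a wiretapped ciphertext cannot be read later even if the computer is seized; the long-term keys in OTR only authenticate the DH exchange itself, which is why the transcript carries no signature that a third party could hold up afterwards.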
Now I just need something interesting enough to talk about to merit the install :o
STOP. You're being farmed.
1. Receive message from your boss insisting you carry out some risky or unwise instructions.
2. * Disaster *
3. Boss disavows his earlier orders. Guess who is the fall guy?
My rights don't need management.
The prosecutor only has to prove "beyond a reasonable doubt." Some jurors will convict if they think there's less than 1 in a million chance that you are in fact innocent. Others may convict if they think it's 1 in 10 or less.
Before DNA typing, people were convicted of rape based on blood type, sometimes-foggy eyewitness accounts, supposed motive, a personality type that "fit the profile" plus lack of an alibi. Many of these people were in fact guilty. While we've come a long way with DNA, other crimes are prosecuted with a lower standard of proof and juries do convict. Heck, there are people who think Scott Peterson is innocent and there are some remotely possible scenarios in which he is in fact not guilty.
As for technical things...
A well-armed prosecutor will anticipate your arguments in advance and be prepared to knock them down as best he can. You think a wardriver did the dirty deed? Better hope the prosecutor didn't plant wifi-sniffers in the streets around your house and they register zero 802.11 activity. Actually, you better hope he DID plant sniffers and those sniffers caught the bad guy. Better hope that he didn't get a warrant to use thermal sensors to show someone was sitting at your PC at the time, and that the very same person came out to pick up the morning paper 10 hours later, and that very same person's photograph looks very much like you.
Our justice system will never be perfect. We'll always let a few guilty people go and convict a few innocent people. The only other options are to let a LOT of guilty people go and spare the innocent or lock up a LOT of innocent people and ensure no guilty person walks free.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
What with the price of RAM these days? Sorry, but even with a lot of RAM there's not any reason why one shouldn't have swap. What happens when you do overrun your RAM just that one time?
Besides, swap in 'nix isn't used unless you need to. Most of the time my laptop (256MB RAM) doesn't run into swap at all, so chances are I don't have to worry about that.
And as to the temp files, etc... if you do have the RAM to spare and you're really paranoid, mount a nice big 512MB ramdisk on loopback and a quick reboot will permanently lose anything you might not want to keep around (not to mention the speed advantages of RAMdisk vs Physical drivespace).
I can see how I'd want to encrypt my stuff. It might bore someone to death. Here's a real-life example of an IM from this morning. (I'm at work so I use Trillian on Windows NT5.1.)
Me: Dude
Friend: Yo
Me: Whassup?
Friend: Nothing
Friend: You?
Me: Nothing
Friend: Dude
Me: Yo
Friend: How's work?
Me: Work?
Friend: You at home?
Me: Oh.
Me: No, work.
Me: Fine
Me: How's J? She still there?
Friend: Fine. No left with C.
Me: BRB
Friend: Kewl
The Kai's Semi-Updated Website Thingy
I haven't read the spec in detail, but I thought that the session key used is signed with your real non-transient private key.
With that in mind I still don't see how anyone could forge any packets from me without knowing my key.
In a criminal case, your old messages would be a legitimate starting point for an investigation and likely enough on their own to justify a search. To get a warrant, the police don't have to prove you sent the incriminating messages, they just have to persuade a judge that it is reasonable to suppose that you did.
I tried to compile it on Suse 9.1 and it crapped all over itself.
Anyone gotten it to compile/run on Suse 9.1?
GAIM already offers two encryption plugins. It's cool to see another implementation being created.
gaim encryption uses RSA. There's also gaim-e which uses GPG.
I've used gaim encryption and it works very well. It requires the plugin to be installed on both ends but once that's done, it autodetects that both ends support it and enables encryption.
Oh, there's a binary available for windows and both source and packages for linux.
And, it's in portage!
emerge gaim-encryption
To which the jury's usual response is "Quilty!"
No, that's the response when comfortable toilet paper is presented as evidence.
Wow, that was an interesting and clever paper. At the very end of the paper though they consider the situation with email. In particular the question is asked if an encryption system which works for an asynchronous system like email but doesn't allow outsiders to prove authorship is possible.
The solution proposed is to use ring signatures which only permit proof that one of the parties to the communication (secret) wrote the message. As the authors note this solution still suffers from the defect that a third party who manages to obtain the plaintext of a message can still prove that it was created by one of the participants. This can be partially protected against by encrypting the signature part of the message (assuming the message itself was not already so encrypted) to the recipient, but if the recipient's private keys are ever compromised (a subpoena, confiscation of computer by law enforcement) this protection vanishes.
The authors contend that no system using a non-interactive protocol can both provide authentication to the parties involved but resist proof of authorship by at least one of the parties in the case of key compromise. I don't believe this is correct and while I can not provide a full system which demonstrates this property I can provide a sketch of how one might work and it would be an intriguing problem to design a cryptographic system with these properties.
Suppose at some time t0 Bob creates a public/private key pair together with a time stamp attesting to the time of creation. This time stamp, and the key itself, could be authenticated by Bob signing with his conventional non-repudiatory long-lived key. Let us call the key parts Public and Private. Suppose also that we can discover a one-way function S with an associated function (not necessarily one-way) P with the following property. If we apply the one-way function S to Private and the function P to Public we create a new public/private key-pair, i.e., S(Private) is the private key associated with public key P(Public). If we could find such suitable functions we could design a cryptosystem with the requisite properties.
Every time a fixed interval of time passes, say an hour, Bob applies the one-way function S to Private, storing the new result and forgetting the original key. Thus after 1 hour Bob has the key S(Private), after two hours S(S(Private)) and so forth. Now when Alice chooses to send Bob a message she chooses for what period of time Bob is capable of authenticating that message. If she thinks he will read it immediately she might choose an hour, if he is out of town perhaps a week. After composing the message Alice computes some sort of signature/authentication (Ring signature etc..). Now Alice computes the number of hours that will have passed between the creation time stamp of Bob's public key and the time her authentication period ends. She then applies the function P to Public once for every hour and uses the result to encrypt her signature. She then appends the encrypted signature, and the unencrypted time it will expire, to the message and sends it to Bob. If the communication is to be secret she could then encrypt the entire message, authentication and all, with her favorite encryption scheme.
So long as Bob receives the message from Alice before the authentication period has ended he has no trouble decrypting the authenticating signature. Bob simply computes the number of hours from the current time until the authentication period ends, applies S to Private that many times (not forgetting the current value of Private in this case) and uses the result to decrypt Alice's authentication, since the properties of the functions guarantee this is the corresponding private key to the public key Alice used for encryption. Once decrypted the signature authenticates Alice's message and then is discarded by Bob (if a ring signature is used Bob can create the same signature at any time if he has the message plaintext, so has no incentive to keep the decrypted signature).
However, once the
If you liked this thought maybe you would find my blog nice too:
and watch the RIAA and MPAA literally EXPLODE!!!!
For those who want to know how to use encrypted swap partitions on Linux, here is how:
make sure module cryptoloop is loaded:
> modprobe cryptoloop
assuming you want to use /dev/hdb as your swap partition (you can actually use any partition or even a flat file) then type:
> losetup -e aes256 /dev/loop0 /dev/hdb
if /dev/loop0 doesn't work, try loop1 or loop2 etc. (you are looking for an unused loopback device. If you are already using loopback devices, then you probably already know how to do this stuff)
you will be prompted for a passphrase. type lots of random characters (at least 20. the more the merrier). You don't need to remember it because you can use a different one each time you reboot. I like to click random keys on the keyboard for about 45 seconds.
then type
> mkswap /dev/loop0
this formats the partition on the other side of the loopback device to be a swap file. (remember that loop0 is being encrypted prior to the data ever hitting the disk)
and then type
> swapon /dev/loop0
this mounts the swap partition to be a swap file.
you now have an encrypted swap partition all mounted and available as virtual memory. Use 'top' to confirm this.
This swap will not automount at boot this way, unless you put the aforementioned steps into a boot script of some kind. You can deny it or make a script to do it for you. Just make sure you use a random key each time.
I have been using encrypted swap partitions for a few years and I'm never going back.
(hint you can also make encrypted volumes using almost the same steps)
The nifty thing is that since you don't know the keys you use for your swap partition you have plausible deniability.
PS: Your computer will not operate any slower than when using plain swap. I kid you not.
PPS: this works in mandrake and suse.
No one has a right to their *own* opinion. They have a right to the TRUTH.
One of the things that's particularly endemic to the Slashdot community is the "black/white" point of view - the idea that something is secure, or not, it's white or it's black.
But that's not how security is! It's all shades of grey, and the darker the shade of grey, the worse off things are.
Nothing is ever bulletproof, and seldom is anything ever wide-ass open to the world. It's somewhere in between.
I have a remote-desktop package integrated with one of my apps. It makes for very easy tech support, and I've got it built right into the menu system of my most popular application, so that customers using my software package have access to instantaneous, high-quality tech support.
To prevent users from popping up on my development system anytime they have a question, I put a password in place. It requires a small, 4-digit numeric code, and it changes every day.
By slashdot standards, this is terrible security. It's numeric. No letters, just numbers. The code changes every day, but only based on the day of year. It can easily be predicted, if one has any understanding of the underlying, otherwise very simple algorithm used to guess these numbers.
Anybody with a packet sniffer could crack it with one support session.
But, in this case, it really doesn't matter. The worst that will happen is that your computer's desktop will appear on my screen without my Windows VM.
You could DOS me with 10,000 VM screens, but it would take a very short amount of time for me to block the port number for the VPN and kill that.
So, what's the purpose for improving security? It's secure enough. And that's the point. Many people around here will have a cow if something is potentially crackable, while sitting behind physical locks that can be compromised with an expired credit card.
Gosh! Somebody could pull out their credit card, slide it through the gap between the door and the jamb, and break into your home!
In a black/white world, your home would only be considered safe if it had 1/4 inch steel plate exterior, and locks that the NSA would have serious trouble with.
In the real (shades of grey) world, a deadbolt and a solid-core door is usually good enough, and people live with the odds. Heck, even in the worst ranked neighborhood, you have about a 3.5 to 4 percent chance of getting burgled in a given year. (http://www.ojp.usdoj.gov/bjs/glance/burg.htm) I almost never lock my back door, and I've never had a problem with it.
That's good enough security for most, as evidenced by the fact that the most important issue was national security or "the war in Iraq" in the recent election. (http://www.rasmussenreports.com/Issue%20Clusters_Election%20Night.htm)
Notice that individual household crime isn't even on the list (unless you include the 6% "domestic issues"), despite the relative insecurity of the average home.
Brought home to me by the book "Secrets and Lies" by Bruce Schneier, this world is not a black and white world. Relative risk must be evaluated, and the equation must be brought to something we can all live with.
PS: Link to sites with A tags appears to be broken on slashdot. I tried numerous times to post links to the aforementioned sites and could not do so.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I'd imagine it's set up so you automatically give the key to the person you were corresponding with. So there's every possibility they could have written the message (supposedly from you) themselves.
I am trolling