Slashdot Mirror

← Back to Stories (view on slashdot.org)

Plausible Deniability From Rockstar Cryptographers

Posted by CmdrTaco on from the because-you-can dept.

J. Karl Rove writes "Nikita Borisov and Ian Goldberg (of many, many other projects) have released Off the Record Messaging for Gaim. Encrypt an IM, prove (at the time) that it came from you, and deny it later. The authentication works only when the message is sent; anybody can forge all the messages he wants afterwards (toolkit included). Captured or archived messages prove nothing. And forward secrecy means Big Brother can't read your messages even if he wiretaps you AND grabs your computer later on. All the gooey goodness of crypto, with none of the consequences! They have a protocol spec, source code, and Debian and Fedora binaries."

32 of 358 comments (clear)

  1. My foolproof encryption method by Anonymous Coward · · Score: 4, Funny

    Who needs any of this? Just try what I do: write your messages as GW Basic programs. This is so uncrackable that even I can't tell what is in it after I use it.

  2. Just need one other thing by raider_red · · Score: 3, Funny

    A way to deny some of the stupider posts I've made on Slashdot.

    --
    It's good to use your head, but not as a battering ram.
  3. I hope the distros will do their part by MikeCapone · · Score: 4, Interesting

    This thing sounds great, but before it is really useful it needs to be out there in sufficient numbers. I hope that distros will start installing it by default on their default gaim version.

    --
    Treehugger? Treehugger... Treehugger!
  4. I wonder by ab384 · · Score: 4, Funny

    How much later is "later"?

    "Did I just say that I'd walk the dog?"
    "Yes!"
    "Nobody can prove that I just said that."

    1. Re:I wonder by Entrope · · Score: 5, Informative

      "Later" is after the speaker decides that conversation is over. You pick a signing key for your messages, sign it with your normal public key, send messages using the first key, and your correspondent can confirm you are who you claim. When you want to finish the conversation, you publish (at least to your correspondent) the temporary signing key, and anyone who has it can then forge messages that are as trustable as what you said.

    2. Re:I wonder by roystgnr · · Score: 5, Interesting

      What stops your correspondent from sending your messages to something like Stamper before you publish the temporary key? After the temporary key is published it will be possible to forge messages signed by that key, but it won't be possible without the collaboration of the timestamping service to forge messages signed by that key and dated before it's publication.

    3. Re:I wonder by Anonymous Coward · · Score: 4, Interesting

      With Stamper he can prove he received a message before a certain time. What he can't prove is that he hadn't already got the signing key at this time (as nobody will certify the time of the publication of the key). So while he knows these messages were sent by you, he can't prove it to anyone else, as he could have gotten the signing key first, then generated the messages and then send first the messages to Stamper and the key afterwards.

  5. Rockstar Cryptographers? by Chris+Mattern · · Score: 3, Funny

    Does this mean it's going to feature in the next edition of GTA?

    Chris Mattern

  6. Big brother doesn't need proof by Anonymous Coward · · Score: 5, Insightful

    Sometimes Big Brother can 'prove' anything by force. Why do you think he's called Big? Small people need stuff like evidence, proof, and proper legal process. There are many recent examples of Big Brother having his way, proof and fact be damned.

  7. Deniable until they look at your swap partition by G4from128k · · Score: 5, Insightful

    If you create a message, chances are that fragments of the plain text will be in various caches and VM pages on your harddisk. It may not last for very long -- being overwritten by subsequent paging -- but if someone takes your computer soon after, they may find incriminating junk on the HD.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Deniable until they look at your swap partition by Mr.Ned · · Score: 4, Informative

      That's why you have encrypted swap. On OpenBSD it's as simple as setting the sysctl 'vm.swapencrypt.enable=1'; there are HOWTOs for other operating systems. Look for the device mapper on Linux, for example.

  8. Re:a little information would be nice by chill · · Score: 4, Informative

    It authenticates and creates a "conversation". This allows you to be certain the person on the other end is who you think it is. DH key exchange is performed.

    Then, messages sent during that conversation are encrypted using disposable session keys. (128-bit AES w/SHA-1 HMAC).

    Think of it as an authentication tunnel down which you send encrypted messages. The message encryption is in no way related to the authentication, and the disposable session keys mean they have no re-use value.

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. how about dual-plaintext messages? by man_ls · · Score: 4, Interesting

    I really want a cryptosystem where I can enter, say, two different plaintexts (of similar length, I imagine) and then there are two keys: the private key, and the decoy key.

    If required to give up "your private key" then give up the decoy key. The decoy plaintexts decrypts, and you're done. The real plaintext is still hidden away.

    Does anything like this exist?

    1. Re:how about dual-plaintext messages? by myowntrueself · · Score: 3, Interesting

      "Does anything like this exist?"

      Its called 'steganography'

      What you do is you have a huge stash of embarassing hardcore porn, say 'bukkake bloopers 2000'

      You use steganography to hide your real naughtyness inside those images and encrypt the image archive.

      When someone insists that you decrypt it, you naturally get really embarassed but finally relent.

      They see what you are 'hiding' and maybe laugh in your face; but they don't detect the stegged content (which would, presumably, be *far* worse than 'bukkake bloopers 2000' but what *that* could be I cannot imagine).

      --
      In the free world the media isn't government run; the government is media run.
    2. Re:how about dual-plaintext messages? by Speare · · Score: 3, Interesting

      I thought of the duress keyphrase, too. While we're randomly thinking, I once imagined that a good keyphrase (decoy or otherwise) would be the full text to the Fourth Amendment. Then recite the keyphrase only under oath before a Judge. Worth a shot, anyway.

      --
      [ .sig file not found ]
    3. Re:how about dual-plaintext messages? by Qzukk · · Score: 3, Interesting

      Yes, its called "Phonebook Encryption". Not sure why. It's written by familiar faces though.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:how about dual-plaintext messages? by corbettw · · Score: 3, Funny

      What you do is you have a huge stash of embarassing hardcore porn, say 'bukkake bloopers 2000'

      They see what you are 'hiding' and maybe laugh in your face

      There's a joke in there somewhere, I just know it...

      --
      God invented whiskey so the Irish would not rule the world.
    5. Re:how about dual-plaintext messages? by cutecub · · Score: 4, Interesting
      The only conceptually similar system I know about is the, now defunct, rubberhose.

      Rubberhose was a plausibly-deniable disk encryption system which allowed you to create 2 distinct encrypted file systems which occupied the same disk space.

      One would be the decoy and have harmless boring info, the other would be the "real" file system.

      If you were compelled to give up the passphrase to the filesystem, you could give up the decoy passphrase.

      The implementation was tricky, because neither file system could "know" about the other, otherwise, an enemy would know you were hiding the "real" file system and could imprison or torture you into giving up the passphrase.

      Since the stakes were high, Rubberhose had features to thwart forensic disk-surface analysis. A percentage of disk blocks from both file systems would be randomly repositioned on the drive, to ensure that the more heavily used "real" file system didn't stand out in any statistical way.

      I'd love to see something similar revived.

      -Sean

    6. Re:how about dual-plaintext messages? by foniksonik · · Score: 4, Funny

      It's true. 2000 was a horrible year for bukkake.... very embarassing... now 1999, that was vintage bukkake.. ;-p I've got some I'm saving for my wedding night.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
  10. Excellent! by boodaman · · Score: 4, Interesting

    Wonderful stuff if it does everything it is supposed to do. I can't wait to check it out.

    I've often wondered about this when it comes to forensics testimony. For example, even if you have my computer with some incriminating evidence on there, how can you prove beyond reasonable doubt that I put it there? I would think that unless you have a video tape of me typing the incriminating evidence on the keyboard, and can prove that the tape was made at the time in question and is unaltered, is the only way to prove anything.

    Computers can be programmed to do anything at anytime, including carrying on a "conversation". You can also easily create an incriminating e-mail message that looks like it was sent, but it never was. Ditto log files, etc. For example, Apache log files are text: it would be trivial to create a script that spoofed a log file with your IP address as the incriminating info...but then how does the plaintiff prove that isn't how it was created?

  11. This is great... by Duncan3 · · Score: 3, Interesting

    Not sure for _who_, but it's great.

    I can see some people having huge use for this, drug dealers, chat room stalkers, and of course all communications between an executive and their broker ;) Any place you need to be able to say "I didn't say that" later - where woulkd that be except a courtroom???

    I can't think of any good reason for _me_ to use it tho. Maybe I'm just not shadey enough.

    --
    - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
  12. Plausible "yeah right" by Bronster · · Score: 4, Insightful

    Let me get this straight - it can be proved that you

    a) created a plausible deniability capable link; and

    b) intentionally released the key to said link so that someone else could impersonate you later.

    Frequently all that's needed is the fact that you communicated with somebody for evidence - not the specifics of what you said. Sure maybe you just called them up and did some heavy breathing down the line - there's no proof you actually _spoke_, but any jury in the world would convict you.

    Of course you work around that by creating a new link every hour to the same person, and maybe or maybe not using it - but it still shows you're in communication with them. There's no way around that.

    Nice idea, but don't think your child pornography dealing down this link is going to somehow get you off the hook.

  13. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  14. Perl-ize this with that 25 line P2P by fuzzy12345 · · Score: 4, Funny

    Quick, someone, anyone. Combine this with yesterday's P2P In 15 Lines of Perl: http://developers.slashdot.org/article.pl?sid=04/1 2/15/1953227&tid=95&tid=156&tid=1

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.
  15. Ah... so that explains this IM conversation... by Anonymous Coward · · Score: 3, Funny

    BillG: So, did the donation to the SCO fund to kill Linux go through?

    SBallmer: Yep, sure did. And we even explained the need for us to buy one of their licenses for unlimited computers. You know, for our in-house independent benchmarking company. You know, the whole "Get the Facts" campaign?

    BillG: I see... but this SCO thing doesn't look like it's going to work. We need to go after them in even more indirect ways to avoid more antitrust sanctions. With Ashcroft gone, we may get a harder wrist-slap than last time.

    SBallmer: We're already getting the puppet companies set up now. They have applied for tons of patents that could destroy Linux. We simply buy a perpetual license to all patents for a cool billion, and we're set.

    BillG: How can companies apply for patents that already exist in Linux? What about prior art?

    SBallmer: Don't worry, there's plenty of critical new or rewritten code since the patent applications that violates them. We've even guessed what Linux might add in the future, and patented that as well!

    BillG: But if those lawsuits fail.. then what?

    SBallmer: Well, we're working on getting the GPL ruled illegal. We're also going to deal a blow to all open source operating systems by our deals with bios manufacturers to only run operating systems who have paid their license to get the code signed. (Don't worry, they listen to our piles of money - if they obey us, they money keeps coming)

    BillG: So, you want the computer to be like an xbox, then? We might want to start drafting legislation for mod chips to prevent people from using linux.. er.. pirated copies of windows longhorn without the subscription/expiration feature. After all, we don't want people to use windows without paying their subscriptions...

    SBallmer: Already in the works. Prebought PCs will include a 3 year subscription to Longhorn Home/Crippled Edition. After this 3 years is up, the people buy a new computer rather than renewing their license (for an old computer, mind you) for another 3 years. The money from Intel and Dell is already pouring in. We can't allow mod chips because people would just use that to load the Corporate Edition.

  16. One Really Good Use by Thunderstruck · · Score: 3, Interesting

    Is for folks in Law Firms. An option like this can permit a lawyer to communicate over the internet with a client in a secure way (because getting my client to go through the process of encrypting stuff with GPG is unlikely at best) ... but where intercepted be useless as evidence in court.

    I gotta have it.

    --
    Trying to use sarcasm in text-based forums does not work.
  17. holy grail of file sharing by Mantorp · · Score: 3, Funny

    a while back there was a story up here about a gaim plugin as a p2p app, couple it with this and you can say "It wasn't me" that downloaded that Shaggy album.

  18. Re:a little information would be nice by farnz · · Score: 4, Informative
    It uses PGP to share a key between two or more people; it then uses that key to authenticate the conversation. The difference between this and OpenPGP is that OpenPGP authenticates that the owner of a given OpenPGP key sent a message. This scheme proves that someone with the shared key sent the message.

    Thus, I can create a key that I send to my friend. He and I discuss things, both using that key for encryption. When we've finished, we publish the key used for the conversation, and anyone can now add to the conversation. Thus, while we keep the key secret between us, we're assured of a private conversation; when we publish the key, anyone can add to it, thus giving the denability

    --
    I appear to have a blog. Odd.
  19. This is great! by lawpoop · · Score: 3, Interesting

    What I would like to see is some kind of encrypted, p2p, email/IM replacement that doesn't rely on centralized servers. I realise what I've said is redundant -- P2P that doesn't rely on servers, but I'm trying to be clear. Messages would get routed through webs of trust, and if you lose your keys, you can have your new keys signed by people you know in real life. This would totally eliminate spam and ensure privacy and authentication for communcations.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
    1. Re:This is great! by legirons · · Score: 3, Interesting

      "What I would like to see is some kind of encrypted, p2p, email/IM replacement that doesn't rely on centralized servers"

      Well why not go looking for them then, rather than writing it on slashdot. Many exist. Even something like InvisibleNet's IIP (invisible IRC proxy) would do lots of what you want, Konspire2B would do more, there are more encrypted P2P and chat tools than you can shake a stick at, plus protocols that offer what you want with many different clients. Or go all the way and try GNUNet (replacement for freenet) and such like.

      People are always posting "oh if only there was a distributed deniable torrented video blogging system with a pseudononymous web-of-trust" or something, yet I never see you on my Konspire2B client. Just download the damn things and see what they do, some of the apps are really quite cool.

  20. Re:a little information would be nice by stolen.identity · · Score: 3, Informative

    The key seems to be the "disposable key" part.

    With normal public-key crypto, you sign with your actual private key, and you encrypt with the recipients actual public key. This means that if someone gets hold of the recipients private key, then can decrypt the messages, and because your public key is, well, public, they can prove that you wrote the message.

    In this system, you generate throw-away keys, and exchange them securely when you start communicating. After you are done communicating, you can just throw away the keys, or you can publish them if you want. They are of no use, really. Someone can decrypt your communication, but they can't prove that it was you that wrote it, and once you publish the key, anyone else can forge messages that look like they were part of the conversation.

    During the conversation, you have the security, authentication and non-repudiation that you are looking for - you can be sure that the other party is who they say that they are, that all messages are actually from them, and that only you can read those messages.

    As soon as the conversation is over, you give away the keys and all bets are off - there is no longer a way to prove the identity of the person who sent the message since anyone can now forge messages that appear to be part of the conversation.

  21. Is this expanded problem solveable? by logicnazi · · Score: 3, Interesting

    Wow, that was an interesting and clever paper. At the very end of the paper though they consider the situation with email. In particular the question is asked if an encryption system which works for an asynchronos system like email but doesn't allow outsiders to prove authorship is possible.

    The solution proposed is to use ring signatures which only permit proof that one of the parties to the communication (secret) wrote the message. As the authors note this solution still suffers from the defect that a third party who manages to obtain the plaintext of a message can still prove that it was created by one of the participants. This can be partially protected against by encrypting the signature part of the message (assuming the message itself was not already so encrypted) to the recipient but if the recipients private keys are ever comprimised (a subpeona, confiscation of computer by law enforcement) this protection vanishes.

    The authors contend that no system using a non-interactive protocol can both provide authentication to the parties involved but resist proof of authorship by at least one of the parties in the case of key comprimise. I don't believe this is correct and while I can not provide a full system which demonstrates this property I can provide a sketch of how one might work and it would be an intriguing problem to design a cryptographic system with these properties.

    Suppose at some time t0 Bob creates a public private key pair together with time stamp attesting to the time of creation. This time stamp, and the key itself could be authenticated by Bob signing with his conventional non-repuditory long-lived key. Let us call the key parts Public and Private. Suppose also that we can discover a one way function S with an associated function (not necessarily one-way) P with the following property. If we apply the one way function S to Private and the function P to Public we create a new public/private key-pair, i.e., S(Private) is the private key associated with public key P(Public). If we could find such suitable functions we could design a cryptosystem with the requisite properties.

    Every time a fixed interval of time passes, say an hour, Bob applies the one-way function S to Private storing the new result and forgetting the original key. Thus after 1 hour Bob has the key S(Private) after two hours S(S(Private)) and so forth. Now when Alice chooses to send Bob a message she chooses for what period of time Bob is capable of authenticating that message. If she thinks he will read it immediatly she might choose an hour, if he is out of town perhaps a week. After composing the message Alice computes some sort of signature/authentication (Ring signature etc..). Now alice computes the number of hours that will have passed between the creation time stamp of Bob's public key and the time her authentication period ends. She then applies the function P to Public once for every hour and uses the result to encrypt her signature. She then appends the encrypted signature, and the unencrypted time it will expire to the message and sends it to Bob. If the communication is to be secret she could then encrypt the entire message authentican and all with her favorite encryption scheme.

    So long as Bob recieves the message from Alice before the authentican period has ended he has no trouble decrypting the authenticating signature. Bob simply computes the number of hours from the current time until the authentication period ends, applies S to Private that many times (not forgetting the current value of private in this case) and uses the result to decrypt Alice's authentication since the properties of the functions guarantee this is the corresponding private key to the public key alice used for encryption. Once decrypted the signature authenticates Alice's message and then is discarded by Bob (If a ring signature is used Bob can create the same signature at any time if he has the message plaintext so has no incentive to keep the decrypted signature).

    However, once the

    --

    If you liked this thought maybe you would find my blog nice too: