Slashdot Mirror


Plausible Deniability From Rockstar Cryptographers

J. Karl Rove writes "Nikita Borisov and Ian Goldberg (of many, many other projects) have released Off the Record Messaging for Gaim. Encrypt an IM, prove (at the time) that it came from you, and deny it later. The authentication works only when the message is sent; anybody can forge all the messages he wants afterwards (toolkit included). Captured or archived messages prove nothing. And forward secrecy means Big Brother can't read your messages even if he wiretaps you AND grabs your computer later on. All the gooey goodness of crypto, with none of the consequences! They have a protocol spec, source code, and Debian and Fedora binaries."

18 of 358 comments

  1. My foolproof encryption method by Anonymous Coward · · Score: 4, Funny

    Who needs any of this? Just try what I do: write your messages as GW Basic programs. This is so uncrackable that even I can't tell what is in it after I use it.

  2. I hope the distros will do their part by MikeCapone · · Score: 4, Interesting

    This thing sounds great, but before it is really useful it needs to be out there in sufficient numbers. I hope that distros will start installing it by default on their default gaim version.

  3. I wonder by ab384 · · Score: 4, Funny

    How much later is "later"?

    "Did I just say that I'd walk the dog?"
    "Yes!"
    "Nobody can prove that I just said that."

    1. Re:I wonder by Entrope · · Score: 5, Informative

      "Later" is after the speaker decides that conversation is over. You pick a signing key for your messages, sign it with your normal public key, send messages using the first key, and your correspondent can confirm you are who you claim. When you want to finish the conversation, you publish (at least to your correspondent) the temporary signing key, and anyone who has it can then forge messages that are as trustable as what you said.

    2. Re:I wonder by roystgnr · · Score: 5, Interesting

      What stops your correspondent from sending your messages to something like Stamper before you publish the temporary key? After the temporary key is published it will be possible to forge messages signed by that key, but it won't be possible without the collaboration of the timestamping service to forge messages signed by that key and dated before its publication.

    3. Re:I wonder by Anonymous Coward · · Score: 4, Interesting

      With Stamper he can prove he received a message before a certain time. What he can't prove is that he hadn't already got the signing key at this time (as nobody will certify the time of the publication of the key). So while he knows these messages were sent by you, he can't prove it to anyone else, as he could have gotten the signing key first, then generated the messages, and then sent first the messages to Stamper and the key afterwards.

  4. Big brother doesn't need proof by Anonymous Coward · · Score: 5, Insightful

    Sometimes Big Brother can 'prove' anything by force. Why do you think he's called Big? Small people need stuff like evidence, proof, and proper legal process. There are many recent examples of Big Brother having his way, proof and fact be damned.

  5. Deniable until they look at your swap partition by G4from128k · · Score: 5, Insightful

    If you create a message, chances are that fragments of the plain text will be in various caches and VM pages on your hard disk. It may not last for very long -- being overwritten by subsequent paging -- but if someone takes your computer soon after, they may find incriminating junk on the HD.

    --
    Two wrongs don't make a right, but three lefts do.

    1. Re:Deniable until they look at your swap partition by Mr.Ned · · Score: 4, Informative

      That's why you have encrypted swap. On OpenBSD it's as simple as setting the sysctl 'vm.swapencrypt.enable=1'; there are HOWTOs for other operating systems. Look for the device mapper on Linux, for example.

  6. Re:a little information would be nice by chill · · Score: 4, Informative

    It authenticates and creates a "conversation". This allows you to be certain the person on the other end is who you think it is. DH key exchange is performed.

    Then, messages sent during that conversation are encrypted using disposable session keys. (128-bit AES w/SHA-1 HMAC).

    Think of it as an authentication tunnel down which you send encrypted messages. The message encryption is in no way related to the authentication, and the disposable session keys mean they have no re-use value.

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.

  7. how about dual-plaintext messages? by man_ls · · Score: 4, Interesting

    I really want a cryptosystem where I can enter, say, two different plaintexts (of similar length, I imagine) and then there are two keys: the private key, and the decoy key.

    If required to give up "your private key" then give up the decoy key. The decoy plaintext decrypts, and you're done. The real plaintext is still hidden away.

    Does anything like this exist?

    1. Re:how about dual-plaintext messages? by cutecub · · Score: 4, Interesting

      The only conceptually similar system I know about is the, now defunct, rubberhose.

      Rubberhose was a plausibly-deniable disk encryption system which allowed you to create 2 distinct encrypted file systems which occupied the same disk space.

      One would be the decoy and have harmless boring info, the other would be the "real" file system.

      If you were compelled to give up the passphrase to the filesystem, you could give up the decoy passphrase.

      The implementation was tricky, because neither file system could "know" about the other, otherwise, an enemy would know you were hiding the "real" file system and could imprison or torture you into giving up the passphrase.

      Since the stakes were high, Rubberhose had features to thwart forensic disk-surface analysis. A percentage of disk blocks from both file systems would be randomly repositioned on the drive, to ensure that the more heavily used "real" file system didn't stand out in any statistical way.

      I'd love to see something similar revived.

      -Sean

    2. Re:how about dual-plaintext messages? by foniksonik · · Score: 4, Funny

      It's true. 2000 was a horrible year for bukkake.... very embarrassing... now 1999, that was vintage bukkake.. ;-p I've got some I'm saving for my wedding night.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.

  8. Excellent! by boodaman · · Score: 4, Interesting

    Wonderful stuff if it does everything it is supposed to do. I can't wait to check it out.

    I've often wondered about this when it comes to forensics testimony. For example, even if you have my computer with some incriminating evidence on there, how can you prove beyond reasonable doubt that I put it there? I would think that having a video tape of me typing the incriminating evidence on the keyboard, and being able to prove that the tape was made at the time in question and is unaltered, is the only way to prove anything.

    Computers can be programmed to do anything at anytime, including carrying on a "conversation". You can also easily create an incriminating e-mail message that looks like it was sent, but it never was. Ditto log files, etc. For example, Apache log files are text: it would be trivial to create a script that spoofed a log file with your IP address as the incriminating info...but then how does the plaintiff prove that isn't how it was created?

  9. Plausible "yeah right" by Bronster · · Score: 4, Insightful

    Let me get this straight - it can be proved that you

    a) created a plausible deniability capable link; and

    b) intentionally released the key to said link so that someone else could impersonate you later.

    Frequently all that's needed is the fact that you communicated with somebody for evidence - not the specifics of what you said. Sure maybe you just called them up and did some heavy breathing down the line - there's no proof you actually _spoke_, but any jury in the world would convict you.

    Of course you work around that by creating a new link every hour to the same person, and maybe or maybe not using it - but it still shows you're in communication with them. There's no way around that.

    Nice idea, but don't think your child pornography dealing down this link is going to somehow get you off the hook.

  10. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  11. Perl-ize this with that 25 line P2P by fuzzy12345 · · Score: 4, Funny

    Quick, someone, anyone. Combine this with yesterday's P2P In 15 Lines of Perl: http://developers.slashdot.org/article.pl?sid=04/12/15/1953227&tid=95&tid=156&tid=1

    --

    Everybody's a libertarian 'till their neighbour's becomes a crack house.

  12. Re:a little information would be nice by farnz · · Score: 4, Informative

    It uses PGP to share a key between two or more people; it then uses that key to authenticate the conversation. The difference between this and OpenPGP is that OpenPGP authenticates that the owner of a given OpenPGP key sent a message. This scheme proves that someone with the shared key sent the message.

    Thus, I can create a key that I send to my friend. He and I discuss things, both using that key for encryption. When we've finished, we publish the key used for the conversation, and anyone can now add to the conversation. Thus, while we keep the key secret between us, we're assured of a private conversation; when we publish the key, anyone can add to it, thus giving the deniability.
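The mechanism Entrope (comment 3.1) and farnz (comment 12) describe, reduced to its core, as an added example that is not code from the thread or from the OTR project: both parties derive one shared MAC key from a Diffie-Hellman exchange, tags verify for the other key holder during the conversation, and once the key is published anyone can produce tags that verify just as well. The DH group, the key-derivation step and the sample messages are constructed for illustration and are not OTR's real parameters.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed for illustration, far too small
# for real use): the 127-bit Mersenne prime and a small generator.
P = 2**127 - 1
G = 5

def dh_keypair():
    """Ephemeral DH key: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, other_pub):
    """Both sides compute the same g^(xy) mod p; this is the session secret."""
    return pow(other_pub, priv, P).to_bytes(16, "big")

def derive_mac_key(shared):
    """Conversation MAC key from the DH secret (assumed KDF, not OTR's own)."""
    return hashlib.sha256(b"otr-demo-mac" + shared).digest()

def tag(mac_key, message):
    """HMAC-SHA1 over the message, the MAC the thread attributes to OTR."""
    return hmac.new(mac_key, message, hashlib.sha1).digest()

def verify(mac_key, message, t):
    return hmac.compare_digest(tag(mac_key, message), t)

def demo():
    # Alice and Bob agree a per-conversation secret; Eve is an outsider.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = derive_mac_key(dh_shared(a_priv, b_pub))
    k_bob = derive_mac_key(dh_shared(b_priv, a_pub))
    msg = b"I'll walk the dog"                     # constructed sample message
    t = tag(k_alice, msg)
    # During the conversation Bob accepts the tag: only a key holder made it.
    bob_accepts = k_alice == k_bob and verify(k_bob, msg, t)
    # Bob holds the same key, so he can produce an identical tag himself;
    # the tag therefore cannot convince a third party *which* of them wrote it.
    bob_can_forge = tag(k_bob, b"fake") == tag(k_alice, b"fake")
    # Without the key Eve's tag fails...
    eve_msg = b"Alice confesses"
    forgery_before = verify(k_bob, eve_msg, tag(secrets.token_bytes(32), eve_msg))
    # ...but once the MAC key is published, her forgery verifies like the real thing.
    published_key = k_alice
    forgery_after = verify(k_bob, eve_msg, tag(published_key, eve_msg))
    return {"bob_accepts": bob_accepts, "bob_can_forge": bob_can_forge,
            "forgery_before_publication": forgery_before,
            "forgery_after_publication": forgery_after}
```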