mgraffam@mhv.net
Fri, 27 Mar 1998 18:44:59 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 27 Mar 1998, Eric Murray wrote:
> mgraffam@mhv.net writes:
> > In this way, if an attacker decides to use rubber-hose cryptanalysis
> > against our hero, he can provide the attacker with the authentication
> > key for C(I) and the cipher key to decrypt that stream, yielding I and
> > keeping S secret. Other chaff can be added from /dev/urandom if need
> > be.
>
>
> If the attacker guesses that there's more than one plaintext
> stream, what's to prevent him from continuing the rubber
> hose cryptanalysis until he's gotten the keys to both C(I) and C(S)?
> Or does the deniability rest on convincing the attacker
> that C(S) is merely chaff for C(I)?
Yes, I admit this is a problem. But I do not think it is unique to this
scheme. In any deniable encryption system, there is nothing to stop a
the attacker from continuing the beating "just to be sure." As far as
I can see, the best we can do is to wipe clean any profile of the two
streams. Make both distributions looks as close as possible to each
other while hiding their contents, and let the lot of it stick together.
Ideally, this would be implemented in a way such that a whole lot of data
is in that file. Everything from S and I to the Bard's Sonnets and other
other stuff we can throw in there. Preferrably, this would be used in an
ordinary way, merged with the OS so that much generic file retrieval would
be through this garbage dump of data. This way, it is prefectly reasonable
for this file to be large, and it would not be out of the ordinary in the
least for this file to be hundreds of times the size of S.
A continued beating would still get S. Even if we created a system were
all evidence of S were hidden, a rubber hose can still get S. Hit a man
hard enough, and for a long enough period of time, and he'll tell you
his most sensitive and secret S, and probably the neighbor's too if he
can.
I figure the best we can do is to hide the contents of S with crypto and
hide its existence through other means. Traditional stego works well
for this latter goal, but it does not give us a way to cough up something
meaningful in place of S, which could be very handy.
In short, certainly the existence of S needs to be hidden, and it would be
best to do hide it in plain sight as it were, in a big junk pile with
everything else on the drive.
Indexing this huge mess of data to allow for a practical system to work
with is certainly a challenge, and in all likelyhood impossible given the
parameters of the system.
Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
Let your life be a counter-friction to stop the machine.
Henry David Thoreau "Civil Disobedience"
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBNRw6BAKEiLNUxnAfAQGb2AQAmQw8YGWKfeXF609VoAOWaVOwLdOQwhih
GV6s/Ko+1sJC1eaXRedjO+a41l6ku4Hbbc5Jv/a8mgRv2O+QLhPX9L2tBGVcVHtQ
OrR4XAIW9/U5KXzot7yt1F7TOnR/8LJe5aq3glXwrIb/P5c1LwxOLgcNa91Bmzua
gL0w9f07oFw=
=yVIb
-----END PGP SIGNATURE-----
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:21 ADT