Re: deniability

2011-04-04 Thread vedaal
On Sun, 03 Apr 2011 11:25:46 -0400 gnupg-users-requ...@gnupg.org 
wrote:

Message: 2
Date: Sat, 02 Apr 2011 13:25:43 -0400
From: Robert J. Hansen r...@sixdemonbag.org
To: gnupg-users@gnupg.org
Subject: Re: Deniability
Message-ID: 4d975c17.3020...@sixdemonbag.org

My general rule of thumb is that the secret police might be 
monsters, but they will be *reasonable* monsters. 

Unfortunately, such *reasonable* monsters (or even 'not such 
monsters', UK for example)
can exploit the throw-keyid feature to obtain the secret keys of 
anyone (in the UK).


Suppose some people are in the habit of sending gnupg encrypted 
e-mails in the UK.

If the reasonable British intelligence people decided that they 
wanted anyone's secret keys and passwords, they could simply do 
something like the following:

[1] Anonymously send the person whose keys they want, a throw-keyid 
encrypted message, which is in reality encrypted to a key of their 
own choosing that no one else has access to

[2] Ask the person to decrypt the message

[3] The person will claim, quite truthfully, (and as expected by 
British intelligence), that he can't, since it probably wasn't 
encrypted to his key.

[4] They can claim, quite plausibly, that he entered the wrong 
password intentionally so that he would not have to reveal the true 
contents of the message

[5] They can now make a case that in order to know that the person 
really can't decrypt, they need the secret keys and passwords to 
every key on the keyring, so that they can, in front of the court, 
try each one and make sure the message really cannot be decrypted 
by any of the person's keys.

[6] They can even offer the defendant an opportunity to temporarily 
change the password to anything of his choice, just for the 
purposes of the demonstration, and then change it back, and decrypt 
it in front of the judge,
but by this time, with some easily available non-invasive stealth 
video recording technology, they will already have access to the 
secret key ring, and a functional password to each key. 

btw,
personally I don't think the British are anywhere near this strict 
about such things,
but if they ever did decide to be, the mechanism by which they 
could make it stick, is there.


vedaal



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Deniability

2011-04-03 Thread MFPA

Hi


On Saturday 2 April 2011 at 6:25:43 PM, in
mid:4d975c17.3020...@sixdemonbag.org, Robert J. Hansen wrote:

 The real risk is you will come to their attention by
 doing something *you had no idea was a crime*... which
 is a much more serious thing.

Isn't it a fairly standard maxim that ignorance of the law is no
defence?

-- 
Best regards

MFPA    mailto:expires2...@ymail.com

Can you imagine a world with no hypothetical situations?


Re: Deniability [SIC]

2011-04-03 Thread Jerry
On Sun, 3 Apr 2011 11:48:13 +0100
MFPA expires2...@ymail.com articulated:

 Isn't it a fairly standard maxim that ignorance of the law is no
 defence?

http://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat

quote

Ignorantia juris non excusat or ignorantia legis neminem excusat (Latin
for ignorance of the law does not excuse or ignorance of the law
excuses no one) is a legal principle holding that a person who is
unaware of a law may not escape liability for violating that law merely
because he or she was unaware of its content. In the United States,
exceptions to this general rule are found in cases such as Lambert v.
California (knowledge of city ordinances) and Cheek v. United States
(willfulness requirement in U.S. federal tax crimes).

/quote

See also:

http://en.wikipedia.org/wiki/Plausible_deniability

-- 
Jerry ✌
gnupg.u...@seibercom.net
_
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.




Re: Deniability

2011-04-03 Thread Robert J. Hansen
 Isn't it a fairly standard maxim that ignorance of the law is no
 defence?

I don't see what this has to do with anything, but assuming for the moment 
you're serious:

In most Western nations ignorance cannot excuse you from the burden of 
conforming with the law, but it can be used to excuse you from being punished.  
The term is /mens rea/, or (loosely translated) criminal intent.  If you 
don't have the active intent to do something you know is wrong, then it's 
pretty hard to get a conviction for doing it.

When I was in Mexico a couple of months ago, I got put up against the wall, 
searched, my bag searched, and my camera searched, because a police officer 
thought I took a photograph of a bank.  (I didn't.)  Now, I don't know much 
about the Mexican system of justice, but I think that even if I had 
photographed a bank, no Mexican judge would've put me in jail over it: the 
judge would've let me go with a stern warning.  I clearly had no intent to 
break the law, therefore it's impermissible to put me in jail.

If I was in the People's Republic of Berzerkistan and a cop sees me take a 
photograph of a bank, then it literally *does not matter* that I had no idea it 
was a crime: I'm still going to do ten to fifteen years in a Berzerkistani 
prison camp for it.  I can't rely on any sort of leeway from the judge (or, for 
that matter, getting to see a judge at all!).

This is what I mean when I say the real risk in an authoritarian regime is that 
you will come to the secret police's attention by doing something you had no 
idea was a crime.

http://en.wikipedia.org/wiki/Mens_rea




Re: Deniability

2011-04-03 Thread Johan Wevers
On 03-04-2011 18:31, Robert J. Hansen wrote:

 If I was in the People's Republic of Berzerkistan and a cop sees me
 take a photograph of a bank, then it literally *does not matter* that
 I had no idea it was a crime: I'm still going to do ten to fifteen
 years in a Berzerkistani prison camp for it.

Of course, it didn't occur to you that paying $200 in cash to the cop
would make him forget that crime instantly. But that would make you
punishable in the US I believe, where it seems to be illegal to bribe a
government official in another country if you are in that other
country. One way or another, you're screwed.

-- 
Kind regards,

Johan Wevers




Re: Deniability [SIC]

2011-04-03 Thread Jean-David Beyer
Jerry wrote:
 On Sun, 3 Apr 2011 11:48:13 +0100
 MFPA expires2...@ymail.com articulated:
 
 Isn't it a fairly standard maxim that ignorance of the law is no
 defence?
 
 http://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat
 
 quote
 
 Ignorantia juris non excusat or ignorantia legis neminem excusat (Latin
 for ignorance of the law does not excuse or ignorance of the law
 excuses no one) is a legal principle holding that a person who is
 unaware of a law may not escape liability for violating that law merely
 because he or she was unaware of its content. In the United States,
 exceptions to this general rule are found in cases such as Lambert v.
 California (knowledge of city ordinances) and Cheek v. United States
 (willfulness requirement in U.S. federal tax crimes).
 
 /quote
 
 See also:
 
 http://en.wikipedia.org/wiki/Plausible_deniability
 
If I remember correctly, the U.S. Criminal Code is a set of volumes that
takes about 4 to 5 feet of shelf space at my public library. This
probably does not include the collection of Federal Regulations.

It is my understanding that for most bills passed by congress, the
congressmen and senators never even read the bills, though they
sometimes read the summaries prepared by their assistants.

One time I got a copy of a bill because I was urged to oppose it. The
bill was illegible because it was in the form of a set of amendments to the
existing law. So there was page after page of stuff of the form

change  Page xxx, line yy, change  will do  to  will not do

So it is useless to even read that without running it through some kind
of text processor to do all those changes. My view is the dolts in
congress do not even know what they are voting for or against.

Then there are state and municipal laws and regulations.

While ignorance may be no excuse, there is no way to be informed
either. The turkeys that pass the laws do not even know that, and there
is no way we could keep up even if we tried.

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 20:05:01 up 31 days, 4:06, 3 users, load average: 5.14, 4.84, 4.74



Re: Deniability

2011-04-02 Thread Breen Mullins

* Robert J. Hansen r...@sixdemonbag.org [2011-04-02 13:25 -0400]:



The real risk is not that you will come to the attention of the secret
police by some random accident.  The real risk is you will come to their
attention by doing something *you had no idea was a crime*... which is a
much more serious thing.


Or, if you're really paranoid, if the secret police come to visit you 
about your doing something that wasn't a crime when you did it.


That way lies madness, I think.

b.

--
Breen Mullins
b...@sdf.org



Re: Deniability

2011-04-01 Thread Faramir

On 22-03-2011 13:07, Jerome Baum wrote:
...
 What stops her from sending me  real messages with this kind of content?
 Even  non-encrypted? I  could reply  I don't  know what  you're talking
 about, but how  does the prosecutor care? The only way  I could get out
 of it is to show I don't have any connection with Alice, but there is no
 way I could ever do that -- as Sven mentioned off-list, the mere existence
 of deniable systems gives me this danger.
 
 In fact the existence of criminals  gives me the danger of being accused
 -- it does not make deniable systems a problem.

  That's very alike with what some people said to me at truecrypt forum,
when I asked if there was a way to disable deniability if I don't need it.

   They said if somebody finds 7-zip in my computer, they could suspect
I sent compressed and encrypted messages to somebody (7-zip uses AES for
password protected compressed files), it is just they have not found
records about it -not yet, but there is when the lead pipe comes into
play. Or I could be using some unknown steganographic software (which I
might have shredded or ran from the usb drive I lost last year) and
the pictures of my family I uploaded to Facebook have hidden messages
about an evil plan to take over the world.
   And keep in mind in UK it is a crime (or fault, or... whatever they
call it, something you must not do because you will receive stick
instead of carrots) to have an encrypted file and not be able to decrypt
it. So if somebody sends an encrypted message to faramir.ch but mistypes
it and sends it to faramir.cl, then I would be already toasted (if I was
in UK).

   But I DO get Robert's point, and what worries me, it's we might get
into troubles even if we don't have deniability, we just need to be
linked somehow (maybe by unwanted email messages?) to some evil person.
And now I think about it, I have an orphan PGP key, I lost the secret
key and it is still on keyservers, unrevoked, and without expiration
time. Somebody could infer I have not revoked it because I still use it,
and that I have the secret key stored in a flash drive somewhere. All
Alice needs to do, is to encrypt something to that key and send it to
the email address of that key, and then how can I prove I'm not hiding
the key?

 Also, when did Alice turn evil? :)

  It seems she has been trying to evade paying taxes and to cheat her
husband since a long time ago, according to some crypto articles.

John Gordon’s After Dinner Speech: http://downlode.org/Etext/alicebob.html

...
Now most people in Alice’s position would give up. Not Alice. She has
courage which can only be described as awesome. Against all odds, over a
noisy telephone line, tapped by the tax authorities and the secret
police, Alice will happily attempt, with someone she doesn’t trust, whom
she cannot hear clearly, and who is probably someone else, to fiddle her
tax returns and to organize a coup d’etat, while at the same time
minimizing the cost of the phone call.

A coding theorist is someone who doesn’t think Alice is crazy.
...

  Best Regards


Re: Deniability

2011-03-23 Thread Johan Wevers
Robert J Hansen wrote:

 The amount of lead pipe a court can swing at you in many ways exceeds the
amount of lead pipe organized crime can throw at you.

I think the OP was talking about the legal system of civilized countries, not 
those in Iran, North Korea or the USA.

-- 
Kind regards,
Johan Wevers





Re: Deniability

2011-03-23 Thread Johan Wevers
Robert J Hansen wrote:

 If the
government *alleges* that you *committed a crime*, the government needs
to enter into evidence *how you committed that crime*.

The problem is of course the fact that hiding evidence for some crime you 
commit is itself a crime in the USA. It makes having to prove your innocence 
via this trick possible.

-- 
Kind regards,
Johan Wevers





Re: Deniability

2011-03-23 Thread Jerry
On Wed, 23 Mar 2011 11:21:26 +0100
Johan Wevers joh...@vulcan.xs4all.nl articulated:

 Robert J Hansen wrote:
 
  If the
 government *alleges* that you *committed a crime*, the government
 needs to enter into evidence *how you committed that crime*.

Not true. The government only need show that a crime was committed.
Exactly how the crime was committed is not a legal requirement;
although, it is usually something that a jury wants to hear about. It
is the same as charging an individual with murder even though a body
cannot be produced. If the government can show that the individual(s)
can reasonably be viewed as responsible for the death of another, even
without the body, they can be charged with the crime. This again,
pertains to USA law.

 The problem is of course the fact that hiding evidence for some crime
 you commit is itself a crime in the USA. It makes having to prove
 your innocence via this trick possible.

You have oversimplified this. As the defendant in a criminal case you
are never required to submit any evidence; however, failure to do so
may lead jurors to question your innocence, such as when a defendant
takes the 5th (avails him/herself of the Fifth Amendment rights
against self-incrimination) multiple times during a court proceeding.
The act of hiding or failing to produce evidence is not a crime if
committed by the defendant. This pertains to USA law. How it is
adjudicated in other countries is beyond my scope of knowledge.


-- 
Jerry ✌
gnupg.u...@seibercom.net
_
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.




Re: Deniability

2011-03-23 Thread Mark H. Wood
On Tue, Mar 22, 2011 at 10:34:27PM -0400, Robert J. Hansen wrote:
[snip]
 My own dark suspicion is that what we have always thought of as
 privacy is nothing more than an inefficiency in information exchange.
  So long as information exchange has a certain cost threshold, it's not
 worth my time or effort to share information about you.  As that cost
 threshold diminishes, so too does our privacy.  If it cost a penny to
 leave a YouTube comment, Rebecca Black would have twelve people
 scattered across the world who had said something bad about her.  Since
 it's free, though... well, she has no privacy anymore, and I feel very
 sorry for her.

An interesting thought.  I'm going to keep this one.

My suspicion is that we never had anywhere near as much privacy as
many believe.  A hundred years ago, when nobody had computers or
databases or Internets, everyone in town knew your name, your address,
your occupation, your family, your approximate economic status, your
(ir)religion, your circle of friends, and many past deeds you'd rather
have forgotten.  We may actually have *more* privacy these days, when
so much can be done in secret and only the machines know until someone
thinks to ask the right one in the right way.

 If I'm right, then the only way to restore privacy is to raise the price
 of information transfer in some way.  OpenPGP can be thought of as this:
 to recover a message the attacker has to undertake actions that involve
 at least some measure of expense.

We can also raise the cost of improper use of information.  I don't
think there's been enough attention to this.  If Alice draws
insupportable or downright illogical conclusions about my character or
status from my online presence, and on the basis of those conclusions
makes decisions on my employment or my insurance premiums or whether I
ought to be prosecuted for something, can I punish her *enough to make
her stop*?  If she's following company policy, can I punish the
company *enough to make it stop*?  Enough power can make privacy
irrelevant.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: Deniability

2011-03-23 Thread Ingo Klöcker
On Tuesday 22 March 2011, David Shaw wrote:
 On Mar 21, 2011, at 12:13 PM, Jerome Baum wrote:
  Hauke Laging mailinglis...@hauke-laging.de writes:
  You know that. And the archive of this mailinglist now knows that
  you have once claimed to do that. So one may assume that the only
  recipient is you but that is not a strong technical conclusion
  from the message itself.
  
  When I throw-keyids,  what's actually left over? Would  there be
  any way to match the keys from several messages, besides key size
  and type? Also if one (size, type) appears in all messages, I'd
  say the conclusion that I'm using encrypt-to-self is pretty safe.
 
 In addition to the size and type information, there is also an
 interesting attack that can be done against speculative key IDs.  It
 doesn't (directly) help a third party know who the recipients are,
 but it does let any recipient try to confirm a guess as to who
 another recipient might be.
 
 Let's say you encrypt a message to Alice and Baker and hide the key
 IDs.  Alice gets the message and knows there is one other recipient
 aside from herself.  She considers who the message came from and
 what the message was about and makes an educated guess that the
 other recipient is Baker.  To confirm her guess, all Alice needs to
 do is send a specially rigged speculative key ID message to Baker.  If
 Baker responds, then Alice knows he was the other recipient.
 
 Throw-keyids has some good usages (posting a message for pickup in a
 public place, for example), but it's just a tool.  It's important
 not to rely solely on it.

Exactly. The obvious solution to this problem would be to send n copies 
of the message to the n recipients each time encrypted to exactly one 
recipient. In fact, that's exactly what KMail does for all BCC'd 
recipients of an encrypted message.


Regards,
Ingo




Re: Deniability

2011-03-23 Thread MFPA

Hi


On Wednesday 23 March 2011 at 3:11:46 AM, in
mid:4d8964f2.9080...@sixdemonbag.org, Robert J. Hansen wrote:


 Written today.  I've done a fair bit of digging into
 this: no such case has ever been presented in a United
 States court.  The case you cited below was not a
 United States court: it was state court.

 The phrase, a United States court means, a court
 operating under federal law passed by Congress.  The
 phrase, a state court means, a court operating under
 state law passed by a state legislature.

A matter of semantics that would be lost on most people in the world.
Generally speaking, if I saw a media reference to a U.S court or an
American court I would neither know nor care which government body
ran that court nor which government body had passed the law that had
allegedly been transgressed.


-- 
Best regards

MFPA    mailto:expires2...@ymail.com

What's another word for synonym?


Re: Deniability

2011-03-23 Thread MFPA

Hi


On Wednesday 23 March 2011 at 7:14:22 PM, in
mid:AANLkTin8mEoxv+SNjeafDEzC46cF=n9wm6pmebujw...@mail.gmail.com,
Jeffrey Walton wrote:


  The
 first step to remediate the problem is disgorging politicians from
 their money, which probably will not happen in our lifetime.


Presumably it would require politicians to vote it in...


-- 
Best regards

MFPA    mailto:expires2...@ymail.com

Two wrongs don't make a right. But three lefts do.


Re: Deniability

2011-03-23 Thread dan

  For example, I do genealogy as a hobby, and figuring out how person A was
  related to person B 100 years ago would involve trips to the town in
  question, and poring over a hand-kept records book in the town hall.  These
  days, there are a number of websites that have brought that sort of
  information online.  The information from old town record book is
  essentially unchanged, but the ability to access it is dramatically easier.
  Such easy access enables all sorts of cross-referencing and data mining
  across multiple databases that were (strictly speaking) possible a hundred
  years ago, but also extremely unrealistic.


The 23andme.com folks claim that their genetic screening
thing is liberating people by connecting them to relatives
that they did not know they had.

I, for one, have a lot of relatives that I don't want to know.


--dan


This message is certified orthogonal to the topic of gnupg




Re: Deniability

2011-03-23 Thread MFPA

Hi


On Wednesday 23 March 2011 at 11:11:40 PM, in
mid:4d8a7e2c.40...@sixdemonbag.org, Robert J. Hansen wrote:


 This means the
 two have as much in common, legally speaking, as the
 United Kingdom and France.

Not forgetting that Scottish law supposedly has more in common with
France than English law.


-- 
Best regards

MFPA    mailto:expires2...@ymail.com

All generalizations are dangerous, even this one.


Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 If this is a thought experiment in how to crowbar deniability into
 OpenPGP, I wish you luck.  :)  If you're looking at actually using a
 deniable OpenPGP, or recommending others use one, I hope you'll give
 serious thought to these two things.

Part thought  experiment, part practical  usage. I was thinking  more in
terms of  a German court  asking me to  turn over evidence --  but then,
there still might  be a lead pipe involved outside the  scope of a court
case. I'll keep  it in mind when  it comes to practical usage,  but I do
want to keep up the thought experiment. :)

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: deniability

2011-03-22 Thread Jerome Baum
Grant Olson k...@grant-olson.net writes:

 On 03/21/2011 12:24 PM, Jerome Baum wrote:
 Yes, per above. But good idea to  not use an anonymous group -- this way
 I can say I was testing stuff.
 

 If you want to get really paranoid, post to http://www.pgpboard.com/ via
 a TOR connection.  That makes it difficult to show the message even
 originated from you.

Couldn't I just post to a test  group via tor?  Posting to that board is
like signing a  statement yes I am guilty (to some  at least).  As for
tor,  I was  thinking in  terms of  measuring some  kind  of correlation
between messages  appearing on  the board and  my computer  pulling more
power (think increased  CPU, etc.) -- or something like  that -- all not
proof, but given time to collect  the data, you can probably get a high
chance reading. So I think there are so many channels where you can get
this information once you have a  suspect, that it isn't worth trying to
hide it's me who posted this, and instead just post lots of stuff.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Jerome Baum
David Shaw ds...@jabberwocky.com writes:

 In  addition  to the  size  and type  information,  there  is also  an
 interesting attack that  can be done against speculative  key IDs.  It
 doesn't (directly) help a third party know who the recipients are, but
 it does  let any recipient  try to confirm  a guess as to  who another
 recipient might be.

 Let's say  you encrypt a message to  Alice and Baker and  hide the key
 IDs.  Alice  gets the message and  knows there is  one other recipient
 aside from herself.  She considers  who the message came from and what
 the  message was  about and  makes an  educated guess  that  the other
 recipient is Baker.  To confirm her  guess, all Alice needs to do is send
 a  specially rigged  speculative key  ID message  to Baker.   If Baker
 responds, then Alice knows he was the other recipient.

Would that be by reusing the  session key? Or are there other properties
that we can mess with?

How about, say  I know the session key and the  public encryption key of
the suspect, can't I just encrypt the session key to that public key and
see if it comes out the same?

 Throw-keyids has some  good usages (posting a message  for pickup in a
 public place, for example), but  it's just a tool.  It's important not
 to rely solely on it.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread David Shaw
On Mar 22, 2011, at 10:44 AM, Jerome Baum wrote:

 David Shaw ds...@jabberwocky.com writes:
 
 In  addition  to the  size  and type  information,  there  is also  an
 interesting attack that  can be done against speculative  key IDs.  It
 doesn't (directly) help a third party know who the recipients are, but
 it does  let any recipient  try to confirm  a guess as to  who another
 recipient might be.
 
 Let's say  you encrypt a message to  Alice and Baker and  hide the key
 IDs.  Alice  gets the message and  knows there is  one other recipient
 aside from herself.  She considers  who the message came from and what
 the  message was  about and  makes an  educated guess  that  the other
 recipient is Baker.  To confirm her  guess, all Alice needs to do is send
 a  specially rigged  speculative key  ID message  to Baker.   If Baker
 responds, then Alice knows he was the other recipient.
 
 Would that be by reusing the  session key? Or are there other properties
 that we can mess with?

Sorry, yes, that's re-using the session key (didn't mean to be mysterious).  
Since Alice, as a recipient, can find the session key, she can encrypt a new 
message to Baker with that session key, prefix it with the unknown recipient's 
encrypted session key, and send the whole message to Baker.  If Baker can read 
it, then it reveals who the unknown recipient is.

Of course, if Baker can't read it, it might tip him off that Alice is probing 
him...

 How about, say  I know the session key and the  public encryption key of
 the suspect, can't I just encrypt the session key to that public key and
 see if it comes out the same?

Unfortunately there is random data in the encrypted session key format, so the 
test encryption would not match Baker's encrypted session key.

David




Re: Deniability

2011-03-22 Thread Robert J. Hansen
On Tue, 22 Mar 2011 14:37:16 +, Jerome Baum jer...@jeromebaum.com
wrote:
 Part thought  experiment, part practical  usage. I was thinking  more in
 terms of  a German court  asking me to  turn over evidence --  but then,
 there still might  be a lead pipe involved outside the  scope of a court
 case.

The amount of lead pipe a court can swing at you in many ways exceeds the
amount of lead pipe organized crime can throw at you.  Let's do this
thought experiment again, but this time with a zealous prosecutor who is
sincerely doing what she believes to be her job.  Further, assume you have
a deniable cryptosystem: you can't deny you received the message, but you
can neither prove nor disprove having the ability to read it.

Alice and Bob are plotting a heinous crime -- terrorism, narcotics
trafficking, child exploitation, whatever.  They know their communications
are being monitored and they are using a deniable cryptosystem.  They have
also made plans for what to do if either of them ever gets arrested: they
will do their best to incriminate someone else, so that the surviving
conspirator will have time to go to ground and continue their plans of
skulduggery.

Alice gets picked up by the cops.  Paula Prosecutor interrogates her. 
Alice says, "my co-conspirator was Jerome Baum."  This is a lie, of course,
but all Alice needs to do is give the police someone to chase after for a
few days while Bob goes into hiding.  Alice has sent you some innocuous
messages through a deniable system in order to make you a good candidate
for being made their patsy.

Paula hauls you in.  "Tell us all about your role in $nefarious_crime." 
You tell Paula that you don't have any role in it.  "Prove it.  Show me
those messages."  "Um... well, you see, it's like this: it's a deniable
system, which means there's no way I can prove or disprove ever having the
ability to read it."  

Paula is *not* going to say, "oh, well then, I guess I'm out of luck." 
No, Paula is going to assume you're playing games and Paula's going to
start playing hardball the way only a government prosecutor can.  "Okay. 
In that case, we're going to have a forensic accountant crawl over your
bank accounts and tax records, have a squad of detectives crawling over
your personal life, we're going to talk to the media and name you as a
subject of the investigation, and you're going to be racking up a thousand
euros a day of legal fees.  But you can make it stop any time.  Just show
me those messages."

And when you scream, "*I CAN'T DO WHAT YOU'RE ASKING ME TO DO!*", Paula will
just look at you and say, "That's not my problem."

Prosecutors play hardball.  I would much rather face a gangster in an
alleyway who wanted to get my secrets via a lead pipe than I would ever
want to face a government prosecutor.  I have better odds with the
gangster.




Re: Deniability

2011-03-22 Thread Jerome Baum
David Shaw ds...@jabberwocky.com writes:

 On Mar 22, 2011, at 10:44 AM, Jerome Baum wrote:

 Would that be by reusing the  session key? Or are there other properties
 that we can mess with?

 Sorry,  yes,  that's re-using  the  session  key  (didn't mean  to  be
 mysterious).  Since Alice,  as a recipient, can find  the session key,
 she can encrypt  a new message to Baker with  that session key, prefix
 it with  the unknown recipient's  encrypted session key, and  send the
 whole message to Baker.  If Baker can read it, then it reveals who the
 unknown recipient is.

Is there anything  that can be done to  mitigate that attack? Obviously,
we can't save  a list of past  session keys, I wouldn't even  say we can
save  the hashes  of past  session keys  (with their  random data  -- as
_both_ are unlikely to appear ever again).

Actually  thinking about  it  myself, if  the  message turns  out to  be
unsigned, and we agreed to _always_  sign our messages (even with just a
throw-away key  previously agreed on), then  it would be  a good tip-off
and Baker wouldn't  answer but instead alert me. How  would you go about
doing that? I can see three options:

1.  Include a  secret  token  -- any  way  to make  GPG  aware of  this?
   Otherwise, prone to error.

2. Symmetrically encrypt  the original message first, with  a known key,
   and  if   asymmetric  decryption  yields  an  actual   text,  it's  a
   tip-off. Pretty prone to error, and very tedious.

3. Sign the message using a real key. No deniability for sender.

4. Sign the  message using a fake key. If you  have the original message
   signing the fake key as being okay, no deniability for sender.

5. Sign  the message using a  new fake key every  time.  Deniability for
   sender, and you just check whether  the uid is correct. This is a bit
   like #1/secret token, but it would  be more obvious when the token is
   missing (no signature). Still, a bit prone to error.

Now, those were either not  deniable or prone to error. Looking at how
OTR operates, IIRC it uses a MAC -- right? So just adapt #4 to yield:

6. Sign  the message using a fake  key that both parties  have. The only
   other  person   with  the  "this   key  is  okay"  message   is  your
   correspondent, and they can't tell on you as they could have signed
   the message themselves.

Any more problems with this method?

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 On Tue, 22 Mar 2011 14:37:16 +, Jerome Baum jer...@jeromebaum.com
 wrote:
 Part thought  experiment, part practical  usage. I was thinking  more in
 terms of  a German court  asking me to  turn over evidence --  but then,
 there still might  be a lead pipe involved outside the  scope of a court
 case.

 The amount of lead pipe a court can swing at you in many ways exceeds the
 amount of lead pipe organized crime can throw at you.  Let's do this
 thought experiment again, but this time with a zealous prosecutor who is
 sincerely doing what she believes to be her job.  Further, assume you have
 a deniable cryptosystem: you can't deny you received the message, but you
 can neither prove nor disprove having the ability to read it.

 Alice and Bob are plotting a heinous crime -- terrorism, narcotics
 trafficking, child exploitation, whatever.  They know their communications
 are being monitored and they are using a deniable cryptosystem.  They have
 also made plans for what to do if either of them ever gets arrested: they
 will do their best to incriminate someone else, so that the surviving
 conspirator will have time to go to ground and continue their plans of
 skulduggery.

 Alice gets picked up by the cops.  Paula Prosecutor interrogates her. 
 Alice says, my co-conspirator was Jerome Baum.  This is a lie, of course,
 but all Alice needs to do is give the police someone to chase after for a
 few days while Bob goes into hiding.  Alice has sent you some innocuous
 messages through a deniable system in order to make you a good candidate
 for being made their patsy.

What stops her from sending me  real messages with this kind of content?
Even  non-encrypted? I  could reply  "I don't  know what  you're talking
about", but how  does the prosecutor care? The only way  I could get out
of it is to show I don't have any connection with Alice, but there is no
way I could ever do that -- as Sven mentioned off-list, the mere existence
of deniable systems gives me this danger.

In fact the existence of criminals  gives me the danger of being accused
-- it does not make deniable systems a problem.

Also, when did Alice turn evil? :)

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Robert J. Hansen
 What stops her from sending me  real messages with this kind of content?
 Even  non-encrypted? I  could reply  I don't  know what  you're talking
 about, but how  does the prosecutor care?

If the prosecutor has plaintext of the emails, it makes your claims of
innocence much easier to believe.  It's when the prosecutor cannot know
what the plaintext is that the prosecutor has an incentive to ramp up the
pressure immensely.

 The only way  I could get out
 of it is to show I don't have any connection with Alice

Not at all.  Imagine if you were using a non-deniable system, such as
plain-vanilla OpenPGP.  "This message was sent via a non-deniable system. 
There, see?  That's a correct signature from Alice, and it was encrypted
with my certificate.  There!  See?  She was just sending me a recipe for
potato chip dip for my Super Bowl party!"

The prosecutor is going to be afraid of what she can't see.  She has
Alice, saying you're in it up to your eyeballs: she has you, claiming
innocence: she has a bunch of messages which you say are deniable and you
can't prove anything but which Alice says "he's lying to you."  Really, I
feel sympathy for Paula: she's in a terrible spot.  Being able to present
your messages is a good way of breaking that logjam: suddenly, Paula's
wrath turns on Alice for her deceptiveness and deceit.

 way I could ever do that -- as Sven mention off-list, the mere existence
 of deniable systems gives me this danger.

Not as much as you might think.  You could also say that the evidence of
disk wiping programs makes it hard for you to claim, "but I never had that
data in the first place!"  In reality, if the cops search your hard drive
and see Evidence Eliminator, they're going to strongly suspect you of
trying to destroy something important: but if the forensicist comes back
and says, "nope, no evidence he ever downloaded a file wiper," it gives
your claims of innocence more weight.

 Also, when did Alice turn evil? :)

She and Bob have been overthrowing governments, committing securities
fraud, carrying on a torrid affair without their spouses' knowledge, etc.,
for a very long time, all despite the fact they've never met face to face,
they don't trust each other, and know they're under surveillance by the
secret police.

As one wag said, "a cryptographer is someone who doesn't think Alice and
Bob are crazy."




Re: Deniability

2011-03-22 Thread Robert J. Hansen
 In reality, if the cops search your hard drive and see Evidence
 Eliminator...

I should add: this is tongue-in-cheek.  Please don't take it as a
recommendation, suggestion, or anything of the sort.  I used EE only for
its infamy.




Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 The prosecutor is going to be afraid of what she can't see.  She has
 Alice, saying you're in it up to your eyeballs: she has you, claiming
 innocence: she has a bunch of messages which you say are deniable and you
 can't prove anything but which Alice says he's lying to you.  Really, I
 feel sympathy for Paula: she's in a terrible spot.  Being able to present
 your messages is a good way of breaking that logjam: suddenly, Paula's
 wrath turns on Alice for her deceptiveness and deceit.

I'm saying what if Alice sends me incriminating messages? Like "burglary
happens at 5am"? I can respond "I don't know what you're talking about",
but how does that help me? I could report her, but I might choose not to
bother. (Hmm, is it a requirement if I don't think she's serious?)

 Not as much as you might think.  You could also say that the evidence of
 disk wiping programs makes it hard for you to claim, but I never had that
 data in the first place!  In reality, if the cops search your hard drive
 and see Evidence Eliminator, they're going to strongly suspect you of
 trying to destroy something important: but if the forensicist comes back
 and says, nope, no evidence he ever downloaded a file wiper, it gives
 your claims of innocence more weight.

See this  is exactly  the problem.  I agree it's  true but  it shouldn't
be -- why is it incriminating that I care about my privacy?

 Also, when did Alice turn evil? :)

 She and Bob have been overthrowing governments, committing securities
 fraud, carrying on a torrid affair without their spouses' knowledge, etc.,
 for a very long time, all despite the fact they've never met face to face,
 they don't trust each other, and know they're under surveillance by the
 secret police.

I like to  think of Alice and  Bob as nice fellas, employed  at Big Corp
and Acme Corp,  respectively (just to confuse people,  Alice is employed
at Big Corp,  and Bob at Acme Corp). The only  thing they might exchange
is messages about  Mallice, who is evil anyway and  it doesn't matter if
we hurt her feelings.

In  any case  I'd love  to see  that reference  to securities  fraud.  I
haven't seen that one before.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread dan

I don't think anyone was suggesting that adroit use of
PGP/GPG is a talisman against those who wield lead pipes
and want what they want.  Not that there isn't a movie
script in that line of thought...

--dan




Re: Deniability

2011-03-22 Thread Robert J. Hansen
On Tue, 22 Mar 2011 18:07:23 +, Jerome Baum jer...@jeromebaum.com
wrote:
 I'm saying what if Alice sends me incriminating messages? Like burglary
 happens at 5am? I can respond I don't know what you're talking about,

Or just fail to respond.  If I received a message saying "the burglary
happens at 5:00am", I would be certain to have a rock-solid alibi for
5:00am, and I might even go to the police with it.

 but how does that help me? I could report her, but I might choose not to
 bother. (Hmm, is it a requirement if I don't think she's serious?)

The general rule in the United States is that no one has a duty to help
the police, but there are a lot of caveats.  There's a fine line between
"no duty to help the police" and "accomplice to a crime."

 See this  is exactly  the problem.  I agree it's  true but  it shouldn't
 be -- why is it incriminating that I care about my privacy?

In the United States there are several different thresholds for evidence. 
Simplified a lot, there are the kinds of evidence the police can use to
justify investigating you, and the kinds of evidence that can be offered in
court to convict you.

If the police have cause to investigate you and they see a counterforensic
tool on your hard drive, that can be justification for further
investigation -- in exactly the same way that if I was being investigated
for murder and they discovered I owned the exact kind of weapon that was
used in the killing, that fact could justify further investigation.

However, the fact you had a counterforensic tool, *by itself*, would
probably not rise to the level of something that would be admissible at
trial -- the same way that, if I was charged with stabbing someone to
death, the fact I own a shotgun would be inadmissible.  There would need to
be evidence of it being used unlawfully, like for instance, evidence
spoliation.

Again, this is extremely quick and dirty.  The Federal Rules of Evidence
are big, confusing, clunky, ungainly, and difficult to understand.  If
you're concerned about United States law regarding the admissibility of
evidence, you really need to consult with a lawyer.

 In  any case  I'd love  to see  that reference  to securities  fraud.  I
 haven't seen that one before.

http://downlode.org/Etext/alicebob.html



Re: Deniability

2011-03-22 Thread David Shaw
On Mar 22, 2011, at 12:01 PM, Jerome Baum wrote:

 David Shaw ds...@jabberwocky.com writes:
 
 On Mar 22, 2011, at 10:44 AM, Jerome Baum wrote:
 
 Would that be by reusing the  session key? Or are there other properties
 that we can mess with?
 
 Sorry,  yes,  that's re-using  the  session  key  (didn't mean  to  be
 mysterious).  Since Alice,  as a recipient, can find  the session key,
 she can encrypt  a new message to Baker with  that session key, prefix
 it with  the unknown recipient's  encrypted session key, and  send the
 whole message to Baker.  If Baker can read it, then it reveals who the
 unknown recipient is.
 
 Is there anything  that can be done to  mitigate that attack? Obviously,
 we can't save  a list of past  session keys, I wouldn't even  say we can
 save  the hashes  of past  session keys  (with their  random data  -- as
 _both_ are unlikely to appear ever again).
 
 Actually  thinking about  it  myself, if  the  message turns  out to  be
 unsigned, and we agreed to _always_  sign our messages (even with just a
 throw-away key  previously agreed on), then  it would be  a good tip-off
 and Baker wouldn't  answer but instead alert me.

Hmm.  I'm not sure you and I are on the same page with this attack.  I don't 
think that Alice's rigged message to Baker necessarily needs to be forged to 
come from the original sender.  Alice can send the message to Baker as herself, 
with no special signing or other trickery to fool Baker about the origin of the 
message.  She can even sign it (as herself) if she wants.  The contents of the 
message just need to be something Baker would naturally reply to.

David




Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 However, the fact you had a counterforensic tool, *by itself*, would
 probably not rise to the level of something that would be admissible at
 trial -- the same way that, if I was charged with stabbing someone to
 death, the fact I own a shotgun would be inadmissible.  There would need to
 be evidence of it being used unlawfully, like for instance, evidence
 spoliation.

Wasn't  there that case  where the  fact that  someone (a  now convicted
child molester nonetheless, but let's ignore that fact) had some OpenPGP
implementation  on their  computer  was  admitted into  a  US court  and
appeals didn't overturn that admission?

Anyway, we're  getting off-topic. We've already determined  that using a
deniable system might be a bad idea. The thought experiment continues...

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Jerome Baum
David Shaw ds...@jabberwocky.com writes:

 Hmm.  I'm not sure you and I are on the same page with this attack.  I
 don't think that Alice's rigged  message to Baker necessarily needs to
 be  forged to  come  from the  original  sender.  Alice  can send  the
 message to Baker as herself, with no special signing or other trickery
 to fool Baker  about the origin of the message.  She  can even sign it
 (as herself) if  she wants.  The contents of the  message just need to
 be something Baker would naturally reply to.

Yeah I got a bit carried off  there. So any way to counter that, besides
keeping a list  of (hash(cryptd-text), hash(session-key | random-parts))
to warn you if one is reused? Obviously that is a pretty dumb way, so is
there any way at all to counter a session-key-reuse attack?

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Robert J. Hansen
On Tue, 22 Mar 2011 19:14:20 +, Jerome Baum jer...@jeromebaum.com
wrote:
 Wasn't  there that case  where the  fact that  someone (a  now convicted
 child molester nonetheless, but let's ignore that fact) had some OpenPGP
 implementation  on their  computer  was  admitted into  a  US court  and
 appeals didn't overturn that admission?

Several of them.  In all cases I'm aware of, it was alleged the
individuals were using OpenPGP to conceal their activity in a crime. 
Covering up a criminal offense is, itself, almost always a criminal
offense.  If the government alleges, "this person used OpenPGP to cover up
the crime and make life difficult on the FBI," the government must do two
things: (a) enter into evidence the fact the accused has access to OpenPGP,
and (b) convince the jury the accused used OpenPGP in an attempt to foil a
police investigation.




Re: Deniability

2011-03-22 Thread David Shaw

On Mar 22, 2011, at 3:17 PM, Jerome Baum wrote:

 David Shaw ds...@jabberwocky.com writes:
 
 Hmm.  I'm not sure you and I are on the same page with this attack.  I
 don't think that Alice's rigged  message to Baker necessarily needs to
 be  forged to  come  from the  original  sender.  Alice  can send  the
 message to Baker as herself, with no special signing or other trickery
 to fool Baker  about the origin of the message.  She  can even sign it
 (as herself) if  she wants.  The contents of the  message just need to
 be something Baker would naturally reply to.
 
 Yeah I got a bit carried off  there. So any way to counter that, besides
 keeping a list  of (hash(cryptd-text), hash(session-key | random-parts))
 to warn you if one is reused? Obviously that is a pretty dumb way, so is
 there any way at all to counter a session-key-reuse attack?

Probably the easiest way is to not send messages with speculative key IDs 
encrypted to more than one recipient. :)

That ensures that Alice knows as little as possible about the other recipients 
(including whether there are any in the first place).  It does put an 
additional burden on the sender, though, as they now need to send out more 
messages (which might be hard for some senders).

David
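
One way to act on the bookkeeping idea Jerome raises above, as an added example that is not part of the thread and not GnuPG code: because the probe David describes carries the hidden recipient's encrypted session key packet over unchanged, a recipient can fingerprint every Public-Key Encrypted Session Key packet received and flag one that reappears in front of different ciphertext, without decrypting anything. This is a variant of Jerome's list, keyed on the encrypted packet rather than on the session key. Packet framing follows RFC 4880; the names `read_packets`, `ReuseDetector` and all message bytes are constructed for illustration.

```python
import hashlib

PKESK_TAG = 1            # Public-Key Encrypted Session Key packet
DATA_TAGS = {9, 18}      # Symmetrically Encrypted Data, without / with MDC


def read_packets(buf):
    """Yield (tag, body) for every packet in a binary OpenPGP message."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        body = bytearray()
        if hdr & 0x40:                       # new-format header
            tag, last = hdr & 0x3F, False
            while not last:
                first, last = buf[i], True
                if first < 192:              # one-octet length
                    n, i = first, i + 1
                elif first < 224:            # two-octet length
                    n, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
                elif first == 255:           # five-octet length
                    n, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
                else:                        # partial body length, more follows
                    n, i, last = 1 << (first & 0x1F), i + 1, False
                if i + n > len(buf):
                    raise ValueError("truncated packet")
                body += buf[i:i + n]
                i += n
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                   # indeterminate: runs to end of input
                n = len(buf) - i
            else:
                width = 1 << ltype           # 1, 2 or 4 length octets
                n = int.from_bytes(buf[i:i + width], "big")
                i += width
            if i + n > len(buf):
                raise ValueError("truncated packet")
            body += buf[i:i + n]
            i += n
        yield tag, bytes(body)


def has_hidden_key_id(pkesk_body):
    """True for a version 3 PKESK whose key ID is all zero (speculative)."""
    return pkesk_body[:1] == b"\x03" and pkesk_body[1:9] == bytes(8)


class ReuseDetector:
    """Remember each PKESK packet and the ciphertext it first arrived with."""

    def __init__(self):
        self.seen = {}   # sha256(PKESK body) -> sha256(encrypted data)

    def check(self, message):
        """Return fingerprints of PKESK packets seen before with other data."""
        pkesks, data = [], hashlib.sha256()
        for tag, body in read_packets(message):
            if tag == PKESK_TAG:
                pkesks.append(hashlib.sha256(body).hexdigest())
            elif tag in DATA_TAGS:
                data.update(body)
        data_fp = data.hexdigest()
        # setdefault stores the pairing on first sight and returns the old one after
        return [fp for fp in pkesks if self.seen.setdefault(fp, data_fp) != data_fp]


# --- constructed sample input (not real GnuPG output) ---
def new_packet(tag, body):                   # new format, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

def old_packet(tag, body):                   # old format, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def fake_pkesk(filler):                      # v3, key ID zero, algo 1, fake MPI
    return b"\x03" + bytes(8) + b"\x01" + (len(filler) * 8).to_bytes(2, "big") + filler

PKESK_ALICE = fake_pkesk(b"\xAA" * 16)
PKESK_BAKER = fake_pkesk(b"\xBB" * 16)
ORIGINAL = (old_packet(1, PKESK_ALICE) + old_packet(1, PKESK_BAKER)
            + new_packet(18, b"\x01constructed ciphertext one"))
PROBE = old_packet(1, PKESK_BAKER) + new_packet(18, b"\x01constructed ciphertext two")
FRESH = old_packet(1, fake_pkesk(b"\xCC" * 16)) + new_packet(18, b"\x01other data")

if __name__ == "__main__":
    det = ReuseDetector()
    for name, msg in [("original", ORIGINAL), ("probe", PROBE), ("fresh", FRESH)]:
        hits = det.check(msg)
        print(name, "REUSED session key packet" if hits else "ok")
```

A hit means only that the same encrypted session key packet was attached to two different messages; a message read twice, or one with a freshly generated session key, does not trigger it.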



Re: Deniability

2011-03-22 Thread FederalHill
Sure it is, we practice encryption and the people with lead pipes magically 
disappear.  We don't know why. We just know they do. That is deniability. I 
don't know what you are talking about.


 
Frank Spruill
1701 Light Street
Baltimore MD 21230


--- On Tue, 3/22/11, d...@geer.org d...@geer.org wrote:


From: d...@geer.org d...@geer.org
Subject: Re: Deniability
To: Robert J. Hansen r...@sixdemonbag.org
Cc: gnupg-users@gnupg.org gnupg-users@gnupg.org
Date: Tuesday, March 22, 2011, 2:47 PM



I don't think anyone was suggesting that adroit use of
PGP/GPG is a talisman against those who wield lead pipes
and want what they want.  Not that there isn't a movie
script in that line of thought...

--dan




Re: Deniability

2011-03-22 Thread Jerome Baum
David Shaw ds...@jabberwocky.com writes:

 Probably the easiest way is  to not send messages with speculative key
 IDs encrypted to more than one recipient. :)

 That ensures  that Alice knows as  little as possible  about the other
 recipients (including whether  there are any in the  first place).  It
 does put an additional burden on  the sender, though, as they now need
 to send out more messages (which might be hard for some senders).

So assuming that's done, or assuming that _Mallory_ ;) is not in CC, are
there  other problems?   Obviously, from  the perspective  of  a thought
experiment and assuming a world-wide destruction of lead pipes.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread MFPA

Hi


On Tuesday 22 March 2011 at 7:20:59 PM, in
mid:1af4381f560480656e49ea2843098672@localhost, Robert J. Hansen
wrote:


 If the government alleges, this person used OpenPGP to
 cover up the crime and make life difficult on the FBI,
 the government must do two things: (a) enter into
 evidence the fact the accused has access to OpenPGP,
 and (b) convince the jury the accused used OpenPGP in
 an attempt to foil a police investigation.

Assuming you have nothing illegal to hide, there is nothing wrong with
using whatever tools may be at your disposal to keep your personal
affairs away from investigators. Maybe ill-advised in certain
circumstances but definitely not wrong. There is no requirement to
prove your innocence.

-- 
Best regards

MFPA mailto:expires2...@ymail.com

Never trust a dog with orange eyebrows


Re: Deniability

2011-03-22 Thread Robert J. Hansen
On 3/22/11 5:42 PM, MFPA wrote:
 Assuming you have nothing illegal to hide

And in the context of that conversation it was clear that there was, in
fact, something illegal to hide.  Quoting: if the government alleges,
'this person used OpenPGP to cover up the crime...'



Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 On 3/22/11 5:42 PM, MFPA wrote:
 Assuming you have nothing illegal to hide

 And in the context of that conversation it was clear that there was, in
 fact, something illegal to hide.  Quoting: if the government alleges,
 'this person used OpenPGP to cover up the crime...'

So, if the government alleges I  have something to hide, then it is clear
that I do? Boy am I happy I don't live in the U.S.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Jeffrey Walton
On Tue, Mar 22, 2011 at 6:11 PM, Jerome Baum jer...@jeromebaum.com wrote:
 Robert J. Hansen r...@sixdemonbag.org writes:

 On 3/22/11 5:42 PM, MFPA wrote:
 Assuming you have nothing illegal to hide

 And in the context of that conversation it was clear that there was, in
 fact, something illegal to hide.  Quoting: if the government alleges,
 'this person used OpenPGP to cover up the crime...'

 So, if the government alleges I  have something to hide, then it is clear
 that I do? Boy am I happy I don't live in the U.S.
You don't have to live in the US to be subject to its arm and partial
justice. Just ask some of the folks at Guantánamo Bay.

Jeff



Re: Deniability

2011-03-22 Thread Jerome Baum
Jeffrey Walton noloa...@gmail.com writes:

 On Tue, Mar 22, 2011 at 6:11 PM, Jerome Baum jer...@jeromebaum.com wrote:
 Robert J. Hansen r...@sixdemonbag.org writes:

 On 3/22/11 5:42 PM, MFPA wrote:
 Assuming you have nothing illegal to hide

 And in the context of that conversation it was clear that there was, in
 fact, something illegal to hide.  Quoting: if the government alleges,
 'this person used OpenPGP to cover up the crime...'

 So, if the government alleges I  have something to hide, then it is clear
 that I do? Boy am I happy I don't live in the U.S.
 You don't have to live in the US to be subject to its arm and partial
 justice. Just ask some of the folks at Guantánamo Bay.

Err, this is not the kind of direction I wanted this to take.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread MFPA

Hi


On Tuesday 22 March 2011 at 9:52:39 PM, in
mid:4d891a27.4000...@sixdemonbag.org, Robert J. Hansen wrote:


 On 3/22/11 5:42 PM, MFPA wrote:
 Assuming you have nothing illegal to hide

 And in the context of that conversation it was clear
 that there was, in fact, something illegal to hide.
 Quoting: if the government alleges, 'this person used
 OpenPGP to cover up the crime...'

Oops. Mea culpa; I misread it as "... to cover up _a_ crime..."


-- 
Best regards

MFPA mailto:expires2...@ymail.com

The truth is rarely pure and never simple


Re: Deniability

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 6:11 PM, Jerome Baum wrote:
 So, if the government alleges I  have something to hide, then it is clear
 that I do? Boy am I happy I don't live in the U.S.

This is cheap ad-hominem.  I said nothing of the sort.  If the
government *alleges* that you *committed a crime*, the government needs
to enter into evidence *how you committed that crime*.

If the crime is evidence spoliation, then yes, the government can enter
into evidence the fact you possessed the tools required to spoil
evidence.  It doesn't mean you're guilty of evidence spoliation: it only
means the jury might find that fact to be interesting and relevant, and
for that reason it should be presented to them.

If I'm accused of stabbing someone to death, the government gets to
enter into evidence the fact I own a knife exactly like the one they
allege was used to murder someone.  This is no different.

I honestly do not understand where you're coming from.  It seems as if
you're deliberately trying to twist around what I'm saying.



Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 On 3/22/2011 6:11 PM, Jerome Baum wrote:
 So, if the government alleges I have something to hide, then it is clear
 that I do? Boy am I happy I don't live in the U.S.

 This is cheap ad-hominem.  I said nothing of the sort.  If the
 government *alleges* that you *committed a crime*, the government needs
 to enter into evidence *how you committed that crime*.

 And in the context of that conversation it was clear that there was, in
 fact, something illegal to hide.  Quoting: if the government alleges,
 'this person used OpenPGP to cover up the crime...'

Let's rephrase what you said: From the government alleging 'this person
used OpenPGP to hide evidence of his crime' it was clear that there
was, in fact, evidence of his crime.

One  step  further: From  the  government  alleging  'this person  used
OpenPGP to  hide evidence of his  crime' it was clear  that he committed
the crime.

And another step: From the  government alleging something, it was clear
that he committed the crime.

Where were  you involved? Quoting  dictionary.reference.com: ad hominem:
attacking an opponent's character rather than answering his argument.

 If the crime is evidence spoilation, then yes, the government can enter
 into evidence the fact you possessed the tools required to spoil
 evidence.  It doesn't mean you're guilty of evidence spoilation: it only
 means the jury might find that fact to be interesting and relevant, and
 for that reason it should be presented to them.

 If I'm accused of stabbing someone to death, the government gets to
 enter into evidence the fact I own a knife exactly like the one they
 allege was used to murder someone.  This is no different.

 I honestly do not understand where you're coming from.  It seems as if
 you're deliberately trying to twist around what I'm saying.

I guess we are talking about different trials. I am talking about a
trial pertaining to the original crime (child abuse), into which "he has
gpg installed" was entered as evidence, under the argument that he
might have encrypted his pictures with gpg -- we don't have the picture,
but he might have done this.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread dan

  Err, this is not the kind of direction I wanted this to take.

Even as a 99.44% pure lurker, me neither.

Might I suggest to those who want to argue what the plusses
and minuses are of hiding that it might be good to read Daniel
Solove's (new) Yale Press book, _Nothing to Hide_, or the paper
of the same name which preceded it?

Personally, I do think privacy and security are a zero sum
game in the main, i.e., I agree with Ed Giorgio's commentary
in the New Yorker (The Spymaster, January 21, 2008) to that
effect.  I don't like it, but what I like is irrelevant.  If
zero-summed-ness is an actual fact of nature, then I'll choose
more privacy and less security as the Internet-of-Things approaches.

--dan

A conservative is a socialist who worships order.
A liberal is a socialist who worships safety. 
-- Victor Milan', 1999




Re: Deniability

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 7:34 PM, Jerome Baum wrote:
 Let's rephrase what you said: From the government alleging 'this person
 used OpenPGP to hide evidence of his crime' it was clear that there
 was, in fact, evidence of his crime.

Yes: it's a tautology.  A prosecutor is not allowed to make an
allegation in court for which they do not have evidence.  If the
prosecutor says, "this person used OpenPGP to hide evidence of his
crime," the prosecutor must be able to present the spoiled evidence and
demonstrate it was connected to a crime: otherwise that allegation is
barred from the courtroom.

How that evidence should be interpreted, how much weight it should be
given, etc., is solely the purview of the jury.  But if the government
says, "this person used a bloody knife to murder someone," then yes,
that's evidence there's a dead body that was killed with a knife,
because otherwise no judge would allow the prosecutor to make that claim.

 Where were  you involved? Quoting  dictionary.reference.com: ad hominem:
 attacking an opponent's character rather than answering his argument.

It's "everything-the-government-does-is-evil" claptrap that I have no
patience for.  I am no particular fan of the government, but to think
that it would so nakedly act in such a way is ridiculous.

 I guess we are talking about different trials. I am talking about a
 trial pertaining to the original crime (child abuse), into which "he has
 gpg installed" was entered as evidence

To repeat what I told you earlier: *there was no such trial*.  This is
an urban legend in the community.  No one has ever been able to produce
a citation for me.  I've asked, quite a lot of times, and I've done my
own digging in Westlaw trying to find it.  To the best of my knowledge,
it doesn't exist.  What exist instead are different trials for evidence
spoilation and related charges, in which the defendant's possession of
those tools is directly related to the charge.



Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 To repeat what I told you earlier: *there was no such trial*.

When did you tell me this?

 This is an  urban legend in the community.  No one  has ever been able
 to produce a  citation for me.  I've asked, quite a  lot of times, and
 I've done my own digging in Westlaw trying to find it.  To the best of
 my  knowledge, it  doesn't exist.   What exist  instead  are different
 trials  for evidence  spoilation  and related  charges,  in which  the
 defendant's  possession of  those  tools is  directly  related to  the
 charge.

http://news.cnet.com/Minnesota-court-takes-dim-view-of-encryption/2100-1030_3-5718978.html

"We find that evidence of appellant's Internet use and the existence of
an encryption program on his computer was at least somewhat relevant to
the state's case against him,"

The Internet use  might be, but the existence  of an encryption program
on  his computer,  considering there  was absolutely  _no_  evidence of
encrypted imagery, was certainly not relevant to the case.

The guy  was convicted,  and for the  right reasons, but  the encryption
software shouldn't have been allowed.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread dan

 If I'm right, then the only way to restore privacy is to raise the price
 of information transfer in some way.  OpenPGP can be thought of as this:
 to recover a message the attacker has to undertake actions that involve
 at least some measure of expense.

Perhaps you are correct.

My own definition of privacy evolves, but as of now is this:

   Privacy is the effective capacity to misrepresent oneself.

and, semi-orthogonally,

   Security is the absence of unmitigatable surprise.


YMMV,

--dan




Re: Deniability

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 10:16 PM, d...@geer.org wrote:
 Personally, I do think privacy and security are a zero sum
 game in the main, i.e., I agree with Ed Giorgio's commentary
 in the New Yorker (The Spymaster, January 21, 2008) to that
 effect.

I think the best counterargument to this is that it's very easy to come
up with massive invasions of privacy that really do little to nothing
for our security.  The airport security examples more or less write
themselves...

My own dark suspicion is that what we have always thought of as
privacy is nothing more than an inefficiency in information exchange.
 So long as information exchange has a certain cost threshold, it's not
worth my time or effort to share information about you.  As that cost
threshold diminishes, so too does our privacy.  If it cost a penny to
leave a YouTube comment, Rebecca Black would have twelve people
scattered across the world who had said something bad about her.  Since
it's free, though... well, she has no privacy anymore, and I feel very
sorry for her.

If I'm right, then the only way to restore privacy is to raise the price
of information transfer in some way.  OpenPGP can be thought of as this:
to recover a message the attacker has to undertake actions that involve
at least some measure of expense.



Re: Deniability

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 10:29 PM, Jerome Baum wrote:
 To repeat what I told you earlier: *there was no such trial*.
 
 When did you tell me this?

Quoting:

 Wasn't there that case where the fact that someone ...
 had some OpenPGP implementation on their computer was
 admitted into a US court and appeals didn't overturn
 that admission?

In all cases I'm aware of, it was alleged the individuals
were using OpenPGP to conceal their activity in a crime.
Covering up a criminal offense is, itself, almost always a
criminal offense.

Written today.  I've done a fair bit of digging into this: no such case
has ever been presented in a United States court.  The case you cited
below was not a United States court: it was state court.

The phrase, "a United States court" means, "a court operating under
federal law passed by Congress."  The phrase, "a state court" means, "a
court operating under state law passed by a state legislature."

I suspect you meant, "a court somewhere in the United States," which
could mean either.

 We find that evidence of  appellant's Internet use and the existence of
 an encryption program on his  computer was at least somewhat relevant to
 the state's case against him,

Imagine this: I'm being accused of premeditated murder.  Apparently, I
ran over a man with a car with the specific intent of killing him.  When
the police arrest me, they discover in my apartment I have a sniper
rifle, a hangman's noose, a straight razor, some food that has ground
glass mixed into it, and a how-to manual for committing murders with all
of those tools.  (Note that generally speaking none of these are illegal
in the United States.)  The state wants to enter all of those things
into evidence to support the claim that I committed my crime with
extreme premeditation, that I had the specific and deliberate intent to
kill.

Under your theory, that should be barred.  Me, I think that's kind of
weird.  Seems to me like this is the sort of thing the jury should be
allowed to hear and decide for themselves.  Likewise, in this case the
prosecution was alleging something.  The judge believed -- and the
appellate court agreed -- that the presence of PGP was relevant to those
allegations.

If you don't know what specific fact this evidence was presented to
demonstrate, then you can't say the evidence shouldn't have been
admitted.  We know it was connected to a criminal trial, but we don't
know specifically what the evidence was introduced to prove.  It
could've been something as simple as, the defendant is technically
sophisticated, as evidenced by

 The guy  was convicted,  and for the  right reasons, but  the encryption
 software shouldn't have been allowed.

I can't argue against this.  This is your emotional reaction to the
situation, and nobody can argue against emotions.  All that I can say is
that, as a matter of law, the decision makes sense and seems rational.



Re: Deniability

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 10:59 PM, d...@geer.org wrote:
 Perhaps you are correct.

Unlikely, but you're kind to say so.  I'll be happy if my mistakes can
just be interesting.  :)

 My own definition of privacy evolves, but as of now is this:

This is very good: I need to think on this.  May I borrow this and
present it to others (with attribution)?



Re: Deniability

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 Imagine this: I'm being accused of premeditated murder.  Apparently, I
 ran over a man with a car with the specific intent of killing him.  When
 the police arrest me, they discover in my apartment I have a sniper
 rifle, a hangman's noose, a straight razor, some food that has ground
 glass mixed into it, and a how-to manual for committing murders with all
 of those tools.  (Note that generally speaking none of these are illegal
 in the United States.)  The state wants to enter all of those things
 into evidence to support the claim that I committed my crime with
 extreme premeditation, that I had the specific and deliberate intent to
 kill.

 Under your theory, that should be barred.  Me, I think that's kind of
 weird.  Seems to me like this is the sort of thing the jury should be
 allowed to hear and decide for themselves.  Likewise, in this case the
 prosecution was alleging something.  The judge believed -- and the
 appellate court agreed -- that the presence of PGP was relevant to those
 allegations.

Actually, I didn't say those tools  being in your home should be barred.
I  agree with  what you  write  below --  there are  reasons to  include
evidence and  in this case  it would be  to describe your  character (be
that technical sophistication or intent to murder). I would
differentiate between what's actually  relevant (and would help the jury
make a better decision), and what's not. A guy with a handbook on murder
likely has a higher chance  of murdering. A guy with encryption software
hopefully doesn't have a higher chance of molesting a child.

Plus, I  am arguing that a  court in the  U.S.  (thanks for the  note on
wording  btw) made  a bad  decision. How  does the  fact that  the judge
believed his  decision was  right support your  argument that  the court
(i.e.  judge)  made the  correct decision? As  for the appeals  court, I
have  heard (obviously  no  first-hand experience)  that  they are  very
conservative when  it comes to turning  over a court's  decision, and in
this matter I  would be as well -- when the  evidence wasn't relevant to
the conviction and likely didn't influence the jury.

 If you don't know what specific fact this evidence was presented to
 demonstrate, then you can't say the evidence shouldn't have been
 admitted.  We know it was connected to a criminal trial, but we don't
 know specifically what the evidence was introduced to prove.  It
 could've been something as simple as, the defendant is technically
 sophisticated, as evidenced by

So, what does technical sophistication have to do with whether or not the
guy molested the child? One connection I can see is "he could have hidden
that information from us, so we don't have it" -- but then, how is
that kind of no-evidence speculation relevant? Of course, this is a
straw man. To justify it, while I didn't read any first-hand source, if
you follow the discussion there are some references to the appeals
court's decision which mention that the prosecution was suggesting what
I said ("he could have ...").

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Jerome Baum
 (snip big discussion that should have stopped long ago)

We've gone  way too  far off-topic I  think.  I'll happily  continue the
debate  off-list, but  otherwise I  suggest we  close this  thread and
agree to disagree, probably to the relief of other gnupg-users readers.

Feel free  to have a final  word if you  want, but I'll post  no further
messages about this on gnupg-users.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 11:50 PM, Jerome Baum wrote:
 A guy with encryption software hopefully doesn't have a higher
 chance of molesting a child.

Except that *you don't know what that was entered to prove*.  It's quite
possible it was not entered to prove he molested a child.  If I was a
prosecutor, I'd want to argue that he was technically proficient, and
enter the existence of PGP to support that claim.

If the jury then decides, "well, he had PGP on his hard drive, therefore
he's probably guilty," then that's the jury being idiots.  That doesn't
mean the U.S. system is unjust: every nation with a jury system has to
deal with juries being idiots.

The fact he used PGP was entered into a trial about the abuse of a
child: but that doesn't mean that fact was entered into evidence to
prove he abused the child -- it could have (and quite likely was)
entered for something else.  Unless you're looking at the court record,
you don't know.

 How  does the  fact that  the judge believed his  decision was
 right support your  argument that  the court (i.e.  judge)  made the 
 correct decision?

Because it means four judges, who were quite likely appointed by
different governors and have different political beliefs, came to the
same opinion about the law.  When four judges who don't like each other
and squabble constantly unanimously say, "the law says this," well, I
tend to give that a lot of credit.

 As  for the appeals  court, I have  heard (obviously  no  first-hand 
 experience)  that  they are  very conservative when  it comes to 
 turning  over a court's  decision

I can't talk about the Minnesota state courts: I haven't studied their
system.  At the federal level, appellate judges give the trial judge's
decisions a great deal of deference when it comes to findings of fact --
the rule of thumb is a factual finding must be as offensive to the
senses as a three-day-old mackerel for a factual finding to be
overturned -- but zero deference for findings of law.  Literally, zero
deference.

 So, what does technical sophistication have to do with whether or not 
 the guy molested the child?

You're asking me to demonstrate psychic powers by telling you about a
transcript I haven't read.

However, as a guess, Minnesota may very well have an enhanced penalty
for the use of counterforensic software and/or encryption in the
commission of a crime.  That's an example of something that wouldn't
have any effect on whether the accused committed the abuse, but would be
relevant to how harshly he was sentenced -- and it could be entered into
evidence on those grounds.

That's just a guess.  There are many, many, *many* other ways it
could've happened.




Deniability

2011-03-21 Thread Jerome Baum
Hi all,

I  am looking  into the  plausible  deniability issue  again that  was
discussed here in the past. My problem definition:

Configure gpg  in such a way  that when I  encrypt a file, be  it to
someone else or  to myself, the recipient(s) can  deny being able to
decrypt the file in question.  An adversary should also be unable to
derive information about the  recipient(s) -- including their number
-- from  the encrypted  message. Assume  I like  encrypt-to-self and
have it enabled.

The obvious way to start is with throw-keyids. Problems:

1. The number of recipients is revealed.

2. If I encrypt to only myself, this is revealed.

I could generate some bogus  keys and throw out the secrets, effectively
making them encryption-only keys. Then  to solve #2, I just encrypt to
such a  bogus key in  addition to  my actual key.  I could also  set the
encrypt-to option  for several bogus  keys to make the  adversary's life
more difficult in determining the number of recipients.

After seeing a number of encrypted messages, the adversary will know for
how many bogus keys I have  encrypt-to set. #1 appears again. This could
be solved by randomly picking a  subset of the bogus keys, possibly as a
wrapper around gpg.  So, both problems can be  solved this way, although
it would be annoying  to have to put randomly-pick-some-bogus-keys.sh in
place.

I can imagine  there are going to be  some relatively simple statistical
attacks on  this scheme (by looking  at algorithms and  key-sizes of the
recipients). What  do you  guys think? What  problems and  solutions are
there?

-- 
Jerome Baum jer...@jeromebaum.com 0xC58C753A
Key fingerprint = A0E4 B2D4 94E6 20EE 85BA  E45B 63E4 2BD8 C58C 753A
Jerome Baum 0x215236DA
Key fingerprint = 2C23 EBFF DF1A 840D 2351  F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-21 Thread Hauke Laging
On Monday 21 March 2011 06:48:07, Jerome Baum wrote:

 2. If I encrypt to only myself, this is revealed.

How?
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




Re: Deniability

2011-03-21 Thread Robert J. Hansen
On 3/21/2011 1:48 AM, Jerome Baum wrote:
 I can imagine  there are going to be  some relatively simple
 statistical attacks on  this scheme (by looking  at algorithms and
 key-sizes of the recipients). What  do you  guys think? What
 problems and  solutions are there?

I think you're trying to use a blender as a personal flotation device.

OpenPGP is not meant to provide deniable communications.  It is
concerned primarily with message confidentiality (encryption) and
message integrity (signing).  Just like blenders blend, PFDs float, and
it's unwise to try and make one do the other's job, I think it's unwise
to crowbar OpenPGP into being a deniable protocol.



Re: Deniability

2011-03-21 Thread Jerome Baum
Hauke Laging mailinglis...@hauke-laging.de writes:

 On Monday 21 March 2011 06:48:07, Jerome Baum wrote:

 2. If I encrypt to only myself, this is revealed.

 How?

Only one recipient. Remember I use encrypt-to-self.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-21 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 OpenPGP is not meant to provide deniable communications.  It is
 concerned primarily with message confidentiality (encryption) and
 message integrity (signing).  Just like blenders blend, PFDs float, and
 it's unwise to try and make one do the other's job, I think it's unwise
 to crowbar OpenPGP into being a deniable protocol.

Deniability is  nice, but more  generally confusing Mallory is  a Good
Thing(tm) as she'll have more work to do. Providing deniability seems to
imply more work  on the part of  Mallory. Say the point is  not to prove
Alice sent  Bob a  message, but  instead Mallory wants  to get  at the
plain-text. If she  can't know for sure that Clyde can  decrypt it -- or
any specific person -- then she'll have to steal several keys before she
finds the right one.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: deniability

2011-03-21 Thread vedaal
Jerome Baum jerome at jeromebaum.com wrote on
Mon Mar 21 06:48:07 CET 2011 :

   Configure gpg in such a way that when I encrypt a file, be it to
someone else or to myself, the recipient(s) can deny being able to
decrypt the file in question.

Any adversary would question as to why the recipient continues to 
receive files undecryptable to him, and also why you are encrypting 
to additional keys, and to whom do they belong, etc.


   An adversary should also be unable to
derive information about the  recipient(s)


A simple way to do this using gnupg, would be something like the 
following:

[1] Don't send the file to any recipient who requires deniability.
[2] Instead of additionally encrypting the file to another key, 
additionally encrypt it symmetrically.
Gnupg allows this by simply typing:

gpg -e -c -a -r (your key) filename

[3] Use the throw-keyid option when you encrypt to your key.
[4] Post the encrypted file to a newsgroup like comp.pgp.test or 
other group that allows test postings.
[5] Your plausible reason for encrypting conventionally in addition 
to your key, is your concern that you might one day lose your 
keyring.
[7] Your plausible reason for posting it to a newsgroup, is that 
you are concerned that 'cloud' organizations might go out of 
business, and this is a simple inexpensive backup.
[8] Your plausible reason for using the throw-keyid option, is that 
since you are posting publicly, you prefer to remain anonymous.
[9] Use a *really good* passphrase (diceware 10 words, [ 7776^10  
2^128 ] ), and find a way to securely make it known to the 
recipient(s).
[10] Since you are using such a 'good' passphrase, it is entirely 
plausible that you could 'forget' it. ;-)

*CAVEAT*
Consider very carefully who your threat model adversary is. 
You don't want to do this with Three Letter Agencies or criminals, 
whereas it might be OK for decent university administrations.  :-)


vedaal





Re: deniability

2011-03-21 Thread Jerome Baum
ved...@nym.hush.com ved...@nym.hush.com writes:

 Any adversary would question as to why the recipient continues to 
 receive files undecryptable to him, and also why you are encrypting 
 to additional keys, and to whom do they belong, etc.

So let's assume I'm not stupid enough to let that adversary know who I'm
sending the message to. Two options:

1. Use a newsgroup as you suggest below.

2. Randomly send  messages that can't be decrypted  to random recipients
   to obscure  matters. The adversary would  have to cope  with the fact
   that I have stuff to hide. :)

 A simple way to do this using gnupg, would be something like the 
 following:

 [1] Don't send the file to any recipient who requires deniability.

Yes, per above.

 [2] Instead of additionally encrypting the file to another key, 
 additionally encrypt it symmetrically.

Why would I do that? That together with [9] is exactly what gpg does
when using asymmetric ciphers.

 [3] Use the throw-keyid option when you encrypt to your key.

Yes, per my original suggestion.

 [4] Post the encrypted file to a newsgroup like comp.pgp.test or 
 other group that allows test postings.

Yes, per above. But good idea to  not use an anonymous group -- this way
I can say I was testing stuff.

 [5] Your plausible reason for encrypting conventionally in addition 
 to your key, is your concern that you might one day lose your 
 keyring.

I don't  find that so  plausible but  yes, agreed that  I can make  up a
reason. Though  I don't see the  benefit in symmetric  encryption at all
for this.

 [7] Your plausible reason for posting it to a newsgroup, is that 
 you are concerned that 'cloud' organizations might go out of 
 business, and this is a simple inexpensive backup.

Yes that, or testing.

 [8] Your plausible reason for using the throw-keyid option, is that 
 since you are posting publicly, you prefer to remain anonymous.

I'd say  it's a plausible  reason to say  I want my privacy.  But yes,
this is a good reason.

 [9] Use a *really good* passphrase (diceware 10 words, [ 7776^10  
 2^128 ] ), and find a way to securely make it known to the 
 recipient(s).

Which is what would happen if I used asymmetric ciphers.

 [10] Since you are using such a 'good' passphrase, it is entirely 
 plausible that you could 'forget' it. ;-)

Couldn't I also forget who the  key encrypted to?  However I might still
be forced to  surrender the session key, so  maybe encrypt-to-self isn't
such a good default?

 Consider very carefully who your threat model adversary is. 
 You don't want to do this with Three Letter Agencies or criminals, 
 whereas it might be OK for decent university administrations.  :-)

For now just an abstract adverse adversary. :)

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: Deniability

2011-03-21 Thread Jerome Baum
Hauke Laging mailinglis...@hauke-laging.de writes:

 You know that. And the archive of this mailinglist now knows that you have 
 once claimed to do that. So one may assume that the only recipient is you but 
 that is not a strong technical conclusion from the message itself.

When I throw-keyids,  what's actually left over? Would  there be any way
to match the keys from several messages, besides key size and type? Also
if one (size, type) appears in all messages, I'd say the conclusion that
I'm using encrypt-to-self is pretty safe.

Then again, I could  use that to my advantage if I  want to encrypt to a
public key of the same size and type! :)

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
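
What an observer without any secret key can still read from a throw-keyids message, and the "(size, type) appears in all messages" inference raised here and in the thread's first post, as an added example that is not part of any poster's message. It walks RFC 4880 packet headers over binary input (for armored files, run `gpg --dearmor` first); the sample messages and helper names are constructed for illustration.

```python
"""List the session-key packets that precede the encrypted data in an
OpenPGP message (RFC 4880) and show what they reveal with the key ID zeroed."""
from collections import Counter

PK_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "Elgamal"}
MPI_COUNT = {1: 1, 2: 1, 16: 2}   # MPIs carrying the encrypted session key
DATA_TAGS = (9, 18)               # encrypted data packets: stop before these


def read_esk_packets(data):
    """Yield (tag, body) for each packet up to the encrypted data packet."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        new_format = bool(hdr & 0x40)
        tag = hdr & 0x3F if new_format else (hdr >> 2) & 0x0F
        if tag in DATA_TAGS:
            return  # data body may use partial lengths; it is not needed here
        i += 1
        if new_format:
            first = data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial length on a session-key packet")
        else:
            size = {0: 1, 1: 2, 2: 4}.get(hdr & 0x03)
            if size is None:
                raise ValueError("indeterminate length on a session-key packet")
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def leaked_metadata(message):
    """Recipient count, algorithms and approximate key sizes, plus the
    number of passphrase (symmetric) session-key packets."""
    recipients, passphrase_slots = [], 0
    for tag, body in read_esk_packets(message):
        if tag == 1:  # public-key encrypted session key
            key_id, algo = body[1:9], body[9]
            bits = None
            if algo in MPI_COUNT:
                # The first MPI is about as long as the modulus/prime;
                # round up to a multiple of 256 as an estimate.
                bits = -(-int.from_bytes(body[10:12], "big") // 256) * 256
            recipients.append({"key_id_hidden": key_id == bytes(8),
                               "key_id": key_id.hex().upper(),
                               "algo": PK_ALGOS.get(algo, "algo-%d" % algo),
                               "approx_key_bits": bits})
        elif tag == 3:  # symmetric-key encrypted session key (gpg -c)
            passphrase_slots += 1
    return {"recipients": recipients, "passphrase_slots": passphrase_slots}


def common_slots(messages):
    """(algo, size) pairs present in every message: the candidates for an
    encrypt-to-self key even though every key ID is hidden."""
    shared = None
    for m in messages:
        prof = Counter((r["algo"], r["approx_key_bits"])
                       for r in leaked_metadata(m)["recipients"])
        shared = prof if shared is None else shared & prof
    return sorted(shared.elements()) if shared else []


# --- constructed sample data (filler bytes, not real ciphertext) ---
def make_mpi(bits):
    n = (bits + 7) // 8
    return bits.to_bytes(2, "big") + bytes([1 << ((bits - 1) % 8)]) + b"\xaa" * (n - 1)


def make_pkesk(algo, bits, key_id=bytes(8)):
    body = b"\x03" + key_id + bytes([algo]) + make_mpi(bits) * MPI_COUNT[algo]
    return b"\x85" + len(body).to_bytes(2, "big") + body  # old format, tag 1


def make_skesk():
    body = b"\x04\x09\x03\x02" + b"\x11" * 8 + b"\x60" + b"\x22" * 33
    return b"\x8c" + bytes([len(body)]) + body            # old format, tag 3


DATA = b"\xd2\x0a\x01" + b"\x33" * 9                      # tag 18 stub
MSG_A = make_pkesk(1, 2046) + make_pkesk(16, 2047) + DATA
MSG_B = make_pkesk(1, 4094) + make_pkesk(1, 2047) + DATA
MSG_C = make_pkesk(1, 2048) + make_skesk() + DATA         # like gpg -e -c
MSG_VISIBLE = make_pkesk(1, 2047, bytes.fromhex("0123456789ABCDEF")) + DATA

if __name__ == "__main__":
    for name, msg in (("A", MSG_A), ("B", MSG_B), ("C", MSG_C)):
        print(name, leaked_metadata(msg))
    print("in every message:", common_slots([MSG_A, MSG_B, MSG_C]))
```

Run against real messages, the same fields are what `gpg --list-packets` prints for each `pubkey enc packet`; decoy recipients only blur the picture if their algorithm and size match the real key.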




Re: deniability

2011-03-21 Thread Jerome Baum
d...@geer.org d...@geer.org writes:

 Ah.  Spam as a covert channel.  Tell me that this isn't already done?

You make  a point,  I should have  been clearer. Randomly  send messages
that can't be decrypted to  random recipients _from a list of recipients
that have agreed to this_ to obscure matters.

It  would be  a lot  of work  to try  decrypting with  each key  but the
recipient could have  a designated trial key with  no pass-phrase that
is used to decrypt some kind  of outer layer.  The adversary would still
need to steal that key only  to verify that _with high probability_, the
message was intended for this specific recipient.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: deniability

2011-03-21 Thread Jerome Baum
Jerome Baum jer...@jeromebaum.com writes:

 (snip talk about a potential solution)

At this point however, the scheme gets complicated and impractical. Are
there any practical solutions that don't depend on complex
implementation on the receiving end?

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: deniability

2011-03-21 Thread dan

 | 
 | 2. Randomly send messages that can't be decrypted to random recipients
 |    to obscure matters. The adversary would have to cope with the fact
 |    that I have stuff to hide. :)
 | 


Ah.  Spam as a covert channel.  Tell me that this isn't already done?

--dan




Re: deniability

2011-03-21 Thread Grant Olson
On 03/21/2011 12:24 PM, Jerome Baum wrote:
 ved...@nym.hush.com ved...@nym.hush.com writes:
 [4] Post the encrypted file to a newsgroup like comp.pgp.test or 
 other group that allows test postings.
 
 Yes, per above. But good idea to not use an anonymous group -- this way
 I can say I was testing stuff.
 

If you want to get really paranoid, post to http://www.pgpboard.com/ via
a TOR connection.  That makes it difficult to show the message even
originated from you.

-- 
-Grant

Look around! Can you construct some sort of rudimentary lathe?





Re: Deniability

2011-03-21 Thread Robert J. Hansen
On 3/21/2011 10:58 AM, Jerome Baum wrote:
 Deniability is nice, but more generally confusing Mallory is a Good
 Thing(tm) as she'll have more work to do. Providing deniability seems to
 imply more work on the part of Mallory. Say the point is not to prove
 Alice sent Bob a message, but instead Mallory wants to get at the
 plain-text. If she can't know for sure that Clyde can decrypt it -- or
 any specific person -- then she'll have to steal several keys before she
 finds the right one.

Or she'll just have to kidnap Alice or Bob and beat them senseless with
a lead pipe until they confess.  Deniability is not as useful of a tool
as it is often made out to be.

There is also a flip side: deniable communications put parties in
increased jeopardy.  Imagine Mallory kidnaps Charlene, who is
uninvolved, because she thinks Charlene is involved.  (This sort of
thing happens quite a lot in the real world: for instance, in the '70s
the Israeli Mossad murdered an innocent Norwegian waiter because they
mistakenly identified him as a terrorist.)

Charlene declares her innocence.  Mallory beats her senseless with a
lead pipe.  "I know you're using a deniable system!  Stop denying things
and tell me the truth!"  Charlene tries to prove she didn't receive the
message -- but she can't, because it's a deniable system.  Mallory keeps
on beating her senseless with a lead pipe.  Sooner or later, Charlene
confesses to anything Mallory suggests, just to make the torture stop.

Deniable communications are neat, but there are two huge eight hundred
pound gorillas lurking in the room:

1.  Deniability doesn't work well against sadists with
lead pipes.
2.  Deniability means you can't give the sadists a reason
to stop.

If this is a thought experiment in how to crowbar deniability into
OpenPGP, I wish you luck.  :)  If you're looking at actually using a
deniable OpenPGP, or recommending others use one, I hope you'll give
serious thought to these two things.




Re: Deniability

2011-03-21 Thread David Shaw
On Mar 21, 2011, at 12:13 PM, Jerome Baum wrote:

 Hauke Laging mailinglis...@hauke-laging.de writes:
 
 You know that. And the archive of this mailinglist now knows that you have
 once claimed to do that. So one may assume that the only recipient is you but
 that is not a strong technical conclusion from the message itself.
 
 When I throw-keyids, what's actually left over? Would there be any way
 to match the keys from several messages, besides key size and type? Also
 if one (size, type) appears in all messages, I'd say the conclusion that
 I'm using encrypt-to-self is pretty safe.

In addition to the size and type information, there is also an interesting 
attack that can be done against speculative key IDs.  It doesn't (directly) 
help a third party know who the recipients are, but it does let any recipient 
try to confirm a guess as to who another recipient might be.

Let's say you encrypt a message to Alice and Baker and hide the key IDs.  Alice 
gets the message and knows there is one other recipient aside from herself.  
She considers who the message came from and what the message was about and 
makes an educated guess that the other recipient is Baker.  To confirm her 
guess, all Alice needs to do is send a specially rigged speculative key ID message 
to Baker.  If Baker responds, then Alice knows he was the other recipient.

Throw-keyids has some good usages (posting a message for pickup in a public 
place, for example), but it's just a tool.  It's important not to rely solely 
on it.

David


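Not part of the thread: an added Python example of the "size and type" metadata discussed above, parsing the public-key encrypted session key (PKESK) packets of an OpenPGP message as laid out in RFC 4880. With throw-keyids the 8-byte key ID field is all zeros, but the algorithm octet and the bit length of each MPI (which is at most the recipient key's size and usually close to it) stay readable to any observer. The sample bytes are constructed for illustration and are not real ciphertext; the function names are this example's own.

```python
ALGOS = {1: ("RSA", 1), 2: ("RSA-E", 1), 16: ("Elgamal", 2)}  # name, MPI count

def read_packets(data):  # yields (tag, body); definite lengths only
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, data[pos:pos + length]
        pos += length

def pkesk_metadata(data):
    """What an observer reads from each version-3 PKESK packet (tag 1)."""
    out = []
    for tag, body in read_packets(data):
        if tag != 1 or len(body) < 10 or body[0] != 3:
            continue
        keyid, algo, pos, bits = body[1:9], body[9], 10, []
        name, mpi_count = ALGOS.get(algo, (str(algo), 0))
        for _ in range(mpi_count):
            bits.append(int.from_bytes(body[pos:pos + 2], "big"))
            pos += 2 + (bits[-1] + 7) // 8  # skip the MPI's value octets
        out.append({"hidden": keyid == bytes(8), "algo": name, "mpi_bits": bits})
    return out

# Constructed sample (not real ciphertext): two PKESK packets with zeroed key IDs
SAMPLE = bytes.fromhex("85010c03" + "00" * 8 + "01" + "07ff7f" + "ff" * 255 +
                       "85020e03" + "00" * 8 + "10" + "07fe3f" + "ff" * 255 +
                       "0800" + "ff" * 256)
```

On the sample, both packets report a hidden key ID, yet one is distinguishable as RSA with a roughly 2048-bit key and the other as Elgamal of the same size, which is the (size, type) pair that can be compared across messages.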