Obama's "Justice" Department wants to force you to decrypt your DjWVBeXx4ZHsvGME

[ctoon6]

so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?

[1713875435]

1713875435

[myrkul]

so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?

Yeah, but it's OK. It's for the 'public good'.

[JoelKatz]

2) They won't stop unless you either give it to them or prove you cannot give it to them.

The mere fact that hidden volumes exist means you can't prove that you can't. Even if you give them the real one.

Right. That's why deniable encryption is useless against torture. It is, however, useful against a court ordering you to provide the keys.

My point was that 2) was moot. Either they will accept it, or they won't. Even if you give them the real data.

If you don't use any deniable encryption, you can give them the key to any encrypted information you've ever created. The chance that you will get into the situation where people believe you have something you actually don't have is much less if you don't use deniable encryption.

If your threat model is torture, deniable encryption is an awful idea. If the torturers find out that you've used deniable encryption and you don't have what they want, they will never stop.

If your threat model is a court order, deniable encryption may be useful.

[JoelKatz]

so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?

I don't see how you can get from "you probably can't get away with lying" to "they can make up shit". Juries are just not going to be impressed with "you can't prove I didn't forget".

[myrkul]

2) They won't stop unless you either give it to them or prove you cannot give it to them.

The mere fact that hidden volumes exist means you can't prove that you can't. Even if you give them the real one.

Right. That's why deniable encryption is useless against torture. It is, however, useful against a court ordering you to provide the keys.

My point was that 2) was moot. Either they will accept it, or they won't. Even if you give them the real data.

If you don't use any deniable encryption, you can give them the key to any encrypted information you've ever created. The chance that you will get into the situation where people believe you have something you actually don't have is much less if you don't use deniable encryption.

If your threat model is torture, deniable encryption is an awful idea. If the torturers find out that you've used deniable encryption and you don't have what they want, they will never stop.

If your threat model is a court order, deniable encryption may be useful.

If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.

[JoelKatz]

If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.

I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way.

But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.

[myrkul]

If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.

I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way.

But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.

I don't think you know what you're talking about. I sure as hell don't. Could you define 'deniable encryption' for me, so we're on the same page?

[vector76]

You could have buried a USB thumb drive at a secret location somewhere in Montana and they could torture you until you tell them where.  You can't prove that you haven't hidden data that way, any more than you can prove that there is no deniable encryption on your computer.

Using an encryption tool that supports deniable encryption might lead them to suspect that you have hidden data through deniable encryption, but I think it will only slightly increase your risk of torture, because there are many ways of hiding data.  If they think you have hidden data somehow, the particular technology won't make that much difference.

[JoelKatz]

If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.

I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way.

But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.

I don't think you know what you're talking about. I sure as hell don't. Could you define 'deniable encryption' for me, so we're on the same page?

Deniable encryption means an encryption scheme where there can be zero or more keys which can decrypt different data and wherein an attacker cannot prove that a given key does not decrypt all the data or even that any encrypted data is contained at all. By contrast, in other schemes, one can generally prove that a particular key does in fact decrypt all the data. You can, of course, always claim that you never knew the password or forgot it. But this claim may seem implausible if the encrypted data was found on your own computer or they have other evidence that you created it or accessed it.

Deniable encryption may be useful in cases where you are legally compelled to decrypt some data. You can claim you did decrypt that data without actually revealing some data you wish to keep hidden. It cannot be proven that you failed to decrypt all the data. You can cheerfully admit that you created the data and that you can decrypt it. You can present them with one or more encryption keys. You can still keep any data from them by failing to reveal the particular key that decrypts that data.

However, if you're being tortured for a decryption key, what you need to be able to do is prove to your torturers that you have enabled them to decrypt all the data. Then they will stop torturing you. With deniable encryption, you cannot do this.

So deniable encryption is useful against the "legal compulsion" threat model and worse than useless against the "rubber hose" threat model.

[myrkul]

If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.

I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way.

But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.

I don't think you know what you're talking about. I sure as hell don't. Could you define 'deniable encryption' for me, so we're on the same page?

Deniable encryption means an encryption scheme where there can be zero or more keys which can decrypt different data and wherein an attacker cannot prove that a given key does not decrypt all the data or even that any encrypted data is contained at all. By contrast, in other schemes, one can generally prove that a particular key does in fact decrypt all the data.

Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?

[JoelKatz]

Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?

Winzip. GPG. Bitlocker.

[NghtRppr]

Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?

Winzip. GPG. Bitlocker.

Those random bytes on your hard drive look encrypted to me. I think it's $5 wrench time.

[myrkul]

Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?

Winzip. GPG. Bitlocker.

Any that is cross platform, and allows file and drive encryption, preferably pre-boot?

[em3rgentOrdr]

But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.

But same with regular encryption.  You can decrypt your bits in question, but your adversary may still claim that there is still something you're hiding...

[ctoon6]

http://en.wikipedia.org/wiki/Steganography

never let them know the existence of such messages/data in the first place.

[JoelKatz]

But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.

But same with regular encryption.  You can decrypt your bits in question, but your adversary may still claim that there is still something you're hiding...

Right.

That's why deniable encryption is useful against the "lawful order" threat model. Say the government finds some encrypted data in my possession. And say they can convince a jury that I have some digital evidence they want. With deniable encryption, they still have to prove that the information they want is in the encrypted data they have. They cannot do this with deniable encryption. If I give them a key and it doesn't decrypt the data they want, they still can't prove that it's because I didn't give them the right key. It's also possible they didn't find every place I might put my data.

But it's no help against the "rubber hose" threat model. Claiming "you may be pretty sure I have the data you want, but maybe I hid it someplace you don't know" won't get them to put the rubber hose away. You need to either give them the data they want or convince them that it is impossible for you to do that. Deniable encryption doesn't make either of these any easier and might make the latter much harder.

[em3rgentOrdr]

But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.

But same with regular encryption.  You can decrypt your bits in question, but your adversary may still claim that there is still something you're hiding...

Right.

That's why deniable encryption is useful against the "lawful order" threat model. Say the government finds some encrypted data in my possession. And say they can convince a jury that I have some digital evidence they want. With deniable encryption, they still have to prove that the information they want is in the encrypted data they have. They cannot do this with deniable encryption. If I give them a key and it doesn't decrypt the data they want, they still can't prove that it's because I didn't give them the right key. It's also possible they didn't find every place I might put my data.

But it's no help against the "rubber hose" threat model. Claiming "you may be pretty sure I have the data you want, but maybe I hid it someplace you don't know" won't get them to put the rubber hose away. You need to either give them the data they want or convince them that it is impossible for you to do that. Deniable encryption doesn't make either of these any easier and might make the latter much harder.

Julian Assange explains the game theory logic as to why Rubberhose encryption may protect you from having to reveal data:

What I find interesting, is how this constraint on Alice's behaviour
actually protects her from revealing her own keys, because each party,
at the outset can make the following observations:

Rubber-hose-squad: We will never be able to show that Alice has
         revealed the last of her keys. Further, even if
         Alice has co-operated fully and has revealed all of
         her keys, she will not be able to prove it.
         Therefor, we must assume that at every stage that
         Alice has kept secret information from us, and
         continue to beat her, even though she may have
         revealed the last of her keys. But the whole time
         we will feel uneasy about this because Alice may
         have co-operated fully. Alice will have realised this
         though, and so presumably it's going to be very hard
         to get keys out of her at all.


Alice:         (Having realised the above) I can never prove that I
         have revealed the last of my keys. In the end I'm
         bound for continued beating, even if I can buy
         brief respites by coughing up keys from time to
         time. Therefor, it would be foolish to divulge my
         most sensitive keys, because (a) I'll be that much
         closer to the stage where I have nothing left to
         divulge at all (it's interesting to note that this
         seemingly illogical, yet entirely valid argument of
         Alice's can protect the most sensitive of Alice's
         keys the "whole way though", like a form
         mathematical induction), and (b) the taste of truly
         secret information will only serve to make my
         aggressors come to the view that there is even
         higher quality information yet to come, re-doubling
         their beating efforts to get at it, even if I have
         revealed all. Therefor, my best strategy would be
         to (a) reveal no keys at all or (b) depending on
         the nature of the aggressors, and the psychology of
         the situation, very slowly reveal my "duress" and
         other low-sensitivity keys.

Alice certainly isn't in for a very nice time of it (although she
she's far more likely to protect her data).

So no, Rubberhose encryption doesn't guarantee that you won't be tortured infinitely, but for very serious confidential information, it may lead to a preferred situation where the torturers simply give up, and decided to not waste time and resources in trying to extract info from you, considering that the opportunity cost of those expensive and highly skilled torturers could be better spent elsewhere on easier subject.  They will instead just leave you locked up indefinitely and use you as a bargaining chip for prisoner exchange negotiations, as that may be better for them then simply killing you.

Anway, Rubberhose isn't the only type of deniable encryption.  There are other methods of deniable encryption which may be better suited.  For instance, you encrypt a jpeg.  Then you cooperate with your tortuers to decrypt that jpeg.  The tortuers are then satisfied at this point.  However, what they don't know is that you actually used stenography to embeded secret encrypted data inside the relatively innocuous jpeg.  According to the wikipedia entry, deniable encryption includes such a scheme I just described in the following bolded section:

In cryptography and steganography, deniable encryption is encryption that allows its users to convincingly deny that the data is encrypted, or that they are able to decrypt it[citation needed]. Such convincing denials may or may not be genuine. For example, although suspicions might exist that the data is encrypted, it may be impossible to prove it without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.

Normally ciphertexts decrypt to a single plaintext and hence once decrypted, the encryption user cannot claim that he encrypted a different message. Deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and insist that it is what they encrypted. The holder of the ciphertext will not have the means to differentiate between the true plaintext, and the bogus-claim plaintext.

[em3rgentOrdr]

so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?

Yeah, but it's OK. It's for the 'public good'.

   There you go.  Both of you hit the nail on the head.  Little serfs, please stop wasting your time debating on internet forums about deniable encryption.  Get thee back to the farm and produce more resources for you to share with master.

[JoelKatz]

Anway, Rubberhose isn't the only type of deniable encryption.  There are other methods of deniable encryption which may be better suited.  For instance, you encrypt a jpeg.  Then you cooperate with your tortuers to decrypt that jpeg.  The tortuers are then satisfied at this point.  However, what they don't know is that you actually used stenography to embeded secret encrypted data inside the relatively innocuous jpeg.  According to the wikipedia entry, deniable encryption includes such a scheme I just described in the following bolded section:

I don't see how this helps you. You decrypt the JPG and it appears innocuous. Even if they erroneously conclude that you therefore didn't hide the information they're after in that particular JPG, how does that help you?

Again, this helps against the "lawful order" threat model. They command you to decrypt the JPG and have reason to believe you can do so. So you do so. They have what they want but still can't use it. You win.

But against the "rubber hose" threat model, it's useless. They now mistakenly believe that the information they want is not in the JPG, but they have no reason to stop torturing you.

I don't buy the 'James Bond' argument that you might resist torture until you can escape, be released somehow, or the torturers find better things to do. That might apply to .001% of cases, maybe.

[em3rgentOrdr]

Anway, Rubberhose isn't the only type of deniable encryption.  There are other methods of deniable encryption which may be better suited.  For instance, you encrypt a jpeg.  Then you cooperate with your tortuers to decrypt that jpeg.  The tortuers are then satisfied at this point.  However, what they don't know is that you actually used stenography to embeded secret encrypted data inside the relatively innocuous jpeg.  According to the wikipedia entry, deniable encryption includes such a scheme I just described in the following bolded section:

I don't see how this helps you. You decrypt the JPG and it appears innocuous. Even if they erroneously conclude that you therefore didn't hide the information they're after in that particular JPG, how does that help you?

because you want a preferred situation whereby they don't obtain the very important encrypted data and they hopefully give up on torturing you indefinitely.

Again, this helps against the "lawful order" threat model. They command you to decrypt the JPG and have reason to believe you can do so. So you do so. They have what they want but still can't sue it. You win.

We obviously agree here.

But against the "rubber hose" threat model, it's useless. They now mistakenly believe that the information they want is not in the JPG, but they have no reason to stop torturing you.

No they don't.  They think they got sensitive jpeg out of you and send it to their superiors and mistakenly report that they successfully obtained confidential enemy info.

I don't buy the 'James Bond' argument that you might resist torture until you can escape, be released somehow, or the torturers find better things to do. That might apply to .001% of cases, maybe.

I didn't imply you would be a magical Houdini who can escape any jail given enough time.  But prisoner exchanges happen all times in most wars, according to game theory this is often a rationally preferred decision for both parties.  Admittedly, I have never been tortured and don't have a clue what goes on in government torture camps, but I do know prisoner swaps occur all the time.  Just google prisoner swap or prisoner exchange.