ctoon6
|
|
July 16, 2011, 10:06:03 PM |
|
so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?
|
|
|
|
myrkul
|
|
July 16, 2011, 10:09:10 PM |
|
so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?
Yeah, but it's OK. It's for the 'public good'.
|
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
July 16, 2011, 11:13:13 PM |
|
2) They won't stop unless you either give it to them or prove you cannot give it to them.
The mere fact that hidden volumes exist means you can't prove that you can't. Even if you give them the real one. Right. That's why deniable encryption is useless against torture. It is, however, useful against a court ordering you to provide the keys. My point was that 2) was moot. Either they will accept it, or they won't. Even if you give them the real data. If you don't use any deniable encryption, you can give them the key to any encrypted information you've ever created. The chance that you will get into the situation where people believe you have something you actually don't have is much less if you don't use deniable encryption. If your threat model is torture, deniable encryption is an awful idea. If the torturers find out that you've used deniable encryption and you don't have what they want, they will never stop. If your threat model is a court order, deniable encryption may be useful.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
July 16, 2011, 11:14:33 PM |
|
so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?
I don't see how you can get from "you probably can't get away with lying" to "they can make up shit". Juries are just not going to be impressed with "you can't prove I didn't forget".
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
myrkul
|
|
July 16, 2011, 11:19:25 PM |
|
2) They won't stop unless you either give it to them or prove you cannot give it to them.
The mere fact that hidden volumes exist means you can't prove that you can't. Even if you give them the real one. Right. That's why deniable encryption is useless against torture. It is, however, useful against a court ordering you to provide the keys. My point was that 2) was moot. Either they will accept it, or they won't. Even if you give them the real data. If you don't use any deniable encryption, you can give them the key to any encrypted information you've ever created. The chance that you will get into the situation where people believe you have something you actually don't have is much less if you don't use deniable encryption. If your threat model is torture, deniable encryption is an awful idea. If the torturers find out that you've used deniable encryption and you don't have what they want, they will never stop. If your threat model is a court order, deniable encryption may be useful. If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.
|
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
July 16, 2011, 11:39:37 PM |
|
If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.
I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way. But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
myrkul
|
|
July 16, 2011, 11:42:31 PM |
|
If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.
I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way. But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem. I don't think you know what you're talking about. I sure as hell don't. Could you define 'deniable encryption' for me, so we're on the same page?
|
|
|
|
vector76
Member
Offline
Activity: 70
Merit: 18
|
|
July 16, 2011, 11:54:16 PM |
|
You could have buried a USB thumb drive at a secret location somewhere in Montana and they could torture you until you tell them where. You can't prove that you haven't hidden data that way, any more than you can prove that there is no deniable encryption on your computer.
Using an encryption tool that supports deniable encryption might lead them to suspect that you have hidden data through deniable encryption, but I think it will only slightly increase your risk of torture, because there are many ways of hiding data. If they think you have hidden data somehow, the particular technology won't make that much difference.
|
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
July 17, 2011, 12:50:22 AM Last edit: July 17, 2011, 01:12:46 AM by JoelKatz |
|
If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.
I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way. But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem. I don't think you know what you're talking about. I sure as hell don't. Could you define 'deniable encryption' for me, so we're on the same page? Deniable encryption means an encryption scheme where there can be zero or more keys which can decrypt different data and wherein an attacker cannot prove that a given key does not decrypt all the data or even that any encrypted data is contained at all. By contrast, in other schemes, one can generally prove that a particular key does in fact decrypt all the data. You can, of course, always claim that you never knew the password or forgot it. But this claim may seem implausible if the encrypted data was found on your own computer or they have other evidence that you created it or accessed it. Deniable encryption may be useful in cases where you are legally compelled to decrypt some data. You can claim you did decrypt that data without actually revealing some data you wish to keep hidden. It cannot be proven that you failed to decrypt all the data. You can cheerfully admit that you created the data and that you can decrypt it. You can present them with one or more encryption keys. You can still keep any data from them by failing to reveal the particular key that decrypts that data. However, if you're being tortured for a decryption key, what you need to be able to do is prove to your torturers that you have enabled them to decrypt all the data. Then they will stop torturing you. With deniable encryption, you cannot do this. So deniable encryption is useful against the "legal compulsion" threat model and worse than useless against the "rubber hose" threat model.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
myrkul
|
|
July 17, 2011, 01:14:26 AM |
|
If your threat model is torture, ANY encryption may be considered deniable. So, you're screwed either way.
I don't follow. Are you talking about the case where they think you know the key and you really don't? Yes, with that issue, you're screwed either way. But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem. I don't think you know what you're talking about. I sure as hell don't. Could you define 'deniable encryption' for me, so we're on the same page? Deniable encryption means an encryption scheme where there can be zero or more keys which can decrypt different data and wherein an attacker cannot prove that a given key does not decrypt all the data or even that any encrypted data is contained at all. By contrast, in other schemes, one can generally prove that a particular key does in fact decrypt all the data. Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?
|
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
July 17, 2011, 01:19:24 AM |
|
Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?
Winzip. GPG. Bitlocker.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
NghtRppr
|
|
July 17, 2011, 01:38:53 AM |
|
Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?
Winzip. GPG. Bitlocker. Those random bytes on your hard drive look encrypted to me. I think it's $5 wrench time.
|
|
|
|
myrkul
|
|
July 17, 2011, 01:40:09 AM |
|
Can you give me an example of a non-deniable encryption scheme, that you can prove a particular key decrypts all data?
Winzip. GPG. Bitlocker. Any that is cross platform, and allows file and drive encryption, preferably pre-boot?
|
|
|
|
em3rgentOrdr (OP)
|
|
July 17, 2011, 04:48:15 PM |
|
But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.
But same with regular encryption. You can decrypt your bits in question, but your adversary may still claim that there is still something you're hiding...
|
"We will not find a solution to political problems in cryptography, but we can win a major battle in the arms race and gain a new territory of freedom for several years.
Governments are good at cutting off the heads of a centrally controlled networks, but pure P2P networks are holding their own."
|
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
July 17, 2011, 04:56:53 PM |
|
But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.
But same with regular encryption. You can decrypt your bits in question, but your adversary may still claim that there is still something you're hiding... Right. That's why deniable encryption is useful against the "lawful order" threat model. Say the government finds some encrypted data in my possession. And say they can convince a jury that I have some digital evidence they want. With deniable encryption, they still have to prove that the information they want is in the encrypted data they have. They cannot do this with deniable encryption. If I give them a key and it doesn't decrypt the data they want, they still can't prove that it's because I didn't give them the right key. It's also possible they didn't find every place I might put my data. But it's no help against the "rubber hose" threat model. Claiming "you may be pretty sure I have the data you want, but maybe I hid it someplace you don't know" won't get them to put the rubber hose away. You need to either give them the data they want or convince them that it is impossible for you to do that. Deniable encryption doesn't make either of these any easier and might make the latter much harder.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
em3rgentOrdr (OP)
|
|
July 17, 2011, 05:23:18 PM |
|
But my point is that deniable encryption adds the additional risk that you will know the key and they still won't believe you. That is, deniable encryption has no benefit and adds an additional problem.
But same with regular encryption. You can decrypt your bits in question, but your adversary may still claim that there is still something you're hiding... Right. That's why deniable encryption is useful against the "lawful order" threat model. Say the government finds some encrypted data in my possession. And say they can convince a jury that I have some digital evidence they want. With deniable encryption, they still have to prove that the information they want is in the encrypted data they have. They cannot do this with deniable encryption. If I give them a key and it doesn't decrypt the data they want, they still can't prove that it's because I didn't give them the right key. It's also possible they didn't find every place I might put my data. But it's no help against the "rubber hose" threat model. Claiming "you may be pretty sure I have the data you want, but maybe I hid it someplace you don't know" won't get them to put the rubber hose away. You need to either give them the data they want or convince them that it is impossible for you to do that. Deniable encryption doesn't make either of these any easier and might make the latter much harder. Julian Assange explains the game theory logic as to why Rubberhose encryption may protect you from having to reveal data: What I find interesting, is how this constraint on Alice's behaviour actually protects her from revealing her own keys, because each party, at the outset can make the following observations:
Rubber-hose-squad: We will never be able to show that Alice has revealed the last of her keys. Further, even if Alice has co-operated fully and has revealed all of her keys, she will not be able to prove it. Therefor, we must assume that at every stage that Alice has kept secret information from us, and continue to beat her, even though she may have revealed the last of her keys. But the whole time we will feel uneasy about this because Alice may have co-operated fully. Alice will have realised this though, and so presumably it's going to be very hard to get keys out of her at all.
Alice: (Having realised the above) I can never prove that I have revealed the last of my keys. In the end I'm bound for continued beating, even if I can buy brief respites by coughing up keys from time to time. Therefor, it would be foolish to divulge my most sensitive keys, because (a) I'll be that much closer to the stage where I have nothing left to divulge at all (it's interesting to note that this seemingly illogical, yet entirely valid argument of Alice's can protect the most sensitive of Alice's keys the "whole way though", like a form mathematical induction), and (b) the taste of truly secret information will only serve to make my aggressors come to the view that there is even higher quality information yet to come, re-doubling their beating efforts to get at it, even if I have revealed all. Therefor, my best strategy would be to (a) reveal no keys at all or (b) depending on the nature of the aggressors, and the psychology of the situation, very slowly reveal my "duress" and other low-sensitivity keys.
Alice certainly isn't in for a very nice time of it (although she she's far more likely to protect her data).
So no, Rubberhose encryption doesn't guarantee that you won't be tortured infinitely, but for very serious confidential information, it may lead to a preferred situation where the torturers simply give up, and decided to not waste time and resources in trying to extract info from you, considering that the opportunity cost of those expensive and highly skilled torturers could be better spent elsewhere on easier subject. They will instead just leave you locked up indefinitely and use you as a bargaining chip for prisoner exchange negotiations, as that may be better for them then simply killing you. Anway, Rubberhose isn't the only type of deniable encryption. There are other methods of deniable encryption which may be better suited. For instance, you encrypt a jpeg. Then you cooperate with your tortuers to decrypt that jpeg. The tortuers are then satisfied at this point. However, what they don't know is that you actually used stenography to embeded secret encrypted data inside the relatively innocuous jpeg. According to the wikipedia entry, deniable encryption includes such a scheme I just described in the following bolded section: In cryptography and steganography, deniable encryption is encryption that allows its users to convincingly deny that the data is encrypted, or that they are able to decrypt it[citation needed]. Such convincing denials may or may not be genuine. For example, although suspicions might exist that the data is encrypted, it may be impossible to prove it without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.
Normally ciphertexts decrypt to a single plaintext and hence once decrypted, the encryption user cannot claim that he encrypted a different message. Deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and insist that it is what they encrypted. The holder of the ciphertext will not have the means to differentiate between the true plaintext, and the bogus-claim plaintext.
|
"We will not find a solution to political problems in cryptography, but we can win a major battle in the arms race and gain a new territory of freedom for several years.
Governments are good at cutting off the heads of a centrally controlled networks, but pure P2P networks are holding their own."
|
|
|
em3rgentOrdr (OP)
|
|
July 17, 2011, 05:32:12 PM |
|
so really the whole thread is pointless? the government can just take you and make up shit and just detain you forever?
Yeah, but it's OK. It's for the 'public good'. There you go. Both of you hit the nail on the head. Little serfs, please stop wasting your time debating on internet forums about deniable encryption. Get thee back to the farm and produce more resources for you to share with master.
|
"We will not find a solution to political problems in cryptography, but we can win a major battle in the arms race and gain a new territory of freedom for several years.
Governments are good at cutting off the heads of a centrally controlled networks, but pure P2P networks are holding their own."
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
July 17, 2011, 05:37:25 PM Last edit: July 17, 2011, 06:21:24 PM by JoelKatz |
|
Anway, Rubberhose isn't the only type of deniable encryption. There are other methods of deniable encryption which may be better suited. For instance, you encrypt a jpeg. Then you cooperate with your tortuers to decrypt that jpeg. The tortuers are then satisfied at this point. However, what they don't know is that you actually used stenography to embeded secret encrypted data inside the relatively innocuous jpeg. According to the wikipedia entry, deniable encryption includes such a scheme I just described in the following bolded section:
I don't see how this helps you. You decrypt the JPG and it appears innocuous. Even if they erroneously conclude that you therefore didn't hide the information they're after in that particular JPG, how does that help you? Again, this helps against the "lawful order" threat model. They command you to decrypt the JPG and have reason to believe you can do so. So you do so. They have what they want but still can't use it. You win. But against the "rubber hose" threat model, it's useless. They now mistakenly believe that the information they want is not in the JPG, but they have no reason to stop torturing you. I don't buy the 'James Bond' argument that you might resist torture until you can escape, be released somehow, or the torturers find better things to do. That might apply to .001% of cases, maybe.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
em3rgentOrdr (OP)
|
|
July 17, 2011, 05:53:05 PM |
|
Anway, Rubberhose isn't the only type of deniable encryption. There are other methods of deniable encryption which may be better suited. For instance, you encrypt a jpeg. Then you cooperate with your tortuers to decrypt that jpeg. The tortuers are then satisfied at this point. However, what they don't know is that you actually used stenography to embeded secret encrypted data inside the relatively innocuous jpeg. According to the wikipedia entry, deniable encryption includes such a scheme I just described in the following bolded section:
I don't see how this helps you. You decrypt the JPG and it appears innocuous. Even if they erroneously conclude that you therefore didn't hide the information they're after in that particular JPG, how does that help you? because you want a preferred situation whereby they don't obtain the very important encrypted data and they hopefully give up on torturing you indefinitely. Again, this helps against the "lawful order" threat model. They command you to decrypt the JPG and have reason to believe you can do so. So you do so. They have what they want but still can't sue it. You win.
We obviously agree here. But against the "rubber hose" threat model, it's useless. They now mistakenly believe that the information they want is not in the JPG, but they have no reason to stop torturing you.
No they don't. They think they got sensitive jpeg out of you and send it to their superiors and mistakenly report that they successfully obtained confidential enemy info. I don't buy the 'James Bond' argument that you might resist torture until you can escape, be released somehow, or the torturers find better things to do. That might apply to .001% of cases, maybe.
I didn't imply you would be a magical Houdini who can escape any jail given enough time. But prisoner exchanges happen all times in most wars, according to game theory this is often a rationally preferred decision for both parties. Admittedly, I have never been tortured and don't have a clue what goes on in government torture camps, but I do know prisoner swaps occur all the time. Just google prisoner swap or prisoner exchange.
|
"We will not find a solution to political problems in cryptography, but we can win a major battle in the arms race and gain a new territory of freedom for several years.
Governments are good at cutting off the heads of a centrally controlled networks, but pure P2P networks are holding their own."
|
|
|
|