By Phunda Mental

As I'm sure most of us know by now, the world is getting to be a scary place. We are getting placed in bondage against our wills when there is little or no evidence that any crime was committed, or that anyone (other than the Feds' sense of order) was somehow harmed.

With the latest examples of injustice, such as those endured by Bernie S. and Kevin Mitnick, it is no stretch of the imagination to envision a case in which a person is held in prison for failing to reveal her encryption key. Certainly a warrant can be legally obtained for such a key, and this makes sense when we understand cryptography merely as a way to lock away secrets. The problem with this model is that the very same bits that serve us as locks also serve us as identification. If a law enforcement officer obtains the keys to our files, he can also "prove" to our associates that "he is us." He can sign digital contracts in our names, and even sign digital confessions for us. A scary proposition.

It is for these reasons that I began looking for a way to pull one over on Joe Officer. Simply hoping against hope that the government will keep itself away from our keys is probably naive.

What we would like to have is a system where, if Joe Officer demands the key to our ciphertext file, we can choose to supply one of many keys. One key might reveal a love letter to his wife, the other might reveal the complete works of Shakespeare. A third key might give us our secret documents. This is usually called deniable encryption. This term usually carries the added stipulation that the user be able to invent keys on the fly, when pressure is applied by enforcement to reveal a meaningful text. I don't find this idea to be that great though, because this assumes that the decryption is done in a black box; in other words, that law enforcement isn't watching us and looking at our programs. They would see us invent a key for a given plaintext.

Instead of this, I find it preferable to decide beforehand what plaintexts will be available. In this way, law enforcement sees us apply a key with a given algorithm, and the plaintext simply appears out of that. No specialized calculations specifically for deniability need to take place. The enemy would know that we probably have a means to extract other data sets, but any additional data in there can legitimately be said to exist to frustrate cryptanalysis; in the terms we will use, this data is just junk chaff. I call this type of system a "cushioned" encryption system; that is, we set up an alibi to fall back on beforehand. But before we consider this method, let's look at the simplest method of deniability.

The most obvious way to achieve this is with a one-time pad. An OTP has the property that a key can be constructed to reveal any possible message of length N from ciphertext (also of length N). To achieve this feat, however, our key also needs to be N bytes in length. This might be OK for a few bytes here and there that we can remember the pad (key) for, but in this case why not just memorize the plaintext and be done with it?

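
The one-time pad property described above, shown as an added Python example that is not part of the original article: given a ciphertext of length N, a second pad is computed under which it decrypts to a chosen decoy, and that pad is itself N bytes long. The function names and both sample messages are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole one-time pad operation)."""
    if len(a) != len(b):
        raise ValueError("pad and text must be exactly the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


def alibi_pad(ciphertext: bytes, decoy: bytes, fill: bytes = b" ") -> bytes:
    """Build the pad under which `ciphertext` decrypts to `decoy`.

    The decoy is padded with `fill` to N bytes; it can never be longer than N.
    """
    if len(decoy) > len(ciphertext):
        raise ValueError("decoy cannot be longer than the ciphertext")
    return xor_bytes(ciphertext, decoy.ljust(len(ciphertext), fill))


def demo() -> dict:
    # Constructed sample messages, not taken from the article.
    secret = b"meet at the usual place at nine"
    decoy = b"shall I compare thee"
    real_pad = secrets.token_bytes(len(secret))   # N random key bytes
    ciphertext = otp_encrypt(secret, real_pad)
    fake_pad = alibi_pad(ciphertext, decoy)       # also N bytes
    return {
        "with_real_pad": otp_decrypt(ciphertext, real_pad),
        "with_alibi_pad": otp_decrypt(ciphertext, fake_pad),
        "key_bytes_to_remember": len(fake_pad),
        "message_bytes": len(secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```
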
We can store all of the pads on disk, but not only is this troublesome to work with, Joe Officer can simply confiscate all of the pads. Even if the pads are encrypted with PGP, he just demands the key to the pads instead of to our secret document.

One-time pads just aren't going to cut it.

Enter Ron Rivest. Rivest, most widely known for his work on the RSA public key algorithm, recently introduced a small paper on a method of data confidentiality that he calls "winnowing and chaffing."

The basic w/c method is discussed in [RIV98] and is a really interesting idea. Rivest proposed it as a method of achieving confidentiality without encryption: the plaintext is transmitted in the clear. See Rivest's paper for how this is done - if the material in this article

Page 20 2600 Magazine Fall 1998