Deniable Encryption
   HOME

TheInfoList



OR:

In
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
and
steganography Steganography ( ) is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, ...
, plausibly deniable encryption describes
encryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
techniques where the existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that the
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
data exists. The users may convincingly deny that a given piece of data is encrypted, or that they are able to decrypt a given piece of encrypted data, or that some specific encrypted data exists. Such denials may or may not be genuine. For example, it may be impossible to prove that the data is encrypted without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
.


Function

Deniable encryption makes it impossible to prove the existence of the plaintext message without the proper decryption key. This may be done by allowing an encrypted message to be decrypted to different sensible plaintexts, depending on the
key Key or The Key may refer to: Common meanings * Key (cryptography), a piece of information that controls the operation of a cryptography algorithm * Key (lock), device used to control access to places or facilities restricted by a lock * Key (map ...
used. This allows the sender to have
plausible deniability Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to denial, deny knowledge of or responsibility for any damnable actions committed by members of their organizational hierarchy. Th ...
if compelled to give up their encryption key. The notion of "deniable encryption" was used by
Julian Assange Julian Paul Assange ( ; Hawkins; born 3 July 1971) is an Australian editor, publisher, and activist who founded WikiLeaks in 2006. WikiLeaks came to international attention in 2010 when it published a series of leaks provided by U.S. Army inte ...
and Ralf Weinmann in the
Rubberhose filesystem In computing, rubberhose (also known by its development codename Marutukku) is a deniable encryption archive containing multiple file systems whose existence can only be verified using the appropriate cryptographic key. Name and history The pr ...
and explored in detail in a paper by
Ran Canetti Ran Canetti (Hebrew: רן קנטי) is a professor of Computer Science at Boston University. and the director of the Check Point Institute for Information Security and of the Center for Reliable Information System and Cyber Security. He is also ...
,
Cynthia Dwork Cynthia Dwork (born June 27, 1958) is an American computer scientist at Harvard University, where she is Gordon McKay Professor of Computer Science, Radcliffe Alumnae Professor at the Radcliffe Institute for Advanced Study, and Affiliated Professo ...
,
Moni Naor Moni Naor ( he, מוני נאור) is an Israeli Israeli may refer to: * Something of, from, or related to the State of Israel * Israelis, citizens or permanent residents of the State of Israel * Modern Hebrew, a language * ''Israeli'' (news ...
, and
Rafail Ostrovsky Rafail Ostrovsky is a distinguished professor of computer science and mathematics at UCLA and a well-known researcher in algorithms and cryptography. Biography Rafail Ostrovsky received his Ph.D. from MIT in 1992. He is a member of the editoria ...
in 1996.


Scenario

Deniable encryption allows the sender of an encrypted message to deny sending that message. This requires a trusted third party. A possible scenario works like this: #Bob suspects his wife Alice is engaged in adultery. That being the case, Alice wants to communicate with her secret lover Carl. She creates two keys, one intended to be kept secret, the other intended to be sacrificed. She passes the secret key (or both) to Carl. #Alice constructs an innocuous message M1 for Carl (intended to be revealed to Bob in case of discovery) and an incriminating love letter M2 to Carl. She constructs a cipher-text C out of both messages, M1 and M2, and emails it to Carl. #Carl uses his key to decrypt M2 (and possibly M1, in order to read the fake message, too). #Bob finds out about the email to Carl, becomes suspicious and forces Alice to decrypt the message. #Alice uses the sacrificial key and reveals the innocuous message M1 to Bob. Since it is impossible for Bob to know for sure that there might be other messages contained in C, he might assume that there ''are'' no other messages (alternatively, Bob may not be familiar with the concept of plausible encryption in the first place, and thus may not be aware it is even possible for C to contain more than one message). Another possible scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and must not be able to read each other's instructions. Bob will receive the message first and then forward it to Carl. #Alice constructs the ciphertext out of both messages, M1 and M2, and emails it to Bob. #Bob uses his key to decrypt M1 and isn't able to read M2. #Bob forwards the ciphertext to Carl. #Carl uses his key to decrypt M2 and isn't able to read M1.


Forms of deniable encryption

Normally, ciphertexts decrypt to a single plaintext that is intended to be kept secret. However, one form of deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and plausibly claim that it is what they encrypted. The holder of the ciphertext will not be able to differentiate between the true plaintext, and the bogus-claim plaintext. In general, one
ciphertext In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
cannot be decrypted to all possible
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
s unless the key is as large as the
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
, so it is not practical in most cases for a ciphertext to reveal no information whatsoever about its plaintext. However, some schemes allow decryption to decoy plaintexts that are close to the original in some metric (such as
edit distance In computational linguistics and computer science, edit distance is a string metric, i.e. a way of quantifying how dissimilar two strings (e.g., words) are to one another, that is measured by counting the minimum number of operations required to tr ...
). Modern deniable encryption techniques exploit the fact that without the key, it is infeasible to distinguish between ciphertext from
block cipher In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called ''blocks''. Block ciphers are specified cryptographic primitive, elementary components in the design of many cryptographic protocols and ...
s and data generated by a
cryptographically secure pseudorandom number generator A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely kno ...
(the cipher's pseudorandom permutation properties). This is used in combination with some
decoy A decoy (derived from the Dutch ''de'' ''kooi'', literally "the cage" or possibly ''ende kooi'', " duck cage") is usually a person, device, or event which resembles what an individual or a group might be looking for, but it is only meant to lu ...
data that the user would plausibly want to keep confidential that will be revealed to the attacker, claiming that this is all there is. This is a form of
steganography Steganography ( ) is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, ...
. If the user does not supply the correct key for the truly secret data, decrypting it will result in apparently random data, indistinguishable from not having stored any particular data there. One example of deniable encryption is a cryptographic filesystem that employs a concept of abstract "layers", where each layer can be decrypted with a different encryption key. Additionally, special "
chaff Chaff (; ) is the dry, scaly protective casing of the seeds of cereal grains or similar fine, dry, scaly plant material (such as scaly parts of flowers or finely chopped straw). Chaff is indigestible by humans, but livestock can eat it. In agri ...
layers" are filled with random data in order to have
plausible deniability Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to denial, deny knowledge of or responsibility for any damnable actions committed by members of their organizational hierarchy. Th ...
of the existence of real layers and their encryption keys. The user can store decoy files on one or more layers while denying the existence of others, claiming that the rest of space is taken up by chaff layers. Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are either
random In common usage, randomness is the apparent or actual lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no :wikt:order, order and does not follow an intelligible pattern or combination. Ind ...
ized (in case they belong to chaff layers), or
cryptographic hash A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output re ...
es of strings identifying the blocks. The
timestamp A timestamp is a sequence of characters or encoded information identifying when a certain event occurred, usually giving date and time of day, sometimes accurate to a small fraction of a second. Timestamps do not have to be based on some absolut ...
s of these files are always randomized. Examples of this approach include
Rubberhose filesystem In computing, rubberhose (also known by its development codename Marutukku) is a deniable encryption archive containing multiple file systems whose existence can only be verified using the appropriate cryptographic key. Name and history The pr ...
and PhoneBookFS. Another approach used by some conventional
disk encryption software Disk encryption software is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption. Compared to access controls commonly enforced by a ...
suites is creating a second encrypted
volume Volume is a measure of occupied three-dimensional space. It is often quantified numerically using SI derived units (such as the cubic metre and litre) or by various imperial or US customary units (such as the gallon, quart, cubic inch). The de ...
within a container volume. The container volume is first formatted by filling it with encrypted random data, and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable.
LibreCrypt FreeOTFE is a discontinued open source computer program for on-the-fly disk encryption (OTFE). On Microsoft Windows, and Windows Mobile (using FreeOTFE4PDA), it can create a virtual drive within a file or partition, to which anything written is ...
and
BestCrypt BestCrypt, developed bJetico is a commercial disk encryption app available for Windows, Linux, macOS and Android. BestCrypt comes in two editions: BestCrypt Volume Encryption to encrypt entire disk volumes; BestCrypt Container Encryption to ...
can have many hidden volumes in a container;
TrueCrypt TrueCrypt is a discontinued source-available freeware utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file, or encrypt a partition or the whole storage device (pre-boot authentication). On 28 May ...
is limited to one hidden volume.


Detection

The existence of hidden encrypted data may be revealed by flaws in the implementation. It may also be revealed by a so-called
watermarking attack In cryptography, a watermarking attack is an attack on disk encryption methods where the presence of a specially crafted piece of data can be detected by an attacker without knowing the encryption key. Problem description Disk encryption suites g ...
if an inappropriate cipher mode is used. The existence of the data may be revealed by it 'leaking' into non-encrypted disk space where it can be detected by
forensic Forensic science, also known as criminalistics, is the application of science to Criminal law, criminal and Civil law (legal system), civil laws, mainly—on the criminal side—during criminal investigation, as governed by the legal standard ...
tools. Doubts have been raised about the level of plausible deniability in 'hidden volumes' – the contents of the "outer" container filesystem have to be 'frozen' in its initial state to prevent the user from corrupting the hidden volume (this can be detected from the access and modification timestamps), which could raise suspicion. This problem can be eliminated by instructing the system not to protect the hidden volume, although this could result in lost data.


Drawbacks

Possession of deniable encryption tools could lead attackers to continue torturing a user even after the user has revealed all their keys, because the attackers could not know whether the user had revealed their last key or not. However, knowledge of this fact can disincentivize users from revealing any keys to begin with, since they will never be able to prove to the attacker that they have revealed their last key.


Deniable authentication

Some in-transit encrypted messaging suites, such as
Off-the-Record Messaging Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bi ...
, offer
deniable authentication In cryptography, deniable authentication refers to message authentication between a set of participants where the participants themselves can be confident in the authenticity of the messages, but it cannot be proved to a third party after the event. ...
which gives the participants
plausible deniability Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to denial, deny knowledge of or responsibility for any damnable actions committed by members of their organizational hierarchy. Th ...
of their conversations. While deniable authentication is not technically "deniable encryption" in that the encryption of the messages is not denied, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular. This is achieved by the fact that all information necessary to forge messages is appended to the encrypted messages – if an adversary is able to create digitally authentic messages in a conversation (see
hash-based message authentication code In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret ...
(HMAC)), they are also able to
forge A forge is a type of hearth used for heating metals, or the workplace (smithy) where such a hearth is located. The forge is used by the smith to heat a piece of metal to a temperature at which it becomes easier to shape by forging, or to th ...
messages in the conversation. This is used in conjunction with
perfect forward secrecy In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key ...
to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages.


Software

*
OpenPuff OpenPuff Steganography and Watermarking, sometimes abbreviated OpenPuff or Puff, is a Free Software, free steganography tool for Microsoft Windows created by Cosimo Oliboni and still maintained as independent software. The program is notable for b ...
, freeware semi-open-source steganography for MS Windows. *
LibreCrypt FreeOTFE is a discontinued open source computer program for on-the-fly disk encryption (OTFE). On Microsoft Windows, and Windows Mobile (using FreeOTFE4PDA), it can create a virtual drive within a file or partition, to which anything written is ...
,
opensource Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized so ...
transparent disk encryption for MS Windows and PocketPC PDAs that provides both deniable encryption and
plausible deniability Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to denial, deny knowledge of or responsibility for any damnable actions committed by members of their organizational hierarchy. Th ...
. Offers an extensive range of encryption options, and doesn't need to be installed before use as long as the user has administrator rights. *
Off-the-Record Messaging Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bi ...
, a cryptographic technique providing true deniability for instant messaging. * Rubberhose, defunct project (last release in 2000, not compatible with modern Linux distributions) *
StegFS StegFS is a free steganographic file system for Linux based on the ext2 filesystem. It is licensed under the GPL. It was principally developed by Andrew D. McDonald and Markus G. Kuhn. The last version of StegFS is 1.1.4, released February 14, ...
, the current successor to the ideas embodied by the Rubberhose and PhoneBookFS filesystems. * VeraCrypt (a successor to a discontinued
TrueCrypt TrueCrypt is a discontinued source-available freeware utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file, or encrypt a partition or the whole storage device (pre-boot authentication). On 28 May ...
), an on-the-fly disk encryption software for Windows, Mac and Linux providing limited deniable encryptionTrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X, and Linux - Hidden Volume
/ref> and to some extent (due to limitations on the number of hidden volumes which can be created)
plausible deniability Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to denial, deny knowledge of or responsibility for any damnable actions committed by members of their organizational hierarchy. Th ...
, without needing to be installed before use as long as the user has full administrator rights. * Vanish, a research prototype implementation of self-destructing data storage.


See also

* * * * * * * *


References


Further reading

* * * {{DEFAULTSORT:Deniable Encryption Cryptography