Presentation on theme: "1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06."— Presentation transcript:
1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06
2 Problem Statement Alice broadcasts encrypted messages over a public channel Eve can see ciphertext and coerces Alice before and/or after communication –Demands that Alice sends a particular message –Demands plaintext & receipt to compare with ciphertext Encryption is often a “committing” process How can Alice signal coercion to Bob yet still avoid reprisal by Eve?
3 Benaloh & Tuinstra: Parallel Uncoercible Communication Protocol Shared key K: (L-bit head) … (N bit tail) Alice Bob Shared private channel (e.g. synchronized SecurID units) L-bit message M: … Shared key K: … Ciphertext C: … || (N bit tail of K) Check N-bit tail against K Accept message Reject message What happens if Eve forces L-bit message beforehand? - Alice corrupts N-bit tail What happens if Eve specifies ALL bits beforehand? - Eve must guess N-bit tail correctly (P = 2 -N ) Later, Alice gives Eve “receipt” with some K -All Ks equally plausible! -Can correspond to any plaintext – free or forced
4 Rivest: Chaffing & Winnowing Encryption-free privacy mechanism via std authentication mechanism (keyed HMAC) m-bit Message M: Split into m 1-bit packets:(i, M i, HMAC(K AB, i || M i )) (1, 1, HMAC(K AB, 1 || 1)) (2, 0, HMAC(K AB, 2 || 0)) (3, 1, HMAC(K AB, 3 || 1)) Alice Bob Shared session authentication key K AB Send in the clear Check HMACs and throw away unauthenticated packets (1, 0, Random) (2, 1, Random) (3, 0, Random) Now Alice adds “chaff” Hard for Eve to calculate HMAC without K AB Eve cannot tell wheat from chaff! Multiple simultaneous chaff streams with K ABi Alice & Bob can claim any K ABi is the real one! 101… Bob will throw chaff away (bad MAC) Plausible deniability for precomputed plaintexts
5 Summary & Practical Considerations Methods to exploit degrees of freedom in key/private randomness to generate multiple plausible explanations for communication –Choose forged plaintext at time of encryption –Choose forged plaintext at time of coercion –Some resistant to coercion beforehand (uncoercible) and others resistant to coercion only afterwards (deniable) Must use the method all the time or an adversary may coerce you with a more restricted mechanism Multiple coercion targets must coordinate stories Cleanest option for post-facto coercion: just delete or forget key & randomness
7 Other Methods Clayton & Danezis: Plausibly Deniable Routing Steganography –Steganography is information hiding Example: low-order pixel bits in image contain string –Weak: security through obscurity –Stronger: “keyed” steganography Example: keyed hash selects pixels to encode with –Plausible deniability in steganography Rely on security by obscurity: claim the cover text is the message Parallel steganographic methods: claim that one of n methods is correct Keyed steganographic methods with multiple keys: claim that one of n keys is correct