Crypto, Winnowing and Chaffing (fwd)


mgraffam@mhv.net
Fri, 27 Mar 1998 17:19:41 -0500 (EST)


-----BEGIN PGP SIGNED MESSAGE-----

I would like some comments on an idea that I've been playing with,
recently sparked by Rivest's article.

First, I would like to note that I do not have the same intentions with
this idea as Rivest did. Rivest wishes to not encrypt the data due to
export. I'm more interested in deniable encryption, and as such actually
encrypting the data is perfectly acceptable.

Suppose that I have two streams of plaintext I (innocuous) and S
(sensitive). If I run some cipher (C) on them, then C(I) becomes the
chaff for C(S). Blocks can be MACed and placed into a file for archival
or transmission. It is important to note that C(I)'s MACs are not random,
but are derived in the same way as C(S)'s, but with a different cipher
key and a different authentication key.

In this way, if an attacker decides to use rubber-hose cryptanalysis
against our hero, he can provide the attacker with the authentication
key for C(I) and the cipher key to decrypt that stream, yielding I and
keeping S secret. Other chaff can be added from /dev/urandom if need
be.

In this scenario, the "blocks" need not be small; in fact the block
can just be the whole file, as the confidentiality is lent by C()
and not the chaffing.

I propose using a cipher to ensure that any residual footprint of
I and S is wiped away. To achieve this without crypto would mean very
small blocks, and this is not practical.

Of course, to be convincing the I stream would need to be somewhat
sinister or controversial. It would not be convincing to pull the Bard's
Sonnets out of the ciphertext, but pulling love letters or porn might
be.

Finally, key management might be difficult. Having to memorize 4 keys (2
for the ciphers, and 2 authentication keys) may lead to data loss.
My solution to this is to take two passphrases. Hash the passphrase,
giving H, and then hash half of H, yielding H'. H' can be used for the
authentication key, and the hash of the second half of H can be used
for the cipher.

What do people think about this? Where did I go wrong :)

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
Let your life be a counter-friction to stop the machine.
                                Henry David Thoreau "Civil Disobedience"

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBNRwmAwKEiLNUxnAfAQEZzQQAlyAVMdpRw6OxpaUVhP+M94C24gUnkjkv
JOuxKtHsJ9NHL/eQLJAV0bTvHllJftPiBvCFD/teQ17USdjszfwq0vr99TUUtjMz
SDAwj2jTfbTEWOjpHyqBSsvTa+wHN+eRBUQYZP/e1mI9K55p/xgZax7AR7gO855Y
8nqudHlVr9E=
=zQ4o
-----END PGP SIGNATURE-----
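The scheme sketched in the message above, written out as an added example (it is not code from the original post or from Rivest's paper). It assumes a stand-in cipher C built from an HMAC-SHA256 keystream in counter mode, since the Python standard library ships no block cipher; the packet layout (sequence number, per-packet nonce, ciphertext, 32-byte HMAC tag), the helper names, and the passphrase splitting (hash the passphrase to get H, hash each half of H for the authentication and cipher keys) follow the post, while the exact byte boundaries and tag length are my assumptions. Both the innocuous and the sensitive stream get real MACs under their own keys, random chaff packets with random tags are mixed in, and winnowing with one pair of keys recovers only that stream.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # assumption: HMAC-SHA256 tag on every packet


def derive_keys(passphrase: str):
    """Key schedule from the post: H = hash(passphrase); auth key = hash(first
    half of H); cipher key = hash(second half of H). SHA-256 is assumed."""
    h = hashlib.sha256(passphrase.encode("utf-8")).digest()
    auth_key = hashlib.sha256(h[:16]).digest()
    cipher_key = hashlib.sha256(h[16:]).digest()
    return cipher_key, auth_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for 'some cipher C': XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call encrypts and decrypts. Assumption, not the
    poster's choice of cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _tag(auth_key: bytes, seq: int, nonce: bytes, ct: bytes) -> bytes:
    # The MAC covers sequence number, nonce and ciphertext so a packet cannot
    # be reordered or have its nonce swapped without failing the winnow check.
    return hmac.new(auth_key, struct.pack(">I", seq) + nonce + ct, hashlib.sha256).digest()


def make_packet(cipher_key: bytes, auth_key: bytes, seq: int, block: bytes):
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(cipher_key, nonce, block)
    return (seq, nonce, ct, _tag(auth_key, seq, nonce, ct))


def chaff_and_mix(streams, block_size=None, random_chaff=2):
    """streams: list of (cipher_key, auth_key, plaintext). Each stream is cut
    into blocks (whole file when block_size is None, as the post allows),
    every block is encrypted and MACed under that stream's own keys, a few
    /dev/urandom-style chaff packets with random tags are added, and the lot
    is shuffled so file order leaks nothing about stream membership."""
    packets = []
    for cipher_key, auth_key, plaintext in streams:
        step = block_size or max(len(plaintext), 1)
        for seq, start in enumerate(range(0, len(plaintext), step)):
            packets.append(make_packet(cipher_key, auth_key, seq, plaintext[start:start + step]))
    for _ in range(random_chaff):
        packets.append((secrets.randbelow(1 << 32), secrets.token_bytes(16),
                        secrets.token_bytes(secrets.randbelow(48) + 1),
                        secrets.token_bytes(TAG_LEN)))
    secrets.SystemRandom().shuffle(packets)
    return packets


def winnow(packets, cipher_key: bytes, auth_key: bytes) -> bytes:
    """Keep only packets whose tag verifies under auth_key, decrypt them with
    cipher_key, and reassemble in sequence order. Constant-time compare so a
    rejected packet leaks no tag bytes."""
    kept = {}
    for seq, nonce, ct, tag in packets:
        if hmac.compare_digest(tag, _tag(auth_key, seq, nonce, ct)):
            kept[seq] = keystream_xor(cipher_key, nonce, ct)
    return b"".join(kept[s] for s in sorted(kept))


def demo():
    # Constructed sample streams; any two byte strings work.
    innocuous = b"Dear diary, today I walked the dog and did nothing of note." * 3
    sensitive = b"The thing that must stay secret."
    ck_i, ak_i = derive_keys("innocuous passphrase")
    ck_s, ak_s = derive_keys("sensitive passphrase")
    archive = chaff_and_mix([(ck_i, ak_i, innocuous), (ck_s, ak_s, sensitive)], block_size=32)
    return {
        "packets": len(archive),
        "innocuous": winnow(archive, ck_i, ak_i),
        "sensitive": winnow(archive, ck_s, ak_s),
        # Right auth key, wrong cipher key: the packets pass the winnow but
        # decrypt to noise, which is why the post keeps the two keys separate.
        "mismatched": winnow(archive, ck_i, ak_s),
    }


if __name__ == "__main__":
    r = demo()
    print(r["packets"], "packets;", r["innocuous"] == demo and "", r["sensitive"])
```

One thing the code makes visible that the prose does not: every real packet carries a sequence number and the archive carries a fixed number of packets, so an examiner who counts packets, or notices that the winnowed I stream accounts for only part of them, has a hint that a second stream exists. The random chaff helps hide that count, and both streams should be cut into blocks of the same size so packet lengths do not single out S.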

