Eric Murray (ericm@lne.com)
Fri, 27 Mar 1998 15:23:32 -0800 (PST)
mgraffam@mhv.net writes:
> Suppose that I have two streams of plaintext I (innocuous) and S
> (sensitive). If I run some cipher (C) on them, then C(I) becomes the
> chaff for C(S). Blocks can be MACed and placed into a file for archival
> or transmission. It is important to note that C(I)'s MACs are not random,
> but are derived in the same way as C(S)'s, but with a different cipher
> key and a different authentication key.
>
> In this way, if an attacker decides to use rubber-hose cryptanalysis
> against our hero, he can provide the attacker with the authentication
> key for C(I) and the cipher key to decrypt that stream, yielding I and
> keeping S secret. Other chaff can be added from /dev/urandom if need
> be.

If the attacker guesses that there's more than one plaintext
stream, what's to prevent him from continuing the rubber
hose cryptanalysis until he's gotten the keys to both C(I) and C(S)?
Or does the deniability rest on convincing the attacker
that C(S) is merely chaff for C(I)?
--
Eric Murray  Chief Security Scientist  N*Able Technologies  www.nabletech.com
(email: ericm at lne.com or nabletech.com)  PGP keyid:E03F65E5
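
An added illustration of the scheme under discussion (not code from either poster): two streams are enciphered and MACed under separate key pairs, mixed with random chaff, and then winnowed with only the keys for I, which shows that the leftover packets all simply fail the MAC check. The SHA-256 keystream XOR standing in for cipher C, the packet layout, and every name below are assumptions made for the example.

```python
import hashlib, hmac, os, random

BLOCK = 16  # assumed fixed packet payload size

def keystream_xor(key: bytes, seq: int, block: bytes) -> bytes:
    # Stand-in for cipher C (illustration only): XOR with SHA-256(key || seq).
    pad = hashlib.sha256(key + seq.to_bytes(8, "big")).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, pad))

def mac(auth_key: bytes, seq: int, ct: bytes) -> bytes:
    return hmac.new(auth_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def pack(plaintext: bytes, cipher_key: bytes, auth_key: bytes):
    """Encipher one stream and MAC each block: list of (seq, ct, tag)."""
    out = []
    for seq, off in enumerate(range(0, len(plaintext), BLOCK)):
        ct = keystream_xor(cipher_key, seq, plaintext[off:off + BLOCK])
        out.append((seq, ct, mac(auth_key, seq, ct)))
    return out

def random_chaff(n: int):
    # Extra chaff with random payload and random tag, as from /dev/urandom.
    return [(seq, os.urandom(BLOCK), os.urandom(32)) for seq in range(n)]

def winnow(packets, cipher_key: bytes, auth_key: bytes):
    """Return (plaintext recovered with this key pair, packets that failed)."""
    good, rejected = {}, []
    for seq, ct, tag in packets:
        if hmac.compare_digest(tag, mac(auth_key, seq, ct)):
            good[seq] = keystream_xor(cipher_key, seq, ct)
        else:
            rejected.append((seq, ct, tag))
    return b"".join(good[s] for s in sorted(good)), rejected

def demo():
    # Constructed sample streams, padded to a whole number of blocks.
    I = b"Meeting notes: lunch at noon, bring the slides.".ljust(48)
    S = b"Constructed sensitive text for the example only.".ljust(48)
    keys = {name: (os.urandom(32), os.urandom(32)) for name in ("I", "S")}
    packets = pack(I, *keys["I"]) + pack(S, *keys["S"]) + random_chaff(3)
    random.shuffle(packets)
    got_i, rest = winnow(packets, *keys["I"])   # holder of I's keys only
    got_s, _ = winnow(rest, *keys["S"])         # holder of S's keys as well
    return I, S, got_i, got_s, len(rest)
```

With only the keys for I, the six leftover packets (three C(S) blocks and three random ones) are all just MAC failures; the format itself does not mark which of them belong to a second stream.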