deniability

Jerome Baum jerome at jeromebaum.com
Mon Mar 21 17:24:11 CET 2011


"vedaal at nym.hush.com" <vedaal at nym.hush.com> writes:

> Any adversary would question as to why the recipient continues to 
> receive files undecryptable to him, and also why you are encrypting 
> to additional keys, and to whom do they belong, etc.

So let's assume I'm not stupid enough to let that adversary know who I'm
sending the message to. Two options:

1. Use a newsgroup as you suggest below.

2. Randomly send messages that can't be decrypted to random recipients
   to obscure matters. The adversary would have to cope with the fact
   that I have stuff to hide. :)

> A simple way to do this using gnupg, would be something like the 
> following:
>
> [1] Don't send the file to any recipient who requires deniability.

Yes, per above.

> [2] Instead of additionally encrypting the file to another key, 
> additionally encrypt it symmetrically.

Why would I do that? That, together with [9], is exactly what gpg does
when using asymmetric ciphers.

> [3] Use the throw-keyid option when you encrypt to your key.

Yes, per my original suggestion.

> [4] Post the encrypted file to a newsgroup like comp.pgp.test or 
> other group that allows test postings.

Yes, per above. But good idea to not use an anonymous group -- this way
I can say I was testing stuff.

> [5] Your plausible reason for encrypting conventionally in addition 
> to your key, is your concern that you might one day lose your 
> keyring.

I don't find that so plausible but yes, agreed that I can make up a
reason. Though I don't see the benefit in symmetric encryption at all
for this.

> [7] Your plausible reason for posting it to a newsgroup, is that 
> you are concerned that 'cloud' organizations might go out of 
> business, and this is a simple inexpensive backup.

Yes that, or testing.

> [8] Your plausible reason for using the throw-keyid option, is that 
> since you are posting publicly, you prefer to remain anonymous.

I'd say it's a plausible reason to say "I want my privacy". But yes,
this is a good reason.

> [9] Use a *really good* passphrase (diceware 10 words, [ 7776^10 > 
> 2^128 ] ), and find a way to securely make it known to the 
> recipient(s).

Which is what would happen if I used asymmetric ciphers.

> [10] Since you are using such a 'good' passphrase, it is entirely 
> plausible that you could 'forget' it. ;-)

Couldn't I also forget who the key encrypted to? However I might still
be forced to surrender the session key, so maybe encrypt-to-self isn't
such a good default?

> Consider very carefully who your threat model adversary is. 
> You don't want to do this with Three Letter Agencies or criminals, 
> whereas it might be OK for decent university administrations.  :-)

For now just an abstract adverse adversary. :)

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
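
Added example, not part of the original message: a short Python reader for the session-key packets at the front of a binary OpenPGP message, showing what stays visible to an observer when throw-keyid and an extra passphrase are combined as discussed above (the number of recipients, the algorithms, and the fact that a passphrase packet exists). It assumes RFC 4880 packet framing and unarmored input; the sample bytes and the key ID 1122334455667788 are constructed for illustration.

```python
WILDCARD = bytes(8)  # all-zero key ID, written when key IDs are thrown
def read_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet header at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body length (streamed data packet)")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length (data packet)")
    size = 1 << ltype  # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def session_key_packets(buf):
    """Summarise the leading PKESK (tag 1) and SKESK (tag 3) packets."""
    found, pos = [], 0
    while pos < len(buf):
        try:
            tag, start, length = read_header(buf, pos)
        except ValueError:
            break  # streamed data packet: session-key packets are over
        if tag not in (1, 3):
            break  # reached the encrypted data packet
        body = buf[start:start + length]
        if tag == 1:  # version, 8-byte key ID, public-key algorithm
            keyid = body[1:9]
            shown = "hidden" if keyid == WILDCARD else keyid.hex().upper()
            found.append(("pubkey", shown, body[9]))
        else:  # version, symmetric algorithm, S2K specifier
            found.append(("passphrase", None, body[1]))
        pos = start + length
    return found

def pkt(tag, body):  # sample builder: new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body
# Constructed sample, not real ciphertext; the named key ID is made up.
SAMPLE = (pkt(1, b"\x03" + WILDCARD + b"\x01" + b"\x00\x08\xaa")
          + pkt(1, b"\x03" + bytes.fromhex("1122334455667788") + b"\x10\x00\x08\xbb")
          + pkt(3, b"\x04\x09\x03\x08" + bytes(8) + b"\x60")
          + pkt(18, b"\x01" + bytes(16)))
```

Calling `session_key_packets(SAMPLE)` returns one entry per session-key packet, so a hidden recipient still counts toward the visible recipient total.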


More information about the Gnupg-users mailing list