Deniability

[David Shaw]

On Mar 21, 2011, at 12:13 PM, Jerome Baum wrote:

> Hauke Laging <mailinglisten at hauke-laging.de> writes:
> 
>> You know that. And the archive of this mailinglist now knows that you have 
>> once claimed to do that. So one may assume that the only recipient is you but 
>> that is not a strong technical conclusion from the message itself.
> 
> When I throw-keyids,  what's actually left over? Would  there be any way
> to match the keys from several messages, besides key size and type? Also
> if one (size, type) appears in all messages, I'd say the conclusion that
> I'm using encrypt-to-self is pretty safe.

In addition to the size and type information, there is also an interesting attack that can be done against speculative key IDs.  It doesn't (directly) help a third party know who the recipients are, but it does let any recipient try to confirm a guess as to who another recipient might be.

Let's say you encrypt a message to Alice and Baker and hide the key IDs.  Alice gets the message and knows there is one other recipient aside from herself.  She considers who the message came from and what the message was about and makes an educated guess that the other recipient is Baker.  To confirm her guess, all Alice needs to do send a specially rigged speculative key ID message to Baker.  If Baker responds, then Alice knows he was the other recipient.

Throw-keyids has some good usages (posting a message for pickup in a public place, for example), but it's just a tool.  It's important not to rely solely on it.

David