Deniability

[Jerome Baum]

David Shaw <dshaw at jabberwocky.com> writes:

> In  addition  to the  size  and type  information,  there  is also  an
> interesting attack that  can be done against speculative  key IDs.  It
> doesn't (directly) help a third party know who the recipients are, but
> it does  let any recipient  try to confirm  a guess as to  who another
> recipient might be.

> Let's say  you encrypt a message to  Alice and Baker and  hide the key
> IDs.  Alice  gets the message and  knows there is  one other recipient
> aside from herself.  She considers  who the message came from and what
> the  message was  about and  makes an  educated guess  that  the other
> recipient is Baker.  To confirm her  guess, all Alice needs to do send
> a  specially rigged  speculative key  ID message  to Baker.   If Baker
> responds, then Alice knows he was the other recipient.

Would that be by reusing the  session key? Or are there other properties
that we can mess with?

How about, say  I know the session key and the  public encryption key of
the suspect, can't I just encrypt the session key to that public key and
see if it comes out the same?

> Throw-keyids has some  good usages (posting a message  for pickup in a
> public place, for example), but  it's just a tool.  It's important not
> to rely solely on it.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 880 bytes
Desc: not available
URL: </pipermail/attachments/20110322/936900cb/attachment.pgp>