Deniability

[David Shaw]

On Mar 22, 2011, at 10:44 AM, Jerome Baum wrote:

> David Shaw <dshaw at jabberwocky.com> writes:
> 
>> In  addition  to the  size  and type  information,  there  is also  an
>> interesting attack that  can be done against speculative  key IDs.  It
>> doesn't (directly) help a third party know who the recipients are, but
>> it does  let any recipient  try to confirm  a guess as to  who another
>> recipient might be.
> 
>> Let's say  you encrypt a message to  Alice and Baker and  hide the key
>> IDs.  Alice  gets the message and  knows there is  one other recipient
>> aside from herself.  She considers  who the message came from and what
>> the  message was  about and  makes an  educated guess  that  the other
>> recipient is Baker.  To confirm her  guess, all Alice needs to do send
>> a  specially rigged  speculative key  ID message  to Baker.   If Baker
>> responds, then Alice knows he was the other recipient.
> 
> Would that be by reusing the  session key? Or are there other properties
> that we can mess with?

Sorry, yes, that's re-using the session key (didn't mean to be mysterious).  Since Alice, as a recipient, can find the session key, she can encrypt a new message to Baker with that session key, prefix it with the unknown recipient's encrypted session key, and send the whole message to Baker.  If Baker can read it, then it reveals who the unknown recipient is.

Of course, if Baker can't read it, it might tip him off that Alice is probing him...

> How about, say  I know the session key and the  public encryption key of
> the suspect, can't I just encrypt the session key to that public key and
> see if it comes out the same?

Unfortunately there is random data in the encrypted session key format, so the test encryption would not match Baker's encrypted session key.

David