1996-10-14 - Re: Binding Cryptography - a fraud-det…

Header Data

From: peter.allan@aeat.co.uk (Peter M Allan)
To: peter.allan@aeat.co.uk
Message Hash: feaea482a4ea1092bdfe45263fa20154c534bcdcce104c9e914ea96106678010
Message ID: <9610141247.AA19937@clare.risley.aeat.co.uk>
Reply To: N/A
UTC Datetime: 1996-10-14 12:47:22 UTC
Raw Date: Mon, 14 Oct 1996 05:47:22 -0700 (PDT)

Raw message

From: peter.allan@aeat.co.uk (Peter M Allan)
Date: Mon, 14 Oct 1996 05:47:22 -0700 (PDT)
To: peter.allan@aeat.co.uk
Subject: Re: Binding Cryptography - a fraud-det...
Message-ID: <9610141247.AA19937@clare.risley.aeat.co.uk>
MIME-Version: 1.0
Content-Type: text/plain



 
       
1)  What's in it for the user ?

    A voluntary scheme that offers nothing for the user won't be used.

    A compulsory scheme gains nothing for anyone (to be shown later).

    Even standardisation for its own sake (making it popular for being
    popular, regardless of merit) won't do much.  DOS and driving on the
    right are not universal.

2)  What happens when the Feds recover meaningless data ?

    You could ban unrecognised data, with sampling by a TRP.
    You mean I'm called to the Police Station to explain my .qfx file ?
       
3)  Are you going to ban all messages that might contain stego-data ?

    Ban here means flag as "session keys may differ".

4)  How will you detect and punish gangs who share a private key ?


  > Eric Verheul  [everheul@mail.rijnhaave.nl]
    
     Hal Finney[SMTP:hal@rain.org] wrote:
     >Another flaw with schemes of this time (in terms of failing to meet
     >their goals) is that they cannot detect superencryption and other
     >forms of non-standard encryption of the message body proper.  All
     >they can really do is verify from the outside that the same session
     >key is encrypted for the two recipients (the intended recipient and
     >the Government Access to Keys Party - let's not abuse the term by
     >calling him a Trusted Third Party).  But they can't be sure that the
     >session key is sufficient information to decrypt the message.

  > We offered a solution for the *first* task not for the *second*; the
  > point is that criminals(!) do not gain any real advantage from using
  > the system in that way as they - among other things - still face the
  > key-management problem. The above discussions are only relevant in
  > countries where the use of crypto outside the structure would be
  > prohibited. BTW, it is by such discussions that I believe such a ban
  > is ineffective and in fact counterproductive.

I'm still puzzled as to what the point of the scheme is if
   other encryption is legal
or other encryption is undetectable.
It makes as much sense as a law against successful unaided suicide.


Here are 2 suggested solutions to the criminals' key management problem
allowing them to exploit Binding Cryptography.


Plan 1)

Ronald wishes to send a secret message to Margaret via a BC scheme.

He first chooses a session key and encrypts his message with it.
He hides the message in a stego file and signs it.

The session key he chose he now encrypts (ElGamal) with Margaret's pubkey.
He decrypts this with his own privkey to get a different session key.  Call this S.
(Cheats who trust each other could share a keypair so the message will not
appear to go to himself.)

He encrypts the signed stegofile with key S and sends it to himself
and Margaret and a few TRPs.

All observers agree the session key S was used all round.
The message even looks innocent if sampled by the TRP.

The stegocontent is only readable by Margaret's privkey
(reading the key-to-Ronald field).

This can be beaten by enforcing a random session key as opposed
to a derived one.  Make S be the output of a hash for which Ronald
proves in ZK that he knows the input.
(It is not clear from your description that you do this.)



Plan 2)


Use signed stego.

Base key exchange on Diffie-Hellman with the first cyphertext variable 
in the ElGamal scheme.   G=g**k

Or base key exchange on something internal to the stego, as desired.


Get half-baked politicians to see GAK isn't a vote winner and only
wastes money.  Unicorn says convincing government is impossible, but
if they care about nothing else, they listen for where the votes are.

Anyone wanting to find GAK-neutral work to think about could follow
a few of the IETF's working groups.  Why make something obnoxious ?


Peter Allan   peter.allan@aeat.co.uk





Thread