Encryption Security

Plausible Deniability From Rockstar Cryptographers 358

J. Karl Rove writes "Nikita Borisov and Ian Goldberg (of many, many other projects) have released Off the Record Messaging for Gaim. Encrypt an IM, prove (at the time) that it came from you, and deny it later. The authentication works only when the message is sent; anybody can forge all the messages he wants afterwards (toolkit included). Captured or archived messages prove nothing. And forward secrecy means Big Brother can't read your messages even if he wiretaps you AND grabs your computer later on. All the gooey goodness of crypto, with none of the consequences! They have a protocol spec, source code, and Debian and Fedora binaries."
  • Re:I wonder (Score:5, Informative)

    by Entrope ( 68843 ) on Thursday December 16, 2004 @05:16PM (#11109282) Homepage
    "Later" is after the speaker decides that conversation is over. You pick a signing key for your messages, sign it with your normal public key, send messages using the first key, and your correspondent can confirm you are who you claim. When you want to finish the conversation, you publish (at least to your correspondent) the temporary signing key, and anyone who has it can then forge messages that are as trustable as what you said.
  • by chill ( 34294 ) on Thursday December 16, 2004 @05:21PM (#11109333) Journal
    It authenticates and creates a "conversation". This allows you to be certain the person on the other end is who you think it is. DH key exchange is performed.

    Then, messages sent during that conversation are encrypted using disposable session keys. (128-bit AES w/SHA-1 HMAC).

    Think of it as an authentication tunnel down which you send encrypted messages. The message encryption is in no way related to the authentication, and the disposable session keys mean they have no re-use value.

    -Charles
  • by Mr.Ned ( 79679 ) on Thursday December 16, 2004 @05:31PM (#11109429)
    That's why you have encrypted swap. On OpenBSD it's as simple as setting the sysctl 'vm.swapencrypt.enable=1'; there are HOWTOs for other operating systems. Look for the device mapper on Linux, for example.
  • by farnz ( 625056 ) <slashdot&farnz,org,uk> on Thursday December 16, 2004 @05:44PM (#11109540) Homepage Journal
    It uses PGP to share a key between two or more people; it then uses that key to authenticate the conversation. The difference between this and OpenPGP is that OpenPGP authenticates that the owner of a given OpenPGP key sent a message. This scheme proves that someone with the shared key sent the message.

    Thus, I can create a key that I send to my friend. He and I discuss things, both using that key for encryption. When we've finished, we publish the key used for the conversation, and anyone can now add to the conversation. Thus, while we keep the key secret between us, we're assured of a private conversation; when we publish the key, anyone can add to it, thus giving the deniability.

  • by stolen.identity ( 804896 ) on Thursday December 16, 2004 @05:52PM (#11109628)

    The key seems to be the "disposable key" part.

    With normal public-key crypto, you sign with your actual private key, and you encrypt with the recipient's actual public key. This means that if someone gets hold of the recipient's private key, they can decrypt the messages, and because your public key is, well, public, they can prove that you wrote the message.

    In this system, you generate throw-away keys, and exchange them securely when you start communicating. After you are done communicating, you can just throw away the keys, or you can publish them if you want. They are of no use, really. Someone can decrypt your communication, but they can't prove that it was you that wrote it, and once you publish the key, anyone else can forge messages that look like they were part of the conversation.

    During the conversation, you have the security, authentication and non-repudiation that you are looking for - you can be sure that the other party is who they say that they are, that all messages are actually from them, and that only you can read those messages.

    As soon as the conversation is over, you give away the keys and all bets are off - there is no longer a way to prove the identity of the person who sent the message since anyone can now forge messages that appear to be part of the conversation.

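The mechanism that Entrope, chill, farnz and stolen.identity describe above, as an added worked example (my own code, not from the thread and not the OTR authors' implementation): a long-term key signs only the ephemeral Diffie-Hellman value, the messages themselves are protected with a per-session HMAC, and once the MAC key is handed out the tags prove nothing. Everything is standard library. Assumptions for illustration: the key exchange is simplified to "sign your DH value with your long-term key", the long-term key is a Lamport one-time signature built from SHA-256 rather than OTR's DSA key, the DH modulus is 2^255-19 with generator 2 rather than the 1536-bit MODP group OTR uses, and a SHA-256 keystream stands in for AES-CTR; the HMAC-SHA1 tag, which the thread mentions, is the part the deniability argument actually rests on. `demo()` and all other names are mine.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters (assumed for illustration only; OTR uses the 1536-bit MODP group).
P = 2**255 - 19
G = 2


def sha256(data):
    return hashlib.sha256(data).digest()


# --- Long-term identity key: a Lamport one-time signature from SHA-256,
# standing in for the DSA key an OTR user keeps. Any signature scheme would do;
# the point is that it signs the DH value below and nothing else.
def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(sha256(x0), sha256(x1)) for x0, x1 in priv]
    return priv, pub


def lamport_sign(priv, msg):
    h = int.from_bytes(sha256(msg), "big")
    return [priv[i][(h >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pub, msg, sig):
    h = int.from_bytes(sha256(msg), "big")
    return all(sha256(sig[i]) == pub[i][(h >> (255 - i)) & 1] for i in range(256))


# --- Session setup: ephemeral DH exponents, then one hash of the shared secret
# split into an encryption key and a MAC key (the "disposable session keys").
def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_keys(shared):
    k = sha256(b"otr-demo-kdf" + shared.to_bytes(32, "big"))
    return k[:16], k[16:]  # 128-bit encryption key, 128-bit MAC key


# --- Per-message protection: keystream XOR (stand-in for AES-CTR) plus an
# HMAC-SHA1 tag over counter and ciphertext. XOR means decrypt == encrypt.
def encrypt(enc_key, counter, plaintext):
    stream = b""
    block = 0
    while len(stream) < len(plaintext):
        stream += sha256(enc_key + counter.to_bytes(8, "big") + block.to_bytes(4, "big"))
        block += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def mac(mac_key, counter, ciphertext):
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ciphertext, hashlib.sha1).digest()


def verify(mac_key, counter, ciphertext, tag):
    return hmac.compare_digest(mac(mac_key, counter, ciphertext), tag)


def demo():
    """Runs one short session and returns what each check decided."""
    # Alice's long-term key; Bob already holds alice_pub (fingerprint checked out of band).
    alice_priv, alice_pub = lamport_keygen()

    # Key exchange: Alice signs her ephemeral DH value with the long-term key, so Bob
    # knows who he is talking to; both sides then derive the same session keys.
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    sig = lamport_sign(alice_priv, ga.to_bytes(32, "big"))
    bob_checks_alice = lamport_verify(alice_pub, ga.to_bytes(32, "big"), sig)
    alice_keys = derive_keys(pow(gb, a, P))
    bob_keys = derive_keys(pow(ga, b, P))
    enc_key, mac_key = alice_keys

    # During the conversation Bob accepts a message only if its tag is valid under mac_key.
    ct = encrypt(enc_key, 1, b"meet at 9")
    tag = mac(mac_key, 1, ct)
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])

    # Afterwards mac_key is disclosed (OTR publishes old MAC keys). Anyone can now attach a
    # valid tag to any ciphertext, so an archived transcript no longer shows that Alice
    # wrote it: the only thing her long-term key ever signed was ga.
    forged_ct = secrets.token_bytes(len(ct))  # constructed "message" from a third party
    forged_tag = mac(mac_key, 2, forged_ct)

    return {
        "bob_checks_alice": bob_checks_alice,
        "keys_agree": alice_keys == bob_keys,
        "bob_reads": encrypt(enc_key, 1, ct) == b"meet at 9",
        "genuine_accepted": verify(mac_key, 1, ct, tag),
        "tampered_accepted": verify(mac_key, 1, tampered, tag),
        "forged_accepted": verify(mac_key, 2, forged_ct, forged_tag),
    }
```

Reading the returned dictionary: the genuine tag passes and the tampered one fails while the key is private, which is the authentication the posts talk about; the forged tag passes just as well once the key is out, which is the deniability. Note that disclosing the MAC key does not disclose the encryption key, so a third party can forge tags without being able to read the original messages.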
  • WTF? (Score:3, Informative)

    by phorm ( 591458 ) on Thursday December 16, 2004 @06:36PM (#11110042) Journal
    What with the price of RAM these days? Sorry, but even with a lot of RAM there's not any reason why one shouldn't have swap. What happens when you do overrun your RAM just that one time?

    Besides, swap in 'nix isn't used unless you need to. Most of the time my laptop (256MB RAM) doesn't run into swap at all, so chances are I don't have to worry about that.

    And as to the temp files, etc... if you do have the RAM to spare and you're really paranoid, mount a nice big 512MB ramdisk on loopback and a quick reboot will permanently lose anything you might not want to keep around (not to mention the speed advantages of RAMdisk vs Physical drivespace).
  • GAIM Encryption (Score:3, Informative)

    by SKPhoton ( 683703 ) on Thursday December 16, 2004 @09:02PM (#11111455) Homepage
    GAIM already offers two encryption plugins. It's cool to see another implementation being created.

    gaim encryption [sourceforge.net] uses RSA. There's also gaim-e [sourceforge.net] which uses GPG.

    I've used gaim encryption and it works very well. It requires the plugin to be installed on both ends but once that's done, it autodetects that both ends support it and enables encryption.

    Oh, there's a binary available for windows and both source and packages for linux.
    And, it's in portage!
    emerge gaim-encryption
  • by DM9290 ( 797337 ) on Friday December 17, 2004 @01:36AM (#11113321) Journal
    For those who want to know how to use encrypted swap partitions on Linux, here is how:
    PS: Your computer will not operate any slower than when using plain swap. I kid you not.
    PPS: this works in mandrake and suse.

    make sure module cryptoloop is loaded:

    > modprobe cryptoloop

    assuming you want to use /dev/hdb as your swap partition (you can actually use any partition or even a flat file) then type:

    > losetup -e aes256 /dev/loop0 /dev/hdb

    if /dev/loop0 doesn't work, try loop1 or loop2 etc. (you are looking for an unused loopback device. If you are already using loopback devices, then you probably already know how to do this stuff)

    you will be prompted for a passphrase. type lots of random characters (at least 20. the more the merrier). You don't need to remember it because you can use a different one each time you reboot. I like to click random keys on the keyboard for about 45 seconds.

    then type

    > mkswap /dev/loop0
    this formats the partition on the other side of the loopback device to be a swap file. (remember that loop0 is being encrypted prior to the data ever hitting the disk)

    and then type

    > swapon /dev/loop0
    this mounts the swap partition to be a swap file.

    you now have an encrypted swap partition all mounted and available as virtual memory. Use 'top' to confirm this.

    This swap will not automount at boot this way, unless you put the aforementioned steps into a boot script of some kind. You can deny it or make a script to do it for you. Just make sure you use a random key each time.

    I have been using encrypted swap partitions for a few years and I'm never going back.

    (hint: you can also make encrypted volumes using almost the same steps)

    The nifty thing is that since you don't know the keys you use for your swap partition you have plausible deniability.

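The boot script the post above says you would need, as an added example that is mine, not the poster's: it wraps the same four steps (modprobe cryptoloop, losetup -e aes256, mkswap, swapon) and draws a fresh throw-away passphrase from /dev/urandom on every boot instead of the keyboard. It assumes the cryptoloop-era util-linux losetup that accepts -e and -p (the -p option reads the passphrase from a file descriptor, which is what lets this run unattended), a partition that is not also listed as swap in /etc/fstab, and root privileges; the function names and the dry-run argument are my own.

```shell
#!/bin/sh
# Added example (not from the thread): the manual encrypted-swap steps from the
# comment above as a boot script that uses a new random passphrase every start.
# Assumptions: old cryptoloop-capable losetup with -e/-p, the device is NOT in
# /etc/fstab as swap, and the script runs as root.

# A throw-away passphrase from the kernel RNG instead of mashing the keyboard:
# 48 random bytes, base64-encoded, gives 64 printable characters (the comment
# asks for at least 20). It is never stored anywhere, which is the whole point.
random_passphrase() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# The comment says "try loop1 or loop2 etc."; this probes them in order and
# returns the first device that losetup reports as unconfigured.
free_loop_device() {
    for n in 0 1 2 3 4 5 6 7; do
        if ! losetup "/dev/loop$n" >/dev/null 2>&1; then
            echo "/dev/loop$n"
            return 0
        fi
    done
    return 1
}

# setup_encrypted_swap DEVICE [DRY]: with a non-empty second argument the
# commands are only printed, so the script can be checked without root.
setup_encrypted_swap() {
    dev="$1"
    dry_run="${2:-}"
    loop=$(free_loop_device) || { echo "no unused loop device" >&2; return 1; }
    pass=$(random_passphrase)

    run() { if [ -n "$dry_run" ]; then echo "$*"; else "$@"; fi; }

    run modprobe cryptoloop
    # -p 3 reads the passphrase from file descriptor 3 instead of the terminal;
    # the here-document supplies fd 3, so nothing is typed and nothing is saved.
    run losetup -p 3 -e aes256 "$loop" "$dev" 3<<EOF
$pass
EOF
    run mkswap "$loop"    # format the plaintext side of the loop device as swap
    run swapon "$loop"    # activate it; 'top' or 'free' now shows the space
    echo "$loop"          # report which loop device carries the swap
}

# Invoked at boot, e.g. from rc.local:  sh encrypted-swap.sh /dev/hdb
# Add any second argument to only print the commands. With no arguments
# (for example when sourced) only the functions are defined.
if [ -n "${1:-}" ]; then
    setup_encrypted_swap "$1" "${2:-}"
fi
```

Because the key is different on every boot, the swap is unusable for suspend-to-disk: a hibernation image written under one key can never be read back under the next. That is the trade-off that buys the "nobody, including you, can decrypt it later" property the post ends on.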
  • by Threni ( 635302 ) on Friday December 17, 2004 @07:58AM (#11114629)
    > Right. Because the word of a defendant at trial is worth a lot. (That's
    > sarcasm, for the record).

    I think that was his point.

    > The word of an officer almost always carries more weight than that of the
    > accused. I've never seen anyone get out of a ticket for rolling through a stop
    > sign just because the only evidence was the testimony of the cop.

    In the UK if there's one cop in the cop car and two people in the car being stopped, then the cop is onto a loser and will probably either try it in ("you did realize you were speeding") or let you go.
