Deniable encryption

Deniable encryption makes it impossible to prove the origin or existence of the plaintext message without the proper decryption key. This may be done by allowing an encrypted message to be decrypted to different sensible plaintexts, depending on the key used. This allows the sender to have plausible deniability if compelled to give up their encryption key. Scenario In some jurisdictions, statutes assume that human operators have access to such things as encryption keys, and governments may enact key disclosure laws that compel individuals to relinquish keys upon request. Countries such as France and Australia give prosecutors wide-ranging power to compel any person to surrender keys to make available any information encountered in the course of an investigation, and failure to comply incurs jail time and/or civil fines. Another example is the United Kingdom's Regulation of Investigatory Powers Act, which makes it a crime not to surrender encryption keys on demand from a government official authorized by the act. According to the Home Office, the burden of proof that an accused person is in possession of a key rests on the prosecution; moreover, the act contains a defense for operators who have lost or forgotten a key, and they are not liable if they are judged to have done what they can to recover a key. In cryptography, rubber-hose cryptanalysis is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture⁠‌such as beating that person with a rubber hose, hence the ‌in contrast to a mathematical or technical cryptanalytic attack. An early use of the term was on the sci.crypt newsgroup, in a message posted 16 October 1990 by Marcus J. Ranum, alluding to corporal punishment:[...]the rubber-hose technique of cryptanalysis (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive). Such methods are also euphemistically referred to as "wrench attacks", in reference to an xkcd comic with a similar premise. Deniable encryption allows the sender of an encrypted message to deny sending that message. A possible scenario works like this: • Alice wishes to send a message to Bob but is aware that she may be compelled to decrypt the message for a third party. • Alice uses key 1 (K1) to encrypt a harmless message (M1) into a ciphertext (C). She also uses key 2 (K2) to encrypt a second, secret message (M2) within the same ciphertext for Bob. • If Alice is coerced, through legal or illegal means, into decrypting the ciphertext C, she can provide K1 to reveal the harmless message M1 without disclosing the existence of M2. This approach relies on the attacker being satisfied with the contents of M1. If M1 appears trivial or unconvincing, the attacker may suspect the existence of additional keys and messages and continue to apply pressure. The existence of deniable encryption introduces a paradoxical limitation. Because an attacker can never be certain that a given ciphertext contains only a single key–message pair, they may continue to demand further keys even after one has been revealed. This is particularly problematic in scenarios involving coercion, such as Rubber-hose cryptanalysis, where additional keys and messages may be demanded regardless of whether they actually exist. Another scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and must not be able to read each other's instructions. Bob will receive the message first and then forward it to Carl. • Alice constructs the ciphertext out of both messages, M1 and M2, and emails it to Bob. • Bob uses his key to decrypt M1 and isn't able to read M2. • Bob forwards the ciphertext to Carl. • Carl uses his key to decrypt M2 and isn't able to read M1. ==Forms of deniable encryption==

Normally, ciphertexts decrypt to a single plaintext that is intended to be kept secret. However, one form of deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and plausibly claim that it is what they encrypted. The holder of the ciphertext will not be able to differentiate between the true plaintext, and the bogus-claim plaintext. In general, one ciphertext cannot be decrypted to all possible plaintexts unless the key is as large as the plaintext, so it is not practical in most cases for a ciphertext to reveal no information whatsoever about its plaintext. However, some schemes allow decryption to decoy plaintexts that are close to the original in some metric (such as edit distance). Modern deniable encryption techniques exploit the fact that without the key, it is infeasible to distinguish between ciphertext from block ciphers and data generated by a cryptographically secure pseudorandom number generator (the cipher's pseudorandom permutation properties). This is used in combination with some decoy data that the user would plausibly want to keep confidential that will be revealed to the attacker, claiming that this is all there is. This is a form of steganography. If the user does not supply the correct key for the truly secret data, decrypting it will result in apparently random data, indistinguishable from not having stored any particular data there. Examples Layers One example of deniable encryption is a cryptographic filesystem that employs a concept of abstract "layers", where each layer can be decrypted with a different encryption key. Additionally, special "chaff layers" are filled with random data in order to have plausible deniability of the existence of real layers and their encryption keys. The user can store decoy files on one or more layers while denying the existence of others, claiming that the rest of space is taken up by chaff layers. Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are either randomized (in case they belong to chaff layers), or cryptographic hashes of strings identifying the blocks. The timestamps of these files are always randomized. Examples of this approach include Rubberhose filesystem. Rubberhose (also known by its development codename Marutukku) is a deniable encryption program which encrypts data on a storage device and hides the encrypted data. The existence of the encrypted data can only be verified using the appropriate cryptographic key. It was created by Julian Assange as a tool for human rights workers who needed to protect sensitive data in the field and was initially released in 1997. Container volumes Another approach used by some conventional disk encryption software suites is creating a second encrypted volume within a container volume. The container volume is first formatted by filling it with encrypted random data, and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable. LibreCrypt and BestCrypt can have many hidden volumes in a container; TrueCrypt is limited to one hidden volume. Other software • Cryptee, an open-source, client-side encrypted, cross-platform productivity suite and cloud storage service which offers its users the ability to hide (ghost) folders and photo albums for plausible deniability. • LibreCrypt, open-source transparent disk encryption for MS Windows and PocketPC PDAs that provides both deniable encryption and plausible deniability. Offers an extensive range of encryption options, and doesn't need to be installed before use as long as the user has administrator rights. • Off-the-Record Messaging, a cryptographic technique providing true deniability for instant messaging. • OpenPuff, freeware semi-open-source steganography for MS Windows. • StegFS, the current successor to the ideas embodied by the Rubberhose and PhoneBookFS filesystems. • Vanish, a research prototype implementation of self-destructing data storage. • VeraCrypt (a successor to a discontinued TrueCrypt), an on-the-fly disk encryption software for Windows, Mac and Linux providing limited deniable encryption and to some extent (due to limitations on the number of hidden volumes which can be created It may also be revealed by a so-called watermarking attack if an inappropriate cipher mode is used. The existence of the data may be revealed by it 'leaking' into non-encrypted disk space where it can be detected by forensic tools. Doubts have been raised about the level of plausible deniability in 'hidden volumes' – the contents of the "outer" container filesystem have to be 'frozen' in its initial state to prevent the user from corrupting the hidden volume (this can be detected from the access and modification timestamps), which could raise suspicion. This problem can be eliminated by instructing the system not to protect the hidden volume, although this could result in lost data. Drawbacks Possession of deniable encryption tools could lead attackers to continue torturing a user even after the user has revealed all their keys, because the attackers could not know whether the user had revealed their last key or not. However, knowledge of this fact can disincentivize users from revealing any keys to begin with, since they will never be able to prove to the attacker that they have revealed their last key. ==Deniable authentication==

Some in-transit encrypted messaging suites, such as Off-the-Record Messaging, offer deniable authentication which gives the participants plausible deniability of their conversations. While deniable authentication is not technically "deniable encryption" in that the encryption of the messages is not denied, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular. This is achieved by the fact that all information necessary to forge messages is appended to the encrypted messages – if an adversary is able to create digitally authentic messages in a conversation (see hash-based message authentication code (HMAC)), they are also able to forge messages in the conversation. This is used in conjunction with perfect forward secrecy to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages. ==See also==