Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06.

Published byLondon Overfield Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06."— Presentation transcript:

1 1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06

2 2 Problem Statement Alice broadcasts encrypted messages over a public channel Eve can see ciphertext and coerces Alice before and/or after communication –Demands that Alice sends a particular message –Demands plaintext & receipt to compare with ciphertext Encryption is often a “committing” process How can Alice signal coercion to Bob yet still avoid reprisal by Eve?

3 3 Benaloh & Tuinstra: Parallel Uncoercible Communication Protocol Shared key K: (L-bit head) 10110101…101001 (N bit tail) Alice Bob Shared private channel (e.g. synchronized SecurID units) L-bit message M: 01001101… Shared key K: 10110101… Ciphertext C: 11111000… || 101001 (N bit tail of K) Check N-bit tail against K Accept message Reject message What happens if Eve forces L-bit message beforehand? - Alice corrupts N-bit tail What happens if Eve specifies ALL bits beforehand? - Eve must guess N-bit tail correctly (P = 2 -N ) Later, Alice gives Eve “receipt” with some K -All Ks equally plausible! -Can correspond to any plaintext – free or forced

4 4 Rivest: Chaffing & Winnowing Encryption-free privacy mechanism via std authentication mechanism (keyed HMAC) m-bit Message M: Split into m 1-bit packets:(i, M i, HMAC(K AB, i || M i )) (1, 1, HMAC(K AB, 1 || 1)) (2, 0, HMAC(K AB, 2 || 0)) (3, 1, HMAC(K AB, 3 || 1)) Alice Bob Shared session authentication key K AB Send in the clear Check HMACs and throw away unauthenticated packets (1, 0, Random) (2, 1, Random) (3, 0, Random) Now Alice adds “chaff” Hard for Eve to calculate HMAC without K AB Eve cannot tell wheat from chaff! Multiple simultaneous chaff streams with K ABi Alice & Bob can claim any K ABi is the real one! 101… Bob will throw chaff away (bad MAC) Plausible deniability for precomputed plaintexts

5 5 Summary & Practical Considerations Methods to exploit degrees of freedom in key/private randomness to generate multiple plausible explanations for communication –Choose forged plaintext at time of encryption –Choose forged plaintext at time of coercion –Some resistant to coercion beforehand (uncoercible) and others resistant to coercion only afterwards (deniable) Must use the method all the time or an adversary may coerce you with a more restricted mechanism Multiple coercion targets must coordinate stories Cleanest option for post-facto coercion: just delete or forget key & randomness

6 6 Backup

7 7 Other Methods Clayton & Danezis: Plausibly Deniable Routing Steganography –Steganography is information hiding Example: low-order pixel bits in image contain string –Weak: security through obscurity –Stronger: “keyed” steganography Example: keyed hash selects pixels to encode with –Plausible deniability in steganography Rely on security by obscurity: claim the cover text is the message Parallel steganographic methods: claim that one of n methods is correct Keyed steganographic methods with multiple keys: claim that one of n keys is correct

Download ppt "1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06."

Similar presentations

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Quantum Key Establishment Wade Trappe. Talk Overview Quantum Demo Quantum Key Establishment.

Quantum Key Establishment Wade Trappe. Talk Overview Quantum Demo Quantum Key Establishment.
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Single Photon Quantum Encryption Rob Grove April 25, 2005.

Single Photon Quantum Encryption Rob Grove April 25, 2005.
EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.

EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.

Similar presentations

Ads by Google