Deniable encryption
Encyclopedia
In cryptography
and steganography
, deniable encryption is encryption
that allows its users to convincingly deny
that the data is encrypted, or that they are able to decrypt it. Such convincing denials may or may not be genuine. For example, although suspicions might exist that the data is encrypted, it may be impossible to prove it without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.
Normally ciphertexts decrypt to a single plaintext
and hence once decrypted, the encryption user cannot claim that he encrypted a different message. Deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and insist that it is what they encrypted. The holder of the ciphertext will not have the means to differentiate between the true plaintext, and the bogus-claim plaintext.
used, or otherwise makes it impossible to prove the existence of the real message without the proper encryption key. This allows the sender to have plausible deniability
if compelled to give up his or her encryption key.
The notion of "deniable encryption" was used by Julian Assange
and Ralf Weinmann in the Rubberhose filesystem and explored in detail in a paper by Ran Canetti, Cynthia Dwork
, Moni Naor
, and Rafail Ostrovsky
in 1996.
Another possible scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and have not to be able to read each other instructions. Bob will receive the message first and then forward it to Carl.
properties of existing block cipher
s, making it cryptographically infeasible to prove that the ciphertext is not random data generated by a cryptographically secure pseudorandom number generator
. This is used in combination with some decoy
data that the user would plausibly want to keep confidential that will be revealed to the attacker, claiming that this is all there is. This form of deniable encryption is sometimes referred to as steganography
.
One example of deniable encryption is a cryptographic filesystem that employs a concept of abstract "layers", where each layer would be decrypted with a different encryption key. Additionally, special "chaff
layers" are filled with random data in order to have plausible deniability
of the existence of real layers and their encryption keys. The user will store decoy files on one or more layers while denying the existence of others, claiming that the rest of space is taken up by chaff layers. Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are either random
ized (in case they belong to chaff layers), or cryptographic hash
es of strings identifying the blocks. The timestamp
s of these files are always randomized. Examples of this approach include Rubberhose filesystem
and PhoneBookFS.
Another approach utilized by some conventional disk encryption software
suites is creating a second encrypted volume
within a container volume. The container volume is first formatted by filling it with encrypted random data, and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable. Concerns have, however, been raised for the level of plausible deniability in hiding information this way – the contents of the "outer" container filesystem (in particular the access or modification timestamps on the data stored) could raise suspicions as a result of being frozen in its initial state to prevent the user from corrupting the hidden volume. This problem can be eliminated by instructing the system not to protect the hidden volume, although this could result in lost data. FreeOTFE
and BestCrypt
can have many hidden volumes in a container; TrueCrypt
is limited to one hidden volume.
tools that may detect non-random encrypted data. Vulnerability to chi-squared
randomness test
has also been suggested: encrypted data, after each write operation, should be adjusted to fit a plausible randomness property.
Deniable encryption has also been criticized because of its main inability in defending users from rubber-hose cryptanalysis
. Possession of deniable encryption tools could lead attackers to continue an investigation even after a user pretends to cooperate, providing an expendable password to some decoy data.
, offer malleable encryption
which gives the participants plausible deniability
of their conversations. While malleable encryption is not technically "deniable encryption" in that its ciphertexts do not decrypt into multiple plaintexts, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular.
This is achieved by the fact that all information necessary to forge messages is appended to the encrypted messages – if an adversary is able to create digitally authentic messages in a conversation (see HMAC
), he is also able to forge
messages in the conversation. This is used in conjunction with perfect forward secrecy
to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages.
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
and steganography
Steganography
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity...
, deniable encryption is encryption
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
that allows its users to convincingly deny
Plausible deniability
Plausible deniability is, at root, credible ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in chains of command, where upper rungs quarantine the blame to the lower rungs, and the lower rungs are often inaccessible,...
that the data is encrypted, or that they are able to decrypt it. Such convincing denials may or may not be genuine. For example, although suspicions might exist that the data is encrypted, it may be impossible to prove it without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.
Normally ciphertexts decrypt to a single plaintext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....
and hence once decrypted, the encryption user cannot claim that he encrypted a different message. Deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and insist that it is what they encrypted. The holder of the ciphertext will not have the means to differentiate between the true plaintext, and the bogus-claim plaintext.
Function
Deniable encryption allows an encrypted message to be decrypted to different sensible plaintexts, depending on the keyKey (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
used, or otherwise makes it impossible to prove the existence of the real message without the proper encryption key. This allows the sender to have plausible deniability
Plausible deniability
Plausible deniability is, at root, credible ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in chains of command, where upper rungs quarantine the blame to the lower rungs, and the lower rungs are often inaccessible,...
if compelled to give up his or her encryption key.
The notion of "deniable encryption" was used by Julian Assange
Julian Assange
Julian Paul Assange is an Australian publisher, journalist, writer, computer programmer and Internet activist. He is the editor in chief of WikiLeaks, a whistleblower website and conduit for worldwide news leaks with the stated purpose of creating open governments.WikiLeaks has published material...
and Ralf Weinmann in the Rubberhose filesystem and explored in detail in a paper by Ran Canetti, Cynthia Dwork
Cynthia Dwork
Cynthia Dwork is a distinguished scientist at Microsoft Research who works on distributed computing, cryptography, and e-mail spam prevention....
, Moni Naor
Moni Naor
Moni Naor is an Israeli computer scientist, currently a professor at the Weizmann Institute of Science. Naor received his Ph.D. in 1989 at the University of California, Berkeley. His adviser was Manuel Blum....
, and Rafail Ostrovsky
Rafail Ostrovsky
Rafail Ostrovsky is a professor of computer science and mathematics at UCLA and a well-known researcher in algorithms and cryptography. Prof. Ostrovsky received his Ph.D. from MIT in 1992...
in 1996.
Scenario
Deniable encryption allows the sender of an encrypted message to deny sending that message. This requires a trusted third party. A possible scenario works like this:- AliceAlice and BobThe names Alice and Bob are commonly used placeholder names for archetypal characters in fields such as cryptography and physics. The names are used for convenience; for example, "Alice sends a message to Bob encrypted with his public key" is easier to follow than "Party A sends a message to Party...
is the wife of Bob, who suspects his wife is engaged in adultery. She wants to communicate with her secret lover Carl. She creates two keys, one intended to be kept secret, the other intended to be sacrificed. She passes the secret key (or both) to Carl. - Alice constructs an innocuous message M1 for Carl (intended to be revealed to Bob in case of discovery) and an incriminating love letter M2 to Carl. She constructs a cipher-text C out of both messages M1, M2 and emails it to Carl.
- Carl uses his key to decrypt M2 (and possibly M1, in order to read the fake message too).
- Bob finds out about the email to Carl, becomes suspicious and forces Alice to decrypt the message.
- Alice uses the sacrificial key and reveals the innocuous message M1 to Bob. Since Bob does not know the other key, he has to assume that there is no other message M2.
Another possible scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and have not to be able to read each other instructions. Bob will receive the message first and then forward it to Carl.
- Alice constructs the ciphertext out of both messages M1, M2 and emails it to Bob.
- Bob uses his key to decrypt M1 and isn't able to read M2.
- Bob forwards the ciphertext to Carl.
- Carl uses his key to decrypt M2 and isn't able to read M1.
Modern forms of deniable encryption
Modern deniable encryption techniques exploit the pseudorandom permutationPseudorandom permutation
In cryptography, the term pseudorandom permutation, abbreviated PRP, refers to a function that cannot be distinguished from a random permutation with practical effort.A pseudorandom permutation family is a collection of pseudorandom permutations,...
properties of existing block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s, making it cryptographically infeasible to prove that the ciphertext is not random data generated by a cryptographically secure pseudorandom number generator
Cryptographically secure pseudorandom number generator
A cryptographically secure pseudo-random number generator is a pseudo-random number generator with properties that make it suitable for use in cryptography.Many aspects of cryptography require random numbers, for example:...
. This is used in combination with some decoy
Decoy
A decoy is usually a person, device or event meant as a distraction, to conceal what an individual or a group might be looking for. Decoys have been used for centuries most notably in game hunting, but also in wartime and in the committing or resolving of crimes.-Duck decoy:The term duck decoy may...
data that the user would plausibly want to keep confidential that will be revealed to the attacker, claiming that this is all there is. This form of deniable encryption is sometimes referred to as steganography
Steganography
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity...
.
One example of deniable encryption is a cryptographic filesystem that employs a concept of abstract "layers", where each layer would be decrypted with a different encryption key. Additionally, special "chaff
Chaff (radar countermeasure)
Chaff, originally called Window by the British, and Düppel by the Second World War era German Luftwaffe , is a radar countermeasure in which aircraft or other targets spread a cloud of small, thin pieces of aluminium, metallized glass fibre or plastic, which either appears as a cluster of secondary...
layers" are filled with random data in order to have plausible deniability
Plausible deniability
Plausible deniability is, at root, credible ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in chains of command, where upper rungs quarantine the blame to the lower rungs, and the lower rungs are often inaccessible,...
of the existence of real layers and their encryption keys. The user will store decoy files on one or more layers while denying the existence of others, claiming that the rest of space is taken up by chaff layers. Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are either random
Randomness
Randomness has somewhat differing meanings as used in various fields. It also has common meanings which are connected to the notion of predictability of events....
ized (in case they belong to chaff layers), or cryptographic hash
Cryptographic hash function
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that an accidental or intentional change to the data will change the hash value...
es of strings identifying the blocks. The timestamp
Timestamp
A timestamp is a sequence of characters, denoting the date or time at which a certain event occurred. A timestamp is the time at which an event is recorded by a computer, not the time of the event itself...
s of these files are always randomized. Examples of this approach include Rubberhose filesystem
MaruTukku
In computing, rubberhose is a deniable encryption archive containing multiple file systems whose existence can only be verified using the appropriate cryptographic key.- Name and history :...
and PhoneBookFS.
Another approach utilized by some conventional disk encryption software
Disk encryption software
To protect confidentiality of the data stored on a computer disk a computer security technique called disk encryption is used. This article discusses software that is used to implement the technique...
suites is creating a second encrypted volume
Volume (computing)
In the context of computer operating systems, volume is the term used to describe a single accessible storage area with a single file system, typically resident on a single partition of a hard disk. Similarly, it refers to the logical interface used by an operating system to access data stored on...
within a container volume. The container volume is first formatted by filling it with encrypted random data, and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable. Concerns have, however, been raised for the level of plausible deniability in hiding information this way – the contents of the "outer" container filesystem (in particular the access or modification timestamps on the data stored) could raise suspicions as a result of being frozen in its initial state to prevent the user from corrupting the hidden volume. This problem can be eliminated by instructing the system not to protect the hidden volume, although this could result in lost data. FreeOTFE
FreeOTFE
FreeOTFE is an open source on-the-fly disk encryption computer program for PCs running Microsoft Windows, and personal digital assistants running Windows Mobile . It creates virtual drives, or disks, to which anything written is automatically encrypted before being stored on a computer's hard or...
and BestCrypt
BestCrypt
BestCrypt is a commercial disk encryption program for Windows and Linux, developed by Jetico.-Features:* BestCrypt can create and mount an encrypted virtual drive using AES, Blowfish, Twofish, CAST, and various other encryption methods...
can have many hidden volumes in a container; TrueCrypt
TrueCrypt
TrueCrypt is a software application used for on-the-fly encryption . It is free and open source. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device .- Operating systems :TrueCrypt supports Microsoft Windows, Mac OS X, and...
is limited to one hidden volume.
Detection
The existence of a hidden volume may be revealed by flawed implementations relying on predictable cryptographic items or by some forensicComputer forensics
Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media...
tools that may detect non-random encrypted data. Vulnerability to chi-squared
Pearson's chi-squared test
Pearson's chi-squared test is the best-known of several chi-squared tests – statistical procedures whose results are evaluated by reference to the chi-squared distribution. Its properties were first investigated by Karl Pearson in 1900...
randomness test
Randomness tests
The issue of randomness is an important philosophical and theoretical question.Many random number generators in use today generate what are called "random sequences" but they are actually the result of prescribed algorithms and so they are called pseudo-random number generators.These generators do...
has also been suggested: encrypted data, after each write operation, should be adjusted to fit a plausible randomness property.
Deniable encryption has also been criticized because of its main inability in defending users from rubber-hose cryptanalysis
Rubber-hose cryptanalysis
In cryptography, rubber-hose cryptanalysis is the extraction of cryptographic secrets from a person by coercion or torture, in contrast to a mathematical or technical cryptanalytic attack....
. Possession of deniable encryption tools could lead attackers to continue an investigation even after a user pretends to cooperate, providing an expendable password to some decoy data.
Malleable encryption
Some in-transit encrypted messaging suites, such as Off-the-Record MessagingOff-the-record messaging
Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function...
, offer malleable encryption
Malleability (cryptography)
Malleability is a property of some cryptographic algorithms. An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext...
which gives the participants plausible deniability
Plausible deniability
Plausible deniability is, at root, credible ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in chains of command, where upper rungs quarantine the blame to the lower rungs, and the lower rungs are often inaccessible,...
of their conversations. While malleable encryption is not technically "deniable encryption" in that its ciphertexts do not decrypt into multiple plaintexts, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular.
This is achieved by the fact that all information necessary to forge messages is appended to the encrypted messages – if an adversary is able to create digitally authentic messages in a conversation (see HMAC
HMAC
In cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message...
), he is also able to forge
Forgery
Forgery is the process of making, adapting, or imitating objects, statistics, or documents with the intent to deceive. Copies, studio replicas, and reproductions are not considered forgeries, though they may later become forgeries through knowing and willful misrepresentations. Forging money or...
messages in the conversation. This is used in conjunction with perfect forward secrecy
Perfect forward secrecy
In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.Forward...
to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages.
Software
- OpenPuffOpenPuffOpenPuff Steganography and Watermarking, sometimes abbreviated OpenPuff or Puff, is a freeware steganography tool for Microsoft Windows created by Cosimo Oliboni and still maintained as independent software. The program is notable for being the first steganography tool that:* lets users hide data...
, freeware semi-open-source steganography for MS Windows. - BestCryptBestCryptBestCrypt is a commercial disk encryption program for Windows and Linux, developed by Jetico.-Features:* BestCrypt can create and mount an encrypted virtual drive using AES, Blowfish, Twofish, CAST, and various other encryption methods...
, commercial on-the-fly disk encryptionOTFEOn-the-fly encryption , also known as Real-time Encryption, is a method used by some encryption programs, for example, disk encryption software...
for MS Windows. - FreeOTFEFreeOTFEFreeOTFE is an open source on-the-fly disk encryption computer program for PCs running Microsoft Windows, and personal digital assistants running Windows Mobile . It creates virtual drives, or disks, to which anything written is automatically encrypted before being stored on a computer's hard or...
, opensource on-the-fly disk encryptionOTFEOn-the-fly encryption , also known as Real-time Encryption, is a method used by some encryption programs, for example, disk encryption software...
for MS Windows and PocketPC PDAs that provides both deniable encryption and plausible deniabilityPlausible deniabilityPlausible deniability is, at root, credible ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in chains of command, where upper rungs quarantine the blame to the lower rungs, and the lower rungs are often inaccessible,...
. Offers an extensive range of encryption options, and doesn't need to be installed before use. - Off-the-Record MessagingOff-the-record messagingOff-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function...
, a cryptographic technique providing true deniability for instant messaging. - PhoneBookFS, another cryptographic filesystem for Linux, providing plausible deniability through chaff and layers. A FUSE implementation. No longer maintained.
- rubberhose. Defunct project (Last release in 2000, not compatible with modern Linux distributions)
- StegFSStegFSStegFS is a free file system for Linux. It is licensed under the GPL. It was principally developed by Andrew D. McDonald and Markus G. Kuhn. It is a steganographic file system based on the ext2 filesystem....
, the current successor to the ideas embodied by the Rubberhose and PhoneBookFS filesystems - TrueCryptTrueCryptTrueCrypt is a software application used for on-the-fly encryption . It is free and open source. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device .- Operating systems :TrueCrypt supports Microsoft Windows, Mac OS X, and...
, which is on-the-fly disk encryptionOTFEOn-the-fly encryption , also known as Real-time Encryption, is a method used by some encryption programs, for example, disk encryption software...
software for Windows, Mac and Linux that provides limited deniable encryption and to some extent (due to limitations on the number of hidden volumes which can be created) plausible deniabilityPlausible deniabilityPlausible deniability is, at root, credible ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in chains of command, where upper rungs quarantine the blame to the lower rungs, and the lower rungs are often inaccessible,...
, and doesn't need to be installed before use as long as the user has full administrator rights - VanishVanish (computer science)Vanish is a project at the University of Washington which endeavors to "give users control over the lifetime of personal data stored on the web." The project proposes to allow a user to enter information that he or she will send out across the internet, thereby relinquishing control of it...
- a research prototype implementation of self-destructing data storage - ScramDisk 4 Linux - A free softwareFree softwareFree software, software libre or libre software is software that can be used, studied, and modified without restriction, and which can be copied and redistributed in modified or unmodified form either without restriction, or with restrictions that only ensure that further recipients can also do...
suite of tools, for GNU/Linux systems, which can open and create scramdisk and truecrypt container.
See also
- Chaffing and winnowingChaffing and winnowingChaffing and winnowing is a cryptographic technique to achieve confidentiality without using encryption when sending data over an insecure channel. The name is derived from agriculture: after grain has been harvested and threshed, it remains mixed together with inedible fibrous chaff. The chaff...
- Deniable authenticationDeniable authenticationIn cryptography, deniable authentication refers to authentication between a set of participants where the participants themselves can be confident in the authenticity of the messages, but it cannot be proved to a third party after the event....
- Plausible deniabilityPlausible deniabilityPlausible deniability is, at root, credible ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in chains of command, where upper rungs quarantine the blame to the lower rungs, and the lower rungs are often inaccessible,...
- Rubber-hose cryptanalysisRubber-hose cryptanalysisIn cryptography, rubber-hose cryptanalysis is the extraction of cryptographic secrets from a person by coercion or torture, in contrast to a mathematical or technical cryptanalytic attack....
- SteganographySteganographySteganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity...
- Unicity distanceUnicity distanceIn cryptography, unicity distance is the length of an original ciphertext needed to break the cipher by reducing the number of possible spurious keys to zero in a brute force attack. That is, after trying every possible key, there should be just one decipherment that makes sense, i.e...