[1936] in cryptography@c2.net mail archive
Speaking of rubber hoses [was Re: Storage encryption tools]
daemon@ATHENA.MIT.EDU (Julian Assange)
Wed Dec 10 22:52:59 1997
To: "James A. Donald" <jamesd@echeque.com>
cc: coderpunks@toad.com, cryptography@c2.net
From: Julian Assange <proff@iq.org>
In-Reply-To: "James A. Donald"'s message of "Tue, 9 Dec 1997 22:39:40 -0800 (PST)"
Date: 11 Dec 1997 00:12:21 +1100
"James A. Donald" <jamesd@echeque.com> writes:
> At 09:20 AM 12/3/97 -0800, David Honig wrote:
> > > > I notice that "F-Secure" also provides automatic fileset encryption
> > > > at logon/off.
>
> James A. Donald:
> > > The problem here is that in the event of an abrupt power down, for
> > > example a police raid, you are stuffed.
>
> At 02:49 AM 12/8/97 +5, James Caldwell wrote:
> > As it is with most commercial products.
>
> Not true: On most storage products, the encrypted partition remains
> encrypted at all times. It is decrypted on the fly when a file is
> read, and encrypted on the fly when a file is written. In the event
> of an abrupt power down the password is lost from memory, and the
> encrypted partition is unreadable, unless the police extract the
> secret password from the owner, perhaps by means of a rubber hose.
Speaking of rubber hose cryptography, here is a copy of some recent
correspondence concerning that subject:
I've finished defining the sets. I haven't described how they tie in
with the rest of marutukku yet (i.e. aspects and keying) or the
algorithm employed. Does all this look like Archimedes Plutonium
sci.logic babble, or does it reveal something useful in terms of
understanding what I'm doing? Parts of this will become part of the
documentation set, so it's important we get it right - keeping in mind
I'm still not convinced about the statistical properties of the chosen
algorithm against STM attacks.
--
I have designed a `cryptographically deniable' (otherwise known as
rubber-hose-proof - a `rubber hose' being the beating weapon of choice
for pass-phrase extraction) file system. The file system has 0-n keys,
each of which divulges different data. This is the essence of the
deniability scheme, whereby one can divulge the "duress" key which
will only decrypt pre-meditated "duress" information, i.e. love letters
pertaining to some illicit, but otherwise harmless liaison, as opposed
to Russian SS30 launch codes. The file-system has the following
property:
If K_r is the set of all keys used in a particular instance of
the encrypted file system, and each key in K_r decrypts
particular data within that system, then given any sub-set
(K_d) of keys from K_r, it is not possible to infer the
existence of any key in K_r not of K_d, i.e. it is not possible
to infer that K_r != K_d
If you can infer that some data within the system has been encrypted
with a key not in K_d, then you can of course infer that a key not in
K_d encrypted it (which must be from ~(K_r . K_d)), so the
file system has the following additional property (obvious really):
It is not possible to infer the presence of any data in the
system that is not either (a) random unused data, or (b)
data encrypted with a key from the set K_d;
From an isolated information-theory point of view, the system appears
to have perfect cryptographic deniability - but when you look at the
physical implementation (on magnetic media like hard-drives), the
whole issue becomes rather more "interesting".
The problem with most magnetic media is that it is good at recording.
Not what you have just written to it, but all that you have ever
written to it. It is possible to retrieve multiply over-written data
(i.e. data that has been over-written 12 times is retrievable). I'm not
making this up, this is an established art. Examine National Security
Patent #5,264,794. This will also tell you why hard-disk manufacturers
don't use this process to increase the bit-density of their platters.
5,264,794
Nov. 23, 1993
Method of measuring magnetic fields on magnetically recorded
media using a scanning tunnelling microscope and magnetic
probe
ABST:
The present invention discloses a method of measuring magnetic
fields on magnetically recorded media. The method entails replacing
the metal tip typically used with a scanning tunnelling microscope with
a flexible thin-film nickel or iron magnetic probe. The present
invention describes a mathematical equation that relates probe
position to magnetic field strength. In order to establish a tunnelling
current between the magnetic probe and the magnetically recorded
media, any protective layer on the magnetically recorded media is
removed. The magnetic probe and the magnetically recorded media may be
coated with at least three-hundred angstroms of gold in order to
reduce spurious probe deflections due to oxide growths on either the
magnetic probe or the magnetically recorded media. The scanning
tunnelling microscope is designed to maintain a constant tunnelling
current between the probe and the item being scanned. The present
invention uses the scanning tunnelling microscope to scan the recording
tracks of magnetically recorded media. Any change in the magnetic
field of the magnetically recorded media will cause a change in the
tunnelling current. The microscope will change the position of the
probe in order to maintain a constant tunnelling current. These changes
in position are recorded as an image. A mathematical equation that
relates probe position to magnetic field strength is then used to
extract the magnetic fields of the magnetically recorded media from
the recorded image of probe positions.
ASSIGNEE-AT-ISSUE: The United States of America as represented by the
Director, National Security Agency, Washington, District of Columbia
This was state-of-art 6 years ago.
Past "layers" of information isn't all you can suck off drive
platters. Because magnetic "leakage" occurs into the gaps between
tracks and there is a slow change in chemical composition of the disk
surface over time, it's possible to extract two more pieces of
information.
1) how old a particular "layer" (i.e. possibly over-written) of
information is.
2) the relative write-use of a particular disk block or disk
area since the platter was born.
The deniability scheme as a whole is complex. I have distilled the
relevant parts down to the following description (which I've
couched in terms of set theory, which may or may not be
particularly helpful for statistical/probability analysis). I'm not a
mathematician by training or particularly familiar with couching
real-world problems in terms of set theory. I'm afraid my model
must seem awfully convoluted and inelegant as a result.
I have discovered a number of impracticable but theoretically valid
solutions to the media analysis problem. Impracticable because they
all seem to embody moving about large amounts of data, or keeping huge
reordering/re-scrambling tables in memory. I have discovered other
(practicable) algorithms which are so complex that I am not entirely
comfortable they are not in fact vulnerable to some form of clever
statistical attack I have not yet anticipated.
The problem is, in some sense, an optimisation problem, on five
(broadly defined) variables/goals:
1) maximise resistance to statistical and other attacks which
can be used to show that K_r != K_d
2) minimise the number of bytes read/written to the disk that
don't pertain to conventional requests for writing/reading
information (i.e. additional read/writes can be used in
staving off statistical attacks)
3) minimise the amount of memory used. Some solutions to 1.
involve huge (mostly impracticable) re-mapping tables.
4) minimise the amount of disk space used. (see 3.)
5) minimise the separation of sequentially written data.
This is important, because the more "randomly" the data is
placed on the disk, the greater the time spent by the drive
head moving to-and-fro as opposed to reading/writing the
data it was instructed to. This can slow the speed of
information write/retrieval down over 1000 x. Solutions to
this problem involve randomising data bytes only on
modulo n boundaries where n is of a reasonable size (e.g. 256k),
or on small boundaries (e.g. modulo 512) but all "shuffled" within
a medium sized boundary (e.g. 64k) so that re-ordering can occur
in RAM based on a pre-generated shuffle table.
First some definitions.
"E of" means "element of".
E_k(p) = c refers to encryption function E, with key k, operates on
plaintext p to produce ciphertext c.
D_k(c) = p refers to decryption function D, with key k, operates on
ciphertext c to produce plaintext p.
i.e.
D_k(E_k(p)) = p
"2^n" means "two to the power of n".
"." means intersection
"~" means complement
"u" means union
"disk block". A region of a magnetic disk (i.e. hard-disk) platter that
is used for storing information. Typically, disk blocks are 512
characters (2^12 bits) in length. As an example, a 1 Gigabyte disk
would contain 2,097,152 disk blocks.
P is the set of all possible plain-texts (unencrypted messages). It is
an infinite set. Pn refers to the set of all possible plain-texts
with a length of n bits. Pn has 2^n elements. In practice, n < 2^52.
C is the set of all possible cipher-texts (encrypted messages). It is
an infinite set. Cn refers to the set of all possible cipher-texts
with a length of n bits. Cn has 2^n elements. In practice, n < 2^52.
K is the set of all possible keys. It is an infinite set. Kn refers to
the set of all possible keys with a length of n bits. In practice, n
<= 168 (but the size of K isn't a limiting factor in any event).
a is a positive real. It represents the age of the last disk write,
for a "layer" of an area of cipher text on some sort of magnetic media
(ostensibly calculated from the relative magnetic domain changes in
ferrite (or other metal) molecules on the edges of disk tracks - but
there may be other chemical-magnetic changes on the disk film that
could also be used to analyse the age of a block write). Practically, a <
25 years. (we presume, perhaps foolishly, that the system will be
antiquated by then).
W is the set of all possible written (including over-written)
cipher-texts on the magnetic media. Wn refers to the set of (possibly)
over-written cipher-texts of bit length n. W != C because of
an additional element in the elements of W. E of Wn = {E of Cn, a}.
GW is a set. E of GW is a "fuzzy" ordered set of E of W, ordered
numerically by element a of E of W, i.e. the first element of an
element of GW has the lowest age. E of GW represents the layers of
ciphertext (including first and over-written layers). E of GW is
"fuzzy" because the probability of element n of E of GW existing is
inversely proportional (not necessarily in any linear manner) to
n. e.g. E of GWn = {(prob 1/1)E of Wn, (prob 1/2)E of Wn, (prob 1/3)E
of Wn, (prob 1/4)E of Wn, (prob 1/5)E of Wn .....}. In practice, E of
W contains less than 64 members (i.e. it's very doubtful even the best
STM techniques can read the 64th over-written layer).
e is a positive real. It is proportional to the total number of writes
for any particular disk block. In practice, e < 2^32 and probably
averages only 1-4 on most disks.
B is the set of all possible disk blocks. An element of B is a set
comprised of E of GW and e elements. Bn refers to the set of disk
blocks whose GW elements are restricted to GWn (i.e. the disk block is n
bits in length). E of Bn = {E of GWn, e}. In practice n < 8192.
S (the set of "splits") is the set of all ordered sets of
elements of C. Sn.m is the set of ordered sets of n elements of Cm.
If that seems as clear as mud, E of Sn.m is n x m bits long, and
Sn.m has 2^(n x m) elements.
SW (the set of physical splits) is the set of all ordered sets of
elements of GW, and otherwise follows the semantics of S.
D is the set of all ordered sets of elements of S. Do.n.m is the set of
ordered sets of So.m containing o elements. D represents the first layer
of material written to every possible disk.
DW is the set of all ordered sets of elements of SW. DWo.n.m is the set
of ordered sets of SWo.n.m containing n elements. DW contains all the
information that could ever be retrieved from every disk.
...
--
Prof. Julian Assange |"Don't worry about people stealing your ideas. If your
| Ideas are any good, you'll have to ram them down
proff@iq.org | people's throats." -- Stolen quote from Howard Aiken
proff@gnu.ai.mit.edu | http://underground.org/book
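As an added example (not part of this thread and not marutukku's own code), here is a toy Python model of the two stated properties and of the write-use variable e: a duress key recovers only the duress data, every block a held key cannot verify looks like random unused data, and the per-block write count alone betrays K_r != K_d unless each logical write also touches the other blocks. Keys, payloads, block positions and the 32-block disk are constructed; HMAC-SHA256 stands in for the cipher E_k, and block placement (the aspects/keying the message leaves undescribed) is passed in explicitly.

```python
import hmac, hashlib, secrets

BLOCK, TAG = 16, 4  # toy sizes; the text's real disk blocks are 512 bytes

def keystream(key: bytes, i: int) -> bytes:
    # HMAC-SHA256 keyed by (key, block index) stands in for the cipher E_k of the text
    return hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

class Disk:
    """Toy platter: current block contents plus the per-block write count e from the text."""
    def __init__(self, nblocks: int):
        self.blocks = [secrets.token_bytes(BLOCK) for _ in range(nblocks)]  # random unused data
        self.e = [0] * nblocks
    def write(self, i: int, data: bytes) -> None:
        self.blocks[i] = data
        self.e[i] += 1

def store(disk: Disk, key: bytes, payload: bytes, positions: list, cover: bool = False) -> None:
    """Encrypt payload under key into the listed (ascending) blocks; placement is given explicitly.
    cover=True rewrites every other block with its current bytes so e no longer singles out the
    blocks this key touched: the extra traffic is the cost weighed in goal 2 of the text."""
    chunk = BLOCK - TAG
    chunks = [payload[j:j + chunk].ljust(chunk, b"\0") for j in range(0, len(payload), chunk)]
    assert len(chunks) == len(positions), "one block position per payload chunk"
    for plain, i in zip(chunks, positions):
        tag = hmac.new(key, plain, hashlib.sha256).digest()[:TAG]  # owner can recognise own blocks
        disk.write(i, xor(plain + tag, keystream(key, i)))
    if cover:
        for i in range(len(disk.blocks)):
            if i not in positions:
                disk.write(i, disk.blocks[i])

def recover(disk: Disk, key: bytes) -> bytes:
    """Scan every block in disk order, keeping those whose tag verifies under key."""
    out = b""
    for i, c in enumerate(disk.blocks):
        p = xor(c, keystream(key, i))
        plain, tag = p[:BLOCK - TAG], p[BLOCK - TAG:]
        if hmac.compare_digest(tag, hmac.new(key, plain, hashlib.sha256).digest()[:TAG]):
            out += plain.rstrip(b"\0")
    return out

def suspicious_blocks(disk: Disk, known: set) -> set:
    """What an analyst holding only K_d learns from e: written blocks that K_d does not explain."""
    written = {i for i, n in enumerate(disk.e) if n > min(disk.e)}
    return written - known
```

With a constructed disk, `store(d, b"duress-key", b"love letters to X", [3, 7])` followed by `store(d, b"real-key", b"the real secrets", [20, 21])` lets `recover(d, b"duress-key")` return only the love letters while `suspicious_blocks(d, {3, 7})` still returns {20, 21} from e alone; repeating both stores with cover=True makes that set empty. The older ciphertext layers (the GW history) remain on the platter either way, which is the part the message calls "interesting".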