The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools

pgpfan:repudiability

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
pgpfan:repudiability [2020/06/08 21:05] – created b.walzerpgpfan:repudiability [2021/06/05 01:10] (current) – [Untrusted Correspondent] more articles to refer to. b.walzer
Line 1: Line 1:
-======Repudiability======+======Deniability======
  
-Repudiability is also known as deniability. As far as I can determine, the idea came out of nowhere. It wasn't really an issue anyone worried about and then it was a feature. We know that PGP doesn't have this feature because it was used as the example in the [[pgpfan:off_the_record|Off the Record]] proposal. So it seems appropriate to use PGP as a practical example.+Deniability is also known as repudiability or plausible deniability. As far as I can determine, the idea came out of nowhere. It wasn't really an issue anyone worried about and then it was a feature. I will use PGP as the practical example((PGP was used as the counter example in the [[pgpfan:off_the_record|Off the Record]] proposal which first popularized the idea of deniability)).
  
-If you send signed and encrypted PGP message to someone then these two entities can gain knowledge of your signed message:+When you use public key cryptography to encrypt a message, there is no way for the recipient to be sure it is from you. Normally you address that problem by cryptographically signing the message. In some situations, you might only want the recipient of your message to have access to the connection between your identity and your message.
  
-  - The person you sent it to. +Deniability is intended to break or weaken the connection between a cryptographically signed message and your identityIt must still allow the message recipient(s) to be certain that the message is from you, thus preserving the value of the signature. The goal here is to allow an electronically communicated message to be completely "off the record" in the sense the [[wp>Source_(journalism)#Using_confidential_information|phrase is used in journalism]].
-  - Someone who manages to compromise the encryption.+
  
-Repudiability is intended to prevent those entities from causing you problems due to that knowledge by breaking or weakening the connection between the message and your cryptographic identity. Your cryptographic identity is normally based on some data that it is expected that only you have access to. In the case of PGP that data is your private key which is required to generate the signature. For this to potentially matter, your signed message would have to be linked to your cryptographic identity. +=====Applicability=====
- +
-In a PGP context that would involve at least one of: +
- +
-  - Direct access to your private key. +
-  - Someone who "knows" you through possession of your public key and an exchange of messages. +
-  - Some sort of more complicated argument involving the PGP web of trust. +
- +
-The first instance is the most definite. It also implies that both you and your correspondent have been compromised. The others provide no definite cryptographic proof of identity.+
  
 In the event that someone can come up with a tie between you and your cryptographic identity then this is what they will face when attempting to link it to your physical identity: In the event that someone can come up with a tie between you and your cryptographic identity then this is what they will face when attempting to link it to your physical identity:
Line 22: Line 13:
   - Very few people understand cryptographic signatures well enough to even believe that such a thing is possible.   - Very few people understand cryptographic signatures well enough to even believe that such a thing is possible.
   - There is no cultural context for the application of cryptographic signatures.   - There is no cultural context for the application of cryptographic signatures.
-   + 
-For something like a court case if it is email then the normal email evidence process would be followed with an extra decryption step. There would be no incentive to add an extra complicated step that might be challenged.+As an example; email evidence used in something like a court case would follow the regular email evidence process. There would be no incentive to add an extra complicated step that might be challenged.
  
 In a personal communications situation the people involved will know each other. If the reporter is part of the group then it would come down to how the others felt about you and them. If it was an outsider then the report would be treated as an unsubstantiated rumour. A technical proof would be ignored as redundant. In a personal communications situation the people involved will know each other. If the reporter is part of the group then it would come down to how the others felt about you and them. If it was an outsider then the report would be treated as an unsubstantiated rumour. A technical proof would be ignored as redundant.
  
-Note that PGP user has complete control over how much their cryptographic identity is linked to their physical identity. A good example of this is seen with PGP use on the [[wp>Darknet_market#Customer_interactions|darknets]]Customers create separate PGP identity for use on the darknets. They often accept the default to sign messages as presented by their tool because it doesn't matter. The PGP identity (public key) is never distributed so the signature has no value. This is an advantage of the simple and straightforward way PGP deals with [[pgpfan:identity|identities]].+Ironically the very existence of deniability feature draws attention to the existence of the cyptographic signatures used in a particular messaging system and would tend to reinforce the value of such signatures. 
 + 
 +====Trusted Correspondent==== 
 + 
 +Far and away the most common case is where you can trust the one you are messaging withIf you are using system that can sign messages then you will have the capability and the motivation to encrypt any messages that have the potential to embarrass you. For this case, deniability only has potential value when that encryption fails. 
 + 
 +Here we need to make a distinction between the harm from revealing that a particular person said something and what was actually said. After the failure of encryption, usually most of the harm will be due to the facts that are revealed. Most facts can be verified in some other way than by a cryptographic signature. 
 + 
 +====Untrusted Correspondent==== 
 + 
 +This could be considered the true "off the record" case. The one you are messaging with might use your message and cryptographic signature in a way that could cause you problems. In this case, most people would be best off: 
 + 
 +  - Not connecting their identity to their cryptographic identity(([[pgpfan:signedanon|Signed Anonymous Messages]])), or 
 +  - Not signing their messages at all(([[pgpfan:anonymous|Anonymous Encrypted Messages]])). 
 + 
 +... rather than having to try to weaken the effect of a cryptographic signature. Our practical example, PGP, works well in this case as it allows both options. Deniability can be seen here as a compromise solution for a problem that need not exist. 
 + 
 +It is not really certain that deniability is even completely possible in this case. The cryptographic signature has still proven whatever it can prove. Whatever indication that the system has given your correspondent of your identity can be recorded somehow, even if just in their memory. It's similar to the difference between someone getting your letter and hearing you say something to them in person.
  
 =====Forgeability===== =====Forgeability=====
  
-Forgeability is a part of repudiability. The idea is to make things so that even if someone does link your signed message to your cryptographic identity you can then falsely claim that the message is a forgery. Some amount of information is leaked to make this possible, either to just your correspondent(s) or to anyone that has access to your signed unencrypted message. To be clearthis is even intended to cover the case where your correspondent reveals your signed messages to others.+The method of establishing deniability used in practice involves leaking information so that someone can forge a message after the message has been transferred and verified by the recipient(s). 
 + 
 +The fundamental problem here is that the mere possibility of forging a message does not in any way prove that a message was forged. Forgeability uses a simple technical approach to create a much more complicated question of credibility. 
 + 
 +In practice you would have to at least imply that your message was a forgery created by someone using a complicated and obscure technical process. This has obvious ethical issues and is unlikely to work, either in the court of public opinion or court of law. Most media is relatively easy to forge but false claims of such forgery are quite rare which suggests that such claims don't tend to work outFabricated evidence of a forgery could work, but the risk is much higher. 
 + 
 +Consider the case where a corpus of encrypted email is publicly leaked but it is not possible to decrypt that email at that time. Should it then become possible to decrypt the email later then it can be shown that the email existed before it was possible for anyone to forge it. Forgeability is thus negated. An entity that is saving encrypted messages in hope of future decryption only has to generate proof of the existence of those emails at the time of intercept to negate any forgeability. In general, proof that a message existed before it was possible to forge it negates forgeability. 
 + 
 +There is a potential problem of implied intent. Forgeability involves a deliberate act of data leakage. Say you get caught skulking around in the dark with burglary tools in an area with recent breakins. Providing solid proof that you always carry such tools would increase the level of suspicionnot decrease it. 
 + 
 +In the same way, using a system that is deliberately designed to allow you to say something then deny having said it might also cause extra suspicion. The concept is quite easy to understand, as opposed to the stuff about public key based signatures.
  
-The fundamental problem with the concept of forgeability is:+Consider the situation if someone were to actually forge a message from you using the method you have explicitly made possible. When claiming the forgery you would have to work against the same suspicion. 
  
-**The mere possibility of forging a message does not in any way prove that a message was forged.**+====Forgeability Light====
  
-In practice you would have to falsely accuse someone of the forgery. That someone would very possibly have to be a friendIt would be a serious accusation with serious consequences. In a social context the penalty could be exclusion from the groupIn a legal context the penalty could be actual jail time. If your accusation was not successful the penalty would fall back on you.+Instead of releasing the information required to forge your signature to everyone who gets access to the unencrypted messages, you can just release that information to your correspondentsThis eliminates the potential problems caused be allowing just anyone to forge your signatureIt does however greatly reduce the number of people you might suggest had forged that signature. If you try to suggest that your boyfriend Nathan might of forged your signature you will have a bad time when it comes out that the most technical thoughts Nathan ever has relate to the healing power of crystals.
  
-It is much better and safer to just claim that the problematic statement is not what it seems. You might of been joking. You might of been misunderstood.+=====Conclusion=====
  
-A system that supports forgeability will have the ability to falsely claim a forgery as a known featureSo in practice you might actually be worse off with such system should you decide to do that.+Forgeability as used for deniability would rarely be applicableThe most likely instance where it would be relevant would be in the case of compromised endpoint. In that situation you have a plausible way to claim a forgery and thus denyabliliy becomes redundant.
  
-In PGP context you could claim someone had gained access to your private key. That argument might actually have some force in a case where someone's private key was compromised to defeat the encryption.+Deniablity is one of those things that seems like good idea in theory. In practice it has very little value. It is unlikely that the feature is worth the extra risk of the complexity it would take to implement it.
  
-Most media is relatively easy to forge. But yet false claims of such forgery are quite rare which suggests that such claims don't tend to work out. False claims of fabricated evidence rarely go anywhere in court for example. Claiming that someone created a forgery using an obscure technical process does not seem any more likely to succeed.+[[pgpfan:index|PGP FAN Index]]
  
-Repudiability is one of those things that seems like a good idea in theory. In practice it has very little value. It is unlikely that the feature is worth the extra complexity it would take to implement it. 
  
pgpfan/repudiability.1591650336.txt.gz · Last modified: 2020/06/08 21:05 by b.walzer