Crypted Disk Question

[Poul-Henning Kamp]

In message <20030516155153.GY3896 at geekpunk.net>, "Brandon D. Valentine" writes:
>On Thu, May 15, 2003 at 11:23:52PM -0700, Terry Lambert wrote:
>> > 
>> > You might just aswell claim GEOM is useless because they could
>> > always torture the password out of you - both views are equally
>> > meritless.
>
>Which password will they torture out of you?  =)

1.  We're talking about GBDE here, not GEOM.

2.  Which choices the user under duress makes, should not be dictated
    by GBDE or any other cryptographic facility.

    GBDE tries to leave the maximum number of options open for the
    user, including: change passphrase, destroy pass-phrase and
    destroy all master-key material.

>There are disk encryption schemes which utilize multiple keys, each key
>unlocking a different layer of information.  These systems are designed,
>at least in part, to facilitate the partial release of information in a
>coercion scenario.  Outwardly there is no way to determine whether the
>key you have been given fully unlocked the disk or whether you were only
>given partial access.

This is BS.

If nothing else, we learned from the Iranian Embassy Hostage incident,
that the "Ohh, all adversaries are clueless" assumption is not
valid.

If somebody gets caught with a disk which contains a lump of data
crypted with a multi-level facility, the adversary will know that
it is a multi-level facility and the pressure to hand over key
material will not cease until the adversary is satisfied that there
is no more levels of protection.

If the adversary has a mistaken belief about what is on the disk,
for instance expecting it to contain details of WMD, instead of the
p0rn collection it has, then the pressure will be kept up, because
the user can not prove that it does in fact not have a further level
of encryption.

GBDE takes the opposite approach:  There is only a single level,
but the user has the ability to nuke the master-key material out
of existence with a swift operation.  I also have a number of
ideas for modes where GBDE is "mined" so that if certain criteria
are not fulfilled, it will selfdestruct the master-key bits.

If you manage to activate the master-key destruction before the
attacker has gotten a bit for bit copy of the disk, you can yield
your passphrase to the attacker (when you judge the time and
circumstances for doing so is optimal), and the attacker  will
immediately discover that you gave the correct pass-phrase, that
it is useless to them, but most importantly that no other pass-phrase
will be helpful either.  The attacker therefore nolonger has that
as a reason to apply undue force on the user.

>Just because the court orders you to unlock your disk you can choose not
>to do so.  You will be held in contempt of court, possibly charged with
>obstruction of justice and most definitely jailed until you produce the
>key material.  But, if the privacy of the contents of your disk is worth
>more to you than your freedom, you can continue to deny the court's
>request.

Using the GBDE approach, they will have to settle for "destruction
of evidence".  Typically they will have to prove that you did so
deliberately, this is generally a rather soft punishment, since
they may not even be able to prove what the evidence you destroyed
were, if indeed it was evidence in the first place.

>However, hiding information from a court of law is generally not the
>goal of encryption of this sort.

That, my friend, depends a lot on who you are, what circumstances
you are in, and what you are hiding.

Cryptographic tools should be as general as possible, and support
as many possible uses as possible, and not make assumptions about
what life in the real world are if it can be avoided.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.