David Shaw dshaw at
Tue Mar 22 20:37:08 CET 2011

On Mar 22, 2011, at 3:17 PM, Jerome Baum wrote:

> David Shaw <dshaw at> writes:
>> Hmm. I'm not sure you and I are on the same page with this attack. I
>> don't think that Alice's rigged message to Baker necessarily needs to
>> be forged to come from the original sender. Alice can send the
>> message to Baker as herself, with no special signing or other trickery
>> to fool Baker about the origin of the message. She can even sign it
>> (as herself) if she wants. The contents of the message just need to
>> be something Baker would naturally reply to.
> Yeah, I got a bit carried off there. So any way to counter that, besides
> keeping a list of (hash(cryptd-text), hash(session-key | random-parts))
> to warn you if one is reused? Obviously that is a pretty dumb way, so is
> there any way at all to counter a session-key-reuse attack?

Probably the easiest way is to not send messages with speculative key IDs encrypted to more than one recipient. :)

That ensures that Alice knows as little as possible about the other recipients (including whether there are any in the first place).  It does put an additional burden on the sender, though, as they now need to send out more messages (which might be hard for some senders).
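The two countermeasures discussed in this exchange, Jerome's "remember the session key and warn on reuse" list and David's "one message per recipient when key IDs are speculative", can be illustrated on a toy model of an OpenPGP message. The following is an added example written for this archive page; it is not GnuPG code. It assumes a message made of one public-key-encrypted session key (PKESK) packet per recipient plus a body encrypted under the shared session key, with a hidden (speculative) key ID modelled as `None`, so that a recipient has to try every PKESK and rely on the two-octet session-key checksum (as in RFC 4880) to know which one was theirs. The key wrap and body cipher are toy XOR constructions with a SHA-256 keystream, chosen only so the example runs offline; the names Alice and Baker are the thread's, the `Recipient.secret` field stands in for a private key.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

# Toy model, not OpenPGP crypto: keystream = SHA-256(key || label || counter).
def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _checksum(session_key: bytes) -> int:
    # RFC 4880 PKESK style: sum of the session-key octets modulo 65536.
    return sum(session_key) % 65536

@dataclass
class Pkesk:
    key_id: Optional[str]   # None models a speculative / hidden key ID
    wrapped: bytes
    checksum: int

@dataclass
class Message:
    pkesks: List[Pkesk]     # one packet per recipient; their count is visible
    body: bytes             # encrypted under the single shared session key

@dataclass
class Recipient:
    key_id: str
    secret: bytes           # stands in for the recipient's private key

def _wrap(recipient: Recipient, session_key: bytes) -> bytes:
    return _xor(session_key, _keystream(recipient.secret, b"wrap", len(session_key)))

def encrypt_shared(plaintext: bytes, recipients: List[Recipient], hide_key_ids: bool) -> Message:
    """One message, one session key shared by every recipient: the form the reply warns about."""
    sk = os.urandom(16)
    pkesks = [Pkesk(None if hide_key_ids else r.key_id, _wrap(r, sk), _checksum(sk))
              for r in recipients]
    return Message(pkesks, _xor(plaintext, _keystream(sk, b"body", len(plaintext))))

def encrypt_separately(plaintext: bytes, recipients: List[Recipient]) -> List[Message]:
    """David's countermeasure: with speculative key IDs, send one message per recipient.
    Each message gets a fresh session key and carries exactly one PKESK, so a recipient
    learns neither the other recipients' keys nor whether any other recipients exist."""
    return [encrypt_shared(plaintext, [r], hide_key_ids=True) for r in recipients]

def recover_session_key(recipient: Recipient, message: Message) -> Optional[bytes]:
    """What any recipient can learn from a message: the shared session key.
    With hidden key IDs every PKESK is tried and the checksum picks the right one."""
    for p in message.pkesks:
        if p.key_id not in (None, recipient.key_id):
            continue
        candidate = _xor(p.wrapped, _keystream(recipient.secret, b"wrap", len(p.wrapped)))
        if _checksum(candidate) == p.checksum:
            return candidate
    return None

def decrypt(recipient: Recipient, message: Message) -> Optional[bytes]:
    sk = recover_session_key(recipient, message)
    if sk is None:
        return None
    return _xor(message.body, _keystream(sk, b"body", len(message.body)))

class SessionKeyLog:
    """Jerome's list-based mitigation, simplified: remember the hash of each session key
    together with the hash of the ciphertext it decrypted, and warn when the same
    session key shows up again under a different ciphertext."""
    def __init__(self) -> None:
        self.seen = {}

    def check(self, session_key: bytes, body: bytes) -> bool:
        """Return True if this session key was already used for another ciphertext."""
        k = hashlib.sha256(session_key).hexdigest()
        b = hashlib.sha256(body).hexdigest()
        previous = self.seen.setdefault(k, b)
        return previous != b

if __name__ == "__main__":
    alice = Recipient("ALICE", b"alice-private-key")   # constructed sample recipients
    baker = Recipient("BAKER", b"baker-private-key")
    shared = encrypt_shared(b"please reply to this", [alice, baker], hide_key_ids=True)
    print("PKESKs visible to Alice:", len(shared.pkesks))          # 2: someone else got it
    print("same session key for both:",
          recover_session_key(alice, shared) == recover_session_key(baker, shared))
    per_recipient = encrypt_separately(b"please reply to this", [alice, baker])
    print("PKESKs per separate message:", [len(m.pkesks) for m in per_recipient])
    log = SessionKeyLog()
    sk = recover_session_key(baker, shared)
    log.check(sk, shared.body)
    print("reuse warning:", log.check(sk, b"some other ciphertext"))
```

The two behaviours worth noticing are that in the shared form every recipient ends up holding the one session key and can count the other PKESK packets, whereas each message from `encrypt_separately` exposes a single PKESK and a session key nobody else holds; the log catches a repeated key after the fact, the per-recipient split removes the shared key in the first place, at the cost of more messages from the sender.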
