Interesting People mailing list archives
more on Can you be compelled to give a password?
From: David Farber <dave () farber net>
Date: Wed, 9 Aug 2006 05:36:25 -0400
Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: August 8, 2006 8:56:14 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Re: [IP] more on Can you be compelled to give a password?

Dave,

I wonder how long all of these fascinating, sophisticated techniques will hold up when persons are threatened with:

a) Lengthy extended prison terms for not coughing up exactly the demanded data with no screwing around ...

and/or:

b) Coercive techniques of the sort that the White House implied they could continue to use (as noted in the signing statement for an anti-torture bill) at their discretion

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC - International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

- - -
Begin forwarded message:

From: Ed Gerck <edgerck () nma com>
Date: August 8, 2006 5:49:21 PM EDT
To: Ariel Waissbein <wata.34mt () coresecurity com>
Cc: Cryptography <cryptography () metzdowd com>
Subject: Re: [IP] more on Can you be compelled to give a password?

Ariel Waissbein wrote:
> Please notice that a second "distress" password becomes useless if the
> would-be user of this password has access to the binaries (that is, the
> encrypted data), e.g., because he will copy them before inserting the
> password and might even try to reverse-engineer the decryption software
> before typing anything. So I'm not sure what is the setting here.

The worst-case setting for the user is likely to be when the coercer can do all that you said and has the time/resources to do them. However, if the distress password is strong (ie, not breakable within the time/resources available to the coercer), the distress password can be used (for example) to create a key that decrypts a part of the code in the binary data that says the distress password expired at an earlier date -- whereas the access password would create a key that decrypts another part of the code.

There are other possibilities as well. For example, if the binary data contains code that requires connection to a server (for example, to supply the calculation of some function), that server can prevent any further access, even if the access password is entered, after the distress password is given. The data becomes inaccessible even if the coercer has the binary data.

Another possibility is to combine the above with threshold cryptography.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo () metzdowd com

-------------------------------------
You are subscribed as lauren () pfir org
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
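The first variant described in Ed Gerck's message (each password derives a key that decrypts a different part of the data), as an added example that is not part of the original messages or any participant's code. The function names and the two-slot layout are hypothetical, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a vetted AEAD cipher.

```python
import hashlib, hmac, os

def _kdf(password: str, salt: bytes) -> bytes:
    # 64 bytes of key material: k[:32] encrypts, k[32:] authenticates.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a vetted AEAD cipher.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_slot(password: str, plaintext: bytes, size: int = 64) -> bytes:
    if len(plaintext) > size - 2:
        raise ValueError("plaintext too long for slot")
    salt = os.urandom(16)
    k = _kdf(password, salt)
    # Length prefix + zero padding: every slot has the same size on disk.
    padded = (len(plaintext).to_bytes(2, "big") + plaintext).ljust(size, b"\0")
    ct = _xor(padded, _keystream(k[:32], size))
    return salt + ct + hmac.new(k[32:], salt + ct, hashlib.sha256).digest()

def open_slot(password: str, slot: bytes):
    salt, ct, tag = slot[:16], slot[16:-32], slot[-32:]
    k = _kdf(password, salt)
    expected = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # this password does not open this slot
    padded = _xor(ct, _keystream(k[:32], len(ct)))
    return padded[2:2 + int.from_bytes(padded[:2], "big")]

def make_container(access_pw, secret, distress_pw, notice):
    slots = [seal_slot(access_pw, secret), seal_slot(distress_pw, notice)]
    if os.urandom(1)[0] & 1:  # random order: position reveals nothing
        slots.reverse()
    return slots

def unlock(password: str, container):
    for slot in container:
        plaintext = open_slot(password, slot)
        if plaintext is not None:
            return plaintext
    return None

if __name__ == "__main__":  # constructed sample values
    c = make_container("access-pw", b"real data", "distress-pw", b"expired")
    print(unlock("access-pw", c), unlock("distress-pw", c), unlock("bad", c))
```

Both slots remain decryptable in any copy of the container, so this local variant does not by itself revoke the access password; that is the case the server-side variant in the message is meant to cover.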