Interesting People mailing list archives

more on Can you be compelled to give a password?

From: David Farber <dave () farber net>
Date: Tue, 8 Aug 2006 19:21:14 -0400



Begin forwarded message:

From: Ed Gerck <edgerck () nma com>
Date: August 8, 2006 5:49:21 PM EDT
To: Ariel Waissbein <wata.34mt () coresecurity com>
Cc: Cryptography <cryptography () metzdowd com>
Subject: Re: [IP] more on Can you be compelled to give a password?

Ariel Waissbein wrote:

Please notice that a second "distress" password becomes useless if the
would-be user of this password has access to the binaries (that is,the
encrypted data), e.g., because he will copy them before inserting the
password and might even try to reverse-engineer the decryptionsoftware
before typing anything. So I'm not sure what is the setting here.


The worst-case setting for the user is likely to be when the coercer can
do all that you said and has the time/resources to do them. However, if

the distress password is strong (ie, not breakable within the time/resourcesavailable to the coercer), the distress password can be used (forexample)

to create a key that decrypts a part of the code in the binary data that

says the distress password expired at an earlier date -- whereas theaccess

password would create a key that decrypts another part of the code.

There are other possibilities as well. For example, if the binary data

contains code that requires connection to a server (for example, tosupply

the calculation of some function), that server can prevent any further

access, even if the access password is entered, after the distresspasswordis given. The data becomes inaccessible even if the coercer has thebinary data.


Another possibility is to combine the above with threshold cryptography.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List

Unsubscribe by sending "unsubscribe cryptography" tomajordomo () metzdowd com



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Current thread:

more on Can you be compelled to give a password? David Farber (Aug 08)
- <Possible follow-ups>
- more on Can you be compelled to give a password? David Farber (Aug 09)