[dm-crypt] cryptsetup, LUKS, plausible deniability

[dm-crypt] cryptsetup, LUKS, plausible deniability

[Ivan Stankovic]

Hi everyone,

I'd like to start a discussion about plausible deniability for LUKS (see
http://code.google.com/p/cryptsetup/issues/detail?id=7).

As has already been said in a comment on the issue above, even having
an option to hide/encrypt LUKS header would be helpful. One approach is to
just encrypt the normal LUKS header with a header key, which is not very
user-friendly as one would now have to remember/store both the passphrase and
the header key (one might as well use plain dmcrypt with a single key).

I guess the goal here would be to have LUKS features (multiple passphrases,
ease of use, key splitting...) implemented in such a way that nobody can prove
that you're using encryption. Thoughts?


-- 
Ivan Stankovic, pokemon@fly.srk.fer.hr

"Protect your digital freedom and privacy, eliminate DRM, 
learn more at http://www.defectivebydesign.org/what_is_drm"

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

I think this is the wrong approach. LUKS is not designed to hide
at all and trying to make it capable of doing so is very likely
a lot harder than to use something else, esoecially as several
solutions are already available. 

Incidentially, using plain dm-crypt with a single zero-overwrite 
of the decrypted device already works very well. I, for example,
use plain dm-crypt with a random key and zero overwrite to
erase devices and partitions. This is indistinguishable from
a denied encrypted volume. It is not feasible to hide the 
encrypted data istelf, so this is as far as it goes. 

If you want more, use TrueCrypt, but I would be very careful
with plausible deniablility anyways. Your protection is primarily
that they cannot force you to give up your keys. If you live
in a country were they can, I propose to very seriously consider
leaving that country for good. See also http://xkcd.com/538/
This _is_ realistic.
  
Arno



On Sat, Sep 12, 2009 at 11:53:45PM +0200, Ivan Stankovic wrote:
> Hi everyone,
> 
> I'd like to start a discussion about plausible deniability for LUKS (see
> http://code.google.com/p/cryptsetup/issues/detail?id=7).
> 
> As has already been said in a comment on the issue above, even having
> an option to hide/encrypt LUKS header would be helpful. One approach is to
> just encrypt the normal LUKS header with a header key, which is not very
> user-friendly as one would now have to remember/store both the passphrase and
> the header key (one might as well use plain dmcrypt with a single key).
> 
> I guess the goal here would be to have LUKS features (multiple passphrases,
> ease of use, key splitting...) implemented in such a way that nobody can prove
> that you're using encryption. Thoughts?
> 
> 
> -- 
> Ivan Stankovic, pokemon@fly.srk.fer.hr
> 
> "Protect your digital freedom and privacy, eliminate DRM, 
> learn more at http://www.defectivebydesign.org/what_is_drm"
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Tommaso]

> On Sat, Sep 12, 2009 at 11:53:45PM +0200, Ivan Stankovic wrote:
>> I'd like to start a discussion about plausible deniability for LUKS (see
>> http://code.google.com/p/cryptsetup/issues/detail?id=7).

I think that plausible deniability would be a good thing, even if it is
somewhat difficult to rely upon (the xkcd strip explains this well
ihih), and maybe it goes beyond the scopes of LUKS. Nonetheless it would
be nice to have such an option.

One thing I'd like to address however, regarding a possible future
implementation of truecrypt-style "hidden devices". If you'll ever plan
to do such a thing, remember that they are absolutely useless (except
maybe for USB sticks) until it will be not possible to use something
different from FAT16 for the host device. I tell you this because I had
many, many difficulties using a hidden device for my home, until at last
I had to abandon the idea.

[dm-crypt] OT: spam?

[Tommaso]

Is it normal that every time I send a message on this list I receive an
invite to join the "Katte-DK" Yahoo Group?

Yahoo! Groups wrote:
> Hello elisapippo@tiscali.it,
>
> We have received your request to join the Katte-DK
> group hosted by Yahoo! Groups, a free, easy-to-use community service.
>  ...

Re: [dm-crypt] OT: spam?

[Rick Moritz]

[-- Attachment #1: Type: text/plain, Size: 620 bytes --]

Ah, that's the cause behind those invites I've been receiving.

On Sun, Sep 13, 2009 at 11:07 AM, Tommaso <elisapippo@tiscali.it> wrote:

> Is it normal that every time I send a message on this list I receive an
> invite to join the "Katte-DK" Yahoo Group?
>
> Yahoo! Groups wrote:
> > Hello elisapippo@tiscali.it,
> >
> > We have received your request to join the Katte-DK
> > group hosted by Yahoo! Groups, a free, easy-to-use community service.
> >  ...
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>



-- 
Rick rocks.

[-- Attachment #2: Type: text/html, Size: 1133 bytes --]

Re: [dm-crypt] OT: spam?

[Heinz Diehl]

At Sun, 13 Sep 2009 11:07:04 +0200,
Tommaso wrote:

> Is it normal that every time I send a message on this list I receive an

I have already received _over 100_ of this messages in the past 3 weeks.
They are now sorted out by a procmail rule.

Re: [dm-crypt] OT: spam?

[Arno Wagner]

Ah, theres these things come from. I have been wondering
for some time, but was to lazy to follow up.

Arno

On Sun, Sep 13, 2009 at 11:07:04AM +0200, Tommaso wrote:
> Is it normal that every time I send a message on this list I receive an
> invite to join the "Katte-DK" Yahoo Group?
> 
> Yahoo! Groups wrote:
> > Hello elisapippo@tiscali.it,
> >
> > We have received your request to join the Katte-DK
> > group hosted by Yahoo! Groups, a free, easy-to-use community service.
> >  ...
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

On Sun, Sep 13, 2009 at 10:56:53AM +0200, Tommaso wrote:
> > On Sat, Sep 12, 2009 at 11:53:45PM +0200, Ivan Stankovic wrote:
> >> I'd like to start a discussion about plausible deniability for LUKS (see
> >> http://code.google.com/p/cryptsetup/issues/detail?id=7).
> 
> I think that plausible deniability would be a good thing, even if it is
> somewhat difficult to rely upon (the xkcd strip explains this well
> ihih), and maybe it goes beyond the scopes of LUKS. Nonetheless it would
> be nice to have such an option.

I agree, but "nice" and "worth the effort" are two different things.
Andin addition, with LUKS is very likely not possible to go beyond
what plain dm-crypt offers. Use that.

> One thing I'd like to address however, regarding a possible future
> implementation of truecrypt-style "hidden devices". If you'll ever plan
> to do such a thing, remember that they are absolutely useless (except
> maybe for USB sticks) until it will be not possible to use something
> different from FAT16 for the host device. I tell you this because I had
> many, many difficulties using a hidden device for my home, until at last
> I had to abandon the idea.

It is basically not possible to have a hidden volume or any hidden
datya without raising suspicion. The entropy of the encryoted data
cannopt be hidden and some seemingly random data will always be
presend in the presence of a hidden volume. You can only claim
that this data is not a hidden volume, and you can do the same
already with a plain dm-crypt device. 

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Ivan Stankovic]

On Sun, Sep 13, 2009 at 08:36:02PM +0200, Arno Wagner wrote:
> > One thing I'd like to address however, regarding a possible future
> > implementation of truecrypt-style "hidden devices". If you'll ever plan
> > to do such a thing, remember that they are absolutely useless (except
> > maybe for USB sticks) until it will be not possible to use something
> > different from FAT16 for the host device. I tell you this because I had
> > many, many difficulties using a hidden device for my home, until at last
> > I had to abandon the idea.
> 
> It is basically not possible to have a hidden volume or any hidden
> datya without raising suspicion. The entropy of the encryoted data
> cannopt be hidden and some seemingly random data will always be
> presend in the presence of a hidden volume. You can only claim
> that this data is not a hidden volume, and you can do the same
> already with a plain dm-crypt device. 

... but not with LUKS. And this is what I'm looking for: having
all the benefits and convenience of LUKS but without the revealing
signature. Making sure that other components of the system do well
with respect to deniability is, of course, the user's problem.

-- 
Ivan Stankovic, pokemon@fly.srk.fer.hr

"Protect your digital freedom and privacy, eliminate DRM, 
learn more at http://www.defectivebydesign.org/what_is_drm"

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

On Sun, Sep 13, 2009 at 09:44:31PM +0200, Ivan Stankovic wrote:
> On Sun, Sep 13, 2009 at 08:36:02PM +0200, Arno Wagner wrote:
> > > One thing I'd like to address however, regarding a possible future
> > > implementation of truecrypt-style "hidden devices". If you'll ever plan
> > > to do such a thing, remember that they are absolutely useless (except
> > > maybe for USB sticks) until it will be not possible to use something
> > > different from FAT16 for the host device. I tell you this because I had
> > > many, many difficulties using a hidden device for my home, until at last
> > > I had to abandon the idea.
> > 
> > It is basically not possible to have a hidden volume or any hidden
> > datya without raising suspicion. The entropy of the encryoted data
> > cannopt be hidden and some seemingly random data will always be
> > presend in the presence of a hidden volume. You can only claim
> > that this data is not a hidden volume, and you can do the same
> > already with a plain dm-crypt device. 
> 
> ... but not with LUKS. And this is what I'm looking for: having
> all the benefits and convenience of LUKS but without the revealing
> signature. Making sure that other components of the system do well
> with respect to deniability is, of course, the user's problem.

Basically, you cannot get this with LUKS. You would need to give
up all plausibility checking, for one thing. That would change
the characteristics too much. I think you should stop trying
to fit a round peg into a square hole. LUKS was never designed
to hide.

Of course, if you are really desperate to do this against all 
advice, you are always welcome to fork...

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Rick Moritz]

[-- Attachment #1: Type: text/plain, Size: 3917 bytes --]

A solution to this issue may be the option to load an external LUKS header.
This could be on an encrypted USB device and therefore not trivially linked
to the actual disk. The option, if not there already, could also aid with
some troubleshooting or backup procedures.
On the other hand plausible deniability is extremely hard, and requires
security measures beyond the dimensions of user friendliness. Therefore
losing the LUKS feature-set should be a least concern. Using a
steganographic approach is more suitable, especially when large amounts of
encrypted, apparently scientificallly used data are used as background noise
- inserting some small amount of hidden extra information into that should
be quite hard to detect, if the system is properly designed not to log
"incriminating" operations on mounts that are supposed to contain other
data.
The problem with encryption is that you mostly need to do it properly in
order for it to work - LUKS is by design not the proper way to do plausible
deniability, and the penalties incurred are not reasonably overcome. Without
steganographic approaches plausible deniability should not be considered to
be realistically achievable. And even then it may not work out.
Plain dm-crypt is the way to if you expect your attacker to be lazy and and
not very creative - believing that you're keeping disks full of not very
random data is in many scenarios unlikely.

I'd like to point to my first line again though: Is it possible to load an
external LUKS header? This may be an approach to superficially adress the
original issue.

On Mon, Sep 14, 2009 at 5:32 AM, Arno Wagner <arno@wagner.name> wrote:

> On Sun, Sep 13, 2009 at 09:44:31PM +0200, Ivan Stankovic wrote:
> > On Sun, Sep 13, 2009 at 08:36:02PM +0200, Arno Wagner wrote:
> > > > One thing I'd like to address however, regarding a possible future
> > > > implementation of truecrypt-style "hidden devices". If you'll ever
> plan
> > > > to do such a thing, remember that they are absolutely useless (except
> > > > maybe for USB sticks) until it will be not possible to use something
> > > > different from FAT16 for the host device. I tell you this because I
> had
> > > > many, many difficulties using a hidden device for my home, until at
> last
> > > > I had to abandon the idea.
> > >
> > > It is basically not possible to have a hidden volume or any hidden
> > > datya without raising suspicion. The entropy of the encryoted data
> > > cannopt be hidden and some seemingly random data will always be
> > > presend in the presence of a hidden volume. You can only claim
> > > that this data is not a hidden volume, and you can do the same
> > > already with a plain dm-crypt device.
> >
> > ... but not with LUKS. And this is what I'm looking for: having
> > all the benefits and convenience of LUKS but without the revealing
> > signature. Making sure that other components of the system do well
> > with respect to deniability is, of course, the user's problem.
>
> Basically, you cannot get this with LUKS. You would need to give
> up all plausibility checking, for one thing. That would change
> the characteristics too much. I think you should stop trying
> to fit a round peg into a square hole. LUKS was never designed
> to hide.
>
> Of course, if you are really desperate to do this against all
> advice, you are always welcome to fork...
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> arno@wagner.name
> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25
> 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>



-- 
Rick rocks.

[-- Attachment #2: Type: text/html, Size: 4783 bytes --]

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

On Mon, Sep 14, 2009 at 09:28:21AM +0200, Rick Moritz wrote:
> A solution to this issue may be the option to load an external LUKS header.
> This could be on an encrypted USB device and therefore not trivially linked
> to the actual disk. The option, if not there already, could also aid with
> some troubleshooting or backup procedures.

I like this idea. It could basically be a commandline option
giving a file that contains the header and keyslots. There would
also be need for an option to write this information to file,
something people have been asking for anyways for backup purposes.
Add an option that allows selectiion between ignoring a header
and assuming there is no header, and the backup issue is silved
at the same time.

> On the other hand plausible deniability is extremely hard, and requires
> security measures beyond the dimensions of user friendliness. 

Indeed.

> Therefore
> losing the LUKS feature-set should be a least concern. Using a
> steganographic approach is more suitable, especially when large amounts of
> encrypted, apparently scientificallly used data are used as background noise
> - inserting some small amount of hidden extra information into that should
> be quite hard to detect, if the system is properly designed not to log
> "incriminating" operations on mounts that are supposed to contain other
> data.

It may be better to hide the encryption on the first place and go
the steganographic way completely.

> The problem with encryption is that you mostly need to do it properly in
> order for it to work - LUKS is by design not the proper way to do plausible
> deniability, and the penalties incurred are not reasonably overcome. Without
> steganographic approaches plausible deniability should not be considered to
> be realistically achievable. 

Or worth anything, see my last post.

> And even then it may not work out.
> Plain dm-crypt is the way to if you expect your attacker to be lazy and and
> not very creative - believing that you're keeping disks full of not very
> random data is in many scenarios unlikely.

Actually, the "not very random" property is about as difficult to see as
breaking the encryption. Encrypted data looks very random. You could, for
example, carry around several files with high-quality noise (run it through
a crypto-hash for better properties) and one among them is actually your
encrypted data file. Distinguishing the file type is about as hard as
breaking the encryption.

> I'd like to point to my first line again though: Is it possible to load an
> external LUKS header? This may be an approach to superficially adress the
> original issue.

Not at the moment. There is a note in the LUKS on-disk format document
I believe, that states that backup and restore of headers is planned.

Arno

 
> On Mon, Sep 14, 2009 at 5:32 AM, Arno Wagner <arno@wagner.name> wrote:
> 
> > On Sun, Sep 13, 2009 at 09:44:31PM +0200, Ivan Stankovic wrote:
> > > On Sun, Sep 13, 2009 at 08:36:02PM +0200, Arno Wagner wrote:
> > > > > One thing I'd like to address however, regarding a possible future
> > > > > implementation of truecrypt-style "hidden devices". If you'll ever
> > plan
> > > > > to do such a thing, remember that they are absolutely useless (except
> > > > > maybe for USB sticks) until it will be not possible to use something
> > > > > different from FAT16 for the host device. I tell you this because I
> > had
> > > > > many, many difficulties using a hidden device for my home, until at
> > last
> > > > > I had to abandon the idea.
> > > >
> > > > It is basically not possible to have a hidden volume or any hidden
> > > > datya without raising suspicion. The entropy of the encryoted data
> > > > cannopt be hidden and some seemingly random data will always be
> > > > presend in the presence of a hidden volume. You can only claim
> > > > that this data is not a hidden volume, and you can do the same
> > > > already with a plain dm-crypt device.
> > >
> > > ... but not with LUKS. And this is what I'm looking for: having
> > > all the benefits and convenience of LUKS but without the revealing
> > > signature. Making sure that other components of the system do well
> > > with respect to deniability is, of course, the user's problem.
> >
> > Basically, you cannot get this with LUKS. You would need to give
> > up all plausibility checking, for one thing. That would change
> > the characteristics too much. I think you should stop trying
> > to fit a round peg into a square hole. LUKS was never designed
> > to hide.
> >
> > Of course, if you are really desperate to do this against all
> > advice, you are always welcome to fork...
> >
> > Arno
> > --
> > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> > arno@wagner.name
> > GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25
> > 338F
> > ----
> > Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
> >
> > If it's in the news, don't worry about it.  The very definition of
> > "news" is "something that hardly ever happens." -- Bruce Schneier
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >
> 
> 
> 
> -- 
> Rick rocks.

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Sven Eschenberg]

On a short sidenote:

It is not just realistic but certainly common practice - no matter which
country you live in - I have no doubts about it at all. Leaving won't help
at all, well except if you were to move to antarctica or the moon or
something. *g*

-Sven

On Sun, September 13, 2009 00:22, Arno Wagner wrote:
> If you want more, use TrueCrypt, but I would be very careful
> with plausible deniablility anyways. Your protection is primarily
> that they cannot force you to give up your keys. If you live
> in a country were they can, I propose to very seriously consider
> leaving that country for good. See also http://xkcd.com/538/
> This _is_ realistic.
>
> Arno
>

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

On Sun, Sep 13, 2009 at 10:13:03AM +0200, Milan Broz wrote:
> (this time replying private intentionally:-)
> 
> Arno Wagner wrote:
> > I think this is the wrong approach. LUKS is not designed to hide
> > at all and trying to make it capable of doing so is very likely
> > a lot harder than to use something else, esoecially as several
> > solutions are already available. 
> 
> Hi Arno,
> thanks for this answer - I had some conversation with Ivan
> and told him to ask in list to prove that it is not good idea
> - my opinion was exactly the same - LUKS is not designed for this.

Indeed.
 
> > Incidentially, using plain dm-crypt with a single zero-overwrite 
> > of the decrypted device already works very well. I, for example,
> > use plain dm-crypt with a random key and zero overwrite to
> > erase devices and partitions. This is indistinguishable from
> > a denied encrypted volume. It is not feasible to hide the 
> > encrypted data istelf, so this is as far as it goes. 
> 
> Exactly. And you can even map "hidden volume" this way - format fake
> (full) encrypted device, and when you activate hidden volume, mask this
> part with zero or error mapping to prevent overwrite. (Detecting correct
> key and offset for hidden volume is easy - something like returning
> correct signature with blkid and scan some expected offsets). But this
> require hide also all traces of mounting/scanning for/whatever such volume
> in host system etc. And I am very skeptic about this mode.

I have had a superficial look at this some time ago. The very least 
you need to do is wipe all logs, as some messages about the hidden
volume may well end in some of them. In addition, there may be
dangling symlinks, leftover devices in /dev/mapper/<...> and
other hints that your large "random overwrite" area is actually
in use. Of course the presence of some specialized handling 
software is a strong hint. I think in most cases you will miss
something. 

> > If you want more, use TrueCrypt
> ...
> BTW idea was also allow to use other on-disk formats in libcryptsetup
> (than LUKS), in future - new API should allow it.
> 
> First candidate was Truecrypt (for now, just to open container, not
> format), unfortunately their non GPL-compatible license will not allow me
> to implement that without risk of violating license. (basically I need
> only on-disk data structures in header but without reading their code it
> is impossible...)
> 
> Do you think that I should try to somehow integrate Truecrypt containers
> compatibility (for open)? Would it be useful?

I don't think so. Maybe write a wrapper about their own utilities
that has a LUKS-compatible commandline and can either call LUKS
or the Truecrypt stuff, depending on a small format detector.
That would probably be sufficient for most uses and far less effort
that to support a foreign format.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Milan Broz]

Arno Wagner wrote:
>> Do you think that I should try to somehow integrate Truecrypt containers
>> compatibility (for open)? Would it be useful?
> 
> I don't think so. Maybe write a wrapper about their own utilities
> that has a LUKS-compatible commandline and can either call LUKS
> or the Truecrypt stuff, depending on a small format detector.
> That would probably be sufficient for most uses and far less effort
> that to support a foreign format.

Well, so when the mail is in list, I'll add more thoughts here :-)
- support some foreign format should not be such problem, the
stacking of several dmcrypt devices is more complicated problem here
- truecrypt is not in all distros (because of licence), it is not meant
as replacement for its tools but just simple utility to allow mount such device
- TC uses dm-crypt anyway through dmsetup wrapper and such wrapper
is not possible for libcryptsetup use

But the license is showstopper here anyway.

Milan

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Sitaram Chamarty]

On Sun, Sep 13, 2009 at 3:52 AM, Arno Wagner <arno@wagner.name> wrote:

> If you want more, use TrueCrypt, but I would be very careful
> with plausible deniablility anyways. Your protection is primarily
> that they cannot force you to give up your keys. If you live
> in a country were they can, I propose to very seriously consider
> leaving that country for good. See also http://xkcd.com/538/
> This _is_ realistic.

Indeed.  I also find that TC's plausible deniability has been touted
so often in so many fora that even some moderately tech savvy border
control types would have heard of it.  If I were to find TC on a
machine I'd assume there was a hidden volume -- so in a way TC is
making things *worse* for plausible deniability, putting at risk even
the people who genuinely don't have a hidden volume.

It's hard to publicise these things without these sorts of side
effects, so I'll shut up now :-)

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Mario 'BitKoenig' Holbe]

Arno Wagner <arno@wagner.name> wrote:
> On Sat, Sep 12, 2009 at 11:53:45PM +0200, Ivan Stankovic wrote:
>> I guess the goal here would be to have LUKS features (multiple passphrases,
>> ease of use, key splitting...) implemented in such a way that nobody can prove
>> that you're using encryption. Thoughts?

That's not plausible deniability.
That's probably not even one of the prerequisites for plausible
deniability (it *may be* a prerequisite of one specific kind of
implementation of plausible deniability - the truecrypt style): If there
is storage with lots of random-looking data on it, I'd consider this
proof enough for the use of encryption - especially in scenarios where
plausible deniability makes sense.

> If you want more, use TrueCrypt, but I would be very careful
> with plausible deniablility anyways. Your protection is primarily
> that they cannot force you to give up your keys. If you live
> in a country were they can, I propose to very seriously consider
> leaving that country for good. See also http://xkcd.com/538/

That's exactly the reason for plausible deniability. You know they are
able to force you to give them your key(s), so you prepare some keys to
give them (along with some data which makes some sense to be encrypted)
and the system gives you the ability to plausibly deny the existence of
more keys. Just in the hope they stop cutting your extremities after the
6th finger because you convinced them.


regards
   Mario
-- 
The secret that the NSA could read the Iranian secrets was more
important than any specific Iranian secrets that the NSA could
read.                           -- Bruce Schneier

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

On Mon, Sep 14, 2009 at 01:25:48PM +0200, Mario 'BitKoenig' Holbe wrote:
> Arno Wagner <arno@wagner.name> wrote:
[...]
> > If you want more, use TrueCrypt, but I would be very careful
> > with plausible deniablility anyways. Your protection is primarily
> > that they cannot force you to give up your keys. If you live
> > in a country were they can, I propose to very seriously consider
> > leaving that country for good. See also http://xkcd.com/538/
> 
> That's exactly the reason for plausible deniability. You know they are
> able to force you to give them your key(s), so you prepare some keys to
> give them (along with some data which makes some sense to be encrypted)
> and the system gives you the ability to plausibly deny the existence of
> more keys. Just in the hope they stop cutting your extremities after the
> 6th finger because you convinced them.

I would say plausible deniability has the potential to make
them continue even after you have given them everything, after
all you could have hidden more with the "plausible deniability
thing". 

On a related note, there has been a lot of evidence that
torture does not work (foremost the French in Aleria, that 
failed to find the headquaters of the resistance for years,
despite torturing resistance fighters). For one thing people
are likely to give you false information. This leads me to the
conclusion that most torturers and their bosses are actually
not interested in information, but in the cruelty itself. 

So I would say that plausible deniability is of very low value
in practice and may have potential negative value in some
situations. With plausible deniability they are sure to 
torture you untill you are completely broken, while without 
it, you can give them everything in a way they can actually
verify. It is possible that you have information that still
merits being protected under these circumstances, but I don't.
Plausible deniability basically assumes the life of the person
having the key is worth less than the information.

Arno 
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Mario 'BitKoenig' Holbe]

Arno Wagner <arno@wagner.name> wrote:
> On Mon, Sep 14, 2009 at 01:25:48PM +0200, Mario 'BitKoenig' Holbe wrote:
>> and the system gives you the ability to plausibly deny the existence of
>> more keys. Just in the hope they stop cutting your extremities after the
> I would say plausible deniability has the potential to make
> them continue even after you have given them everything, after

Of course. For me (if I'd be in that business) just the presence of a
system offering plausible deniability capabilities would be enough to
simply assume they are used and thus continue pressing out keys of the
suspect :)

However, not offering such capabilities is only one strategy in the game
- and not a very cooperative one: it exposes the users of systems that
*do* offer such capabilities. Thus, the other way around is more
cooperative: if all major products would support plausible deniability,
the fact that some suspect uses one specific system loses this
indication.


regards
   Mario
-- 
File names are infinite in length where infinity is set to 255 characters.
                                -- Peter Collinson, "The Unix File System"

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[test532]

> Arno Wagner <arno@wagner.name> wrote:
> > On Mon, Sep 14, 2009 at 01:25:48PM +0200, Mario 'BitKoenig' Holbe wrote:
> >> and the system gives you the ability to plausibly deny the existence of
> >> more keys. Just in the hope they stop cutting your extremities after the
> >
> > I would say plausible deniability has the potential to make
> > them continue even after you have given them everything, after
> 
> Of course. For me (if I'd be in that business) just the presence of a
> system offering plausible deniability capabilities would be enough to
> simply assume they are used and thus continue pressing out keys of the
> suspect :)

That is the beauty of a dm-crypt that supported even just the very elegant 
external luks header feature that Rick mentioned. dm-crypt comes with 
practically every linux. Therefor, having dm-crypt installed on one's system 
means nothing. Potentially, even only with the feature that Rick came up with, 
dm-crypt would be better at plausible deniability than TrueCrypt. This is 
because having TrueCrypt installed on your system pretty much guarantees that 
you have an encrypted volume. Having dm-crypt on your system means nothing. 
Probably less than a percent of people with dm-crypt installed actually use 
it, since at least my distro (SuSE) installs it by default.

> 
> However, not offering such capabilities is only one strategy in the game
> - and not a very cooperative one: it exposes the users of systems that
> *do* offer such capabilities. Thus, the other way around is more
> cooperative: if all major products would support plausible deniability,
> the fact that some suspect uses one specific system loses this
> indication.
> 
> 
> regards
>    Mario
> 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Mario 'BitKoenig' Holbe]

Sarah Dean <sdean12@sdean12.org> wrote:
> On Mon, 14 Sep 2009 20:04:48 -0400, test532@codingninjas.org wrote:
>>external luks header feature that Rick mentioned. dm-crypt comes with 
>>practically every linux. Therefor, having dm-crypt installed on one's system 
>>means nothing.

dm-crypt on a system together with lots of random-like data just means
something more.

> By extending his arguments, Argo seems to be arguing that having

test532-x7YzxCmVBxG9yJkKvVJcdA was just quoting wrong: it was me, not
Arno.

> dm-crypt included with Linux distros means that *every* Linux user may
> be subject to being tortured to death, on the basis that they *must*
> have something to hide, and are just being "stubborn"/"enjoy the
> waterboarding"?

And: no, this was not what I meant. What I meant was simply that if I
would be in that business I would just assume this and do so.

> It's a little like taking the view that our kitchen-knife owner is a
> serial killer - and the fact that he's still alive simply means we just
> haven't tortured him long enough to get "the truth"?!

Yes. If you are thinking about plausible deniability *for a reason*,
this is a (better: *the*) typical scenario in your mind.


regards
   Mario
-- 
... aber nur deshalb blueht Autoritaet, weil die meisten Menschen
Feiglinge und manche Menschen Diebe sind.
                                              -- Robert A. Wilson

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Debian User]

On Wed, Sep 16, 2009 at 09:32:39PM +0200, Mario 'BitKoenig' Holbe wrote:
> Sarah Dean <sdean12@sdean12.org> wrote:
> > On Mon, 14 Sep 2009 20:04:48 -0400, test532@codingninjas.org wrote:
> >>external luks header feature that Rick mentioned. dm-crypt comes with 
> >>practically every linux. Therefor, having dm-crypt installed on one's system 
> >>means nothing.
> 
> dm-crypt on a system together with lots of random-like data just means
> something more.

Indeed. And the presence of encrypted/random data can be tested for
with relatively low effort. 

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[test532]

I blank out with random data any hard drive I no longer use (as it is too 
small, too slow, Etc). These are filled with just that, random data; No 
encrypted data left on those drives.

=

plausible deniability


> On Wed, Sep 16, 2009 at 09:32:39PM +0200, Mario 'BitKoenig' Holbe wrote:
> > Sarah Dean <sdean12@sdean12.org> wrote:
> > > On Mon, 14 Sep 2009 20:04:48 -0400, test532@codingninjas.org wrote:
> > >>external luks header feature that Rick mentioned. dm-crypt comes with
> > >>practically every linux. Therefor, having dm-crypt installed on one's
> > >> system means nothing.
> >
> > dm-crypt on a system together with lots of random-like data just means
> > something more.
> 
> Indeed. And the presence of encrypted/random data can be tested for
> with relatively low effort.
> 
> Arno
> 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

I do the same. In fact I use dm-crypt with a random key
and non-crypto randomness (mersenne-twister) for this.

For full drives it works. The discussion at hand is about 
"random" areas that only cover part of a drive that is
still in use.

Arno



On Thu, Sep 17, 2009 at 02:26:37PM -0400, test532@codingninjas.org wrote:
> I blank out with random data any hard drive I no longer use (as it is too 
> small, too slow, Etc). These are filled with just that, random data; No 
> encrypted data left on those drives.
> 
> =
> 
> plausible deniability
> 
> 
> > On Wed, Sep 16, 2009 at 09:32:39PM +0200, Mario 'BitKoenig' Holbe wrote:
> > > Sarah Dean <sdean12@sdean12.org> wrote:
> > > > On Mon, 14 Sep 2009 20:04:48 -0400, test532@codingninjas.org wrote:
> > > >>external luks header feature that Rick mentioned. dm-crypt comes with
> > > >>practically every linux. Therefor, having dm-crypt installed on one's
> > > >> system means nothing.
> > >
> > > dm-crypt on a system together with lots of random-like data just means
> > > something more.
> > 
> > Indeed. And the presence of encrypted/random data can be tested for
> > with relatively low effort.
> > 
> > Arno
> > 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[test532]

> I do the same. In fact I use dm-crypt with a random key
> and non-crypto randomness (mersenne-twister) for this.
> 
> For full drives it works. The discussion at hand is about
> "random" areas that only cover part of a drive that is
> still in use.
Really? Where in the thread other than in your email just now does it say we 
were only talking specifically about 'areas that only cover part of a drive'? 
Nowhere. You may want to discontinue assuming that everyone uses dm-crypt only 
like yourself.

> 
> Arno
> 
> On Thu, Sep 17, 2009 at 02:26:37PM -0400, test532@codingninjas.org wrote:
> > I blank out with random data any hard drive I no longer use (as it is too
> > small, too slow, Etc). These are filled with just that, random data; No
> > encrypted data left on those drives.
> >
> > =
> >
> > plausible deniability
> >
> > > On Wed, Sep 16, 2009 at 09:32:39PM +0200, Mario 'BitKoenig' Holbe wrote:
> > > > Sarah Dean <sdean12@sdean12.org> wrote:
> > > > > On Mon, 14 Sep 2009 20:04:48 -0400, test532@codingninjas.org wrote:
> > > > >>external luks header feature that Rick mentioned. dm-crypt comes
> > > > >> with practically every linux. Therefor, having dm-crypt installed
> > > > >> on one's system means nothing.
> > > >
> > > > dm-crypt on a system together with lots of random-like data just
> > > > means something more.
> > >
> > > Indeed. And the presence of encrypted/random data can be tested for
> > > with relatively low effort.
> > >
> > > Arno
> >
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

On Tue, Sep 15, 2009 at 09:04:24PM +0100, Sarah Dean wrote:
> On Mon, 14 Sep 2009 22:56:44 +0200, Arno Wagner wrote:
> 
> >So I would say that plausible deniability is of very low value
> >in practice and may have potential negative value in some
> >situations.
> 
> To say it's of low value in practice is a pretty sweeping statement -
> whether it's of low value in practice is largely dependant on the
> scenario.

I would say that in most practical scenarios it is of low or 
negative value. And yes, it is a sweeping statement that I 
consider justified.

> Like any security tool, it is just a tool; in some cases it may a great
> asset, in some a liability.
> 
> A locked door can keep a murderer out until the police arrive, but it
> can also prevent someone from exiting a burning building.
> 
> >With plausible deniability they are sure to 
> >torture you untill you are completely broken, while without 
> >it, you can give them everything in a way they can actually
> >verify.
> 
> OTOH, the knowledge that "the beatings" (or in our more enlighted
> times, the waterboarding or another form of torture) will continue -
> regardless of whether or not you give an attacker anything, may well
> work *against* any form of torture.
> 
> There's no incentive to hand over your keys, since it won't achieve (or
> stop) anything.

True. But how does plausible deniability factor into
your comment? If you are that hard, you can just use
ordinary encryption and refuse to give the keys.
 
> >It is possible that you have information that still
> >merits being protected under these circumstances, but I don't.
> >Plausible deniability basically assumes the life of the person
> >having the key is worth less than the information.
> 
> Although the information may or may be "worth the life of the persion",
> I don't agree that any such assumption is made.
> 
> I'm a little uncertain as to the alternative you're prompting? Even if
> you stored all your data in plaintext (practically the same scenario
> presented after handing over an encrypted volume's key) - or even if
> you have a system which where it is possible to *prove* no further data
> is hidden away - what's to stop an attacker assuming that you've simply
> hidden your encrypted data elsewhere (e.g. a USB flash drive), and
> continues the torture on the basis they "simply haven't found it yet"?
> 

The alternative is not to give valuable data to people that
are unter threat of torture. A technological solution is not
adequate here. People cannot give away what they do not have.
Plausible deniability means they can claim they do not have the
data, but they do have it, and there is the problem in the 
first place.

An the other way round, if people already have data this critical,
make sure they do not come under threat of torture.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Mario 'BitKoenig' Holbe]

Arno Wagner <arno@wagner.name> wrote:
> On Tue, Sep 15, 2009 at 09:04:24PM +0100, Sarah Dean wrote:
>> There's no incentive to hand over your keys, since it won't achieve (or
>> stop) anything.
> True. But how does plausible deniability factor into
> your comment? If you are that hard, you can just use
> ordinary encryption and refuse to give the keys.

That's wrong. With plausible deniability you (or your companions) don't
need to be so hard as you need to be without. Since with p.d. you can be
*sure* your torture will not stop just because you give them one more
key (because you cannot proof it was the last, it wouldn't be plausible
deniable then), giving them more doesn't give you a benefit. Without
p.d. it gives you a benefit to tell them more. Thus, without p.d. you
need to be harder not to tell your secrets: torture would be over then.


regards
   Mario
-- 
Ho ho ho! I am Santa Claus of Borg. Nice assimilation all together!

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Arno Wagner]

On Wed, Sep 16, 2009 at 09:41:28PM +0200, Mario 'BitKoenig' Holbe wrote:
> Arno Wagner <arno@wagner.name> wrote:
> > On Tue, Sep 15, 2009 at 09:04:24PM +0100, Sarah Dean wrote:
> >> There's no incentive to hand over your keys, since it won't achieve (or
> >> stop) anything.
> > True. But how does plausible deniability factor into
> > your comment? If you are that hard, you can just use
> > ordinary encryption and refuse to give the keys.
> 
> That's wrong. With plausible deniability you (or your companions) don't
> need to be so hard as you need to be without. Since with p.d. you can be
> *sure* your torture will not stop just because you give them one more
> key (because you cannot proof it was the last, it wouldn't be plausible
> deniable then), giving them more doesn't give you a benefit. Without
> p.d. it gives you a benefit to tell them more. Thus, without p.d. you
> need to be harder not to tell your secrets: torture would be over then.

Hmm. Difficult so say and better not to be in such a situation in
the first place. I guess it will depend on the details of the 
situation.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Moji]

Arno Wagner wrote:
> On Mon, Sep 14, 2009 at 01:25:48PM +0200, Mario 'BitKoenig' Holbe wrote:
>> Arno Wagner <arno@wagner.name> wrote:
> [...]
>>> If you want more, use TrueCrypt, but I would be very careful
>>> with plausible deniablility anyways. Your protection is primarily
>>> that they cannot force you to give up your keys. If you live
>>> in a country were they can, I propose to very seriously consider
>>> leaving that country for good. See also http://xkcd.com/538/
>> That's exactly the reason for plausible deniability. You know they are
>> able to force you to give them your key(s), so you prepare some keys to
>> give them (along with some data which makes some sense to be encrypted)
>> and the system gives you the ability to plausibly deny the existence of
>> more keys. Just in the hope they stop cutting your extremities after the
>> 6th finger because you convinced them.
> 
> I would say plausible deniability has the potential to make
> them continue even after you have given them everything, after
> all you could have hidden more with the "plausible deniability
> thing". 
> 
> On a related note, there has been a lot of evidence that
> torture does not work (foremost the French in Aleria, that 
> failed to find the headquaters of the resistance for years,
> despite torturing resistance fighters). For one thing people
> are likely to give you false information. This leads me to the
> conclusion that most torturers and their bosses are actually
> not interested in information, but in the cruelty itself. 
> 
> So I would say that plausible deniability is of very low value
> in practice and may have potential negative value in some
> situations. With plausible deniability they are sure to 
> torture you untill you are completely broken, while without 
> it, you can give them everything in a way they can actually
> verify. It is possible that you have information that still
> merits being protected under these circumstances, but I don't.
> Plausible deniability basically assumes the life of the person
> having the key is worth less than the information.

Many countries can and do torture people, but this is not true for all
countries.
So I do not think that everything should have to pass the "What if
torture" filter in order for it to be considered a valid idea.

Plausible deniability has legal ramifications that are beneficial in
those more litigious societies, to which many people belong.
This shifts the burden of proof to the opposing attorney/agency to prove
that random data represents information that you are obscuring.
Something that should be cryptologically difficult as long as the
algorithm you used is sound.

-MJ

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[Mario 'BitKoenig' Holbe]

Moji <lordmoji@gmail.com> wrote:
> Plausible deniability has legal ramifications that are beneficial in
> those more litigious societies, to which many people belong.

In which ones?

> This shifts the burden of proof to the opposing attorney/agency to prove
> that random data represents information that you are obscuring.

In which country is it possible for you to get convicted for something
they assume but cannot proof because you don't give them the key to
prove it on the one hand while it is not possible for them to force you
to give them more on the other hand?


regards
   Mario
-- 
I've never been certain whether the moral of the Icarus story should
only be, as is generally accepted, "Don't try to fly too high," or
whether it might also be thought of as, "Forget the wax and feathers
and do a better job on the wings."            -- Stanley Kubrick

Re: [dm-crypt] cryptsetup, LUKS, plausible deniability

[test532]

In the UK there is a law and it is being enforced. The pigs can force you to 
give them your encryption key or throw you in jail. It is illegal to withhold 
the key. If there is reasonable doubt that you even have a key, then you are 
much better off and will probably remain free.

> Moji <lordmoji@gmail.com> wrote:
> > Plausible deniability has legal ramifications that are beneficial in
> > those more litigious societies, to which many people belong.
> 
> In which ones?
> 
> > This shifts the burden of proof to the opposing attorney/agency to prove
> > that random data represents information that you are obscuring.
> 
> In which country is it possible for you to get convicted for something
> they assume but cannot proof because you don't give them the key to
> prove it on the one hand while it is not possible for them to force you
> to give them more on the other hand?
> 
> 
> regards
>    Mario
>