Wednesday, 1 February 2012

Deniable encryption

In cryptography and steganography, deniable encryption is encryption that allows its users to convincingly deny that the data is encrypted, or that they are able to decrypt it. Such convincing denials may or may not be genuine. For example, although suspicions might exist that the data is encrypted, it may be impossible to prove it without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.

Normally a ciphertext decrypts to a single plaintext, and hence once it is decrypted, the encryption user cannot claim that he encrypted a different message. Deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and insist that it is what they encrypted. The holder of the ciphertext will not have the means to differentiate between the true plaintext and the bogus-claim plaintext.

Function

Deniable encryption allows an encrypted message to be decrypted to different sensible plaintexts, depending on the key used, or otherwise makes it impossible to prove the existence of the real message without the proper encryption key. This allows the sender to have plausible deniability if compelled to give up his or her encryption key. The notion of "deniable encryption" was used by Julian Assange and Ralf Weinmann in the Rubberhose filesystem [1] and explored in detail in a paper by Ran Canetti, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky [2] in 1996.

Scenario

Deniable encryption allows the sender of an encrypted message to deny sending that message. This requires a trusted third party. A possible scenario works like this:

Alice is the wife of Bob, who suspects his wife is engaged in adultery. She wants to communicate with her secret lover Carl. She creates two keys, one intended to be kept secret, the other intended to be sacrificed. She passes the secret key (or both) to Carl.

Alice constructs an innocuous message M1 for Carl (intended to be revealed to Bob in case of discovery) and an incriminating love letter M2 to Carl. She constructs a ciphertext C out of both messages M1, M2 and emails it to Carl.

Carl uses his key to decrypt M2 (and possibly M1, in order to read the fake message too).

Bob finds out about the email to Carl, becomes suspicious and forces Alice to decrypt the message.

Alice uses the sacrificial key and reveals the innocuous message M1 to Bob. Since Bob does not know the other key, he has to assume that there is no other message M2.

Another possible scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and must not be able to read each other's instructions. Bob will receive the message first and then forward it to Carl.

Alice constructs the ciphertext out of both messages M1, M2 and emails it to Bob.

Bob uses his key to decrypt M1 and isn't able to read M2.

Bob forwards the ciphertext to Carl.

Carl uses his key to decrypt M2 and isn't able to read M1.


Modern forms of deniable encryption

Modern deniable encryption techniques exploit the pseudorandom permutation properties of existing block ciphers, making it cryptographically infeasible to prove that the ciphertext is not random data generated by a cryptographically secure pseudorandom number generator. This is used in combination with some decoy data that the user would plausibly want to keep confidential and that will be revealed to the attacker, claiming that this is all there is. This form of deniable encryption is sometimes referred to as steganography. The user can supply any incorrect key for the truly secret data, which will result in apparently random data, indistinguishable from not having stored any particular data there.

One example of deniable encryption is a cryptographic filesystem that employs a concept of abstract "layers", where each layer would be decrypted with a different encryption key. Additionally, special "chaff layers" are filled with random data in order to have plausible deniability of the existence of real layers and their encryption keys. The user will store decoy files on one or more layers while denying the existence of others, claiming that the rest of the space is taken up by chaff layers. Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are either randomized (in case they belong to chaff layers), or cryptographic hashes of strings identifying the blocks. The timestamps of these files are always randomized. Examples of this approach include the Rubberhose filesystem and PhoneBookFS.
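The two-key scenario (M1 under a sacrificial key, M2 under a secret key) and the chaff-layer design described above can be shown together in one small container. This is an added example, not code from the original page or from Rubberhose or PhoneBookFS; the slot layout, the function names and the toy SHAKE-256/HMAC construction are assumptions made for illustration, not a vetted cipher.

```python
import hashlib
import hmac
import os
import random

NONCE, BODY, TAG = 16, 64, 32            # fixed sizes so every slot looks alike
SLOT = NONCE + BODY + TAG

def _derive(key, nonce):
    # Toy key schedule (assumption): SHAKE-256 keystream plus a separate MAC key.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(BODY)
    return stream, hashlib.sha256(b"mac" + key).digest()

def seal_slot(key, message):
    if len(message) >= BODY:
        raise ValueError("message too long for one slot")
    # Length byte + message + random padding: all slots have equal length.
    padded = bytes([len(message)]) + message + os.urandom(BODY - 1 - len(message))
    nonce = os.urandom(NONCE)
    stream, mac_key = _derive(key, nonce)
    body = bytes(p ^ s for p, s in zip(padded, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_slot(key, slot):
    nonce, body, tag = slot[:NONCE], slot[NONCE:-TAG], slot[-TAG:]
    stream, mac_key = _derive(key, nonce)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # chaff, or a layer under another key
    padded = bytes(c ^ s for c, s in zip(body, stream))
    return padded[1:1 + padded[0]]

def build_container(layers, total_slots):    # layers: {key: message}
    slots = [seal_slot(k, m) for k, m in layers.items()]
    slots += [os.urandom(SLOT) for _ in range(total_slots - len(slots))]  # chaff
    random.SystemRandom().shuffle(slots)     # position must not mark real layers
    return b"".join(slots)

def open_container(key, container):
    for off in range(0, len(container), SLOT):
        message = open_slot(key, container[off:off + SLOT])
        if message is not None:
            return message
    return None

k1, k2 = os.urandom(32), os.urandom(32)      # constructed sacrificial / secret keys
box = build_container({k1: b"M1: innocuous note", k2: b"M2: real message"}, 4)
print(open_container(k1, box), open_container(k2, box), len(box))
```

A holder of only the sacrificial key sees one slot that opens and three that do not, and cannot tell whether the other three are chaff or further layers.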

Another approach used by some conventional disk encryption software suites is creating a second encrypted volume within a container volume. The container volume is first formatted by filling it with encrypted random data, [3] and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem, which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable. Concerns have, however, been raised about the level of plausible deniability in hiding information this way: the contents of the "outer" container filesystem (in particular the access or modification timestamps on the data stored) could raise suspicions as a result of being frozen in its initial state to prevent the user from corrupting the hidden volume. This problem can be eliminated by instructing the system not to protect the hidden volume, although this could result in lost data. FreeOTFE [4] and BestCrypt can have many hidden volumes in a container; TrueCrypt is limited to one hidden volume.

Detection

The existence of a hidden volume may be revealed by flawed implementations relying on predictable cryptographic items [6][7] or by some forensic tools that may detect non-random encrypted data. [8][9] Vulnerability to chi-squared randomness tests has also been suggested: encrypted data, after each write operation, should be adjusted to fit a plausible randomness property. [10]
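The chi-squared check mentioned above, as an added example that is not part of the original page: it computes the byte-histogram statistic per window and flags regions that are either visibly structured or flatter than random data would be. The window size, the z-score limit and the sample image are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

DOF = 255                                # 256 possible byte values minus one

def chi_squared(window):
    """Pearson chi-squared of the byte histogram against a uniform distribution."""
    expected = len(window) / 256
    counts = Counter(window)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def classify(window, z_limit=5.0):
    # Normal approximation: chi-squared with 255 d.o.f. has mean 255, variance 510.
    # The wide default limit (an assumption) keeps false alarms rare.
    z = (chi_squared(window) - DOF) / math.sqrt(2 * DOF)
    if z > z_limit:
        return "non-random"              # visible structure: plaintext, headers
    if z < -z_limit:
        return "too uniform"             # flatter than random data would be
    return "plausibly random"

def scan(image, window=16384):
    """Verdict per fixed-size window, the way a forensic tool maps a container."""
    return [(off, classify(image[off:off + window]))
            for off in range(0, len(image) - window + 1, window)]

# Constructed sample image: decoy text, two windows of pseudorandom bytes
# (SHAKE-256 output standing in for ciphertext), then a perfectly flat region.
TEXT = (b"decoy file contents " * 820)[:16384]
CIPHER_LIKE = hashlib.shake_256(b"constructed sample").digest(32768)
FLAT = bytes(range(256)) * 64
IMAGE = TEXT + CIPHER_LIKE + FLAT

if __name__ == "__main__":
    for offset, verdict in scan(IMAGE):
        print(f"{offset:6d}  {verdict}")
```

The last window matters for the point made in the paragraph: a region whose histogram is exactly flat fails the test just as plaintext does, only from the other side.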

Deniable encryption has also been criticized because of its main inability to defend users from rubber-hose cryptanalysis. Possession of deniable encryption tools could lead attackers to continue an investigation even after a user pretends to cooperate, providing an expendable password to some decoy data. [11]

Malleable encryption

Some in-transit encrypted messaging suites, such as Off-the-Record Messaging, offer malleable encryption which gives the participants plausible deniability of their conversations. While malleable encryption is not technically "deniable encryption" in that its ciphertexts do not decrypt into multiple plaintexts, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular.

This is achieved by the fact that all information necessary to forge messages is appended to the encrypted messages: if an adversary is able to create digitally authentic messages in a conversation (see HMAC), he is also able to forge messages in the conversation. This is used in conjunction with perfect forward secrecy to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages.
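Why a transcript protected this way proves nothing about who wrote it, as an added example that is not from the original page and is not Off-the-Record Messaging's own code: the toy XOR stream cipher built on SHAKE-256, the function names and the sample messages are assumptions. Once the HMAC key is known to anyone besides the sender, a ciphertext can be rewritten and re-tagged without the encryption key.

```python
import hashlib
import hmac

def keystream(enc_key, n):
    # Toy stream cipher (assumption): SHAKE-256 output used as the keystream.
    return hashlib.shake_256(b"toy-stream" + enc_key).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tag_for(mac_key, ciphertext):
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def send(enc_key, mac_key, plaintext):
    ciphertext = xor(plaintext, keystream(enc_key, len(plaintext)))
    return ciphertext, tag_for(mac_key, ciphertext)

def receive(enc_key, mac_key, ciphertext, tag):
    if not hmac.compare_digest(tag, tag_for(mac_key, ciphertext)):
        return None                      # tag does not verify
    return xor(ciphertext, keystream(enc_key, len(ciphertext)))

def rewrite(mac_key, ciphertext, known_plaintext, new_plaintext):
    """What any holder of the MAC key can do WITHOUT the encryption key.

    XOR is malleable: flipping ciphertext bits flips the same plaintext bits,
    and the shared-key HMAC can simply be recomputed over the result.
    """
    if not len(ciphertext) == len(known_plaintext) == len(new_plaintext):
        raise ValueError("lengths must match")
    altered = xor(ciphertext, xor(known_plaintext, new_plaintext))
    return altered, tag_for(mac_key, altered)

if __name__ == "__main__":
    enc_key, mac_key = b"E" * 32, b"M" * 32          # constructed keys
    ct, tag = send(enc_key, mac_key, b"meet at noon")
    ct2, tag2 = rewrite(mac_key, ct, b"meet at noon", b"meet at nine")
    # Both transcripts verify and decrypt cleanly, so neither is evidence.
    print(receive(enc_key, mac_key, ct, tag), receive(enc_key, mac_key, ct2, tag2))
```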

Software

OpenPuff, freeware semi-open-source steganography for MS Windows.

BestCrypt, commercial on-the-fly disk encryption for MS Windows.

FreeOTFE, open-source on-the-fly disk encryption for MS Windows and PocketPC PDAs that provides both deniable encryption and plausible deniability. [3][12] Offers an extensive range of encryption options, and doesn't need to be installed before use.

Off-the-Record Messaging, a cryptographic technique providing true deniability for instant messaging.

PhoneBookFS, another cryptographic filesystem for Linux, providing plausible deniability through chaff and layers. A FUSE implementation. No longer maintained.

rubberhose. Defunct project (last release in 2000, not compatible with modern Linux distributions).

StegFS, the current successor to the ideas embodied by the Rubberhose and PhoneBookFS filesystems.

TrueCrypt, which is on-the-fly disk encryption software for Windows, Mac and Linux that provides limited deniable encryption [13] and to some extent (due to limitations on the number of hidden volumes which can be created [5]) plausible deniability, and doesn't need to be installed before use as long as the user has full administrator rights.

Vanish - a research prototype implementation of self-destructing data storage.

ScramDisk 4 Linux - a free software suite of tools for GNU/Linux systems which can open and create ScramDisk and TrueCrypt containers.