[Full-disclosure] Encrypted files and the 5th amendment
Thor (Hammer of God)
thor at hammerofgod.com
Tue Jul 12 23:05:05 BST 2011
Actually, there is no way to tell if the there is another encrypted volume in existence or not. One might stipulate that there "could" be if the filesize is obvious, but when you get into gig size files that are storing small amounts of data, that argument loses value.
You actually cannot even prove that it is encrypted data at all. Filename ~021289a.dat could be encrypted data, but there is no way to tell. What is more important in these cases is that one cannot prove that another volume exists. One can, however, prove that the password was given and the data was decrypted. If I have a 1 meg file that mounts to 200k, I don't have to prove anything about that. I could have gotten the file from you, and you could have giving me that password that allowed me access.
And this is where I think the danger of legal precedence comes in... If this "sticks" and she is compelled to give up her password, the data retrieved means nothing, yet you and I have more of our constitutional rights infringed upon. To me, it is far more important to establish requirements for probably cause to exist on its own before using the presence of encrypted data as a means by which one can legally compel an alleged party to provide said evidence.
@Christian, that is where I think the "solution" lies. Otherwise, we will find ourselves in the same position as the UK- if they can't prove you are guilty with the evidence required for prosecution, then they have a back-up law where they can still put you in jail with no evidence at all if you don't give over your keys. That is totally fuct IMO. You can have a blob of binary data on your system, and if they claim it is encrypted data, and you don't give them the key to decrypt it, you can go to jail even if it is not encrypted freaking data.
> -----Original Message-----
> From: Tim [mailto:tim-security at sentinelchicken.org]
> Sent: Tuesday, July 12, 2011 2:21 PM
> To: Michael Holstein
> Cc: Thor (Hammer of God); full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Encrypted files and the 5th amendment
> > > Tim, I actually use TruCrypt now to do exactly what you speak of. I pre-
> allocate a fixed virtual disk, and use one passcode for one section of data and
> a different passcode for a different section of data. It is impossible to
> determine if the disk is set up in this manner, and impossible to tell which
> section of data is being used. It is actually quite easy to do.
> > >
> > All fine and dandy until the authorities say "Your honor, the
> > defendant is using nested encryption, we didn't find the
> > $self_incriminating_evidence so he obviously hasn't complied with our
> > request".
> > double-edged sword.
> Yeah, exactly. Any investigator worth their salt will be able to tell the
> partition that got decrypted is not big enough to account for encrypted disk
> space. That's where the one-time pad can create true plausible deniability, if
> used correctly. Any ciphertext of length N can decrypt to any plaintext of
> length N. Too bad it is too much of a pain to implement in practice.
> Thor: maybe you could make the investigator's job harder through a
> combination of compression and encryption with a similar dual-partition
> scheme as you're using with trucrypt.
Full-Disclosure is hosted and sponsored by Secunia.