WikiLeaks Insurance File

Now this is an interesting development:

In the wake of strong U.S. government statements condemning WikiLeaks' recent publishing of 77,000 Afghan War documents, the secret-spilling site has posted a mysterious encrypted file labeled "insurance."

The huge file, posted on the Afghan War page at the WikiLeaks site, is 1.4 GB and is encrypted with AES256. The file's size dwarfs the size of all the other files on the page combined. The file has also been posted on a torrent download site.

It's either 1.4 Gig of embarrassing secret documents, or 1.4 Gig of random data bluffing. There's no way to know.

If WikiLeaks wanted to prove that their "insurance" was the real thing, they should have done this:

  1. Encrypt each document with a separate AES key.

  2. Ask someone to publicly tell them to choose a random document.

  3. Publish the decryption key for that document only.

That would be convincing.
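The three-step scheme above, worked through in Go as an added example that is not part of the post: each document is sealed under its own AES-256 key, the challenged index is derived from a value a third party announces in public, and the verifier checks the one disclosed key. AES-256-GCM is my choice here so that a wrong key is rejected outright instead of decrypting to noise; the document names, contents and the public value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"unicode/utf8"
)

// Document is one plaintext item in the bundle.
type Document struct {
	Name  string
	Plain []byte
}

// Sealed is the publishable form of one document: ciphertext and nonce, never the key.
type Sealed struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAll is step 1: every document gets its own fresh random key; keys stay private.
func SealAll(docs []Document) ([]Sealed, [][]byte, error) {
	sealed := make([]Sealed, 0, len(docs))
	keys := make([][]byte, 0, len(docs))
	for _, d := range docs {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, nil, err
		}
		aead, err := newGCM(key)
		if err != nil {
			return nil, nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, nil, err
		}
		// The name is bound as associated data, so a disclosed key only opens
		// the ciphertext it was published for.
		ct := aead.Seal(nil, nonce, d.Plain, []byte(d.Name))
		sealed = append(sealed, Sealed{Name: d.Name, Nonce: nonce, Ciphertext: ct})
		keys = append(keys, key)
	}
	return sealed, keys, nil
}

// PickIndex is step 2: the challenged document is derived from a value the
// challenger announced in public, so the publisher cannot steer the choice.
func PickIndex(publicRandom string, n int) int {
	sum := sha256.Sum256([]byte(publicRandom))
	return int(binary.BigEndian.Uint64(sum[:8]) % uint64(n))
}

// Open is step 3 from the verifier's side: decrypt the chosen item with the one
// disclosed key. GCM's tag makes a wrong key fail instead of yielding garbage.
func Open(s Sealed, key []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Name))
}

// LooksLikeDocument is a crude plausibility check on the revealed plaintext:
// a bluff of random bytes is essentially never valid UTF-8 text.
func LooksLikeDocument(plain []byte) bool {
	return len(plain) > 0 && utf8.Valid(plain)
}

func main() {
	bundle, keys, err := SealAll([]Document{ // constructed samples, not real material
		{"report-001.txt", []byte("Constructed sample report one.")},
		{"report-002.txt", []byte("Constructed sample report two.")},
	})
	if err != nil {
		panic(err)
	}
	// The publisher posts bundle; a third party later announces the public value.
	idx := PickIndex("constructed public value announced on 2010-08-05", len(bundle))
	plain, err := Open(bundle[idx], keys[idx])
	fmt.Printf("challenged %s: err=%v plausible=%v\n", bundle[idx].Name, err, LooksLikeDocument(plain))
}
```

Whichever document the challenger lands on becomes public (and its size is revealed), so the scheme only works if every item in the bundle is something the publisher is prepared to disclose.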

In any case, some of the details might be wrong. The file might not be encrypted with AES256. It might be Blowfish. It might be OpenSSL. It might be something else. Some more info here.

EDITED TO ADD (8/9): Weird Iranian paranoia:

An Iranian IT expert warned here on Wednesday that a mysterious download file posted by the WikiLeaks website, labeled as 'Insurance', is likely a spy software used for identifying the information centers of the United States' foes.

"The mysterious file of the WikiLeaks might be a trap for intelligence gathering," Hossein Mohammadi told FNA on Wednesday.

The expert added that the file will attract US opponents and Washington experts can identify their enemy centers by monitoring individuals' or organizations' tendency and enthusiasm for the file.

Posted on August 4, 2010 at 7:52 AM • 217 Comments

Comments

Sean Stapleton • August 4, 2010 8:13 AM

Not a bad strategy if you plan to release the content anyway, and simply want to ensure a nice, safe, broad distribution before the contents are revealed.

Nacho • August 4, 2010 8:32 AM

They might have sent the key to the person/institution they are insuring from. They don't care if anybody else in the world knows if it's true or not, only the person they are protecting themselves from.

Tim • August 4, 2010 8:33 AM

I doubt they want to prove it is the real thing. That makes it too much of a direct threat.

Rich • August 4, 2010 8:40 AM

A cryptography question:

Assume someone very competent (i.e. the NSA) knows the ostensible plaintext (or large chunks of it), the ciphertext, and the encryption method. How easy would it be for them to determine that the ciphertext is indeed the encrypted plaintext?

John Jenkins • August 4, 2010 8:44 AM

The threat has zero credibility. Those against whom they are "insuring," have no reason to believe that Wikileaks won't release the data anyway, so they have nothing to lose, assuming they care. It's not like the Afghanistan dump actually gave away any information that a well-informed observer didn't already know.

JP • August 4, 2010 8:51 AM

Rich: That's a known-plaintext attack. If the encryption method is good, then without the key, you can't do what you describe any more easily than you can simply decrypt the ciphertext without the key. (That is to say, not easily at all.)

Patrick G. • August 4, 2010 9:17 AM

I think the reason for this encryption differs from other encryption scenarios.

Why would WikiLeaks want to hinder the US-authorities from seeing the documents that were leaked from their own databases. They know what's there. Maybe WikiLeaks even delivered the keys to them.

But WikiLeaks may presume the US-authorities don't want those documents published to a wider public, either because the information is much more sensitive or more recent than the ones already published.

Let's face it, the gloves are off: the US administration and the secret services made clear they are trying to kill WikiLeaks and arrest Assange, so a bit of insurance may help to keep a few overeager agents at bay.

If the wolfs are closing in, playing with fire may become an alternative...

Good Luck.

Justin C • August 4, 2010 9:17 AM

The open utility "RarCrack" auto-detects the file as an encrypted 7zip archive (precisely how it does this is something I didn't care to investigate, but it jibes with the fact that all the other archives were in .7z format), and 7zip claims to natively support AES-256 encryption, so the assumption that AES was actually the cryptosystem used isn't necessarily a bad one.

uk visa • August 4, 2010 9:34 AM

By sharing the encrypted file WL ensure that the info is shared even if it's not available, i.e. they share the files with numerous people and then only need to publicise the key for it to be available... I think WL are looking to ensure that further info isn't kept secret rather than validate anything.

Ian Mason • August 4, 2010 9:41 AM

The assumption I've heard in all that has been said here, and elsewhere, about this is that 'insurance' means 'blackmail'.

It's quite reasonable to alternatively read 'insurance' as loss insurance, as in: "In case we're raided, ensure that the documents we haven't yet released remain available, because some curious souls will make safe copies and then all we have to do is release/leak the encryption key."

Carlo Graziani • August 4, 2010 9:51 AM

I'll put a $ on "bluff".

Wikileaks has no history of hoarding secrets. What they get, they publish. If they had 1.4GB of the sort of classified documents which they felt the USG would do anything to keep secret, they'd publish them. That's their MO.

Assange is a bit of a drama queen and a publicity seeker. Turning /dev/random output into a little media event is about his speed.

subpatre • August 4, 2010 10:13 AM

In the rush to prove Wikileaks was ‘something’, Wikileaks published reams of documents with the unredacted names, even home addresses and relatives' names, of Afghans who opposed the Taliban, supported the US or NATO, or in some way helped the current government. Collaborators. These folks will now die or be tortured —really tortured, like with electric drills, battery acid, etcetera— by theBase or Taliban thugs. Not all, but most will.

Not unexpectedly, some of these Afghans are not happy and have threatened Wikileaks founders. In turn, law enforcement have told Wikileaks people ‘what did you expect’, and that although they would protect against and investigate some of the threats, cops were not 24/7 bodyguards.

Now Wikileaks thinks this most recent ploy about unreleased documents will protect them. [For a variety of reasons, one of which is their political perceptions. See the PatrickG and ‘due’ comments] Those familiar with the Stans know it is a matter of culture and justice, and the Wikileaks folks are living on borrowed time.

In a nutshell, Wikileaks' perception of danger from government is wildly exaggerated compared to the far more realistic and probable danger from tribal or familial justice. As time passes, agency threats will diminish farther, while Stan threats will inevitably increase. [Which will further fuel some commenter's political dementia]

david • August 4, 2010 10:21 AM

Assange said to Amy Goodman that this file is just about making sure those documents will be published. He says that it contains what they are about to release one after another, and that in case of major difficulties they will instead just hand out the key for the predistributed file.

Sounds like a plan to me.

Brian • August 4, 2010 10:45 AM

Interesting thoughts. It could just be random noise. Thanks to the nature of crypto, we would never know.

It is likely encrypted with OpenSSL, but that doesn't exclude the use of AES or Blowfish. We just don't know until we get a key, if ever.

BF Skinner • August 4, 2010 10:46 AM

@subpatre "some of these Afghans are not happy and have threatened Wikileaks founders"

Not just the Afghans. DoD is trying to figure out what to do about WikiLeaks, and Wikileaks have engaged the national security apparatchiks of MANY nations and corporations.

Ellsberg has said for a while now that Assange was / would be an assassination risk.

And when you have bloodthirsty wackos running around posing as responsible members of our society, like Congressman Mike Rogers, that "call for execution of Bradley Manning" and would have Ellsberg.

Well I can see Dan's point.

Matthew • August 4, 2010 10:57 AM

The only reference to aes256 on the site is on a page for TrueCrypt describing how to create an encrypted partition to store data in.
What if they are insuring against the entire site being taken down and this is a copy of the whole site?

HJohn • August 4, 2010 11:12 AM

@last hope at August 4, 2010 10:56 AM
______

If there is one thing I enjoyed about the otherwise inept Bush was his ability to fry the brains of people who then make irrational accusations like that one.

RH • August 4, 2010 11:27 AM

It is interesting how quickly Bruce pointed out the challenge with authenticating the contents (once we have the key, we decrypt it all).

However, I don't think decrypting one file is "safe." If this is truly an 'insurance policy' in the movie-plot realm of spy flicks, then any randomly picked file from the insurance could be very unsafe to unleash. And it wouldn't look good for them to say "no, don't pick that one!"

kangaroo • August 4, 2010 11:37 AM

Bruce -- authentication is easy. First, remember that you aren't the target of authentication, the DOD/DOS is. They already have the documents, the threat is general release of the documents.

So, you simply send the decryption key to the DOD/DOS. They download and authenticate. No need for any rigamarole. The whole thing can be authenticated by the threatened parties, since the threat is the release of the key to third parties -- not to them.

Stus • August 4, 2010 11:37 AM

It's probably "take down" insurance. It's everything they've received from every source but haven't processed yet. If the spooks manage to capture most of the people and take down the sites, it's all out there ready to pop. This will become clearer if an "Insurance II" shows up. It will be an ongoing process.

Lamont Granquist • August 4, 2010 11:40 AM

The comments all miss the point that Assange doesn't have to prove to the public that he has the documents in question, but only has to prove he's got it to his adversaries.

A far easier mechanism of proof would be to just e-mail one of the decrypted documents to the appropriate adversary. That probably already has occurred.

And this does provide some level of deterrence on both sides. Even if Assange later leaks the key, by not taking any action against Assange now that buys his adversaries time. And Assange loses his "insurance" if he leaks the documents.

shrug • August 4, 2010 11:40 AM

@BF Skinner
I don't know why Manning shouldn't be executed, since he deliberately committed treason, but I agree that a congressman shouldn't be "calling for it." Maybe it will turn out that Manning will be offered a cabinet position.

Spraying these leaked documents all over is definitely going to ensure that they'll be public. There's still time for them to do a piecemeal, blackmail style thing with individual files as Bruce suggests.

anon • August 4, 2010 11:43 AM

It could very well be something Wikileaks obtained and have yet to decrypt it themselves. The Afghan video had to be decrypted when they received it as well, so this could be similar. As in they know they have something important and since the heat is on them - they are releasing something from the government that they know will be very significant should Wikileaks "shutdown".

shrug • August 4, 2010 11:44 AM

Maybe they should blackmail the people who will actually be tortured or killed due to their names being released for the Taliban and friends to see. Who knows if they're doing that or not.

Bruce Schneier • August 4, 2010 11:44 AM

"They might have sent the key to the person/institution they are insuring from. They don't care if anybody else in the world knows if it's true or not, only the person they are protecting themselves from."

Good point.

Clive Robinson • August 4, 2010 11:47 AM

WikiLeaks has released 77,000 documents, yet the original number bandied about was a quarter of a million.

Two possibilities: the original estimate was significantly wrong, or there are still nearly two hundred thousand documents tucked away somewhere.

Could this file be the other documents?

As for Pte Manning being a traitor as always that is a matter of opinion and morals.

After the WWII war trials a principle was set of a "morality above the chain of command", that is, a soldier who had followed a superior's orders could still be executed for doing their duty if at a later time it could be shown the orders the soldier had been given were either immoral or illegal.

Well the question is what do you as a Private do with orders that conflict with the norms of society, and not just society but politicos are saying ?

Remember, as became clear from various trials (remember Charles Graner and Lynndie England, and the Obama administration's release of the memos?), any junior officer or OR would be either ignored on making a justified complaint or "scapegoated" for the actions carried out by those further up the chain of command, all the way to the very top...

Thus, is it surprising that some will assume the best thing to do is to show that the rot is still very much there, and still at the top of the administration, as publicly as possible?

Andrew Suffield • August 4, 2010 11:53 AM

We know that wikileaks has withheld around 1/5th of the documents they have, to be released later in redacted form or when they are no longer a risk to operations in Afghanistan.

It seems pretty obvious to me that this is what the file will contain: the stuff they haven't released yet. Insurance against them getting shut down by governments before that happens.

Anderer Gregor • August 4, 2010 12:16 PM

An advantage to having just one key for everything over one per document is that this one key can easily be memorized by everyone involved. In other words, even if their adversaries can strip them of internet access, of every electronic device, of every bit of paper, even if just a single one of them survives, it would just be one single phone call or one post card to release these documents to the whole world. A scenario I would have considered crypto movie plot material until a few weeks ago :)

BF Skinner • August 4, 2010 12:30 PM

As a tactic to prevent retaliation it doesn't have much to offer. It's no MAD. While the DoD and State want to curtail further disclosure they already consider the data compromised. And as @John Jenkins states the probability of Wikileaks publishing them anyway is high.

@Stus "take down" insurance.
Sometimes people really are just telling the truth. (Not in my experience but so I've been told)
As a contingency to protect against a take down action, widespread dissemination of the file could mitigate against arrests and seizures. But then DoD's and State's strategy has to make a priority of identifying, apprehending and isolating the key holders.

(or maybe the gatekeeper...Assange the traveller! During the rectification of the Vuldrini, the traveler came as a large and moving Torg! Then, during the third reconciliation of the last of the McKetrick supplicants, they chose a new form for him: that of a giant Slor! Many Shuvs and Zuuls knew what it was to be roasted in the depths of the Slor that day, I can tell you! )

Or as part of a take down strategy, infiltrate, reencrypt the file with a new non-Wikileak held key, and redistribute it overwriting the file with the old key.

@Bruce 'Good point.'
Depends on what Wikileaks goal is.

DoD and State DON'T really know what other material was disclosed. They really only know what's been published and what Manning may have admitted to.

There's been too much sharing going on since 9/11 and they haven't qualified this as all coming from the same source, and though it was probably Manning; the claim he made that I took away was State Department memos and cables, haven't seen much of those.

So there may be good reason for Assange not to let them know what else he has.
---------------------------------------------------------------------------
@Shrug
First
Treason, like conspiracy, is a difficult thing to prove. You have to prove intent. And since it is not on his charge sheet... well, we don't execute people for the way people loosely use language in this country but for specified and proved acts of malice and negligence. Treason is also not well defined. Your traitor is my hero. It's why they didn't hang Davis or Lee. An extreme example of men of good will disagreeing, perhaps.

Second.
As I am going over those intercepts and reports. Much of it should have been declassified years ago (by the governments own rules.) Should a person be put to death because of sloppy administrative work by competent authority? I would argue not.

Third
The Bush and Cheney administration made a practice of disclosing classified data (NOT declassifying and releasing it but leaking it) in order to maintain the public's political will for the conflicts we're still in. ((had a point to make here...what was it...)). Leaking is a perennial D.C. game.

Fourth
We're not England with its Official Secrets Act. Our First Amendment right to free speech supersedes even the Executive's power to keep secrets. It's why the Supreme Court ruled in favor of the NYT publishing the McNamara Study in the first place. Now freedom to act means you gotta be ready for consequences, but there it is.

Now ask me if I think Manning is a hero.

Dunno yet. Depends on his motives. Being a young kid behind the black curtain is a fairly intoxicating experience. You tend to think you know better because you have better access (this is untrue, by the way. Successive Presidents had the best intel on Viet Nam and continued to make bad decisions about escalation. That's what the Pentagon Papers revealed). Did his analysis of what he found mean he made a moral choice to disclose it, even under the threat of going to jail maybe for life? Or was he a vandal looking for bragging rights?

subpatre • August 4, 2010 12:40 PM

BF Skinner wrote: “Not just the Afghans. DoD is trying to figure out what to do about WikiLeaks, and Wikileaks have engaged the national security aparachiks of MANY nations and corporations . . .”

You have fallen prey to shoddy conspiracy thinking. Stop before you turn into ‘due’ or ‘last hop’ and your keyboard stays slick with spittle.

DoD is figuring out how to stem the leaks and best defend against information in theBase/Taliban hands. Period. That is what it is supposed to do. The information has been stolen, and ANY organization must presume their enemies have it. In this case, it is true, the Taliban downloaded it from Wikileaks. Wikileaks could even just be cover —though it seems improbable— for the espionage.

DoD is doing what they are tasked: analyzing what happened, investigating for similar losses, repairing broken procedures, etcetera. DoD’s concern with Wikileaks is PR. ‘Dirty ops’ on Wikileaks people would make things worse for DoD and do nothing to improve their security. [In case you were not aware, the documents were not taken by Wikileaks.]

The people who ARE going to die because of Wikileaks releases —no exceptions— are a lot of Stan folk. Tens of thousands of them. No Americans will be tracked down and executed, no Brits, Swedes, or even Turks. It is going to be Afghans, Pakistanis, and Uzbeks that are now targets for theBase/Taliban. This cannot even be stopped; the deed is done. The only thing that could stop the havoc is a different havoc: the annihilation of pro-Taliban forces, something that is not going to happen.

I am open to other reasonable and logical arguments. But the fact that Wikileaks released all those Stan names, had much more pending release, and is now claiming the documents are ‘insurance’; it all points unmistakably to horribly bad initial judgment and a continuing, politically-inspired disconnect with reality. Wikileaks has some measure of sympathy; they have caught themselves in an inescapable trap, and some —or their families— are going to die for it.

Andrew • August 4, 2010 1:11 PM

DoD bears some responsibility for the Afghani WikiLeaks -- we gathered the data, we didn't adequately protect it.

This gives us a golden opportunity to win the war in Afghanistan. Let it be known that all the named parties in the leaks are adopted members of the newest, most influential tribe in 'Stan - the Americanstis. If they stay, we protect them like they were Americans - or they can accept a large one time cash payout for the harm we inadvertently did - or if they want to leave, hook them up with visas and settle them in the Stateside home towns of Wikileaks principals. :)

Afghanis are afraid to cooperate with Americans - just as they were afraid to cooperate with Russians, and earlier the British if you read Kipling - because the facts will eventually out and we will go home and leave "collaborators" to their fate. Thus we have the best friends money can buy.

If we want to make and keep friends in a tribal structure, we need to come in at the top and make the Americanstis the dominant tribe in power and influence. How better to start than by lavishly redressing a wrong, generous with our love ($$$ and visas) as with our hate (retaliation and assassination against those who harm 'our' Afghanis.)

Think of it as the Afghanistan equivalent of a privacy warning letter.

Daniel • August 4, 2010 1:47 PM

Is it possible that he has the key set to release as a sort of kill switch, where if he is detained and doesn't log in at regular intervals, the file becomes public?

Bob Roberts • August 4, 2010 2:01 PM

I downloaded the insurance file from wikipedia and it is only 214.2MB. Anyone know if there are multiple versions floating around?

Doosra • August 4, 2010 2:08 PM

I am surprised that there is no discussion here of Schneier's proposed 3 part plan. I don't see how it would be more convincing. Can someone explain?

Doosra • August 4, 2010 2:14 PM

Never mind my question above. I think I got it. An easier step 2 would be to announce that the key will be released based on some pseudo-random number that will be known tomorrow, say the last three digits of the number of shares sold at some stock market tomorrow.

CMan • August 4, 2010 2:32 PM

Another option I've not heard anywhere ... perhaps the insurance file is really something that was provided TO/stumbled across by Wikileaks in encrypted form that they aren't able to crack? By putting it out there where world+dog can hack at it they significantly raise the computing power available to crack it (would still take a massive stroke of luck to find the key) or, perhaps, they're hoping someone who HAS the key will recognize such and send it to them ...

shurg • August 4, 2010 2:59 PM

"perhaps, they're hoping someone who HAS the key will recognize such and send it to them ..."

That's awesome!

jgreco • August 4, 2010 4:05 PM

@Bob Roberts at August 4, 2010 2:01 PM

The same thing happened to me the other day, twice in a row. Unfortunately I didn't keep the 214MB version around, but on my third try I got the 1.4GB version. I haven't heard anything officially about a 214MB version, perhaps funny business is going on.

Albert • August 4, 2010 5:39 PM

There was speculation before of WikiLeaks being in possession of the Garani massacre video. This might be it. If I were Assange then I would really encrypt it using AES256 and then see if NSA would be able to decrypt it ;-) There have been rumors about NSA putting in a back door into AES, so this might be Assange testing if there is any substance in the rumors. Just a guess, but why not?

Then I would use a cron-job to check something every day, like a watchdog. If I didn't give the dog a bone every day it would start barking (screaming out the AES-key).

Dale Swanson • August 4, 2010 5:43 PM

@Anderer Gregor
The solution to that would be to create a database of all the keys and filenames (which they'd have to have anyway), then encrypt that with a known key memorized by all the members, then release that encrypted database. That way any member can easily release all the keys by just revealing the key to the database of keys.

BF Skinner • August 4, 2010 5:49 PM

@patre "fallen prey to shoddy conspiracy thinking. "

Lighten up, Francis.

I haven't seen any names yet but I'm only about 1/10 of the way in. Do the Taliban intend retribution? Yeah. But they did anyway. The threat to specific Afghans hasn't changed, just the specific vulnerability.

DoD is figuring out how to stem the leaks by removing outlets for the data, and instilling incentives in the people who handle the data to not mishandle it. Look for them attempting to throw the book at Manning.

Look at the calls for treason and execution. I find simplistic solutions to complex problems usually start with calls for a bullet to head. There are smart people in DoD and they are trained to be very, uh, direct.

They could better manage the risk by moving the people you're worrying over - out of harms way.

DoD has been lax in handling classified material because they've got too much of it. "Secret is the new Confidential. Top Secret is the new Secret".

Wikileaks threat sources are far more powerful than aggrieved Afghans.

Nation states, trans-national corporations, Swiss bankers, Scientologists, Delta Tau Thigh, random nut jobs who hyperventilate over possibilities and the ideal notions they carry around in their head... anyone with motive and power who wants to keep their secrets secret?

I'd put an individual Afghan with a blood feud at the lower end of THAT threat likelihood scale.

@Andrew "afraid to cooperate with Russians,"

Ummmm. Did you want to re-say this in anyway?

I take your point in that if we were promising individuals safety we should also have protected the data better, or maybe --not have written it down. Or KEPT it beyond its use-by date.

Their fear to trust turns not on the threat, which is a constant, but on the failure of the agency that they put their trust in. Sure I've heard that before somewhere. It's not that the Taliban will kill collaborators.. it's us who've proved untrustworthy and validated their unwillingness to cooperate.

@jgreco "...perhaps..."
What did they say when you asked them?

Edible • August 4, 2010 8:35 PM

It could easily be an archive of many singularly encrypted files for distribution if their site gets cut for whatever reason, or if they want to leak a few to prove they are game.

Fascist Nation • August 4, 2010 10:15 PM

But it is a bit easier than that for the NSA to crack. They have a fair to complete idea --depending upon how good the log info from the files Private Manning was looking at are as to what files are in this massive file. They can use them to effectively reverse the process and break the encryption. It might be possible for outsiders to assume at least some of the files are present that have already appeared on wikileaks and use that to circumvent the encryption.

MMcloud • August 4, 2010 10:15 PM

Has anyone actually seen the names of Afghans listed in some of the documents? Can you point me to where they are? I can't seem to find them. My regex/grep skills were always poor.

JQW • August 4, 2010 10:20 PM

Publishing individual documents would disclose their sizes, which would perhaps tell the government too much. The problem could be solved by simply breaking the 1.4 GB into 64 KB pieces, and applying the same algorithm you suggested to the chunks. Even if the chosen chunk is video, it should be easy enough to see that it is not random data.

Tom T. • August 4, 2010 10:33 PM

No one has mentioned the possibility that WL has given portions of the key using, e.g., Shamir's Secret Sharing, as discussed by Bruce here:
http://www.schneier.com/blog/archives/2010/07/...

Give, say, 100 people parts of the key, with ten (or any other desired number) sufficient to decrypt. Spread those 100 (or other number) around the world and around the spectrum, and you're pretty well "insured", with some assurance that it won't be leaked prematurely....
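Tom T.'s threshold idea, as an added example that is not from the post or any commenter: a minimal Shamir secret sharing of a 32-byte key over GF(2^8), with Split and Combine as assumed names. The 10-of-100 parameters in main match the comment; the key is a constructed placeholder.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// Share is one holder's piece: the evaluation point x plus one y byte per secret byte.
type Share struct {
	X byte
	Y []byte
}

// gfMul multiplies in GF(2^8) using the AES polynomial x^8 + x^4 + x^3 + x + 1.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 == 1 {
			p ^= a
		}
		carry := a >> 7 // if the top bit is set, reduce by the field polynomial
		a = (a << 1) ^ (carry * 0x1b)
		b >>= 1
	}
	return p
}

// gfInv finds a multiplicative inverse by search; there are only 255 candidates.
func gfInv(a byte) byte {
	for x := 1; x < 256; x++ {
		if gfMul(a, byte(x)) == 1 {
			return byte(x)
		}
	}
	return 0 // only for a == 0, which has no inverse
}

// Split produces n shares such that any k reconstruct the secret: every secret
// byte becomes the constant term of its own fresh random degree-(k-1) polynomial.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, fmt.Errorf("need 2 <= k <= n <= 255, got k=%d n=%d", k, n)
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k-1) // coef[j] is the coefficient of x^(j+1)
	for pos, s := range secret {
		if _, err := rand.Read(coef); err != nil {
			return nil, err
		}
		for i := range shares {
			x := shares[i].X // Horner evaluation of s + c1*x + ... + c(k-1)*x^(k-1)
			y := coef[k-2]
			for j := k - 3; j >= 0; j-- {
				y = gfMul(y, x) ^ coef[j]
			}
			shares[i].Y[pos] = gfMul(y, x) ^ s
		}
	}
	return shares, nil
}

// Combine interpolates at x = 0; subtraction is XOR in GF(2^8), so the Lagrange basis
// is L_i(0) = prod_{j != i} x_j / (x_i ^ x_j). Given fewer than k shares it silently returns garbage.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, fmt.Errorf("no shares given")
	}
	length := len(shares[0].Y)
	for i, a := range shares {
		for _, b := range shares[:i] {
			if a.X == b.X || len(a.Y) != length {
				return nil, fmt.Errorf("duplicate x or length mismatch in shares")
			}
		}
	}
	secret := make([]byte, length)
	for i, si := range shares {
		basis := byte(1)
		for j, sj := range shares {
			if i != j {
				basis = gfMul(basis, gfMul(sj.X, gfInv(si.X^sj.X)))
			}
		}
		for pos := range secret {
			secret[pos] ^= gfMul(si.Y[pos], basis)
		}
	}
	return secret, nil
}

func main() {
	key := []byte("constructed 32-byte demo key....") // a real key would be random
	shares, _ := Split(key, 10, 100)                  // 100 holders, any 10 suffice
	got, err := Combine(shares[5:15])
	fmt.Printf("recovered=%q err=%v\n", got, err)
}
```

Because Combine cannot detect an under-threshold reconstruction, the recovered key should be checked against an authenticated ciphertext (or a published hash of the key) before anyone trusts it.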

Tom T. • August 4, 2010 10:38 PM

"Additionally, Manning said he sent Assange video showing a deadly 2009 U.S. firefight near the Garani village in Afghanistan that local authorities say killed 100 civilians, most of them children, as well as 260,000 U.S. State Department cables."

The b*stards! Killing 260,000 innocent US State Dept. cables! (Doesn't anyone know how to write a coherent sentence any more, or how to avoid misplaced modifiers?)

Nick P • August 4, 2010 11:13 PM

It's great to see it happen. I don't know if they are bluffing or not, but I came up with the same method myself last year. I was like, "How to defend against the government wanting to take a leak site down?" Mine was a file encrypted by two different apps with a 256 bit key widely dispersed and mnemonics to memorize the key. Activation would happen via a threshold scheme and would have at least three tamper-resistant crypto cards producing/releasing the master key. Interesting to see something similar happen in the real world. ;)

The trick was finding something that they would be so concerned about that they don't attack you. I won't share that part of my plan, as I don't want my mental exercise to invoke the wrath of the US Government. I figure others are correct that WikiLeaks will release information that would damage current operations. When it comes down to it, it's about what the military brass care about or are afraid of, no matter how irrational. If they have something that would scare them, then they have a trump card. Otherwise, they are bluffing others or themselves.

EH • August 4, 2010 11:28 PM

Fascist Nation:
But it is a bit easier than that for the NSA to crack. They have a fair to complete idea --depending upon how good the log info from the files Private Manning was looking at are as to what files are in this massive file

You don't know that Manning is WL's only source, and I highly doubt that he is.

anonymous coward • August 4, 2010 11:59 PM

Seems to be pretty bad insurance. What makes your enemy's enemy not want to kill you?

Looks odd, I like their work very much, though.

cipherpunk • August 5, 2010 12:20 AM

From the precautions that Wikileaks takes as far as not relying on a centralized server for obvious reasons, I would expect the same precautions with respect to this mystery file.

First and foremost, I would be willing to bet that it is not a bluff file. Second, with respect to the extension (AES256), I do not see the purpose to that bit of information being falsified; it's AES256 good luck trying to break that. Finally, I would characterize Assange as being a very cautious individual - specifically he probably has zero trust of anybody who volunteers and assist him with Wikileaks. It is not far fetched that this 1.4 GB file is encrypted multiple times with n keys (onion layer concept). Each key is then distributed to a "trusted" person - that way no one person could unlock the contents of the file. Or perhaps a fairly lengthy random key was generated and split up and distributed.

Hell that is just my $0.02 and I am probably way off and I should just get back on the short bus.

Michael Lynn • August 5, 2010 1:19 AM

@Albert

You do realize that NSA didn't design AES, right?

--Michael Lynn

Pierre • August 5, 2010 1:23 AM

Fun that nobody thought about WHAT was sent to WHO.

"AES256" was sent to "NSA".

NSA approved AES256. It would not have approved something that it can't break. Think RSA for example which was known 20 years before being publicly released (the time necessary to crack it).

There is no need to send the key to the NSA. Just saying that AES was involved BOTH protected the U.S. Gov. (very few can read AES on-the-fly) AND allowed the U.S. Gov. to know exactly what would be the cost of harming Wikileaks (as they can read the file before anyone else).

It's surprising to see how many stupid things the 'experts' are ready to publish on a blog about 'security'.

Maybe they could start a career as story-tellers. It pays well, apparently.

Michael LynnAugust 5, 2010 1:55 AM

@Pierre

Do I have that right that you're saying that both AES *and* RSA have been broken? I must have missed that, got a link to that story for me so I can read more.

Ok ok, I should resist sarcasm that borders on mocking, because I'm not trying to be a jerk here but can we all agree that it's probably best to label speculation of this sort as speculation and not lay it out there as if it was widely accepted fact. I mean, unless you do actually have that link.

--Michael Lynn

TordrAugust 5, 2010 2:08 AM

Using secret sharing and multiparty computation wikileaks could distribute the key to a set of participants so that no single participant could decrypt the file, but the group as a whole could decrypt it.

Instead of showing the file to the participants, the computers could verify that the content was actually word files or text files without any one of the participants actually seeing the information or having access to the decrypted information (the decrypted files would also be secret shared).

On the other hand this is just a theoretical verification as running such a distributed protocol would demand terabytes of communication between the participants, and there is currently no program written that could handle this amount of data.

(Note: I have worked extensively on multiparty computation so I know this is feasible; on the other hand this solution is not efficient or practical.)

Clive RobinsonAugust 5, 2010 3:42 AM

A few points,

One, AES256 is not in and of itself secure outside of a single block of encryption. The mode you use, and how you use it, is actually a lot more important.

Two, it may not be a single AES key for the container it could be many (think AES in CTR mode as the key gen to the AES mode that encrypts the container and gets rekeyed from the AES-CTR every file block)

Three, the container itself may actually provide the key in some way (say hashing the first half of the file gives the key to the second half, which contains a file with a key to the first half).

There are a number of ways you can play with the encrypted container. For instance at what point do you start decrypting? The file might have been subject to "Russian coupling" in some form.

Further let us say that a 512byte block buried in the middle is a "bit map" to reorder some of the file blocks. Another block might likewise be a bit map to "nul" blocks that need to be removed. This process itself is obviously critical in its ordering and can be repeated over multiple rounds...

Or you could use a system such as Ross Anderson's "Dancing Bear".

So you may need to know one heck of a sight more than the AES256 key before you get going.

But we are again assuming just the one "container" and once opened all the cards are shown.

How do we know that it is not a "Russian Doll" with containers within containers, as you open a container you get one or two "taster files" and the next container.

The keys to each container being produced from one or more BBS generators for instance?

This gives wikileaks the way to inflict "death by 1000 cuts" onto both the administration and the Afghans.

Which gives the administration a problem: if they push wikileaks and the outer container gets opened, they get a black eye for one of their intel files but also a kick in the happy sack because a file with Afghan-US collaborators is revealed.

The DOD might be prepared to take repeated black eyes but is the Administration going to take repeated and very public kicks in the happy sack from the public via the press / internet over "wantonly revealing the names of Afghans fighting to bring democracy against terrorists"...

Thus a cautious and moderately clever person could keep the US off their back. If they feel they are being threatened they give a single warning to "back off"; if the threat does not decrease a key goes out and a couple more files become public. This could go on and on many many times with containers in containers.

As was once said,

Such is the price of freedom from tyranny.

Russell CokerAugust 5, 2010 4:36 AM

The stated policy of Wikileaks is to release everything that is verified. Their efforts to verify things before publication can take some time.

It seems quite likely that some significant portion of the 1.4G file consists of material that they have not been able to verify. It also seems likely that some of the material may never be verified and thus never be published unless this "insurance" happens to be used.

Of the data that might never be published unless the insurance is used there is probably some accurate stuff and some fantasy that would be damaging if it was released.

So the organisations who are the target of this insurance will probably be more worried about stuff that WikiLeaks will not actually publish in the normal course of events.

A threat to publish something now rather than later probably isn't going to scare many people, particularly for values of "later" which are not guaranteed to be after the next election. A threat to publish some fantasy and some unverified stuff along with verified accurate data will scare people.

Chris S.August 5, 2010 5:03 AM

I wonder if Assange has really thought through the process of how the key may be released. As long as you're in movie plot mode with this there are all sorts of ways that it may not work out.

If he trusts some people he could pass the key on to them either in whole or in secret parts but this assumes they are not known to be in communication via monitoring.

He could have some cron on a server somewhere that will send out emails but this also assumes that he hasn't been well monitored. He would have to be very careful about how he sets either of these up so that they can't be disabled.

If I were him I wouldn't assume that I'd have a chance to disclose the key before being "disappeared", and any automated form of disclosure would need to be redundant and pervasive.

Daniel WijkAugust 5, 2010 5:48 AM

Chris S: I'm fairly sure there are a handful or more people who know the key in the Wikileaks organisation.

I also wouldn't put it past Assange having a cron job or other type of timebomb waiting to release the key if Assange doesn't reset it from time to time...

BF SkinnerAugust 5, 2010 7:07 AM

@fascist nation " a bit easier than that for the NSA to crack"
AES has been authorized for encryption up to the secret level. I doubt they would do that for a weak cipher. DES was never authorized for anything above For Official Use. The problem with weak ciphers is you have to assume your opposition will be able to mount the same capability you have. To put a back door, if it's even sane to talk about a backdoor in an algorithm, in a cipher we ourselves widely use puts us at a much greater risk of total compromise across military and civilian agency by the next Hansen. It makes the system brittle.

@MMcloud "anyone actually seen the names of Afghans "
I have not. I figure the reporters at the Post and Times might have; but all I've heard from people at DoD is there 'might' or 'possibly' be such a disclosure.

@Tom T. "b*stards! Killing 260,000 innocent US State Dept. cables!"
Yeah it's a problem with the form. The hit and run nature of blog coverage is another. Mobile responses are the death of language. (Don't know how Clive does it)

@Nick P "trick was finding something that they would be so concerned about...I won't share that part of my plan"
Ah come on Nick...wha'd'ya find!

@Cipherpunk " is not far fetched that this 1.4 GB file is encrypted multiple times with n keys (onion layer concept). Each key is then distributed to a "trusted" person "

But if it can be encrypted one more round with a key unavailable to Assange and co. it stoppers the bottle from leaking more don't it?

@Pierre 'NSA approved AES256"
@Michael Lynn "you're saying that both AES *and* RSA "
No it sounds like a revoicing of the suspicion that there's a back door in AES. Tell me how you can put a back door into an algorithm will you?

@Pierre *sigh* - NIST approved AES and makes it the mandatory Standard. NSA just reviews system designs on MAC I and II systems and provides implementation instruction, evaluates and certifies that IA requirements are met.

not-meAugust 5, 2010 8:12 AM

It could be the entire contents of wikileaks all bundled up in case a way is found to block or otherwise take down the wikileaks network. Insurance against loss.

42August 5, 2010 10:18 AM

@BF Skinner "Treason is also not well defined"

Could you clarify the wiggle room?

United states constitution, article 3 section 3: "Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

The Congress shall have power to declare the Punishment of Treason, but no Attainder of Treason shall work Corruption of Blood, or Forfeiture except during the Life of the Person attainted."

PaeniteoAugust 5, 2010 10:27 AM

@BF Skinner: "Tell me how you can put a back door into an algorythm will you?"

(Preface: I'm not saying that AES or DES have a back door. In fact, I'm rather convinced that they do not.)

Take as example the S-boxes of DES. They were modified by the NSA.
Some years after DES's publication, it turned out that the NSA's S-boxes were very resilient against differential cryptanalysis which wasn't publicly known when DES was publicized.
Curiously, from all imaginable S-boxes, the chosen ones are among the weakest when it comes to linear cryptanalysis (but still ok, IIRC).
(You will find more on this in Bruce's "Applied Cryptography" from which I'm quoting here from memory.)

In order to put a back door into DES, the NSA could have chosen S-boxes that would have allowed differential cryptanalysis.

So, in general, putting a back door into an algorithm would mean to design an algorithm that withstands all currently known cryptanalytic attacks while, at the same time, being vulnerable to a technique that only you know at the moment.
Of course, you never know the exact state of the art of your "competitors" so this is a rather risky endeavour.
Furthermore, the vulnerability would have to be serious enough to allow practical breaks and be subtle enough to not raise any suspicions.

nunameAugust 5, 2010 11:32 AM

Y'all are so dumb.

It is simply a compressed and then encrypted backup of the entire internal wikileaks computers.

Dah!

smh

MarkHAugust 5, 2010 11:49 AM

These comments discuss at length the hypothesis that the intent of the archive is to serve as a threat against those who might harm WikiLeaks.

Some have scoffed that no one would have anything to fear from release of the withheld portion of the documents -- if indeed that is what is in the archive.

By this reasoning, 'insurance' would be ineffective as a threat.

But Assange has stated (more than once, I think) that WikiLeaks redacts information that would threaten the safety of informants. If so, any informant identities disclosed by the recent release were a result of error or haste, not policy. And complete (non-redacted) disclosure presumably could be much more dangerous.

MarkHAugust 5, 2010 11:59 AM

About treason:

I'm very pleased to see the Constitution quoted above! These days Americans have a great passion for substituting emotion, opinion, and religion for law.

To the extent that PFC Manning disclosed evidence that civilians were killed by soldiers -- this certainly does not make war against the US, nor does it materially aid enemies.

Probably, a lot of people will "feel" that enemies take comfort by anything that the US finds embarrassing, but I think it would be a mighty big stretch to make such disclosures "aid and comfort" in a court of law.

The Constitution sets a high bar for treason, and does so for Damn Good Reasons. Show me a state where embarrassing the government -- even in time of war -- is treason, and I will show you a totalitarian state!

KevinAugust 5, 2010 12:24 PM

Has nobody yet considered the "sense of humor" scenario - perhaps the encrypted file is destined to be the world's most famous rickroll in history...

Clive RobinsonAugust 5, 2010 12:36 PM

@ BF Skinner,

"No it sounds like a re-voicing of the suspicion that there's a back door in AES. Tell me how you can put a back door into an algorithm will you?"

First you have to state the conditions...

It is well known that the AES competition did not consider certain "dynamic" aspects and within a very short time it was found that many AES implementations had "timing side channels". Subsequently it turns out you have to be an extraordinary software engineer to prevent side channels on the majority of modern CPUs with AES (cache timing attacks).

It is well known how to put "covert channels" into stream ciphers and there has been a paper or two (at the most) about what would be required to put a covert channel into a block cipher.

As Nick P and I have discussed in the past, the NSA has "previous" when it comes to "back dooring" designs, not just by themselves but also by crypto companies in other nations (where clocks pop out little birds on the hour every hour ;)

I first came across this years ago when writing up some stuff on how to crack some early machine ciphers such as the "coin counting mechanism".

It turns out that when you look at all the keys they have different strengths ranging from very weak to strong. Only very few in the latter group (say 1 sixth or 17%).

If you know this AND you are responsible for producing the daily "key settings" then you stick within that 17%. However if you lose one of these machines and it gets copied, the chances are your adversary does not know about the relative key strength differences therefore they will use keys from all 100%. Which means as the NSA you have been gifted something like 1/3 of the messages by your adversary...

If you come a little further up to date, do you remember the "crypto escrow" arguments and "Capstone"?

Well when the "secret design" was looked at it was found to be strong but very brittle, in that even tiny non obvious changes would render it a weak system.

Lastly go back and have a look at AES certification by the NSA. They don't actually "blanket certify" AES... only AES in approved equipment operated under certain conditions, one of which is usually only for systems where the ciphertext is at rest (see the inline media encryptor).

My advice to anyone with reason to be even a little paranoid (ie anyone with secrets worth more than 100K USD) is NEVER use AES online and take good EmSec precautions with the machine you do it on...

If you have to use AES online, remember "Clock the Inputs and Clock the Outputs" and "fail hard on any error for a long timeout". This should hopefully throttle any time based side channels to a very very low bandwidth (but it won't stop them so re-key often).

Also don't use standard formats such as Word, PDF, ZIP etc. (they have standard headers) unless you use "Russian coupling" or equivalent "transposition".

The devil is as they say in the details, which is why the NSA have more strings to using AES than there are on the harps of those angels dancing on the head of that pin...

CornerstoneAugust 5, 2010 4:10 PM

@Clive,
Most of the time I can't figure out if you really know stuff or are just a raving nutbar. I guess it's always somewhat entertaining though. Can always tell your posts before seeing the name - which is usually a long way down.

jasonAugust 5, 2010 4:36 PM

the file contains the location of osama.....does julian assange remind anyone of max headroom?

MontyHallAugust 5, 2010 7:21 PM

The file contains an almost complete list of all US servicemen that have served in Iraq as well as Afghanistan. Almost complete addresses as well as photographs are included as well as respective detachments and field commendations. They are not intended for release until such time that a full withdrawal has taken place, or until UN Security Forces set foot on the ground. Incomplete keys have been distributed. The final part of the key is to be withheld by volunteer lawyers and only to be released in case of detention.

elliotAugust 5, 2010 8:01 PM

Assuming this is a complete info-dump, what's now stopping any group that wants full access to the files from killing Assange, thereby initiating a retaliatory password-leak by remaining Wikileakers to open the file?

Seriously, there are enough groups/agencies wanting info on USA reports and methods -- ranging from Talibs to Russians -- and one would think they'd have done this simple math days ago. Assange's just put a pretty big target on his .... assange.

Peter MaxwellAugust 5, 2010 8:06 PM

@Paeniteo at August 5, 2010 10:27 AM:

"So, in general, putting a back door into an algorithm would mean to design an algorithm that withstands all currently known cryptanalytic attacks while, at the same time, being vulnerable to a technique that only you know at the moment."

Considering that the algorithm, Rijndael, was not designed by NIST (or the NSA for that matter) but Vincent Rijmen & Joan Daemen and submitted to the AES process then analysed by a community of cryptographers, it is rather unlikely there is a backdoor.


@Clive Robinson at August 5, 2010 12:36 PM

Yes, AES has issues with side channel attacks, we all know that. Aside from that, AES has been surprisingly robust.

If you are suggesting any assets worth over a certain value should not rely on protection by AES, you are essentially saying it can be broken for around that value. So are you saying for $100k, you can break a channel encrypted with properly implemented AES?

Personally, if I had $100k and wanted information that badly, it would be much easier bribing or blackmailing someone.

------------

With the encrypted file, it is probably related but as yet unpublished (and probably unprocessed) content that they wanted to make sure was widely distributed in the event their site was brought down.

I really can't see a more complex explanation being plausible. Nor can I see them using it in the context of threatening anyone that it will be released - it doesn't make sense given that the release of information is their main objective in the first place.

Although it does seem to be prime fodder for peoples' imaginations.

Nick PAugust 5, 2010 8:27 PM

@ BF Skinner

"Ah come on Nick...wha'd'ya find!"

A good poker player never shows his hand before it's time to put the cards on the table. Forgive me if I prefer not to play this game with my cards facing outwards. ;)

@ Cornerstone on Clive's insanity/brilliance

You aren't the first person to say that. I still wonder myself. I'm pretty sure he's British and surfs the Internet, but everything else is speculation at this point.

running around in circlesAugust 6, 2010 12:01 AM

I thought Clive Robinson was 'Technical Consultant' at CSS Total Security, Portsmouth, UK. Correct me if I'm wrong. As to whether he knows what he's talking about: I don't know.

bengAugust 6, 2010 12:44 AM

Pentagon demands Wikileaks return Afghanistan documents
http://www.bbc.co.uk/news/...
"The Pentagon has demanded that Wikileaks remove a trove of secret documents on the Afghanistan war from its website and cancel plans to publish anything more it holds."

- Does this suggest that the insurance file does not just contain junk data but actually does contain things the Pentagon wants to keep secret?

RophuineAugust 6, 2010 12:57 AM

Bruce's 3-point scheme suffers from a problem: there's no way to prove that, once decrypted and uncompressed, the files aren't all identical.

If you amended the steps to ask for some number of random documents instead, and all of the chosen documents prove to be different, then you have some confidence that it isn't just some small amount of information encrypted in myriad ways.

The larger the number of documents selected, the higher the chance that the random selection would have exposed endemic duplication. WL would need a high level of confidence that all (or at least most) of the documents ARE substantially different, to avoid the possibility of the selector choosing several documents which do happen to be similar or identical.
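
Bruce's per-document-key scheme, with Rophuine's extension of sampling several documents and checking that they differ, as an added illustration written for this page (not Wikileaks' code, nor Bruce's or Rophuine's). It is stdlib-only, so the per-document cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-256-CTR (an assumption of the example; a real archive would use an AEAD such as AES-256-GCM), and the sample documents are constructed:

```python
# Added example (not Wikileaks' code, nor Bruce's or Rophuine's): a challenge-
# response check that an encrypted archive holds real, distinct documents.
import hashlib
import hmac
import random
import secrets


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for AES-256-CTR built from HMAC-SHA256 in counter mode
    (assumption: keeps the example stdlib-only; use a real AEAD in practice)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_archive(documents):
    """Publisher: encrypt every document under its own fresh 256-bit key."""
    keys = [secrets.token_bytes(32) for _ in documents]
    blobs = [xor(doc, keystream(k, len(doc))) for doc, k in zip(documents, keys)]
    return keys, blobs


def choose_challenge(num_docs: int, k: int, seed: str):
    """Challenger: k distinct indices derived from a public seed (e.g. a
    headline or lottery draw the publisher could not have predicted)."""
    return sorted(random.Random(seed).sample(range(num_docs), k))


def reveal(keys, indices):
    """Publisher: hand over only the keys for the challenged documents."""
    return {i: keys[i] for i in indices}


def verify(blobs, revealed):
    """Verifier: each revealed document must be readable text, and no two may
    be identical (Rophuine's extension of the single-document check)."""
    seen = set()
    for i, key in revealed.items():
        plaintext = xor(blobs[i], keystream(key, len(blobs[i])))
        try:
            plaintext.decode("utf-8")
        except UnicodeDecodeError:
            return False, f"document {i} is not readable text"
        digest = hashlib.sha256(plaintext).hexdigest()
        if digest in seen:
            return False, f"document {i} duplicates another sampled document"
        seen.add(digest)
    return True, f"{len(revealed)} sampled documents are readable and distinct"


# Constructed sample archives (all text here is made up for the example).
HONEST_DOCS = [f"Report {i}: routine patrol, nothing to report.\n".encode() for i in range(12)]
PADDED_DOCS = [b"The same single memo repeated to bulk up the file.\n"] * 20


def run(documents, k=4, seed="front page, 2010-08-05"):
    keys, blobs = build_archive(documents)
    indices = choose_challenge(len(blobs), k, seed)
    return verify(blobs, reveal(keys, indices))


def run_bluff(num_blobs=20, blob_len=256, k=4, seed="front page, 2010-08-05"):
    """A 'bluff' archive of random bytes: whatever keys are produced on demand,
    the sampled blobs do not decrypt to text."""
    blobs = [secrets.token_bytes(blob_len) for _ in range(num_blobs)]
    fake_keys = [secrets.token_bytes(32) for _ in range(num_blobs)]
    indices = choose_challenge(num_blobs, k, seed)
    return verify(blobs, reveal(fake_keys, indices))


if __name__ == "__main__":
    print("honest :", run(HONEST_DOCS))
    print("padded :", run(PADDED_DOCS))
    print("bluff  :", run_bluff())
```

The honest archive passes, the padded one (twenty copies of one memo) fails as soon as two sampled documents collide, and the random-bytes bluff fails because nothing decrypts to text. As Rophuine notes, duplication spread thinly across a large archive can still slip past a small sample, so the challenger's only lever is the sample size k.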

Clive RobinsonAugust 6, 2010 2:54 AM

@ cornerstone,

Not being American I'm not 100% sure what a "nutbar" is or why it would be "raving" (It brings up images of a "Snickers" Bar dancing the night away to techno / drum-n-bass ;)

As for entertaining, aside from the occasional oddbeat comment to raise a wry smile, I aim to provide useful information or give pause for thought (the first step of innovation). If I also make people's time pass more easily or provide them with other entertainment, then consider it a bonus.

@ Peter Maxwell,

"If you are suggesting any assets worth over a certain value should not rely on protection by AES"

Absolutely not.

What I'm talking about is using AES in "on line" or "off line" mode.

In on-line mode, the time based side channels from the use of AES can be seen remotely and have been practically demonstrated as such.

Removing these AES side channels in software-only implementations on modern CPUs is extremely difficult for a number of reasons.

Further software changes only limit passive attacks not active attacks. Eliminating active timing attacks on a general purpose multi tasking computer where an attacker can influence such things as load, cache and memory utilisation and a whole host of other factors opens timing side channels back up again.

Also there are other timing side channels involved with communications that can leak information through AES or any other crypto system because they are not a consequence of the crypto algorithm.

Thus timing side channels either inherent within the system or induced in the system by an attacker are very real issues not just in the future but currently, and are very difficult to spot (I'm not aware of any IDS or other off the shelf software system that can detect them).

Obviously for an attacker irrespective of if it is a passive or active timing side channel attack there is a certain degree of technical and other difficulties involved which requires a commitment of resources.

Thus there is a tipping point at which the commitment of such resources will (probably) show a return above the cost of committing them.

Which brings me onto your question,

"So are you saying for $100k you can break a channel encrypted with properly implemented AES"

As I said you have to define your parameters to give a definite answer to that. We do know that previously published timing side channel attacks have involved little more than a network connection and a high end PC.

Therefore what I am saying is that if you routinely handle secrets worth over 100K USD you should realistically consider that you may well become a target now or in the future of some kind of attack against your encrypted communications.

As Bruce notes attacks only get more sophisticated and practical with time, and people learn with (sometimes painful) experience not to fall for simple attacks. Thus those criminals that have made a good living out of various phishing and malware attacks will migrate upwards to this sort of attack as and when their existing attacks start to fail to bring in the money.

And as a consequence a responsible user/organisation should take steps to eliminate the potential vulnerability of timing side channels.

There are various ways this can be done but the simplest currently is to use AES "off line" in a way that EmSec attacks are also reduced.

That is, your plain text and crypto software are on an "air-gapped" and possibly TEMPEST hardened system and only cipher text files get put on the machine responsible for network communications. This way there should be no timing side channels based on the plain text.

However for obvious reasons this does not mitigate traffic flow analysis which may reveal much more information than a single plain text message.

@ running around in circles,

@ Nick P asked if that was me some time ago and the answer is still the same.

Though why people want to know who I am puzzles me unless they have large handfuls of money they want to give me, in which case they can give it to Bruce and he can pass it on minus a handling fee ;)

Clive RobinsonAugust 6, 2010 3:37 AM

@ Nick P,

"... on Clive's insanity/brilliance."

Oh ye of little faith ;)

You know I was banging on about RF fault injection attacks for a very very long while before the bods at Cambridge Labs wrote their paper on doing it.

Likewise I upset another one of them by showing that I had already worked out, considered and identified and written on the net the essence of his later PhD thesis (Hey it was a thought exercise for me and he went and did all the hard work of proving a practical example so kudos to him).

Sadly he did not go on and show that the attack could be used to identify Honey Nets using what appeared to be "brain dead" "script kiddy" attacks. And thus enable a "pro attacker" to avoid them and having their latest attack identified.

Another of the researchers there has butted heads with me a few times and has had to back track on what they have said.

Specifically the issues with jumping air gaps and covert control channels for Bot Nets (he made the mistake of saying that bot nets were becoming a non... issue due to two issues cutting the very obvious control channels and blacklisting of spam etc).

MattAugust 6, 2010 4:52 AM

They don't have to prove to the public it's real. How can you know they haven't sent the key to someone in the US government?

Yvon SauvageauAugust 6, 2010 6:01 AM

I haven't seen the file, but just because it's called insurance.aes256 doesn't mean that they used AES. In fact I don't believe it because it makes no sense to use AES if you don't plan to reuse the same key for multiple ciphertexts. The best encryption for a one-time message is the one-time pad. It's 100% uncrackable. So if they've done it right, their key (pad) is 1.4 GB in size. I know it may sound weird, but nowadays it's not much harder to hide than a 256 bit key; and they've shown they can distribute a 1.4 GB ciphertext, so why not a key of the same size?

BF SkinnerAugust 6, 2010 6:21 AM

So heard report today US Government is demanding the return of all material and the removal of offending data from Wikileak servers.

Too bad they don't have DMCA to fall back on. Or do they?

David RichardsAugust 6, 2010 6:35 AM

The idea of using a 1.4GB key is intriguing because it is then possible for wikileaks to release PART of the key. They could release, for example, a 40K bit-string and an offset into the 1.4GB file. That section of the file could be decrypted, but the contents of the rest of the file would be 100% secure. This would also fulfill Bruce's scheme of proving the file contained real information. Someone could select a random offset in the file, and Wikileaks could provide a key to decrypt a small region of the file beginning at that offset.

David RichardsAugust 6, 2010 6:44 AM

A followup to my last post:

A 1.4GB one-time-pad key would also allow "incremental redaction". Regions with published keys could have sub-regions where the key contained random bits. This would allow 'redaction' of regions that wikileaks may wish to withhold under their "harm minimization" program. Updated keys could be published in the future to 'unredact' any areas that they desire to reveal.

mokum von AmsterdamAugust 6, 2010 7:32 AM

Oddly no one mentioned RubberHose[1] here which was written by Julian Assange[2] [among others] and contains all the features one would like in [un-]certain circumstances[3].

[1]http://en.wikipedia.org/wiki/Rubberhose_(file_system)
[2]http://iq.org/~proff/rubberhose.org/
[3]http://iq.org/~proff/rubberhose.org/current/src/doc/maruguide/x25.html

Another_AnonymousAugust 6, 2010 7:41 AM

I thought I'd share this:

"According to Uber, one of Project Vigilant’s manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can “develop portfolios on any name, screen name or IP address.”

http://blogs.forbes.com/firewall/2010/08/01/...

saint-exuperyAugust 6, 2010 8:17 AM

Assange's belief in the need for insurance is well founded. There are many, many people in the giant US intelligence community who have no respect at all for the laws of any country outside the US, and precious little for their own laws. They imprison, torture, kill with impunity - outside the US of course, because inside the US they are protecting democracy :-). And they hate their lies being exposed, so someone like Assange has good reason to be worried.

Clive RobinsonAugust 6, 2010 8:21 AM

@ Yvon Sauvageau,

"The best encryption for a one-time message is the one-time pad. It's 100% uncrackable."

Only in theory...

As you note,

"So if they've done it right, their key (pad) is 1.4 GB in size."

The weasel words being "if they've done it right"

Generating 1.4GByte or more of really random data is not easy, and it has its own issues.

The same theory that proves the OTP secure also proves that an unending string of zeros or ones, or some "plain text revealing" pattern thereof, is equi-probable with one that shows no discernible pattern (ie just one of the myriad possible in 11,000,000,000 bits)

Although the full length string is highly improbable shorter strings of plain text revealing "patterns" are very probable in such large collections of bits.

Which means you have to take steps to decide which strings of bits are unacceptable and why and then mitigate against them (yes you can do Fourier, Walsh, Wavelet and compressibility analysis but that only gets some of them).

So it is far from being as simple as just waiting for your TRNG to pop them out...

In practice you would end up with a deterministic process with a random input, with two major questions arising,

1, What is the acceptable level of determinism to "sufficiently" prevent revealing plain text.

and,

2, How much True Random input is required to produce the required 1.4Gbytes of OTP key to an appropriate level of security...

In real life you might well be better off using a 256 bit counter with start offset and AES (ie CTR mode) where the AES key is updated at some lesser rate by another crypto algorithm in CTR mode. You then select a subset of the output (ie bottom 32bits or some such)

However at the end of the day it is still effectively a stream cipher (as is the OTP) with all its inherent defects.

So maybe it should use another block cipher to replace the XOR function, but not in ECB if the...

And so you slowly spiral down in "what if's" ;)

stoertebekerAugust 6, 2010 8:35 AM

If the file insurance.aes256 is indeed an insurance for Assange, then all he has to lose is wikileak.org with all published and unpublished files inside.

What could be taken away, could be all the hardware, backups, etc.... maybe his own life.

What is needed then is a backup he can get from everywhere all over the world, and what is better than a file that thousands of activists secure for free all over the world for him?

In that case, in time more and more insurance files, or newer versions, will come up.

At another scenario, which I don't believe: in the case it is a kind of blackmail insurance file, then it might be encrypted like a container via pgp, against other public keys he got from different people. Who in that case the people are? Assange knows or not. Maybe it's not his own insurance.

If there is only one password for the outer container, then have a look at the original download link of the file.

straw-glass-and-bottle/insurance.aes256

Then in case, like I read in scenarios, he thinks, he can in the last moment cry out a password to the medias - or whatever (Hollywood style bullshit in my eyes) ... well - he might never be able to do so. I would leave at least a clue or a hint. Maybe a bottle ...

Paeniteo, August 6, 2010 10:00 AM

I am not sure a one-time pad would be a good choice here... We all know that an OTP-encrypted ciphertext could be decrypted to anything.

Hence, should Wikileaks choose to release (even part of) the OTP key in the future, nobody can tell that the data is actually decrypting to what was previously encrypted. Nobody could prove that a provided key is correct, nor that it is incorrect, etc.

With AES, it is rather unlikely that two different keys decrypt a given ciphertext to two different, but meaningful cleartexts, allowing for a "proof" that a released key is genuine.

OTP is not a silver bullet...

David Thornley, August 6, 2010 10:08 AM

@Clive: Just so I've got your take on AES256 right, you're saying that it's almost certainly secure when the encryption and decryption are done on secure* computers (handwaving wildly to avoid the question of how I know they're secure), but much less so on computers that are controlled by somebody else?

*Secure meaning I, or somebody I trust implicitly, has control over what processes are running, and that no enemy has stuck something in without my knowing it (in extreme cases, access would allow a hardware keylogger, and that's game over right then).

Clive Robinson, August 6, 2010 12:38 PM

@ David Thornley,

"Just so I've got your take on AES256 right you're saying that it's almost certainly secure when the encryption and decryption are done on secure* computers (handwaving wildly to avoid the question of how I know they're secure),"

Not entirely.

I'm saying that as far as I'm aware the "end product" (ciphertext) of AES in the right mode is secure for most practical purposes.

However, on modern computers with general-purpose CPUs and OSs it is most likely not secure when software is actually doing the encrypting or decrypting.

This is due to timing differences in path execution and cache fetches etc. If an adversary can see these timing differences they can work out what the AES key is (and this has been demonstrated both across a LAN and using a wideband IQ radio receiver).

So you need either specialist AES hardware that does not leak timing information, or a second computer that is used "stand alone". That is, it is not connected to any network or other systems in any way and preferably is TEMPEST / EmSec hardened to reduce emanations to safe(ish) levels.

This standalone second system is used to do your encryption / decryption "off line" and only ciphertext files are put on or taken off the computer used "online" to transmit the ciphertext.

Which brings me onto your point about,

"but much less so on computers that are controlled by somebody else?"

Whilst it is true the attack surface is way bigger with computers controlled by somebody else, that is not the issue here.

What is at issue here is Efficiency-v-Security. As a general rule of thumb any "efficient" computer is rife with timing side channels; the more efficient, the more channels there are likely to be...

There are recognised ways of limiting the effect of timing-based side channels but very few are as cheap as a "second laptop" used "off line" in a stand-alone, air-gapped configuration.

Gumnaam, August 6, 2010 1:37 PM

Re: "That would be convincing."

Yes it would. However it would also reveal the nature of the contents of the remainder of the documents to the military who are likely knowledgeable about the nature of any files accessed by the alleged leaker.

Could it be a bluff? It's definitely a game of poker, and somebody somewhere really wants to know what cards are held by Assange.

Publishing even one single document would reveal Assange's hand while minimizing the extent of actual disclosure. This would be an unwise gambit for Assange to entertain. He has no need to be "convincing" at this point.

Likely Assange's motive for publishing this file truly was "insurance." He rightfully fears being arrested by thugs without borders. Now with this new encrypted release, military suppression of further leaks cannot be achieved by arresting him. Instead, it would guarantee further leaks since he likely has entrusted the secret key to someone who will disclose it in the event of his arrest.

The tradeoff he makes with this stance, is that it becomes somewhat to his advantage not to publish whatever is in the file or the secret key to decrypt it, and this stance is thus contrary to the mission of wikileaks.

Assange is intelligent, and likely he will find a way of successfully navigating this minefield.

brain fart, August 6, 2010 3:23 PM

> Clive, most of the time I can't figure out if you really know stuff
> or are just a raving nutbar.

Me neither, but I assume it's the latter.

> Can always tell your posts before seeing the name

Me too. Must be the horrible spelling.

66, August 6, 2010 8:21 PM

Wikithief. "There is a growing threat of missiles, information warfare and biological, chemical, and nuclear weaponry, different than the cold war era threat, but equally troublesome." DSB

We don't want biological or chemical leaks. Declaring information warfare on the DOD is a real bad idea. "Hope encourages men to endure and attempt everything; in depriving them of it, or in making it too distant, you deprive them of their very soul." You hope you can get out of the minefield. You can't be too sure. Maybe somebody will leak a map. A good cartoon-all mine and no soul. He already looks like a ghost.

Gumnaam, August 6, 2010 9:01 PM

Perhaps what we're seeing with Wikileaks is the real reason our government wants, and is legislating, an "off-switch" for the internet.

Gumnaam, August 6, 2010 9:11 PM

@Tony
Re: "The Israelis really hate Obama. There is no telling what they have on him."

Probably nothing - which would present a unique problem.

Nick P, August 6, 2010 10:00 PM

@ David Thornley on Clive's claim

The post he made right after yours tells the story with more clarity than the others. There's little fault to find in that post, in my opinion. He's trying to express what NSA's Christopher Snow said like this: "If you look for a one-word synopsis of computer design philosophy, it was and is SHARING. In the security realm, the one word synopsis is SEPARATION: keeping the bad guys away from the good guys stuff. [important part] So today, making a computer secure requires imposing a "separation paradigm" on top of an architecture built to share. That is tough! Even when partly successful, the residual problem is going to be covert channels." ("We Need Assurance", Snow)

So, Clive's points are accurate in this regard. High assurance designs destined for EAL6-7 or Orange Book B3/A1 were intensely examined for covert channels using mathematical methods. Even in A1-class TCB's, covert channels inevitably existed. This was true even though those systems were designed specifically to control information flow and mitigate covert channels. The boards' microcode/firmware/BIOS/drivers were often modified to reduce their issues. A modern computer with DMA, multicore-shared L3 cache, complex drivers, megs of unverified kernel code, etc. is rife with covert channels. You add all the user-level components and the complexity of their interactions and you have more. If undergrads are exploiting each of these in various ways, how the hell could encryption on such a machine be called "secure" when groups like NSA are the opponents?

So, it's indeed best to use some air gapping and physical separation to help ensure logical separation. My VPN design involved *three* computers for intranet, crypto, and internet respectively. The crypto part might actually be two computers: session/state management and crypto coprocessor. The crypto system uses highly secure[d] hardware/RTOS/software. Other two use hardened OpenBSD. They are all connected via non-DMA hardware (possibly form of ATA) that transmits fixed size data at a regular rate. This all seems wasteful, slow and redundant, but it's the only way to prevent data leaks or remote side channels. Physical attacks are still very possible. (sighs) Just goes to show how hard and expensive it is. Real security requires expensive, custom hardware and millions in development costs. Hence, Clive's right that AES alone isn't secure. It takes secure hardware, software, design, implementation and monitoring.

Tuna, August 7, 2010 2:45 AM

I think it's OpenSSL encrypted. `head -c 8 insurance.aes256` gives me 'Salted__'. Encrypt something with openssl using the -salt flag and base64 decode it, you'll get the same thing.

This proves nothing, and I'm certainly no crypto expert of any sort (and I don't play one on TV, but occasionally in games of Charades), but I personally don't believe it to be a bluff. I think it is probably the unreleased 15,000 documents we keep hearing about.

"Assange is a bit of a drama queen and a publicity seeker. Turning /dev/random output into a little media event is about his speed." -Carlo

Quite possible. But Assange *has* to be a drama queen, he runs a nonprofit organization. You can't keep a nonprofit alive without being a total attention whore. Otherwise you get no donations and nobody pays attention to you. Assange alluded to something similar to this when asked by an interviewer why Wikileaks has commentaries on the material (I don't recall who was interviewing him or when, does this sound familiar to anyone?).
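The `head -c 8` check in the comment above, as an added Go example that is not from the thread: a file written by `openssl enc -salt` is the 8-byte magic `Salted__`, an 8-byte random salt, then the ciphertext, and the key and IV come from the passphrase and salt via OpenSSL's EVP_BytesToKey. In 2010 that derivation used MD5 with a single iteration; OpenSSL 1.1.0 later changed the default digest to SHA-256, and `-pbkdf2` is the right choice for new files, so the digest is a parameter here. The passphrase, the sample plaintext and the choice of AES-256-CBC are constructed assumptions. As the comment says, the header proves nothing on its own: anyone can put those eight bytes in front of random data, which is why `IsOpenSSLSalted` is only a format hint.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
)

// Layout written by `openssl enc -salt`: "Salted__", 8-byte salt, ciphertext.
const opensslMagic = "Salted__"

// IsOpenSSLSalted is the `head -c 8` test. It is a format hint only: the
// header is trivially forgeable and says nothing about what follows it.
func IsOpenSSLSalted(blob []byte) bool {
	return len(blob) >= 16 && string(blob[:8]) == opensslMagic
}

// EVPBytesToKey is OpenSSL's legacy EVP_BytesToKey with one iteration:
// D_1 = H(pass||salt), D_i = H(D_{i-1}||pass||salt), concatenated until
// keyLen+ivLen bytes exist. `openssl enc` used MD5 here in 2010; 1.1.0+
// defaults to SHA-256 and -pbkdf2 should be used for anything new.
func EVPBytesToKey(newHash func() hash.Hash, pass, salt []byte, keyLen, ivLen int) (key, iv []byte) {
	var out, prev []byte
	for len(out) < keyLen+ivLen {
		h := newHash()
		h.Write(prev)
		h.Write(pass)
		h.Write(salt)
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:keyLen], out[keyLen : keyLen+ivLen]
}

// Seal mimics `openssl enc -aes-256-cbc -salt -md <digest>`: random salt,
// derive key/IV, PKCS#7 pad, CBC-encrypt, prepend the header.
func Seal(newHash func() hash.Hash, pass, plaintext []byte) ([]byte, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key, iv := EVPBytesToKey(newHash, pass, salt, 32, aes.BlockSize)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte(opensslMagic), salt...), ct...), nil
}

// Open reverses Seal. A wrong passphrase usually surfaces as bad padding,
// but roughly one wrong key in 256 passes the padding check by chance, so a
// clean unpad is not proof that the key was right.
func Open(newHash func() hash.Hash, pass, blob []byte) ([]byte, error) {
	if !IsOpenSSLSalted(blob) {
		return nil, errors.New("no Salted__ header")
	}
	salt, ct := blob[8:16], blob[16:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	key, iv := EVPBytesToKey(newHash, pass, salt, 32, aes.BlockSize)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding (wrong passphrase or corrupt data)")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	// Constructed sample standing in for the 1.4 GB file.
	blob, _ := Seal(md5.New, []byte("hunter2"), []byte("not the real insurance file"))
	fmt.Printf("header present: %v, salt: %x\n", IsOpenSSLSalted(blob), blob[8:16])
	pt, err := Open(md5.New, []byte("hunter2"), blob)
	fmt.Printf("%q %v\n", pt, err)
	_, err = Open(sha256.New, []byte("hunter2"), blob) // wrong digest = wrong key
	fmt.Println("with sha256:", err)
}
```

The digest mismatch at the end is the practical trap when a 2010-era file meets a current OpenSSL: the same passphrase derives a different key, and the failure looks like a wrong password.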

Cornerstone, August 7, 2010 3:32 AM

@Clive,
Your last posts are far more understandable. If you are about sharing information then clarity and explanation are far more helpful than a tornado of technical terms that only a very few readers will make any sense of. There is so much vague incoherent rambling on the web that it's easy to skip over anything that sounds like rubbish.

You have the right idea about "nutbar", though I'm not American so I'm not sure what they say. Now what I want to know is...

What's the simplest way to make a notebook "EmSec"? A big foil bag tented over it, or perhaps a copper mesh box with openings for hands? I assume you pull the LAN cable out. How close does someone need to be to detect "side channel" information? I once had a friend who actually made a small tent sized wood box lined with copper sheeting to sit in. He didn't use computers - this was just to prevent cosmic rays from "getting him".

Clive Robinson, August 7, 2010 4:47 AM

@ David Thornley,

@ Nick P's comments about "sharing -v- separation" come from the then Director of Education at the NSA, Brian Snow (Christopher Snow did something altogether different), in a keynote speech he gave back in 2005,

http://www.acsac.org/2005/papers/Snow.pdf

In which he does a 5 year and 10 year forecast; even though his forecast was dismal for the time, he was woefully over-optimistic (in many ways we have actually regressed).

The paper is well worth a read and I agree with most of it, including the DRM point (you need to separate the purpose of the technology from the intent of the paymasters to see why).

I have been banging on about "efficiency -v- security" for many years (publicly so since the late 1990's). Brian Snow's "share -v- separation" is but a small subset of it. Sometimes you have to look at the motivation, not the technology, to see where the real issues and solutions repose.

Dan brown, August 7, 2010 6:47 AM

Sounds like the plot from one of my books, just create something to keep the NSA's computers busy till they blow up.

Nick P, August 7, 2010 8:42 AM

@ Clive

Thanks for the correction. I think the mistaken name actually came from a Dean Koontz novel I read a while back. The character had hilarious wit, no doubt a reflection of the author. (Probably a form of bragging, too, but I can't be too sure.)

On Brian Snow, it's probably worth a mention that he was a Technical Director (aka "chief scientist") for 14 years building secure GOTS and custom solutions. In my eyes, this makes his claims more credible and his points worth considering further. That the points make good sense helps, too. I still have to be suspicious of any official recommendations. If only his organization's integrity wasn't so tarnished...

Jason Penney, August 7, 2010 11:47 AM

I'm thinking, because they call it "insurance", that there is an instance of Dead Man's Switch somewhere that will broadcast the encryption key if someone (or someones) don't report in.

Yvon Sauvageau, August 7, 2010 12:22 PM

@Clive Robinson

"Generating 1.4GByte or more of really random is not easy, and it has its own issues."

This is true if one attempts to generate them all from a single seed and a single algorithm. But one can generate multiple batches through various means (and possibly using physical data to generate seeds), and bunch them up together (and perhaps even mix them up).

Also the Soviets often used one time pads. I don't know to what extent it's a good reference though.

66, August 7, 2010 12:33 PM

Somebody could not be reporting in. Got hit by a bus, had an accident or a million other things. Can't report in. Murphy's Law says you can't plan anything 100% and planning leaks can get you killed or worse, get some other people killed. The people saving time and money are the Taliban. They now have access to intelligence that gives them more operational flexibility and capacity.

Look at wikileaks donor network, chart it and then disrupt it. It's a minefield with the potential to become a bigger minefield.

Yvon Sauvageau, August 7, 2010 9:03 PM

@Paeniteo

You brought up an interesting point. Assuming Wikileaks has planned to play this game of partial disclosure, here's how I think it could be done with OTP.

1) Wikileaks tells the US Gov: we will partition the ciphertext in chunks of fixed size and we will disclose any of those chunks you want to look at. Please choose the chunk size, within reason.

2) US Gov says: how about 50KB?

3) Wikileaks says: good. Now here are the SHA-1 hash values of all the partial keys to view the chunks. Which chunks do you want to look at?

4) US Gov says: chunks 45, 46, 47, 347, 348, 349, 788, 789, 790.

5) Wikileaks says: here are the 9 keys. Please verify that their SHA-1 hash values are indeed those that we previously gave you. You did well in selecting some successive chunks as this will reassure you that the plaintext is coherent throughout.

6) US Gov says: it's true that it looks coherent so far. However there's a change of topic beginning exactly at chunk 348. Could you let us peek at a much wider area around that chunk?

7) Wikileaks says: fair enough. Here are the keys for chunks 300 to 400. Needless to say, you should verify them with SHA-1.

8) US Gov says: looking good so far. However we need to ascertain that there is no region filled with garbage. So we want to look at a large sample of chunks. How about 200 chunks?

9) Wikileaks says: it makes sense. Please select your 200 chunks.

etc...

Note that it goes without saying that they could have wrapped the OTP ciphertext in some encryption layer like AES for extra safety.
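The commit-then-reveal exchange in the steps above, as an added Go example that is not from the thread. Each chunk gets its own full-length random key; the hash of every key is published before any chunk is challenged; a revealed key is accepted only if it hashes to the published commitment and has the right length. The example also shows Paeniteo's objection from earlier in the thread: without the commitment a prover can XOR any chunk's ciphertext with whatever "plaintext" they like and hand out the result as the key (`ForgeKey`), and with the commitment in place that forged key is rejected. The 16-byte chunk size, the sample document and the use of SHA-256 in place of the SHA-1 named in the comment are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const chunkSize = 16 // the comment's 50 KB, shrunk for the demo

// commit binds a chunk key before the verifier picks chunks. The comment used
// SHA-1; SHA-256 is substituted here.
func commit(key []byte) [32]byte { return sha256.Sum256(key) }

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Prover holds the per-chunk OTP keys and the published ciphertext chunks.
type Prover struct {
	Keys   [][]byte
	Cipher [][]byte
}

// NewProver is steps 1 and 3: chunk the plaintext, draw one random key per
// chunk, publish ciphertext chunks and the commitments to the keys.
func NewProver(plaintext []byte) (*Prover, [][32]byte, error) {
	p := &Prover{}
	var commits [][32]byte
	for start := 0; start < len(plaintext); start += chunkSize {
		end := start + chunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		key := make([]byte, end-start)
		if _, err := rand.Read(key); err != nil {
			return nil, nil, err
		}
		p.Keys = append(p.Keys, key)
		p.Cipher = append(p.Cipher, xor(plaintext[start:end], key))
		commits = append(commits, commit(key))
	}
	return p, commits, nil
}

// Reveal is step 5: hand out the keys for the challenged chunk indices.
func (p *Prover) Reveal(idx []int) [][]byte {
	out := make([][]byte, len(idx))
	for i, j := range idx {
		out[i] = p.Keys[j]
	}
	return out
}

// ForgeKey is what a dishonest prover can do with a bare OTP: choose a key
// that makes chunk j "decrypt" to wanted. Only the commitment stops this.
func (p *Prover) ForgeKey(j int, wanted []byte) []byte { return xor(p.Cipher[j], wanted) }

// Verify is the verifier's side of step 5: each revealed key must have the
// chunk's length and hash to the commitment published before the challenge.
func Verify(cipher [][]byte, commits [][32]byte, idx []int, keys [][]byte) ([][]byte, error) {
	if len(idx) != len(keys) {
		return nil, errors.New("key count does not match challenge")
	}
	var plain [][]byte
	for i, j := range idx {
		if j < 0 || j >= len(cipher) || len(keys[i]) != len(cipher[j]) {
			return nil, fmt.Errorf("chunk %d: bad index or key length", j)
		}
		if commit(keys[i]) != commits[j] {
			return nil, fmt.Errorf("chunk %d: key does not match commitment", j)
		}
		plain = append(plain, xor(cipher[j], keys[i]))
	}
	return plain, nil
}

func main() {
	doc := []byte("CHUNK-0 real text.. CHUNK-1 real text.. CHUNK-2 real text..") // constructed
	p, commits, _ := NewProver(doc)
	challenge := []int{0, 2} // step 4: the verifier picks chunks
	pt, err := Verify(p.Cipher, commits, challenge, p.Reveal(challenge))
	fmt.Printf("honest: %q err=%v\n", bytes.Join(pt, []byte("|")), err)
	forged := p.ForgeKey(1, []byte("fake plaintext!!"))
	_, err = Verify(p.Cipher, commits, []int{1}, [][]byte{forged})
	fmt.Println("forged:", err)
}
```

The commitment is what turns the OTP from "decrypts to anything" into something a verifier can check: once the hashes are out, the prover is tied to the keys they drew, and a key crafted after the fact will not match.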

pdf23ds, August 7, 2010 9:36 PM

I think that the OTP idea is just stupid, personally. (Although, to be fair, it did take me a minute to realize it.) Why? Because releasing the "key" and simply releasing the plaintext are, mathematically speaking, identical actions. There's no point in publishing the ciphertext. For instance, the scenario in Yvon's last comment could completely dispose of the OTP ciphertext with no meaningful effect on the process.

Why post a ciphertext as insurance if publishing the key is just as difficult as publishing the plaintext? Stupid. Clive, I'm disappointed you took the OTP idea seriously.

Seems to me that OTP is only useful when the recipient already knows the key.

Yvon Sauvageau, August 7, 2010 9:51 PM

@pdf23ds

I obviously thought of that. The same reasoning goes with AES. Publishing the 256-bit key is equivalent to publishing the plaintext. The only difference is that 256 bits is much shorter than 1.4 GB. But really that difference is trivial, since Wikileaks has shown they can easily distribute data of that size. So either way, Assange is not as bright as he thinks he is; or... he really wants to play this game of progressive disclosure. And OTP is more flexible than AES for this.

Nick P, August 7, 2010 11:07 PM

@ pdf23ds

I agree. The OTP idea was so stupid I didn't even comment on it, but I can't resist now. They obviously need to be able to publish the key using any communication means available, which may be low bandwidth. I mean, they might signal someone with a high bandwidth connection to release an OTP key, but a 256-bit key is more practical. The data could also be encrypted with two separate keys: one small chunk at beginning for NSA/DOD to verify, whole collection encrypted afterwards. Or they could have simply given NSA/DOD the key to the whole thing for shock and awe.

Regardless of the strategy, OTP is too impractical. There are so many good progressive disclosure possibilities that need no more than a few megs of keys that a 1.4GB OTP key seems amusing.

Yvon Sauvageau, August 7, 2010 11:24 PM

In what I said earlier, I kind of made an underestimation of Assange in the case where no progressive disclosure is planned. Of course, with either OTP or AES he can now destroy his plaintext.

Yvon Sauvageau, August 7, 2010 11:37 PM

@Nick P

Calling an idea 'stupid' without fully considering its good points is a nice recipe to think inside the box. If you want to call it 'impractical', I think it's better. The only thing against it is the key size. I mean, what else (other than it takes some effort to generate random numbers)? In 2010, 1.4 GB is nothing, not even on the Internet where you have BitTorrents. Do you think there's the potential of the world coming to an end and they won't have time to release that? If it's the case then it would be too late for them to act anyway. Don't forget that no agency has the slightest clue how to crack OTP, whereas they have some hope with AES.

Clive Robinson, August 8, 2010 5:11 AM

@ Nick P,

Yes, Brian Snow has been a Director of quite a few areas in the NSA at one time or another. And I have no issue with what he said in that keynote speech (other than it did not go far enough).

Yes, the NSA does have a tarnished image, as do the likes of IBM, Microsoft et al.

The problem the NSA has is the almost schizophrenic or multiple personality disorder of its original mission statement.

It was originally tasked with two main objectives, the first being "to protect the communications of the US", the second "to intercept and report the communications of other nations".

At first sight it appears to be two separate functions with a lot of common ground (to be secure you first have to know what you are securing against, which you find out by attacking others' systems for weaknesses).

However, an issue arises when the first mission gets extended via the likes of NATO, BRUSA etc. to "protecting the communications of the US and her Allies", especially when you are actively attacking the allies' private communications (for whatever reason). You get a schism simply because any system you use with your allies leaks information about its inner workings, which enables those you are eavesdropping on to improve their communications beyond the point where you can usefully do anything with any intercepts.

Back in the 1960's it became abundantly clear that National Security was not limited to just matters pertaining to Diplomats and the Military but commerce as well. This point became brutally clear later when Russia used espionage techniques to manipulate grain prices so they could get large quantities of US grain at prices they would not have been able to without using them.

Thus the NSA had more mission creep on its hands: it now had to provide protection to commercial interests as well, which is why we ended up with DES. But the NSA had miscalculated; they never intended for DES to be anything other than a hardware implementation (one of the reasons for the Initial Permutation).

Unfortunately for the NSA, DES leaked way too many secrets to enquiring minds, and the other side of their business took a major hit. So the NSA went into Public Denial about DES for many many years with easily disprovable statements about its strength etc.

Back in the 1980's it became clear to some that software had major issues with side channels and software implementation of crypto algorithms was very bad news for security. But very good news for the other side of the NSA's mission, as it allowed them to deduce key information and thus stay in business.

However, it was bad news for the protection of the comms side. If you have ever had the misfortune to work on NSA or BID equipment you will know what an engineering nightmare it is. More so if you ever had to design the bl**dy stuff. It was not just TEMPEST design but SEGREGATION; it all had to be done in a non-obvious way ("give away" paranoia). The result was the 500lb gold-plated Gorilla doing the job of a 10 ounce carrier pigeon.

The equipment the NSA was producing was not fit for purpose and the cost was unacceptable. With the end of the cold war the NSA had to "get with the program" of cost effectiveness. They tried a myriad of wriggles (Capstone / key escrow etc.) but during the Clinton era they realised that it was better for their interests to be seen to be doing something useful for the US people with all the money they got given.

The NSA actually for a while became proactive in many ways. Unfortunately the Hawks got back in the driving seat and with no real external enemy they had to treat the civilians as the enemy; thus the NSA got a third mission that was most definitely outside its charter but it came with a nice big bundle of cash.

Then along came 9/11 as a gift from heaven and the NSA's illegal third mission went completely rogue. And due to the administration at the time its access to private individuals within the US went just about "total". However, this involved so many resources and people it leaked out fairly quickly and hit the fan and the whole organisation got completely "dipped in 5h1t".

Sadly the good work (that they still do) as part of their mission to protect the comms of the US et al. is now effectively hidden from view or treated with deep suspicion.

Mostly what this side of the NSA says can be regarded as spot on. However, you have to pay attention and read between the lines. The old game between the two original missions still applies, only at a different level.

So as I said, the NSA approve of AES under certain conditions only... they don't give it blanket approval. It's working out the whys of the conditions that provides a significant challenge to the astute.

As I've said before on this blog, the area of concern currently is "side channels" in all their forms and "known plaintext" in the likes of standard document headers.

Side channels can only be dealt with by "segregation" techniques and strict interface monitoring and control to reduce channel bandwidth to very minimal amounts, then effectively encrypt the channel with noise such that even that narrow bandwidth is unusable in a realistic time frame.

As for "known" plain text, "compression" is not effective, thus after compressing a file you need to pre-encrypt it before using the main encryption.

One early way to hide headers (Russian Coupling) was to split the text into two at a random point and swap their position, thereby hiding the position of the message header in the body of the message (you then inserted the position of the split at a known point in the text).

In modern times one split is inadequate and the length of splits needs to be kept as short as possible, whilst being spread across the entire message length. Thus a byte-level transposition encryption will break up a "known text". However, the "known text" frequency statistics will still remain, thus the application of a substitution (stream cipher) after the transposition would not go amiss ;)

Have a look at Ross Anderson's "Dancing Bear" system for some good ideas,

http://www.cl.cam.ac.uk/~rja14/Papers/grizzle.pdf
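The Russian coupling described in the comment above, as an added Go example that is not from the thread: split at a random point, swap the two halves, and store the split offset at a fixed place at the front of the output (the "known point in the text"). It also checks the caveat made in the same comment, that a transposition leaves the byte frequency statistics intact: the histogram of the coupled body is identical to that of the original, so a header is moved but not hidden from frequency analysis. The 4-byte big-endian offset field, the single split and the sample "%PDF-1.4" document are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Couple picks a random split point p in 1..len(msg)-1, emits msg[p:]
// followed by msg[:p], and records p in a 4-byte big-endian field at the
// front (this example's "known point in the text").
func Couple(msg []byte) ([]byte, error) {
	if len(msg) < 2 {
		return nil, errors.New("message too short to split")
	}
	r, err := rand.Int(rand.Reader, big.NewInt(int64(len(msg)-1)))
	if err != nil {
		return nil, err
	}
	p := int(r.Int64()) + 1 // both halves non-empty, so the header always moves
	out := make([]byte, 4, 4+len(msg))
	binary.BigEndian.PutUint32(out, uint32(p))
	out = append(out, msg[p:]...)
	return append(out, msg[:p]...), nil
}

// Uncouple reverses Couple and rejects an offset that does not fit the body.
func Uncouple(blob []byte) ([]byte, error) {
	if len(blob) < 6 {
		return nil, errors.New("blob too short")
	}
	p, body := int(binary.BigEndian.Uint32(blob)), blob[4:]
	if p < 1 || p >= len(body) {
		return nil, errors.New("split offset out of range")
	}
	cut := len(body) - p // body = msg[p:] || msg[:p]
	return append(append([]byte{}, body[cut:]...), body[:cut]...), nil
}

// Histogram counts byte values. Coupling permutes bytes, so the histogram of
// the body is unchanged: a transposition hides position, not frequency.
func Histogram(b []byte) (h [256]int) {
	for _, c := range b {
		h[c]++
	}
	return h
}

func main() {
	msg := []byte("%PDF-1.4 constructed sample document body ........") // constructed
	c, _ := Couple(msg)
	fmt.Printf("header still at the front: %v\n", bytes.HasPrefix(c[4:], []byte("%PDF")))
	back, err := Uncouple(c)
	fmt.Printf("round trip ok: %v err=%v\n", bytes.Equal(back, msg), err)
	fmt.Println("histogram preserved:", Histogram(c[4:]) == Histogram(msg))
}
```

Storing the offset in the clear at the front is only for the demonstration; in the scheme described in the comment the position is itself buried in the text, and the whole thing is meant to sit under a substitution layer anyway.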

Yvon Sauvageau, August 8, 2010 6:08 AM

@Nick P

... And to show you how uncrackable this scheme is even with pseudo-random numbers in the key: I would not post the ciphertext in the 'insurance' file. Instead I would post the key. Good luck trying to make sense of that, even if you're able to find all non-random patterns. When comes the time to (partially or not) reveal the plaintext, I would send the ciphertext. Add those things together and you get the plaintext.

Clive Robinson, August 8, 2010 7:53 AM

@ Cornerstone,

"Your last posts are far more understandable. If you are about sharing information then clarity and explanation are far more helpful than a tornado of technical terms that only a very few readers will make any sense of."

One flip side of the problem is keeping the post short; compress it too far via technical terms etc. and, well, "snickers all round".

However, to answer your question,

"What's the simplest way to make a notebook "EmSec"?"

The simple answer, as you have already guessed, is you can't; it's the environment around it AND the user.

The things you have to consider are energy and bandwidth in channels.

Most people immediately think of EMC-type protection and forget that a hidden CCTV camera can watch the user typing and possibly even the screen.

It has been shown that you don't even have to be in line with the screen optically to use optics to reconstruct it. Some bods at Camb Labs used a telescope and a photomultiplier to pick the serial scan signal of a generalised reflection on the wall from across the street.

Likewise acoustic energy has been used to pick up the keyboard sounds and that of the fan and hard drive to leak information.

In theory (and probably in practice) strain gauges mounted at appropriate points will be able to tell which key was pressed if the mechanical coupling is sufficient. Thus a laptop put down on top of a suitable pressure mat would, each time a key is pressed, give four different strength signals from the four rubber pads underneath the laptop...

Thus in "theory" you have a lot to consider and mitigate against.

As I said (badly ;) above, there is a tipping point at which each type of attack becomes viable to an adversary.

There are two ways of dealing with energy emissions: suppression and masking.

Neither is totally effective for a number of reasons and their cost tends to rise faster than their effectiveness (same as car seat belts and airbags).

However, in combination, as in many engineering problems, there is a "sweet spot" where their combined efforts produce results greater than the sum of their individual effects.

But... and it's a big but, you need to consider the transmission channels available to an attacker and how you suppress them. As you note,

"you pull the LAN cable out."

To remove one channel (and also turn off the Wi-Fi and Bluetooth and unplug the power cable).

But some you cannot see, like re-bar in the wall, steel joists, cables etc. where an EM signal "close couples" and gets carried considerable distances.

In some cases a loop antenna might well be put in an environment and not immediately be recognised as such (outer of the TV antenna cable and ground in mains wiring forming a closed loop around a hotel room, likewise metal-framed windows). Thus distance from such objects is desirable, as is using your laptop in random places in public areas (but never the same place twice, and keep moving).

But that only deals to a certain extent with low-frequency EM; there is still IR and visible light to be considered. Which brings me around to your comment,

"A big foil bag tented over it, or perhaps a copper mesh box with openings for hands".

A big foil bag over you and the laptop will help suppress IR and visible light but not really be effective with low-frequency EM, which an appropriate metal mesh would be better at.

With care most laptops can be taken apart and appropriate metal mesh put inside the outer clamshell casing and connected back to the battery ground. However, care needs to be taken as it could also act as a radiating antenna if not done properly. With more care the mesh can be put across the keyboard area (take the key caps off and punch holes in the mesh to allow the plastic key cap sprues to go through) and with the right mesh put across the LCD screen and still be seen through (this has the extra advantage of vastly reducing the screen viewing angles). Further suppression can be gained by the use of ferrite and carbon-loaded foam and low-density plastics; these can usually be easily moulded to the case as well (but not the screen) and can be obtained as "100 ohm foam" for ESD protection for storing ICs on, or anechoic material for RF test chambers.

There are also software solutions such as "TEMPEST fonts" to reduce screen emission and disabling the loading of peripheral drivers.

Sound and vibration can usually be suppressed via the use of graded materials that absorb acoustic energy.

But these are all only partially effective, thus you therefore need to consider "masking" the signals your laptop produces.

To do this you need to find out what sort of signals your laptop emits; this involves the use of an anechoic test chamber and suitable sensors for both EM and acoustic energy and test equipment to analyse the individual signals. Having done this you then make a suitable generator that produces about 100 times (+20dB) the output.

There are also software solutions that produce random (white) noise in the speaker and "champing jobs" that cause random CPU, memory and I/O activity.

However, masking has its downside: effectively you are adding a random signal to the signal an attacker is looking for. And the attacker should not be able to predict or null this noise signal, otherwise they can remove it from the signal they actually want.

An early example of predicting was the cars provided by the Russian authorities for visiting dignitaries: they helpfully put in a radio, knowing that the dignitaries had been told that talking quietly with a loud music station playing would "confuse the hidden mics" and stop the conversation being recorded. However, the Russians used multiple-track recorders where one track was wired in from the radio's speaker terminals to provide a cancelling signal. And the three or more mic channels could be put through various processes to remove other audio interference.

Which brings me on to your second question,

"How close does someone need to be to detect side channel information?"

The answer is difficult because of the complexities involved with such things as "near field" effects and coupling to transmission channels as well as the actual level of emissions from your laptop.

Also what the attacker can do out of sight. For instance if you are in a hotel room and your laptop emits a useful VHF or UHF signal (and they all do these days) the attacker can use two or more high-gain antennas and use "space diversity" effects to pull your laptop signal out of the general background noise. Likewise with audio and travelling-wave mics.

As for your past friend,

"I once had a friend who actually made a small tent sized wood box lined with copper sheeting to sit in. He didn't use computers- this was just to prevent cosmic rays from getting him."

Most "cosmic rays" and quite a bit of other EM / magnetic energy would pass through copper sheeting and him(?)....

CornerstoneAugust 8, 2010 1:14 PM

@Clive,
Wow. Just wow. And here I was hoping I could buy something on ebay... ha ha. Or make and sell something.

Regarding wikileaks: have others noticed that their site is blocked? For me both in the UK and Thailand it just gives a blank page. But from Germany it is fine (using proxies).

NIRAugust 8, 2010 4:53 PM

I wonder whether the whistleblower of this insurance data is happy about not getting it publicized...

Clive RobinsonAugust 9, 2010 5:21 AM

@ pdf23ds,

"Clive, I'm disappointed you took the OTP idea seriously."

As a hypothesis I have taken it no more seriously or less seriously than any other presented here, and have added an evaluation (not that favourable to OTP) which you will see if you go back and read it again.

The problem we have is,

1, A large bag of bits with a name attached that supposedly "is" something to do with WiKiLeaks; everything else is hypotheses which we cannot test (i.e. unsound scientific method).

2, We further have assumptions about how many documents or other data (17,000 to 200,000 cables etc) the "front man" of WiKiLeaks might or might not have.

3, Likewise the assumptions as to whether the "front man" behind WiKiLeaks actually believes his life / liberty is in danger from at least three different sets of people (US Gov, Taliban, families of Afghan agents) and possibly various non-governmental entities in the US and other places.

4, There are also statements made by others that the "front man" behind WiKiLeaks has seen his funding dry up.

5, And likewise supposedly the monies so far donated to WiKiLeaks have paid for the "front man's" (lavish?) lifestyle abroad.

As a series of not necessarily true or related items you can spin and weave a whole heap of unfinished broad cloth and then cut your sails to suit from it.

As the Newtonian scientific method cannot be applied (no measurands to test) you are left with the methods of Aristotle and his predecessors, which as a scientific method was so lacking that we got a whole load of subsequent limiters such as Occam's Razor.

However when dealing with humans and their endeavours the likes of Occam's Razor do not apply (just apply it to just about any game man has ever invented to see why).

However the way of Aristotle is supposedly also the way of the detective, with different adages applied, such as the fictional Sherlock Holmes's "after eliminating the impossible..."

So you have to examine each and every hypothesis no matter how improbable and only discard it if you can show it's impossible.

Then you rank each surviving hypothesis against a set of measures to see which is more probable than others.

You then set about trying to confirm or refute each hypothesis, whilst also adjusting your measures in the light of new evidence or hypotheses.

As we know, what is considered to be "evidence" is at the best of times a probable fact open to interpretation, or at worst pure invention with no basis in reality, so we have considerable problems.

It thus descends into the joys and entertainment of a "who dun it" weekend or "rag chew over a brewski on the front step", and it would be inadvisable to treat as anything more serious.

Yvon SauvageauAugust 9, 2010 12:08 PM

To summarize this OTP vs AES debate. No matter how you slice and dice it, all Wikileaks has achieved by encrypting the file is that now they can destroy the plaintext. And it probably does not exist as we speak. So now the complete information is split in two parts. The publicly accessible part is 1.4 GB in both AES and OTP, and the hidden part is 256 bits in AES and 1.4 GB in OTP.

With AES it is very likely to be crackable by some agencies. With OTP, it is 100% uncrackable, because Wikileaks would have publicized the 1.4 GB key instead of the 1.4 GB cyphertext (which they would keep hidden).

It all boils down to what Wikileaks' intents are. If they don't mind that agencies might crack it, and they value the fact that the hidden part (the key) should be memorized in Assange's brain and can be publicized by a mere phone call, then they would be justified to choose AES. But if they've chosen AES, they probably have not given consideration to progressive disclosure as Bruce mentioned, given the way they have released it.

As I've pointed out, all they have achieved with encryption is that the plaintext is destroyed by now. With OTP, they could have published the amusing key 111111111... but they would not be able to destroy their plaintext. But anyway, take that amusing key and go back to my discussion on how progressive disclosure can be done with OTP, and it will be obvious to anyone why it works. (And reverse the use of key and cyphertext, as they would actually have published the OTP key, so the SHA-1 would be applied to parts of cyphertext.)

Given how OTP seems unintuitive to most people, I would now bet that Wikileaks went lazy and simply used AES. So Assange, or one of his acolytes, probably has the hidden part stored in his brain.

Nick PAugust 9, 2010 2:03 PM

@ Yvon Sauvageau

Perhaps I could have chosen better words, but it seems that "stupid" and "impractical" are equivalent from an operations standpoint. Isn't choosing the impractical over more practical alternatives usually "stupid"?

Back to your point, they might have used OTP. But it just seems unnecessary for insurance. I don't think they have a need to prove anything about their insurance: their actions up to this point have proven that they have access to damaging information and the ability to present it well. If they told NSA the names of some documents or subject matter, the number of documents, file size, etc. I think NSA would believe they have them. NSA is too paranoid to say "this group that consistently leaked damaging classified information is probably bluffing."

Also, they can just send them encrypted fragments or the key to the main collection to prove they have damaging info, so OTP progressive disclosure is also not needed. I see how it could be useful, it's just not as practical. If an agent is kicking down the door to your African hotel, the last thing I'd like to say is "Quick, upload the 1.4GB key!" Again, they might have it on a secret external computer with good bandwidth and it releases it when it receives a small secret. Sounds like a feasible way to quickly deploy your OTP idea, but it might get DDOSed during an attack on Assange by pros. He acts paranoid schizophrenic so he'd do whatever works the quickest, with most certainty and with the most impact. Just my hypothesis...

So, again, it's not that the idea is totally stupid or anything. It just seems that alternatives make more sense, especially to paranoid individuals deciding on them. The alternatives are also more practical. I'll be pleasantly surprised if I see a 1.4GB key on torrents in near future.

pdf23dsAugust 9, 2010 2:15 PM

"As the Newtonian Scientific method can not be applied (no measurands to test) you are left with the methods of Aristotle and his predecessors, which as a scientific method was so lacking we got a whole load of subsiquent limiters such as Occam's Razor.

However when dealing with humans and their endeavours the likes of Occam's Razor do not apply (just apply it to just about any game man has ever invented to see why)."

Actually, I think the method you're looking for is game theory. And yes, game theory is worlds away from Occam's razor.

jgrecoAugust 9, 2010 2:20 PM

@Yvon Sauvageau at August 9, 2010 12:08 PM

"With OTP, it is 100% uncrackable, because Wikileaks would have publicized the 1.4 GB key instead of the 1.4 GB cyphertext (which they would keep hidden)."

See, comments like that just scream to me "someone doesn't know what they are talking about". What pray tell is the conceptual difference between publishing the "key" and publishing the "ciphertext" with an OTP, so long as the other remains secret? Sounds like you are meaning to imply that publishing an OTP ciphertext but not the key is not 100% secure.

"With AES it is very likely to be crackable by some agencies."

While possible, I think I certainly would avoid calling that "very likely".

Furthermore, using limited disclosure to convince your adversary the entire file is genuine (while completely unneeded in this case as far as I can tell...) is entirely possible with AES. For all we know the file is actually a bunch of files cat'd together, each with a separate key (one of the files could simply contain keys to all the files, thus effectively creating a 'master key'). Give whoever you are attempting to convince a plaintext 'index' of the file, and ask them which file they want to see. They pick out a file, and you give them the key. You can play with the container like this all day, you don't have to go to such absurd lengths as you are proposing to achieve what you are going for.

jgrecoAugust 9, 2010 2:27 PM

@EDITED TO ADD (8/9): Weird Iranian paranoia:

Kind of makes me wonder if maybe the Iranians don't want their people knowing what's in that file either for some reason. Probably just some normal, though in this case misguided, paranoia of the US government though. Simply don't try to execute the file and I can't imagine what the problem could be.

other thought: I haven't looked at the source where that came from, but maybe "spy software" was a mistranslation of "spy program"? The file being some sort of sting, with the US logging who downloaded it, makes far more sense (I still don't buy it).

MarkHAugust 9, 2010 3:01 PM

Some awfully hypothetical and high-flying speculation in the comments!

Not to pick on one commenter, but two examples:

"all Wikileaks has achieved by encrypting the file is that now they can destroy the plaintext" -- Well, Assange claims that he wants a sort of back-up of the data. Encrypting it allows it to be published and copied and mirrored around the world (an unerasable backup) without disclosing the contents.

"With AES it is very likely to be crackable by some agencies" -- If anyone has the SLIGHTEST hint, shred, or trace of factual evidence that AES can be cracked by ANYONE IN THE UNIVERSE without knowing many of the key bits (for example, by some attack against the computer that did the encryption) ... won't you please post a link to this evidence, in your comments here? The community of professional cryptographers would be very interested to learn about your new attack!

If there were computers that could run through a trillion keys per second ... and you had a trillion of them ... you could test about 2^105 keys per year. Unless someone has done some significant cryptanalysis against AES, no attack without key knowledge is feasible. Period.

The only cryptanalysis yet published against AES are very specialized related-key attacks (not relevant to normal AES applications), that still have very high computational cost.

This speculation about using OTP only makes sense, if Wikileaks doesn't trust AES, and thinks they can manage distribution and retention of gigabyte sized keys while keeping them confidential.

Yvon SauvageauAugust 9, 2010 9:04 PM

@jgreco

""With OTP, it is 100% uncrackable, because Wikileaks would have publicized the 1.4 GB key instead of the 1.4 GB cyphertext (which they would keep hidden)."

See, comments like that just scream to me "someone doesn't know what they are talking about". What pray tell is the conceptual difference between publishing the "key" and publishing the "ciphertext" with a OTP, so long as the other remains secret? Sounds like you are meaning to imply that publishing a OTP ciphertext but not the key is not 100% secure."

OTP cyphertext is mathematically proven to be 100% uncrackable, provided that the key is made of pure random numbers. But as Clive has mentioned, it's hard to produce random numbers. So, the cyphertext is extremely hard to crack with pseudo-random numbers, but not 100% safe. That's why it's safer to publish the key instead, since it has no meaning at all, whether or not you have the ability to spot all its non-randomness.

Yvon SauvageauAugust 9, 2010 9:38 PM

@MarkH

The NSA has many experts working on these matters 300 days a year. And of course they don't publish anything. I think it would be naive to think there is no reasonable likelihood that they could crack Wikileaks document. Moreover there are people who argue that the NSA would never agree to a standard they wouldn't know how to crack, and other encryption would be added to highly secret documents. I don't know about that, but it doesn't sound like total nonsense to me.

Yvon SauvageauAugust 9, 2010 9:47 PM

@jgreco

Regarding your remarks about disclosure. I think you should be arguing with Bruce. I just claim it's easily solved with OTP.

Yvon SauvageauAugust 9, 2010 11:43 PM

@Nick P

Engineering is the art of making trade offs. I'm not sure if I've read this before, or if I'm making this up. Anyway I find this to be true. It's all a matter of balancing your needs with the trade offs.

Do you need quick disclosure that can be done in a matter of a minute? You're probably better off with AES, but don't count too much on it being uncrackable. That's the trade off you're willing to accept.

Do you need tight secrecy that will last for at least a century? You're better off with OTP, but don't count on it to be easily manageable, and disclosure might take more time depending on your network resources. That's the trade-off you're willing to accept.

You seem to think they need quick disclosure more than they need tight secrecy. You could be right, you could be wrong.

MarkHAugust 10, 2010 12:17 AM

@Yvon: "The NSA has many experts working on these matters 300 days a year. And of course they don't publish anything. I think it would be naive to think there is no reasonable likelihood that they could crack Wikileaks document. Moreover there are people who argue that the NSA would never agree to a standard they wouldn't know how to crack, and other encryption would be added to highly secret documents. I don't know about that, but it doesn't sound like total nonsense to me."

Well, of course each of us will think as we like. I'm only a student of crypto, and not any kind of authority at all.

It is always possible to postulate that NSA has some vastly superior capability to anything known -- who can prove such claims, or disprove them?

Of course NSA has experts, and of course they don't publish sensitive research. There is some reason to believe that academic cryptography has caught up fairly close to the NSA, but this is far from proven.

Most cryptanalysis is progressive -- if a system has an ideal strength of 2^127, and somebody finds a 2^115 attack, the attack is perfectly useless, but shows that the system falls short of an ideal cipher. Perhaps a year or two later, the same researchers, or another group, publishes a 2^100 attack, and so on.

To public knowledge, there are no such attacks on AES (leaving aside related-key, an attack that cannot even be attempted in most systems). AES has not been shown to be even 1 bit weaker than an ideal cipher.

I acknowledge that no one without inside knowledge can be sure that NSA did not find some radical shortcut against AES. But I observe that after 35 years, the government-approved DES has stood up well against cryptanalysis. It is crackable, because the key size is small enough to allow exhaustive search. But the weaknesses that have been found in DES are not useful in the real world: when someone wants to read a DES encrypted ciphertext without the key, they use exhaustive search! There is no better practical attack.

When DES was proposed, NSA interfered in two ways: they agitated to shorten the key length, and they changed the S-boxes. The S-box changes led to much speculation, that NSA did this in order to insert some kind of a "trap door".

It is now known that the NSA changes to the S-boxes made DES stronger: they enhanced resistance to an attack that was not publicly known at that time. Apparently, NSA wanted DES to be close to an ideal cipher (and we can say that it IS close to an ideal cipher, because after 35 years there is no practical attack better than exhaustive search). Believe it or not, the US government has a national security interest in good crypto being widely available!

NSA also wanted to limit the key length, so that exhaustive search would be possible for them to carry out.

Well, with 256-bit keys, exhaustive search is a physical impossibility. Even if some secret breakthrough were to break AES "in half", for example an attack costing 2^128, it is likely to be decades before recovering a key from plaintexts and ciphertexts will be feasible, even to those with multi-billion dollar budgets.

Nick PAugust 10, 2010 1:01 AM

@ Yvon

"you seem to think they need quick disclosure more than they need tight secrecy"

You seem to think OTP with a 1.4GB key lying around somewhere provides more secrecy than AES-256 with a good memorized passphrase. It usually doesn't, as most people doing OTP screw it up. AES-256 is considered good enough for top secret information for at least 50 years. Even assuming a Grover-like algorithm on a quantum computer would cut search time in half, it would still be 128-bit key strength. If it's truecrypt, it can also be double or triple encrypted with the same passphrase. I can't recall an AES, Triple-DES, IDEA, or Blowfish encrypted file being cracked because of theoretical weaknesses in the algorithms. Being too hard to beat the algorithms, the agencies almost always resort to other tactics.

All of this means that the encryption algorithm isn't really an issue. Wikileaks already uses a bunch of COTS crypto and anonymity software. Progressive disclosure just means you say the file is 1.4GB of the *rest* of the damaging documents and just send NSA some examples. That would definitely get their attention. Look what that one video did: a government leaked document suggested they want to take out wikileaks. No need for OTP. They can just selectively disclose documents to three letter agencies who know the damage potential, say they are in that file, and release the password at any time. That's what I would do and I'm pretty sure it would work on the similarly paranoid minds inside the Pentagon and the think tanks.

Yvon SauvageauAugust 10, 2010 1:18 AM

@MarkH What do you think of the possibility that only a subset of the keys might encrypt well? And that they would know about that? I'm just throwing this in the air.

Richard E.August 10, 2010 2:47 AM

The insurance file begins "Salted__...s..^9"

The same as files encrypted with :

openssl enc -aes256 -in Secret -out Secret.aes256
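
To make the observation above checkable, here is an added example (not code from the thread or from OpenSSL) that parses the header `openssl enc` writes and renders a byte preview in the same style as the string quoted above. The sample file is constructed, with salt bytes chosen to reproduce the quoted preview; note that the header does not record which cipher was used.

```python
"""Recognise the `openssl enc` salted header (added example, not from the thread).

`openssl enc` with a password and salting (the default) writes:
    bytes 0..7   the ASCII magic "Salted__"
    bytes 8..15  an 8-byte random salt
    bytes 16..   the ciphertext
The cipher name is NOT stored in the header, so the magic shows only that the
file came from `openssl enc` with a salt, not that it is AES-256 specifically.
"""

OPENSSL_MAGIC = b"Salted__"


def printable_preview(data: bytes, n: int = 16) -> str:
    """Render the first n bytes the way a pager or `strings`-like view shows
    them: printable ASCII as-is, everything else as '.', which is how a
    string such as "Salted__...s..^9" arises from magic plus random salt."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data[:n])


def parse_openssl_enc_header(data: bytes) -> dict:
    """Split an `openssl enc` output into salt and ciphertext.

    Raises ValueError if the magic is absent. 'cbc_block_aligned' is a
    sanity check: `-aes256` is an alias for AES-256-CBC, whose output with
    PKCS#7 padding is always a non-zero multiple of 16 bytes, so a body that
    fails this test was not produced by that cipher and mode.
    """
    if len(data) < 16:
        raise ValueError("file too short to carry the Salted__ header")
    if data[:8] != OPENSSL_MAGIC:
        raise ValueError("no Salted__ magic: not produced by salted openssl enc")
    salt = data[8:16]
    body = data[16:]
    return {
        "salt": salt,
        "ciphertext_len": len(body),
        "cbc_block_aligned": len(body) > 0 and len(body) % 16 == 0,
    }


# Constructed sample (not the real insurance file): the salt bytes are chosen
# so the preview matches the quoted "Salted__...s..^9"; the 32-byte body
# stands in for two AES-CBC blocks.
SAMPLE_SALT = b"\x8e\x01\xffs\x00\x1c^9"
SAMPLE_FILE = OPENSSL_MAGIC + SAMPLE_SALT + bytes(range(32))


if __name__ == "__main__":
    print(printable_preview(SAMPLE_FILE))
    print(parse_openssl_enc_header(SAMPLE_FILE))
```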

Mark WoodingAugust 10, 2010 9:00 AM

The one-time pad thing is ridiculous.

There are two deficiencies of a one-time pad (henceforth OTP) which make it utterly unsuitable for this kind of `insurance'.

The first is simply that the key is the same size as the plaintext. Hence, revealing the key is exactly as hard as releasing the plaintext, only one has to do a tedious but basically trivial computation to recover the plaintext from the ciphertext and key. Worse, the recipients have to fetch twice as much data as they'd have to if the plaintext were simply released later. Thought experiment: suppose, rather than releasing the key later, they simply release the plaintext. This is just as much data, and anyone who cares can compute the key from this plaintext and the ciphertext already released. Further change the experiment: rather than releasing ciphertext up front, you release the key. (This doesn't change the probability distributions of the key or ciphertext, so in fact nobody can tell that this change has been made.) Of course, the key is now just a long string of random bits -- which are almost, but not quite, completely useless.

Secondly, OTP has the unusual property that it is /non-committing/. That is, Alice can come up with a ciphertext and later decide what message it's meant to decrypt to (called `equivocation'). Computationally secure encryption schemes with short keys (e.g., schemes based on AES) aren't like this. In order to equivocate, you have to invert a one-way function (namely, work out K so that E_K(m) = c, where m is the message you want to claim to have committed to, and c is the existing commitment). (Pedantry: it's possible that if you know the messages you might want to equivocate over at the time you construct the commitment that this might be easier. But that implies a key-schedule weakness of the kind that modern symmetric encryption schemes are specifically designed not to have, so it's still unlikely.) Non-committing encryption doesn't make a convincing threat in these circumstances, for fairly obvious reasons.

No, the obvious idea is that the `insurance' ciphertext is meant to be Barbara Streisanded all over the intarwebs so that Assange, should the whimsy take him, can release the conveniently tiny key through some suitable low-bandwidth channel and suddenly everyone can find out whatever it was that They didn't want us to know.

Yvon SauvageauAugust 10, 2010 9:20 AM

@Mark Wooding

I can't blame you for not reading all the posts as there have been many. But all your points have been discussed earlier. I'll just repeat the reply on the most obvious point: Yes, releasing the OTP key looks ridiculous because it's equivalent to releasing the plaintext. But it's also true about releasing the 256 bit AES key. Of course you'll say that the OTP key is much larger than the 256 bit AES key. But so what? That's mixing up encryption concerns with compression concerns.

Regarding the non-committing property of OTP, it's addressed in the post that talks about SHA-1.

jgrecoAugust 10, 2010 10:18 AM

@Yvon Sauvageau at August 10, 2010 9:20 AM

No, I'm sorry to say it but he's very correct. This OTP stuff is flat out absurd. Just to review though, this is my current understanding of how you think this process should work using an 'OTP':

1) Wikileaks assembles their 1.4 GB of data.
2) Wikileaks generates a 1.4 GB "OTP" key using a series of PRNGs
3) Wikileaks publishes the key, and SHA1SUMs of each block of data of the ciphertext (block size determined by 3rd party).
4) Wikileaks and the 3rd party engage in a back and forth discussion revealing a limited number of blocks chosen by the 3rd party. (thus establishing the authenticity of the plaintext).
5) If in the future Wikileaks decides to publicly release the data, they release 1.4 GB of ciphertext (which the public can then combine with the previously released 1.4 GB of key).

If I've gotten anything terribly wrong then please don't hesitate to correct me, but as far as I can tell this is the gist of your little idea.

...So, where to start...

First thing that stands out here is your use of PRNGs to generate the key. You state that you need to publicly release the key and not the ciphertext because you can't trust your key to be sufficiently random. Thing is, if you are using a PRNG to create an "OTP" like that, then you _are not actually using an OTP_. You are for all intents and purposes using a stream cipher.

So fine, we'll now refer to this as a stream cipher instead of an OTP, no biggy. The problem is, once you think of it in these terms, your plan is revealed to be inefficient in a very silly way. Instead of publishing the entire bit stream that the stream cipher combines with the plaintext to create the ciphertext, you can simply release the seed (key). So say we just use AES in OFB mode. You can achieve _exactly_ the same advantages that your plan has by simply releasing the 256bit key to the public, instead of a 1.4GB bitstream.

...And just like if you executed your plan, when you release a key to the public and say "better watch out, I have nasty data encrypted with this key that I'm going to release", people are going to laugh in your face. Who is going to be afraid of someone silly enough to pre-release a tiny little key but save the massive file for distribution later?


Anyways, suppose we still think this is a good idea for some reason. Why should we even bother with encryption in the first place? We're obviously not pre-distributing the plaintext so just keep it on your harddrive completely unencrypted and save yourself some time. Instead of releasing a 1.4GB key to the public, simply make a press release that says "I have a lot of data, about 1.4GB of it. Here are the sha1sums of each file I have." You could then engage in the exact exchange as before, except this time you just send them the plaintext and they can check it against the pre-released checksums. Your data is just as secure as before (as secure as your harddrive), you've saved yourself a ton of CPU time, and now you don't look like quite the fool.

@Yvon Sauvageau at August 10, 2010 9:20 AM
"Of course you'll say that the OPT key is much larger than the 256 bit AES key. But so what? That's mixing up encryption concerns with compression concerns."

You ARE aware that a REAL one-time-pad isn't going to compress worth crap right?
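
Two points raised above can be shown directly in code: Mark Wooding's, that a one-time pad is non-committing (a published pad or ciphertext can later be "opened" to any message of the same length), and jgreco's, that a PRNG-generated pad is a stream cipher keystream that carries no more information than its seed. This is an added example, not code from the thread; the hash-expanded keystream and the SHA-256 block commitment are stand-ins chosen here (the thread talks about SHA-1 sums) and are not claimed to be anything WikiLeaks used.

```python
"""OTP equivocation, hash commitment, and why a PRNG pad is a stream cipher.

Added example; not code from the thread. All sample messages are constructed.
"""
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    return xor_bytes(pad, msg)


def otp_decrypt(pad: bytes, ct: bytes) -> bytes:
    return xor_bytes(pad, ct)


def equivocate(published: bytes, claimed_msg: bytes) -> bytes:
    """Produce the 'other half' that opens an already-published OTP half to
    any message of the same length. No search is involved: it is just
    published XOR claim. Whether the public half is the ciphertext or the
    pad makes no difference, which is why a published OTP half commits the
    publisher to nothing."""
    return xor_bytes(published, claimed_msg)


def commit(block: bytes) -> str:
    """Hash commitment to one block of data (SHA-256 here). Unlike the OTP,
    opening this to a different block needs a second preimage of the hash."""
    return hashlib.sha256(block).hexdigest()


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pad expanded from a short seed (SHA-256 in counter mode;
    illustrative construction, not a recommended cipher). A pad made this
    way is a stream-cipher keystream, not a one-time pad: anyone holding the
    seed regenerates every byte, so publishing the full pad reveals nothing
    that publishing the seed would not."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def demo() -> dict:
    real = b"genuine leaked document, block 1"               # constructed sample
    fake = b"harmless apple pie recipe".ljust(len(real), b" ")  # same length
    pad = secrets.token_bytes(len(real))   # a true one-time pad
    ct = otp_encrypt(pad, real)            # the half that gets published

    # Equivocation: invent a pad under which the public ciphertext reads as fake.
    fake_pad = equivocate(ct, fake)
    opens_to_fake = otp_decrypt(fake_pad, ct) == fake

    # A hash commitment to the real block cannot be re-opened the same way.
    fake_matches_commitment = commit(fake) == commit(real)

    # The PRNG "pad": the seed alone reproduces the whole pad.
    seed = secrets.token_bytes(32)
    pad_from_seed = keystream(seed, len(real))
    seed_regenerates_pad = keystream(seed, len(real)) == pad_from_seed

    return {
        "opens_to_fake": opens_to_fake,
        "fake_matches_commitment": fake_matches_commitment,
        "seed_regenerates_pad": seed_regenerates_pad,
    }


if __name__ == "__main__":
    print(demo())
```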

Yvon SauvageauAugust 10, 2010 11:14 AM

@jgreco
""Of course you'll say that the OPT key is much larger than the 256 bit AES key. But so what? That's mixing up encryption concerns with compression concerns."

You ARE aware that a REAL one-time-pad isn't going to compress worth crap right?"

Of course, but you're the one who didn't understand what I was trying to say. It's the 256 bit key which you can view as compressed with respect to the OTP key. If you see value in that size difference you're kind of valuing the 'compression'. Sorry if I'm running out of terms. I landed on this site through a web newspaper, and only made a cursory remark which turned into something controversial which is going much further than I imagined. I'll keep discussing it, but frankly I don't give a damn about cryptography. So spare me with your passionate language, I don't give a crap myself.

Yvon SauvageauAugust 10, 2010 12:05 PM

@jgreco

If you don't put yourself in the shoes of someone who doesn't believe in the invincibility of AES, you'll probably never get this into your mind that one would be ready to go to such lengths as I've described. You don't need a rational explanation as to why some people wouldn't bet the farm on AES. These people exist, and I'm one of them; and it looks like I'm not alone even in this forum.

"First thing that stands out here is your use of PRNGs to generate the key. You state that you need to publicly release the key and not the ciphertext because you can't trust your key to be sufficiently random. Thing is, if you are using a PRNG to create a "OTP" like that, then you _are not actually using a OTP_. You are for all intents and purposes using a stream cipher."

Yes we're using OTP. The public who receive this key are like the Soviet spy holding his secret OTP key. Then the KGB (Wikileaks) sends the cyphertext to the spy who can decode it.

"So fine, we'll no refer to this as a stream cipher instead of a OTP, no biggy. The problem is, once you think of it in these terms, your plan is revealed to be inefficient in a very silly way. Instead of publishing the entire bit stream that the stream cipher combines with the plaintext to create the ciphertext, you can simply release the seed (key)."

Yes, so what? Now it's the cyphertext that's hidden from you. Do you have the cyphertext? No. There's nothing you can do whether or not you know how that key was generated.

"So say we just use AES in OFB mode. You can achieve _exactly_ the same advantages that your plan has by simply releasing the 256bit key to the public, instead of a 1.4GB bitstream."

Yes you're right, and I did think of that. It looks silly but it still works. But again, it's like the spy who holds his 256 bit key, and will receive cyphertext later.

"...And just like if you executed your plan, when you release a key to the public and say "better watch out, I have nasty data encrypted with this key that I'm going to release", people are going to laugh in your face. Who is going to be afraid of someone silly enough to pre-release a tiny little key but save the massive file for distribution later?"

Ha! Ha! The spy mentioned above is really laughing at his KGB boss when he receives his huge cyphertext. The guy says: "Silly them, they initially sent me a mere 256-bit key! And now they're sending me a huge cyphertext!"

The reason they encrypted their file is to get rid of the plaintext. Why? We can speculate a lot. But presumably it's a very embarrassing piece to hold.

CornerstoneAugust 10, 2010 12:30 PM

I don't think Wikileaks is concerned about ridding themselves of the plaintext. They don't seem to have any problem with having secrets on hand. It appears fairly obvious that the idea here was to get the data out there in a way that any attempt to shut down the site would result in a simple release of data. On the verge of being arrested, site cut off and a SWAT-like team arriving, I just don't see releasing a 1.4 GB file being very practical. It would just give too much time for the thing to be blocked. As far as I see the site is already blocked from several locations. In this circumstance using an OTP does appear silly. Releasing a 1.4 GB "key" is about as good as a press release saying "we may release the data if you attack us".

Yvon SauvageauAugust 10, 2010 12:32 PM

At any rate. It could have been done that way, but as I said I now don't believe it was. Apparently the file begins with "Salted__...s..^9". I don't see why it would be there with OTP (for make-believe, or the key is AES encrypted? I seriously doubt it).

MarkHAugust 10, 2010 12:49 PM

Yvon, I don't think I was clear in my previous posting. The stated purpose of the file is to PUBLISH and PRESERVE the data, without DISCLOSING it.

And publishing an encrypted archive appears to be a completely feasible way to accomplish this.

I am aware of no evidence, that WikiLeaks has "destroyed" the plaintext, or has any motivation to do so. While it's possible that is what they want to do, this is only a presumption.
____________________________

Quote: "These people exist, and I'm one of them; and it looks like I'm not alone even in this forum." -- Oy! 100s of millions, if not billions, of people doubt or deny that new species come into being by evolution. Do their doubts have any bearing on the truth of the matter?

If someone has real doubts about AES, they could successively encrypt an archive with AES, Serpent, IDEA, Twofish, and 3DES. The entire key material would amount to a couple of hundred bytes. Does anyone who has ANY education about cryptography, believe that such an archive could be decrypted without independent knowledge of the keys?

In the real world of the 21st century -- as far as we know -- people don't recover keys from analysis of fresh ciphertexts. They snoop or steal the keys. What is more secure, a small key that can be encoded by learnable passphrases, or a giant file that must be carried or copied around, to ensure that the data won't be lost?

The risk that someone will cryptanalyze an AES archive (within the next few years, for example) is, for practical purposes, zero. The risk that someone will get hold of a 1.4 GB "key" is substantial.

jgrecoAugust 10, 2010 2:09 PM

@Yvon Sauvageau at August 10, 2010 12:05 PM

If they really "got rid of the plaintext", then nobody has anything to worry about. So long as they have the ciphertext and they have the key, they for all intents and purposes also have the plaintext, so getting rid of the plaintext would presumably mean they have forgotten the key. Even if they merely separated and secured both the key and the ciphertext physically and deleted any plaintext from their harddrives, this scenario doesn't make any sense.

That they a) encrypted the data, and b) distributed the ciphertext, can only really logically mean that they are protecting the data from deletion. I can't think of any possible reason that they'd want to distribute the key instead of the ciphertext.

If they don't worry about not having the ability to distribute large files in the future, but they also don't want plaintext sitting on their hard drives (implying they think their servers may become compromised, but they still expect to be able to keep their site up?...), then they could merely issue a press release stating that they have the data, then encrypt the data and keep the key and ciphertext to themselves (but physically separated and secured).

No need to waste money on allowing every Tom, Dick, and Harry on the internet to download a 1.4GB file from you (or download _two_ 1.4GB files from you in your "OTP" (actually stream cipher) situation).

Seriously, bandwidth isn't free and they are run off donations...


PS: Your KGB agent examples are flawed. Sending an agent out into the field with a key and later sending him the ciphertext makes sense.... but only if the data contained in the ciphertext does not exist beforehand and is only available by the time the agent is already in the field. If you wanted to send your agent out and give him data you only wanted him to be able to read in certain situations, you'd send him with the ciphertext and only send the key if needed. There aren't any logical reasons to do it otherwise.

Yvon SauvageauAugust 10, 2010 4:39 PM

MarkH

Alright Mark and everyone, let me explain my stance on this, which caused such a difference in views. And then I'll move on to other stuff.

1) I never considered 1.4 GB to be a big deal. Everyone seems to think that it has to be released within less than say an hour, and that a whole team scattered around the world could not do it. Well maybe.

2) I possibly overestimate the agencies. Yes, I realized you can have multiple layers of commercial off-the-shelf encryptions. And I'm totally aware of the theoretical exponential complexities with respect to key size. But still I would not bet the farm on that, even with multiple encryption layers. Is it irrational? Most likely and I know it, but there is still doubt in me.

3) I apparently see too much benefit in the ability to destroy the plaintext. And it's the only scenario that keeps OTP a rational option.

But anyway, there's an additional impracticality to OTP. It's that the public would have to program their own OTP decoder before reading the file. It's easy to do, but it's probably too much of a hassle. So the likelihood that they have done that is pretty slim.

Yvon SauvageauAugust 10, 2010 9:28 PM

Ok I goofed up and should have admitted it from the start. In the fight back I was just kidding myself that it would go away. Move on, there's nothing to see.

Nick PAugust 11, 2010 1:01 AM

@ Yvon Sauvageau

"Ok I goofed up and should have admitted it from the start. In the fight back I was just kidding myself that it would go away. Move on, there's nothing to see."

Been obvious from the start. Stick around a few blog posts, though, as you might learn something. There are people on this forum with plenty of knowledge and/or experience in the arcane art of *real* security. I'd like to consider myself one of them, but I'm too busy solving problems to stop for professional introspection. ;)

@ Mark H

Good points, esp. regarding multiple algorithms. Dare I say that a broken algorithm probably wouldn't hurt even if the two or three ciphers all had the *same* key. There's just too much complexity in looking at a ciphertext and figuring out the key with today's algorithms, esp. if multiple were used. It's basically the security through diversity concept that's been getting traction in the academic community, like instruction set randomizers. Diversity is how nature builds survivable systems. I've found this useful in designing security systems, as I can increase the assurance of a system with low assurance COTS components.

Clive RobinsonAugust 11, 2010 5:25 AM

@ Nick P,

"It's basically the security through diversity concept that's been getting traction in the academic community"

About time; it has been known and proved over and over again (especially with 3-DES).

Claude Shannon pointed out that multiple uses of "transposition followed by substitution" would strengthen a cipher by more than the sum of their individual parts. Latterly the ideas of "Confusion and diffusion" were realised to apply in a more general purpose way.

Ultimately the only known way to crack any cipher (including OTP) is to mount a "British Museum" or "Brute Force" attack and go through every possible key.

However its success depends on knowing when you have the correct key from examining the deciphered output. Thus, simplistically, if you cannot recognise the correct deciphered text "Brute Force" fails.

The question of "recognition" then arises in two ways,

Firstly, even a very simple cipher either on the plain text or cipher text renders the recognition process too expensive to make a Brute Force attack viable.

Secondly there is the issue of differentiating multiple plain texts.

The usual assumption is the first deciphered text that makes sense is the correct key and you can stop (however with OTP all plain texts are equiprobable so...).

All of which has been known if not painfully obvious to the Open Academic community since the DES competition (and almost certainly since the second world war for a great number of people many in academia).

Which begs the question "why now" with the academic community?

I've certainly been very well aware of the implications since the mid 1970s and have applied the concepts where required in many designs. Which is unusual for an engineer, where simplicity and clarity are usually strived for beyond all else (guess you could say either I'm an unusual engineer or have worked on unusual engineering projects or both ;)

As you say,

"Diversity is how nature builds survivable systems."

Importantly, there is the consequence of this with respect to "efficiency"...

Evolutionarily the more efficient an organism is the less tolerant it is to changes in its environment and the less able it is to respond. We call this an "evolutionary cul-de-sac" and the much over given (and incorrectly attributed) example is the "saber tooth tiger" being an "over specialised hunter".

As many are aware I've been banging on about "Efficiency-v-security" for a very very long time ;)

I can assure any budding engineers out there that efficiency is a very double edged sword...

In one respect it results in over-specialisation, a lack of resilience and as a consequence gives rise to "brittle" designs (think about the longevity of Victorian steam engines -v- modern very short life highly efficient engines).

In another it can result in systems that are over lumbering designs where inertia makes them slow to respond and thus very susceptible to more agile systems.

The trick, as in all things, is to find a balance or "sweet spot" where you get a desired response in a sensible way.

As a rough rule of thumb small light general purpose standard parts (like nuts and bolts) are the best way to go. But not too general purpose, as this results in unnecessary waste. Thus you have a range of "standard parts" from which to select (as seen with various types of fastenings, not just nuts and bolts).

Which brings me nicely onto your point,

"I've found this useful in designing security systems, as I can increase the assurance of a system with low assurance COTS components"

It's a case of "sweet spot" finding in any given environment at a point in time. The COTS parts can be easily changed should a more demanding or different requirement arise from the change in environment.

And the best way to ensure you get "sweet spots" is "standardization" and well designed "frameworks" into which "standard parts" fit easily and conveniently.

Peter MaxwellAugust 11, 2010 11:58 AM

@Clive Robinson at August 6, 2010 2:54 AM

" What I'm talking about is using AES in "on line" or "off line" mode.
In on line mode the time based side channels from the use of AES can be seen remotely and have been practically demonstrated as such.
Removing these AES side channels in a software only implementation on modern CPUs is extremely difficult for a number of reasons.
Thus timing side channels either inherent within the system or induced in the system by an attacker are very real issues not just in the future but currently, and are very difficult to spot (I'm not aware of any IDS or other off the shelf software system that can detect them). "

You've glossed over some of the practicalities: on the same system, the timing attacks are very successful, however mounting one remotely is significantly more tricky - remember Bernstein specifically prepared his system and did an enormous number of queries. Security Event Monitors will notice that sort of increase in queries. So assuming a remote server, AES still looks not bad.

Unless you've had sight of something the rest of us haven't?


----


" As I said you have to define your parameters to make a definite answer to that. We do know that previous published timing side channel attacks have involved little more than a network connection and a high end PC.
Therefore what I am saying is that if you routinely handle secrets worth over 100K USD you should realistically consider that you may well become a target now or in the future to some kind of attack against your encrypted communications.
As Bruce notes attacks only get more sophisticated and practical with time, and people learn with (sometimes painful) experience not to fall for simple attacks. Thus those criminals that have made a good living out of various phishing and malware attacks will migrate upwards to this sort of attack as and when their existing attacks start to fail to bring in the money. "

If I were to say either a standard out-of-the-box apache on linux/bsd with SSL/TLS using AES128 and a Checkpoint Firewall appliance using AES as the VPN cipher (it's IPSec). From a remote connection - i.e. you're not in the same building - can you use a timing/side-channel attack reliably for $100k?

Yes, attacks only get better, but it does not mean one scenario can be automatically extrapolated into another.

And seriously, if you have $100k it's much easier to either bribe for what you want or pay someone with a violent streak to extract it. The cryptography is still one of the strongest points in the chain, and it's always easier to attack the weak point.

Nick PAugust 11, 2010 12:41 PM

@ Peter Maxwell

Good points. Defending high value assets requires making all avenues of attack costly. They usually only do side channel attacks when nothing else is available, but at that point it can matter. Remember the covert channels in TCP/IP stacks? Or leaking data through VoIP traffic? There's plenty of ways to leak data through legitimate traffic that won't alarm an SEM. Whether in these applications or starting with a low privilege compromise, the covert channels have attack potential.

Clive RobinsonAugust 11, 2010 11:59 PM

@ Peter Maxwell

As @Nick P says some good points, but also some old points that just are not holding good any more and less so with time.

For instance,

"And seriously, if you have $100k it's much easier to either bribe for what you want or pay someone with a violent streak to extract it. The cryptography is still one of the strongest points in the chain, and it's always easier to attack the weak point."

If you look back at what I said it was in the context of "low hanging fruit" drying up and "for profit" attackers and thus their risks and motivations now and importantly in the future.

So first off is the fallacy of the "rubber hose" attack being "cheap" it's not and in many cases it just won't work unless you are a major power and even then it is usually as a measure of last resort.

The price is not just monetary but risk and distance and invariably the results are poor.

Most "for profit" crime currently on the Internet is done from two or three jurisdictions away and it is against controlled and monitored assets like bank accounts. For this to work it has to be sufficiently stealthy that the money can be moved, retrieved and moved again before any alarm is raised. The last thing these sorts of criminals want to do is to actually come and "bang the coconuts" or find and pay people to do it for them. This type of behaviour is for old style low value "street crime", "protection rackets", "debt enforcement" etc and it is something that LEOs are familiar with.

Likewise bribery is generally too high risk to work with "for profit" crime that works with information systems, and invariably it is more likely to be an "insider attack" of one form or another. That is an insider gets "socially engineered" or the insider has seen an opportunity and is looking for partners to monetize the opportunity.

Also "information" or "intangible asset" crime is currently visibly changing with targeted attacks starting to come to the fore (spam / CC No trading is actually a "Lemon Market" with very low asset capitalisation at best). Targeted attacks usually revolve around theft of Intellectual Property and are akin to the old "industrial espionage". To work it generally has to be in place for quite a while and thus remain stealthy. Those who have access to that sort of IP are generally not bribable in the traditional "brown bag of cash" sense and are looking for equivalent payouts in the million dollar plus range.

Thus taking the risk etc into consideration the weak link may well not be where you think it is, or for that matter where governments think...

[---
For example one sort of crime I'm waiting to see is "anonymous money laundering" services by bot net.

Currently there is a lot of legislation where banks etc have to report movements of assets of over 10,000 USD/Euro equivalent or any other movement likely to be of interest to the authorities.
The simplistic answer is to divide the money up and make lots of 9,000 USD/Euro transactions but the work involved in setting it up is so large it is either not cost effective or way too obvious to the authorities (which is why the threshold is where it is and this is the weak link in the governments' reasoning).

If you remember back a little while ago somebody came up with an attack against "Home Internet Banking" software where it hid transactions from the software user by not displaying them to the user. Back then it was being used to hide small transactions out of accounts (a scalping operation in effect).

Now assume a wiser person used it to hide both transactions "in" and "out" of the account you have yourself one step in an anonymous money pipe line with low cost overhead.

As we have seen with bot nets getting a million or so home user PCs under your control is not that difficult. So the steps to set up a hundred thousand 30USD/month money laundering channels is "known technology". With a little extra work (think overseas adult entertainment for the "out" and fake click through ad income for the "in" or share trading etc etc) it looks like a real business transaction, but it has at least a 36 million USD/year laundering capacity.

Small fry perhaps but as it can be set up by just a couple of people the overheads are low and it's way down below the noise floor of the money laundering threshold set by governments who have effectively assumed the wrong weak link in the money laundering chain.
---]

Which brings me onto your point of,

"Yes, attacks only get better, but it does not mean one scenario can be automatically extrapolated into another."

Yes and no, attacks get better in several ways, we tend to view them in terms of speed or resources. However their "scope" also broadens and fairly quickly one type of attack sufficiently overlaps another type of attack so they get put together and the result can often be considerably greater than the sum of the parts (various time / memory trade offs being an example area where neither attack is practical on its own but together the attack is practical).

But the same principle applies to attack spaces in certain respects. For instance your scenario of,

"If I were to say either a standard out-of-the-box apache on linux/bsd with SSL/TLS using AES128 and a Checkpoint Firewall appliance using AES as the VPN cipher (it's IPSec). From a remote connection - i.e. you're not in the same building - can you use a timing/side-channel attack reliably"

It has two parts the target "Apache server" and the protective "Checkpoint Firewall".

If I was going to attack it I would do a "divide and conquer" on it and split the job up into two attack spaces. The first to get me into the network behind the protective firewall. The second to install my side channel exploiting software either on the target server or on another machine on the inside network.

Even if I could not get inside the protective firewall, if I can send ordinary traffic to the server from somewhere else (ie attack into the other end of the VPN) then it may be sufficiently transparent to enable a side channel attack to be mounted. If not sufficiently transparent then using the TCP time stamps from the server it may be possible to find the correct timing points and de-skew appropriately.

I know from "looking for honey pots" you can find them by various de-skew techniques even though a firewall with variable latency is between the honey pot and the outside world. And worse for the honey pot operator the attacks can be done in a way that doesn't trigger the SEM's alarms...

Which brings me onto the point of the 100K tipping point what I said was,

"Therefore what I am saying is that if you routinely handle secrets worth over 100K USD you should realisticaly consider that you may well become a target now or in the future to some kind of attack against your encrypted communications."

People appear to have missed or misunderstood the implications of "routinely handle", that is the total value of the secrets could be millions to billions in a relatively short time span. Further that as with share trading "knowing" is often more valuable than "stealing". Thus you have to decide what attacks an adversary can make as a "one off" or as an "ongoing" attack.

As always it's a judgment call as to if you think the attack scenario is both viable and worthwhile in your particular circumstances. And further what the mitigation costs are in terms of CapEx and procedures.

There are some relatively trivial and low cost solutions to the issue of timing channels. For instance rapid AES key rotation or a master slave pump system across a controlled channel or using a net book for the internet connection and a laptop for doing work and the encryption / decryption with only cipher text messages being transferred on a memory stick.

The important point is being aware of the possibility of such attacks and how to mitigate them in a cost effective manner if you think it appropriate to do so.

Joel PetrowAugust 14, 2010 6:26 AM

"Has nobody yet considered the "sense of humor" scenario - perhaps the encrypted file is destined to be the world's most famous rickroll in history...
Posted by: Kevin at August 5, 2010 12:24 PM"


You're on the right track. The government makes mistakes, but is also very clever. The file one way or another (with Wikileaks either a confederate or a dupe) contains information that will throw the Afghan opposition into some disarray. It names individuals and organizations that the US wants to throw under suspicion by portraying them as collaborators of the US.

66August 14, 2010 10:04 AM

Laser arrays. "Using the quantum properties of light, it is now possible to send information that is quantum encrypted and is guaranteed secure against eavesdropping by the laws of physics. Using a scheme envisioned in the 1980s, single packets of light (photons) are sent through an optical fiber, with the information encoded in their polarization. The receiver makes measurements of the polarization of the photons they receive, and because of the properties of quantum mechanics, they can be sure that no one has been listening in on the conversation. Quantum cryptographic systems are now commercially available, but will most likely be used for very special communications (like bank-to-bank) for the near term." http://laserfest.org/lasers/innovations.cfm

Life on the run.
There was a woman named Bright and she moved at the speed of light. You can't outrun her. Before you know it, it's game over.

JoelAugust 14, 2010 2:24 PM

The original - "There was a young woman named Bright Whose speed was much faster than light. She set out one day. In a relative way, And returned on the previous night."


I'm not sure the relevance of the previous post, but there is a not insignificant possibility that US intelligence has a quantum computer that could make short work of simultaneously testing a very large number of keys.

KimAugust 15, 2010 12:31 AM

We can't be sure *what* it is. This speculation may all be useless.

In addition, the encryption code may be a one-time pad, making it practically impossible to crack no matter how strong your supercomputer.

PierreAugust 15, 2010 4:26 AM

@Michael Lynn

After you dive into secret-service reports for long enough, you will find *plenty* of references to the concerns expressed by U.S. Allies about the fact that the U.S. standards are so weak and the quantum computers (in use since 1990) so efficient.

Of course, 100% of those who have found this information started by bothering to search in the first place...

@BF Skinner

Tip: use your snorkel and fins to build yourself an opinion based on something else than the usual Academia rhetoric or servile Press Releases.

The results of a regular practice are priceless.

Clive RobinsonAugust 15, 2010 6:43 AM

@ 66,

"Using the quantum properties of light, it is now possible to send information that is quantum encrypted and is guaranteed secure against eavesdropping by the laws of physics"

Sorry, the "guarantee" is very very very limited to each Q-Bit and absolutely no more than that.

Which means there are all sorts of ways to probe the communications channel to get information about the Q-Bit without having to do anything to it at all.

In the simple case where the sending end sets a polarizer to a given angle, simply having an "out of band" light source whereby the polarisation can be probed is sufficient to know what position it is in.

Then there is the electronics that randomly positions the polarizer; this will emit all sorts of EmSec signals or likewise be as equally susceptible to EmSec signals. "The laws of physics" puts the same guarantee on this.

Some successful attacks against commercial QKD devices have been shown and they are mostly low tech attacks.

Way, way too many people look at that oh so very very narrow guarantee and assume incorrectly it applies to the whole system. It does not, and the result is as with any other misplaced faith cause for embarrassment when it all goes wrong. As it usually does without any significant malintent.

DonnieAugust 15, 2010 5:47 PM

I believe the Insurance files are legit. Generally people/organizations only obtain insurance if they feel they are susceptible to an insured peril. In WL's case, their insurable perils are the data/information. If the US government is successful in wiping out WL data or capturing Assange, ultimately a decipher to his insurance file will almost instantly surface.

66August 16, 2010 1:39 PM

Insurance is limited. The old struggle between freedom and despotism goes on. Those on the side of freedom have been on the defensive side and the despots are on the offense side. Are you more confident in leaks to achieve your goals or not? The WL data does not belong to WL. The idea of telling the Pentagon, all your data is ours won't fly. WL has a position that can't be defended. It's deranged. If you pass classified USG material to binladen & co. there are people prepared to kill you for that. No joke.

KlootAugust 22, 2010 10:05 AM

Generating a 1.4 gig random key? What about using the DVD of Jurassic Park. Distribution problem solved.

Clive RobinsonAugust 22, 2010 2:38 PM

@ Kloot

"What about using the DVD of Jurassic Park. Distribution problem solved"

It's "known Key Mat" which is an absolute no no in cryptography. Put more simply I would expect the likes of the NSA to "know" that is a possibility (Book Codes) and to have tried some of it to see if the output statistics change.

The other thing is even compressed video has fairly predictable properties so does not make good "Key mat".

That said several years ago someone looked at applying book codes multiple times and found that around four different books applied in succession was virtually indistinguishable from purely randomly generated Key Material.

As always with OTP or a stream cipher generating a sufficiently unpredictable (to an attacker) Key Stream is simple in theory but extremely difficult in practice.

If you want to know how hard go have a look at NESSIE which was an EU initiative to provide amongst other things good stream ciphers. If I remember correctly all the entrants failed...

ParalipsisSeptember 4, 2010 11:51 PM

Gee, so many conspiracy theories…lol!

The “insurance file” contains the video footage of the “Granai airstrike” in Afghanistan.
The one that killed all those school children.

It really isn’t a secret, it is even on wikipedia…click on the link.

anonymousOctober 3, 2010 8:46 AM

Wikileaks are noobs. Bruce if they encrypted each document independently they would be at higher risk of plausible plaintext attacks unless they use padding. AFAIK they never tell their leaks to pad encrypted documents and most of them only encrypt with GPG and no content padding. This is why I find it hard to believe that the NSA doesn't know where every single leak comes from. Their Narusinsight operation should be able to locate an encrypted file of X size as soon as it goes through an IX. Once they see the decrypted document on Wikileaks they can determine the size of ciphertext it would produce once encrypted with RSA/AES or whatever. Then they just need to check for an encrypted stream of that size and as simple as that they have located the leak.

rmuqt2gq7awlrmxg.tor2web.com/polyfront/internetoverlayanalysis.html

anonymous againOctober 3, 2010 8:50 AM

this is also why I think wikileaks is little more than a CIA honeypot operation designed to take care of a difficult HUMINT problem; detecting malicious insiders before they can leak. If CIA runs Wikileaks they can screen leaked documents and only release things that nobody really cares about. At the same time they can, with some help from NSA, determine the people leaking interesting shit that they actually do care about and never release to the public. Then they neutralize the leaker and nothing ever really is released to the public.

That is my guess anyways. NSA not being able to pwn Wikileaks is a laugh.

A. SmithOctober 4, 2010 1:30 AM

If and when the file "Insurance" is opened up what everyone will see is all the nasty dirty unethical things that our political leaders have done and are still doing to people domestically and internationally, but very covertly. So then I say this: the clandestine services, MI5, NSA, there won't be any covering any of this up. Even the top computer experts will tell you the only 100 percent way to be safe from having eyes pry at even the highest level of classification on any type of computer network/system is to not have one and turn it off. It's the best hackers that no one knows about that can cause the most people to shit their pants. I applaud wikileaks and any more that pop up that are willing to do the same. So what, the government waits 60 plus years then comes back and says yes we did that a long time ago, we are sorry, and people forget about it; it's one of many cover tactics that are used all the time. There is not one government official that has their shit together; the only way to be that type of person is you must be the best liar ever. The leaks will continue to pour in from all over the world and there's not one thing that can be done; when the governments overstep too far they will be pulling back a nub from the millions that will stand for wikileaks' cause. If people could be honest and upfront with things, which we know that every gov business and associate knows not those words or even the slightest meaning. Hell, I know people who swindle hundreds of thousands of dollars of unreported money that never even sees the IRS and these are your so called up t e up businesses that have government ties. I know this for a fact. I'm debating on even sending that on out myself. Everyone only cares about themselves; not one damn person within the US government cares about what's the greater good and has one lick of common sense.
So if the right person even wants to know more from me my email is sandman28036@yahoo.com I have nothing to hide but I wont be takin advantage of either. Good Day To All!

WatersnakeOctober 17, 2010 7:48 AM

It is not stated which nation or administration this information would "hurt". It may be something not necessarily harmful to any national security, but very politically embarrassing to some persons.

That would be even more effective. Politicians are like Tonya Harding.

HenrikOctober 20, 2010 5:49 AM

Someone get Sony to produce a new "SETI@home" app for PS3... Something like "Distributed-Decrypt-Wikileaks-File" app...

NotSoAnonymousOctober 29, 2010 3:21 PM

To decrypt all you need to do is this:
$ openssl enc -d -aes256 -in insurance.aes256 > out.dec
use ONION as password.

Well this is weird ...
This seems to work as well ...
#Using Blowfish Cipher
$ openssl enc -d -bf -in insurance.aes256 > out.dec
use ROUTER as password
I tried using different passwords and I get an error but not when I use ROUTER.

Just to add to the weirdness, you can also decrypt it by using "ONION" with blowfish: these permutations could lead to something interesting.
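A note on why a decryption that "works" proves nothing here. Below is an added Go example, not code from the commenter, from WikiLeaks or from OpenSSL, that reproduces what the openssl enc -d path actually checks: after CBC decryption the only test is whether the PKCS#7 padding is well formed, and a random wrong key passes that test roughly one time in 256. The key is derived from the passphrase with SHA-256 purely for the demo (an assumption; openssl's own key derivation differs), the IV is fixed, and the plaintext is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"math/rand"
)

// keyFromPassphrase is a stand-in for a real password KDF (assumption: not openssl's scheme).
func keyFromPassphrase(pass string) []byte {
	k := sha256.Sum256([]byte(pass))
	return k[:]
}

// pkcs7Pad appends 1..16 bytes, each equal to the pad length, up to a block boundary.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad returns the payload and whether the padding was well formed.
// This check is the only thing that turns a wrong key into a "bad decrypt" error.
func pkcs7Unpad(b []byte) ([]byte, bool) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, false
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, false
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, false
		}
	}
	return b[:len(b)-n], true
}

// encryptCBC is AES-256-CBC with PKCS#7 padding, the construction behind "openssl enc -aes256".
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// decryptCBC mirrors the decrypt path: CBC-decrypt, then accept or reject on padding alone.
func decryptCBC(key, iv, ciphertext []byte) ([]byte, bool) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// wrongKeyAcceptances counts how many of `trials` random wrong keys the padding check
// accepts. A wrong key makes the final block effectively random, so it ends in 0x01 about
// once in 256 tries (plus rarer longer pads). The PRNG is seeded so runs are reproducible.
func wrongKeyAcceptances(iv, ciphertext []byte, trials int, seed int64) int {
	rng := rand.New(rand.NewSource(seed))
	accepted := 0
	for i := 0; i < trials; i++ {
		key := make([]byte, 32)
		rng.Read(key)
		if _, ok := decryptCBC(key, iv, ciphertext); ok {
			accepted++
		}
	}
	return accepted
}

func main() {
	plaintext := []byte("constructed sample document, not the real file")
	iv := make([]byte, aes.BlockSize) // fixed IV: acceptable for a one-off demo only
	ct := encryptCBC(keyFromPassphrase("correct horse"), iv, plaintext)

	pt, ok := decryptCBC(keyFromPassphrase("correct horse"), iv, ct)
	fmt.Printf("right key:  accepted=%v plaintext=%q\n", ok, pt)

	n := wrongKeyAcceptances(iv, ct, 5000, 1)
	fmt.Printf("wrong keys: %d of 5000 accepted by the padding check (about 1 in 256 expected)\n", n)
	// Every accepted wrong key still yields garbage; only reading out.dec tells you anything.
}
```

The same property holds for Blowfish (-bf), a 64-bit block cipher used in CBC with the same padding rule, so a second password that also "works" is what occasional wrong keys look like, not evidence of anything. The useful check is on the decrypted output: a genuine decryption yields recognisable content, and a file with high-entropy bytes that merely end in 0x01 is the ordinary failure case.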

NotSoAnonymouseOctober 29, 2010 3:24 PM

"Rubberhose works by initially writing random characters to an entire hard drive or other dynamic storage device. This random noise is indistinguishable from the encrypted data to be stored on that disk. If you have a 1 GB drive and want to have two Rubberhose encrypted portions of 400 MB and 200 MB, it assumes that each aspect (as the encrypted partitions are called) will be 1 GB and fill the entire drive. It will keep doing this until the drive is really filled to capacity with encrypted material. It breaks up the pieces of each aspect into small pieces and scatters them across the entire 1 GB drive in a random manner, with each aspect looking as if it is actually 1 GB in size upon decryption.
"Each aspect has its own passphrase that must be separately decrypted, and if a hard drive is seized neither mathematical analysis nor physical disk testing can reveal how many aspects actually exist. Internal maps are used to locate where the data is stored amongst the random characters, with each aspect having its own map which can only be decrypted via its specific passphrase. As such, a Rubberhose disk can only be written to after all the passphrases have been entered. Everything works on a "need to know" basis, i.e. each aspect knows nothing about the others other than when to avoid writing over the top of another."

SO THEY JUST USIN` THIS FILE TO TRACK DOWN ORGANISATION AND KEY PEOPLE (SOURCES) AND HUNT `EM DOWN.

DOWNLOAD AND DECRYPT AT YOUR OWN RISK.

NotSoAnonymousOctober 29, 2010 3:26 PM

Rubberhose algorithm/crypt was written by Julian Assange, Suelette Dreyfus and Ralf Weinmann, and it was designed to be resistant to attacks by people willing to use torture on those who knew the encryption keys. This is a reference to the rubber-hose cryptanalysis euphemism.

SETINovember 26, 2010 11:47 PM

"They might have sent the key to the person/institution they are insuring from. They don't care if anybody else in the world knows if it's true or not, only the person they are protecting themselves from."

Yes, this is smart, but even smarter than that is to put together a stash of baffle material and instead create this delusion for all gov. agencies that they have already posted the code for the respective adversary. The point is every org thinks the docs have been leaked from one of the other orgs out there (NSA thinks CIA has been irresponsible to let it happen, CIA thinks FBI, and so on). Different organizations in the US bureaucracy are so tightly competing that no agency wants others to know that their loose security measures have allowed a fiasco.

The ultimate result is that all of us think we have something top secret in our hands and gov agencies, on the other hand, are suspicious of each other more than ever.

SETINovember 27, 2010 12:00 AM

and of course WikiLeaks obtains security until gov. agencies realize they've been tricked.
Every agency thinks that the entity responsible for the leaks is monitoring the situation but dares not arrest or seriously harass the WikiLeaks staff, because the docs are too sensitive to risk their release.

a realistNovember 27, 2010 12:15 PM

It's not a bluff, as they surely know that the NSA has a backdoor into AES encrypted files. He is proving to them that he has the goods on them.

jpechNovember 29, 2010 12:38 AM

The NSA does NOT have a "backdoor" into AES. Anyone claiming such has zero understanding of basic mathematics.

weirdoNovember 29, 2010 11:42 PM

I guarantee you that they will release the key sometime soon, that will decrypt two files, an embarrassing one, and then another encrypted file with information even more embarrassing (insurance, maybe extra coverage =) just to prove their point

RichardDecember 1, 2010 6:20 PM

Let them publish it all but prosecute each one of them and anyone who helped finance the wikileaks site. I believe that's doable under US law.

RamDecember 2, 2010 10:22 AM

an attack on that protocol...

encrypt the exact same bit of data 10,000 times with different keys.

counter-protocol...

show me two pieces of info so I can be sure it's not all the same

counter-attack...

encrypt 50 pieces of information 200 times (hope you don't get really unlucky)

counter-protocol...

reveal more... but this is going down a bad way...

better counter-protocol...

encrypt all the messages with the same public key... also provide some sort of digital fingerprint that differs little with tiny tweaks (anti-hash?); verify that no two are alike.

publish the plaintext of a challenged one

verify that the public encryption is correct.

verify that the anti-hash is correct.
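
Ram's exchange above, worked through as an added example that is not part of the thread: padding one document into many copies defeats the post's "reveal one random key" check, because every revealed copy is a genuine document, while a published similarity fingerprint lets the verifier see that the set is near-identical. The code uses a SHA-256 hash commitment in place of each AES ciphertext (the commitment is what the revealed key would open), and a MinHash signature over word shingles as the "anti-hash" (my choice of construction); the sample documents are invented.

```python
import hashlib
import os

def shingles(text, n=3):
    """Word n-gram shingles, the units the similarity fingerprint is built from."""
    w = text.lower().split()
    return {" ".join(w[i:i + n]) for i in range(max(1, len(w) - n + 1))}

def h64(salt, s):
    """Deterministic salted 64-bit hash of one shingle (truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(bytes([salt]) + s.encode()).digest()[:8], "big")

def fingerprint(text, size=64):
    """MinHash signature standing in for the comment's 'anti-hash': unlike a
    cryptographic hash it changes little when the text changes little."""
    return [min(h64(i, s) for s in shingles(text)) for i in range(size)]

def similarity(f1, f2):
    """Estimated Jaccard similarity of two documents from their fingerprints."""
    return sum(a == b for a, b in zip(f1, f2)) / len(f1)

def publish(docs):
    """Prover: per document publish a hash commitment (standing in for the ciphertext,
    which the key later opens) and its fingerprint; keep the nonces as openings."""
    nonces = [os.urandom(16) for _ in docs]
    public = [(hashlib.sha256(n + d.encode()).hexdigest(), fingerprint(d))
              for n, d in zip(nonces, docs)]
    return public, nonces

def verify(public, idx, nonce, plaintext, max_similarity=0.5):
    """Verifier: the challenged opening must match its commitment and fingerprint,
    and no two published fingerprints may be near-identical (the padding attack)."""
    commitment, fp = public[idx]
    if hashlib.sha256(nonce + plaintext.encode()).hexdigest() != commitment:
        return False
    if fingerprint(plaintext) != fp:
        return False
    fps = [f for _, f in public]
    return all(similarity(fps[i], fps[j]) <= max_similarity
               for i in range(len(fps)) for j in range(i + 1, len(fps)))

# Constructed sample documents (invented for this example, not real material).
HONEST = [
    "field report on convoy movement along the northern supply road in march",
    "cable summarising embassy discussion of regional water rights negotiations",
    "logistics memo listing spare parts requested by the forward repair depot",
    "after action review of a night patrol that encountered no contact",
]
BLUFF = [HONEST[0] + f" copy {i}" for i in range(10)]  # one document padded into ten
```

Against HONEST a random challenge verifies; against BLUFF the opening of any single copy is valid, yet the pairwise fingerprint check fails, which is exactly what the one-key reveal alone cannot detect.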

AtomicBDecember 5, 2010 4:42 AM

this is just silly :( we all know that with the amount of computational power the USG has they cracked that file within moments and are playing dumb. even a 256 key would EASILY be cracked with a bruteforce attack running multiple threads on multiple copies; there is still only a limited amount of keys to be used, albeit BILLIONS of them. they know what's in it, plain and simple.

ZeboDecember 5, 2010 5:02 AM

Re: "SO THEY JUST USIN` THIS FILE TO TRACK DOWN ORGANISATION AND KEY PEOPLE (SOURCES) AND HUNT `EM DOWN."

Well, it isn't illegal (yet). And if they go trying to make it illegal before a key is released we'll know right away that they're planning on shutting Wikileaks down somehow, and probably soon. It would tip their hand in advance.

And what would they do to make it illegal? "Downloading any files claimed to be encrypted copies of leaked secret State Department documents is now illegal." At that point, the number of red-herring files that will be claimed to be such will increase significantly. Or maybe they'll wait until the key is released then immediately pass a law that using the key to decrypt anything is illegal? Or warning us that they will pass such a law retroactively should the key be released? They'd have to come up with a pretty convoluted law to try to prohibit people from reading the text once a key is released, and even then the law would only apply to US citizens. Suppose then a non citizen decrypts the whole package and publishes it in a volume, or just downloadable as plain text. No, it's not illegal, and it's never going to BE illegal, for the plain reason that if it was illegal, such a law would be ineffective at keeping much of anyone from access to the info once the key is out.

But it does make one wonder about the advisability of putting all the eggs in one basket-- once the key is released, will they no longer need any insurance? Seems to me, there would be serious repercussions from the release of such a key, and they'd need even better insurance to protect against that. I suppose the Rubberhose filesystem would allow them to release bits at a time, or claim that there's more there that can continue to be released, etc., and no one will know exactly how much more is there.

Regarding one-time pads: I suppose they could always say that it is a OTP, and the pad for the first segment is a WAV file rip of the song Number 9 from the Beatles White Album, byte reversed. The second segment is the Ascii text of the Declaration of Independence. The third segment is the Windows REGSVR32.exe for XP SP3 version 9.1.2.3 (or whatever). No need to cart around 1.4GB OTP files at all, and they could release it a bit at a time.

PhiloDecember 5, 2010 6:20 PM

The problem with ASSange's logic (and that of his supporters) is assuming the US government cares. They do not, in the sense that there's anything they can do about it. I assure you they know what's there, whether they cracked the encryption or not.

But they know that the info's been widely distributed and are making the necessary changes to address any issues that might emerge from full disclosure.

There will be some future poo-poo'ing in the international press about things exposed, but so what? Life will go on, and the only thing this pasty skinned albino will have accomplished is to bring a gigantic, steaming load of law & regulation down on the interwebs.

Kind of ironic, isn't it?

MichaelDecember 6, 2010 7:36 PM

ok, even if he's protected from all the people that don't want all this info to see the light of day, the US, our allies, etc... What about the ones who do? Foreign governments, terrorists, you know, people who've killed more than just one guy for much less? didn't he just kinda screw himself?

SETIDecember 7, 2010 2:31 AM

http://english.farsnews.com/newstext.php?...
This whole story is a myth. Despite what clever Iranians think, insurance is not a trap by state departments.

"Farsnews", the news agency that spread this around in the first place, is a state-funded media outlet that has a reputation in Iran for making up stories based on conspiracy theories. It is not a reliable source in the eyes of Iranians themselves.

Insurance, whatever it is, is not a trap from state departments. I say don't waste your time even thinking about this probability!

PaulDecember 7, 2010 5:49 AM

I wish the US government would read the legislation that passed like they've read wikileaks documents to find out what we the people are finding out.

calimeloDecember 7, 2010 6:31 AM

a good plot. maybe they should make a movie about it.

if some of Assange's associates actually knew the decryption password it should have "leaked" by now in a website called "wikileakleak.con". correction: "com".

PatricDecember 7, 2010 2:03 PM

"Wikileaks published reams of documents with the unredacted names, even home addresses and relatives names, of Afghans who opposed Talliban, supported US or NATO, or in some way helped the current government. Collaborators."

Lie. Flat out, lie.

gagaDecember 7, 2010 7:20 PM

open a vm (vmware or any) disconnect it from the network,

and start decrypting, that will remove your doubts about the file...

gogoDecember 7, 2010 7:24 PM

i believe the key is already published, the answer is hidden inside the file... interesting,... i will have to download the insurance first...

eimacDecember 7, 2010 9:03 PM

I believe the point of the insurance goes to persist the stated goals of WL. The harshest penalty inflicted on WL would be the form where WL violates its own grounds of existence. That is, it would be the utmost failure to violate the trust of its sources. The sources keep them viable.

The insurance is probably a piece of data that links a source to a report, where this source has no choice but to protect the outing of this information.

And, the only way the threat can be useful is if the named source has the Insurance file.

So, my interest is in tracking the players involved. Who would be a likely source-wishing-not-be-named? Spin the wheel... which name gets the most votes..

johnDecember 8, 2010 8:10 PM


Or so I hear. Friend might be bluffing. I'm trying it when I get to my home pc.

fxDecember 9, 2010 5:50 PM

Has somebody published the hash value of the insurance file? A 1.4 GB file size isn't exactly a unique property...

damnedufoslolDecember 15, 2010 6:44 AM

I think the most interesting thing about this whole case is if the US government had nothing to hide: then it would just cut to the chase and spill the cables ahead of wikileaks... Problem solved.

that's the biggest part that scares me...
I'm a U.S. citizen... and if my government won't do it... I want my tax dollars back ;}

AntonDecember 17, 2010 8:32 PM

"I think the most interesting thing about this whole case, is if the us government had nothing to hide: Then it would just cut to the chase, and spill the cables ahead of wikileaks... Problem solved."

Leaves the door wide open for speculation. If even righteous honest people with no hidden agenda start siding with the Government, it must be a big time secret!

justmeDecember 18, 2010 11:33 AM

i have decrypted the file with AES and i know the password. i won't publish it here.. it will be foolish.. but i can say it's full of PDFs named .. let's take an example 148ufj9wjf9v.pdf .. this is just one of the Afghan war logs i've read. there are many of them in here after you decrypt it

justyouDecember 18, 2010 8:39 PM

@JUSTME...

Yes, I reckon you do have the password 'justme' and I also reckon your mum ironed your pants for you this morning.

What you getting for Christmas? Stabiliser for your bicycle...

ChuongJanuary 6, 2011 3:45 AM

Yeah, it's a bit odd. Wikileaks means exposing everything it receives from leakers...
So it sounds dumb to withhold the thing the leakers entrust Wikileaks to publish..
Just say the US Gov gives in and the "insurance" logically becomes "forever-secret"...
Thus what the hell would Wikileaks mean? It will be Wikisecret?
It's so dumb...if one trusts the philosophy of Wikileaks.. and open-society.

The TruthApril 1, 2011 6:28 AM

If it's about the secret book of Enoch, rockets, flying saucers and planes in the bible, the secret of the hollow earth and how all planets are hollow, how most regular sightings of UFOs are from the ones originating from beneath the earth (drones) and not from outer space, how there is existence of other life in the galaxy, the framed Saddam capture in a hole when he was drugged and placed there for the photo shoot, the real stargate technology that the US was looking for and not weapons of mass destruction but technology that Saddam was hiding since the Iraq UFO crash he recovered, the destruction of the World Trade Centre by the US government itself and not foreign nationals in order to gain international backing and the backing of the US people, the assassination of President Kennedy by the CIA in two groups of three snipers, HAARP, radiant zero point free energy, etc., then it's about time, cos we know what's going on and here might just be the confirmation of the fact that the US government is being run by the Nazis from WW2 through the pioneered influences of Rockefeller who infiltrated the US government way back.

MonkeeRenchOctober 31, 2012 7:51 PM

Wikileaks has no obligation to publish everything that is entrusted to them - they necessarily pick and choose according to their purposes and hopefully to protect the at-risk innocent of or those personal excesses irrelevant to their purposes.

The files of insurance.aes256 could conceivably comprise those files formerly rejected from the purpose-motivated releases, but which could be highly personally devastating to prominent elite individuals. Indeed sending such elitists the private key with directions on finding their particular peccadillo files could be a highly influential tactic.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..