Bunnie Huang’s Plausibly Deniable Database

Bunnie Huang has created a Plausibly Deniable Database.

Most security schemes facilitate the coercive processes of an attacker because they disclose metadata about the secret data, such as the name and size of encrypted files. This allows specific and enforceable demands to be made: “Give us the passwords for these three encrypted files with names A, B and C, or else…”. In other words, security often focuses on protecting the confidentiality of data, but lacks deniability.

A scheme with deniability would make even the existence of secret files difficult to prove. This makes it difficult for an attacker to formulate a coherent demand: “There’s no evidence of undisclosed data. Should we even bother to make threats?” A lack of evidence makes it more difficult to make specific and enforceable demands.

[…]

Precursor is a device we designed to keep secrets, such as passwords, wallets, authentication tokens, contacts and text messages. We also want it to offer plausible deniability in the face of an attacker that has unlimited access to a physical device, including its root keys, and a set of “broadly known to exist” passwords, such as the screen unlock password and the update signing password. We further assume that an attacker can take a full, low-level snapshot of the entire contents of the FLASH memory, including memory marked as reserved or erased. Finally, we assume that a device, in the worst case, may be subject to repeated, intrusive inspections of this nature.

We created the PDDB (Plausibly Deniable DataBase) to address this threat scenario. The PDDB aims to offer users a real option to plausibly deny the existence of secret data on a Precursor device. This option is strongest in the case of a single inspection. If a device is expected to withstand repeated inspections by the same attacker, then the user has to make a choice between performance and deniability. A “small” set of secrets (relative to the entire disk size, on Precursor that would be 8MiB out of 100MiB total size) can be deniable without a performance impact, but if larger (e.g. 80MiB out of 100MiB total size) sets of secrets must be kept, then archived data needs to be turned over frequently, to foil ciphertext comparison attacks between disk imaging events.

I have been thinking about this sort of thing for many, many years. (Here’s my analysis of one such system.) I have come to realize that the threat model isn’t as simple as Bunnie describes. The goal is to prevent “rubber-hose cryptanalysis,” simply beating the encryption key out of someone. But while a deniable database or file system allows the person to plausibly say that there are no more keys to beat out of them, the perpetrators can never be sure. The value of a normal, undeniable encryption system is that the perpetrators will know when they can stop beating the person—the person can undeniably say that there are no more keys left to reveal.

Tags: , , , , ,

Posted on February 10, 2022 at 6:13 AM28 Comments

Comments

John February 10, 2022 6:31 AM

hmmm….

Seems to me we are seeing an interesting recent example with a certain [former?] Asian tennis star.

John

Alan February 10, 2022 6:33 AM

I’ve also been thinking about this for a while. IMO, it is essentially impossible for one person by themselves to keep themselves and their property secure. At the end of the day, we rely on others and society or the government to help us. The only successful models will have to account for how others might help us, and how they might be used to compromise us (i.e., used to extract a ransom). It is not an easy problem and one that people have been grappling with for many years.

null clam February 10, 2022 7:17 AM

Perhaps some plausible wiggle room to stash secret stuff could be had by pretending to be confused about MB and MiB. Everyone is confused anyway, actually.

Scott February 10, 2022 7:19 AM

Just don’t submit a paper on it, to RSA. All you’ll get is ridicule and contempt from some jackass that didn’t even read the paper. There are several public proof-of-concepts but it doesn’t matter. Everything is snake oil..
Unless you wear a bow tie.

Denton Scratch February 10, 2022 9:06 AM

“Plausible deniability” isn’t plausible unless the data can be plausibly passed-off as something else – e.g. executable software, playable video, an email repository. “Play that video, or I’ll keep whacking you with this $2 wrench.”

So that means steganography. I suppose you could take a backup of an innocent filesystem, and hide bits of ciphertext in things like filesystem flags. But you’d need a lot more innocent data than the amount of ciphertext you want to hide.

Booji Boy February 10, 2022 9:09 AM

I thought this level of protection was handled with a database that takes two passwords, one that decrypts fake but plausible data, while the fake and real data overlap cryptographically so the final size isn’t far off.

Clive Robinson February 10, 2022 9:19 AM

@ Bruce, Other usual suspects,

I have been thinking about this sort of thing for many, many years.

Yup… It’s a good thing to occupy the mind when taking a soak in the tub or doing something else, where the conscious brain would be otherwise not needed.

Bunnies system like most is doomed to fail because it’s a “two player game”. Worse it assumes denial is sufficient it’s not.

As @Bruce indicates,

But while a deniable database or file system allows the person to plausibly say that there are no more keys to beat out of them,

The question has to be asked if they have started applying preasure, what would make them stop?

Denials would not be enough, history has many examples of both judicial and extradicial behaviours going on effectively indefinately. To stop the preasure once it has started you actually have to do two things,

1, Provide proof you do not have access to the “secret”.
2, Provide the identity of the person who does have access to the secret.

Anything less and the preasure will continue whilst the resources are available to the interogators who are applying the preasure.

If you think that unprovable denial will get you your freedom, take a look at Gitmo… Or how about “Special Administrative Measures”(SAM) where a “political post holder” is the only decider of your freedom. But oh so many more people to find reason to put more preasure on by way of say toothpaste with an expired date.

Deniability requires at least three parties in the game,

1, The interogated.
2, The interogators.
3, The scapegoats.

The interogated also requires,

4, An absolute “proof”

That even an idiot can understand, with further proof,

5, They can not access the secret.
6, They could never have known the secret.

Knowing these six things then you can start thinking about designing a system.

The big problem is the sixth, in effect you are trying to prove a negative and that can be just a tads imposible to do.

Oh and those that think you can hide signals in noise forget it, it does not work when the noise can be regenerated. Which means you can not use any kind of determanism, or truely random twice ir more. And that is very difficult with the human mind and it’s very very limited capacity for remembering things[1].

Yes you can design a deniable system under certain constraints I’ve described one. But there is no way it is going to stop the interogators carrying on “checking” or “keeping you from talking” indefinately…

The trick and it’s a hard one is never come to an interrogators attention.

There are systems you can design and I’ve described a couple that will assist you in that. But you have the problem of “second party betrayal”… Again there are ways out and I’ve described some, but the chances of you and the second party maintaining the required OpSec is so small you can effectively say “not possible for me or them”.

[1] Take a password/phrase, for various reasons six to eight charecters are about the limit for the equivalent of a PIN. Brut forcing that is not that difficult when you have everything else and can do things many times faster or in parallel.

Winter February 10, 2022 9:27 AM

@Clive
“Anything less and the preasure will continue whilst the resources are available to the interogators who are applying the preasure.”

This problem was solved with safe-boxes in banks and stores: Time-delay locks. It is physically impossible to open a safe before a certain delay, or before a certain time.

The same would work with, say, a multiple key setup where a number of people have to enter a secret key in a certain order or at a certain time delay to allow access to a resource.

Just to heat up the current discussion, you could encode that into a blockchain contract. 😉

Chad February 10, 2022 10:00 AM

Winter introduces an interesting solution to this concept applied to another related realm of information storage (sp. safe-deposit-boxes, safes, physical lock mechanisms).

This problem was solved with safe-boxes in banks and stores: Time-delay locks. It is physically impossible to open a safe before a certain delay, or before a certain time.

Perhaps adapting the solution set as he/she suggests is a worthwhile avenue to pursue. In both the safe deposit and any type of “lock”, there is a universal requirement that the person(s) that possess the key(s) are co-located with the object that is being unlocked. In this manner, maybe we would require that the person(s) presenting the key(s) be present with the thing being unlocked. Be that a database, application, or other. Sort of like a “terminal zero” situation. This would obviously be for the most important secrets.

Moxieman February 10, 2022 10:23 AM

Didn’t TrueCrypt have something similar to this for deniability?

Speaking of — was it shown that the NSA forced Truecrypt’s keepers to crack it? I never did find a good substitute for Truecrypt.

Winter February 10, 2022 10:33 AM

@Moxieman
“I never did find a good substitute for Truecrypt.”

Veracrypt:
ht-tps://www.veracrypt.fr/en/Home.html

(please make sure you get it from a trusted source)

Here is the audit, for whatever an audit is worth:
ht-tps://ostif.org/the-veracrypt-audit-results/

Ted February 10, 2022 10:37 AM

At this point, I am a little confused about this project. Does publishing its details draw attention from law enforcement agencies like the FBI?

Also does linking the Precursor device to PDDB mark it for just the kind of inspection it seeks to avoid?

You would surely hope that the people who want any data on the device are experts in forensics and lawful acquisition – including the type of lawful acquisition that prevents rubber-hose cryptanalysis.

JonKnowsNothing February 10, 2022 10:42 AM

@Clive, @Winter, @All

re: The Key Wrench Removal Scheme

As Clive indicates, passing “deniable or real” data is not the point of Key Wrench Key Removal Schemes and giving the interrogators information isn’t the point either.

Every torture victim and perpetrator knows: The Wrench Doesn’t Stop Here.

A good read is: Mohamedou Ould Slahi memoir “Guantánamo Diary” January 2015.

Synopsis:

He had nothing to tell them [USA/Gitmo/Torturers] but they continued the torture anyway. In order to preserve his own life he had to make up something, which he did.

  If your buying, I’m selling…

There are other equally informative and recent books about the same interrogation methods.

Truth, Part Truth, Fiction have the same results.

A Safe Box is only as safe as the location, and the coordinates of the location is only as safe as the interrogators Key Wrench Removal Schemes.

Switzerland was considered a Safe Box location. They did prosecute and arrest an employee who discovered boxes of incriminating material both financial and criminal which had been directed to be destroyed. He carted some of the evidence to another “safe box” and The Swiss Banks were Most Annoyed after it was disclosed.

Plausible Deniability depends on the “integrity” of the interrogators based on the supposition that the interrogator will stop IF they hear something they like and there isn’t much chance of that. The Reid interrogation technique requires less Wrench, using PALS,SWELLS & LOADED QUESTIONS and gets similar results. (1)

It’s also highly dangerous to have such interaction with law enforcement in the USA. For the most part you do not have to talk to them but if you do talk you better be 100% sure you know the impacts of anything you say. A decent lawyer will tell you to STFUp.

===

1) An entertaining example of the Reid Technique can be seen in the first MATRIX movie.

and you… help your landlady carry out her garbage…

null clam February 10, 2022 10:57 AM

If someone is interested in some information, they are going to treat the problem not academically but practically, and will have their own hypotheses, intuitions, and reasonings, right or wrong. Subject to their own economic limits, and the importance of the information to their cause, they can be expected to be intelligent, and won’t stop and will escalate the rigor of the inquiry until they convince themselves that they have a satisfying analysis. Plausible databases, tricky double keyed and double timed locks etc. will be no more than gimmicks to them. Of course they may not even be really interested in the information but just want to make a point.

Q February 10, 2022 11:54 AM

I think that carry one of those PDDB boxes around is like wearing a flashing neon sign saying “look at me, I have secrets to hide”. So if you are going to advertise that you have secrets then you might as well use something more normal, that can blend in much easier.

LUKS, with its plain text header, might be another option. The header is obvious, you can’t hide that, so don’t even try. Instead …

LUKS supports 8 passphrase slots. Each passphrase is intended to encrypt the same master key that opens the data. But instead of using it as intended, have one (or more) slot(s) with a “decoy” passphrase that encrypts the “wrong” random master key. So the unlocked data is just more random data.

Have at least one of the slots encrypt the real master key, otherwise your data is really lost.

If questioned why the data is nonsense then say the data has been destroyed with a random wipe, or the FS hasn’t been initialised yet, or it got corrupted during the last crash and you need to make time to figure out how to fix it.

If someone looks deeper with a HDD hex viewer and you are questioned what the other passphrase slots are for, say those passphrases are for your boss/co-workers/spouse/etc. and that you don’t know what those passphrases are, go ask them for their passphrases.

But it depends on the threat model. It might be fine for crossing an international border. Maybe not so fine if the Mafia are keen to get your data. But at least you have the choice to give which of the passphrases you feel is appropriate for the situation.

Mexaly February 10, 2022 12:16 PM

If someone is being tortured, the value of their life to the torturer, is the undisclosed information.
When the torturer thinks they have it all, the tortured becomes disposable.

Winter February 10, 2022 12:26 PM

@JonKnows
“Every torture victim and perpetrator knows: The Wrench Doesn’t Stop Here.”

You are only “safe” if the attackers know for sure that you cannot give the data. Like in the time-lock.

With a time-lock, it is of no use to torture or kill people. You will have to break open the safe by force, or wait. Multi key cryptography works the same. You need enough keys, or decryption falls back to brute force. No use killing or torturing people.

If you can acces the valuables makes you vulnerable.

PS: related, I heard a story of a jeweler that locked his merchandise in a safe-box in his car outside. He rather had thieves blow up his car than entering his house to force their way to the valuables.

Sofa February 10, 2022 2:41 PM

Seems 1Password has an idea too, Travel Mode:

Travel Mode removes vaults from your computers and mobile devices, except those you mark as safe for travel.

Sofa

JonKnowsNothing February 10, 2022 4:02 PM

@Winter, @Mexaly, @All

re:
@M: If someone is being tortured, the value of their life to the torturer, is the undisclosed information. When the torturer thinks they have it all, the tortured becomes disposable.

@W: You are only “safe” if the attackers know for sure that you cannot give the
data. Like in the time-lock.

You might have missed the manual on torture. (1) The US Army provides one to South American Military on a regular basis. They take it home and make their own improvements.

1) The torturer does not know that you have disclosed all the information.

The presumption of guilt precludes them from saying “Oh right, after that last waterboard we got it all…. “.

2) The value of torture is in the act, not in the information gained.

The victim can be anyone, anywhere, from any group, sex, religion or age. The act is indifferent to the victim. The techniques may change by gender but they are tried and true over centuries. Negotiation has a dismal record of success. (2)

===

1) Search Terms for Wikipedia:

  • Western_Hemisphere_Institute_for_Security_Cooperation
  • Army_Foreign_Intelligence_Assistance_Program
  • U.S._Army_and_CIA_interrogation_manuals

2) Wikipedia has some excellent entries on historical events of King Edward II of England, Isabella of France, Roger Mortimer 1st Earl of March, and Hugh Despenser the Younger. An important period for Scotland: the Battle of Bannockburn under Robert the Bruce.

WARNING: It takes a pretty strong stomach to read the details of the period and some of the art from that period may be disturbing, even though factual.

Clive Robinson February 10, 2022 4:32 PM

@ Q, ALL,

So if you are going to advertise that you have secrets then you might as well use something more normal, that can blend in much easier.

Quite some time ago now there was a conversation on this blog between @Figueritout and myself about optical data diodes.

The “comercial versions” of such things are clearly “network-kit” with significant indications they are a security product. They also have a habit of coming in 19″ (~0.5metre wide) racks at a price tag high enough to make the average bank account wince. So they are a huge “Red Flag” to anyone looking into your effects.

Now the thing about optical data diodes is if you set them up correctly they give very strong “galvanic issolation” because they can use a length of optical fiber and two independent powersupplies that can be safely run on different “Power Phases”[1]. They also stop “ground loops” and “EM pickup” and much else that plagues low voltage signal cables, especially those used for audio work.

Knowing this tells you why in “musical studios” they try to have as much galvanic issolation as possible. One way they do this is with the Optical version of S/PDIF over TOSLINK. You can by ready made interfaces for as little as $20 in a box that looks like semi-pro audio equipment and importantly is advertised for high end Home entertainment / semi-pro and home audio studios[2]…

But… You can also use them for the transmission of high rate RS-232C that you can get out of those FTD232 USB-Serial interfaces.

So with just a smidgen of “out of the box” thinking you have cheep readily available very standard parts that with next to no effort become a reliable data diode (run “Serial Internet Protocol”(SIP) or PPP if you want to do networking). But all the parts are innocent “non security” items that either don’t attract attention or very minimal attention…

If you are traveling abroad and have advance booked a room, you can usually get such stuff sent to the hotel you will be staying in, in advance of your arival so even avoid having to chat to “customs” etc.

Oh and as the inside of such boxes is so simple[3], it’s hard –but by no means impossible– for a SigInt agency to put “implants in”.

[1] Most power in large buildings is drawn from a “three phase supply” with each floor on a different phase to give “load equalisation”. The problem is neutral is not ground but many assume it is. The voltage difference can easily be more than the 30V needed to kill you if the current is not limited (old US electrician saying “It’s the mils that kill and the volts that jolt”). Whilst the US tends to current limits which are hard to set, the EU goes with voltage limits that are easy to set, maintain, and measure continuously. It’s basically not possible to current limit the voltage difference on the neutrals in real life so not just shock but fire hazard… With computer networking being a “whole building” issue galvanic issolation between phases is therefore important.

[2] Just one of many low cost commercially made units,

https://www.studiospares.com/studiospares-red507-toslink-spdif–aesebu-converter_465760.htm

[3] There are very many examples up on the Internet, some abuse things and just use a resistor and the LED in the Toslink opto-coupler others use a couple of inverters in the 74HC series TTL as a buffer. Any way one example of an S/PDIF to Toslink transmit converter,

http://www.taligentx.com/projects/opticalconverter/

Winter February 11, 2022 1:43 AM

@JonKnows
“The presumption of guilt precludes them from saying “Oh right, after that last waterboard we got it all…. “.”

The point is to prevent them even trying to extract the information as they know you do not have it. After they started torturing, it is not always (never?) likely that they will let you go whatever the outcome.

And I am perfectly aware that torture is part of a rule of terror and does not have to result in “information” or any other benefits apart from terror. But in such cases, whether or not you have the information is irrelevant anyway.

FA February 11, 2022 4:44 AM

@CLive

Serial Internet Protocol (SIP)

You probably meant the Serial Line Internet Protocol (SLIP).
The Session Initiation Protocol (SIP) is something entirely different.

You can also run UDP/IP over a unidirectional link. For point to point you don’t need ARP or DNS.

SPDIF sound cards provide at least 2 Mb/s. Some can do 96 kHz sample rate and full 24 bits, providing around 4.5 Mb/s.

One level up is ADAT which uses the same optical links but provides 8 audio channels or ~9 Mb/s. And then there is MADI with 64 channels or ~73 Mb/s.

Some ADAT sound cards are relatively cheap, and ADAT is used in many ‘semi pro’ systems. MADI hardware will be expensive and more difficult to ‘explain’.

null clam February 11, 2022 5:42 AM

@ Winter @ JonKnowsNothing

a jeweler that locked his merchandise in a safe-box in his car

The old professor in Akira Kurowsawa’s film “Madadayo” [1] used an amusing, different, approach to encourage thieves not to destroy his house. (Spoiler alert: there is no spoiler.)

  1. xyzzy://en.wikipedia.org/wiki/Madadayo

Clive Robinson February 11, 2022 6:56 AM

@ FA,

You probably meant the Serial Line Internet Protocol (SLIP).

Yes… You know the sad thing, back in the early 1990’s I must have written ten or eleven implementations for various embedded systems.

One advantage of SLIP is “it should” make the lightweight end simpler, in that the heqvyweight end is supposed to buffer, de-duplicate and correctly order packets. The down side is the lightweight end is not supposed to open more than one stream at a time though that changed with CSLIP. But come the mid 90’s the world moved on as IP was not enough). So we went to “Point to Point Protocol”(PPP) which is still routinely in use (from memory the shift happened as soon as 16bit CPUs and more than 64k of RAM became available at sensible pricing).

One level up is ADAT which uses the same optical links but provides 8 audio channels or ~9 Mb/s. And then there is MADI with 64 channels or ~73 Mb/s.

Yes ADAT “Lightpipe” does work at the physical layer but even the lowest data protocols are incompatible to S/PDIF. Which can cause confusion, as “simple interfaces” will do both but more complex interfaces won’t. But at higher data rates “simple interfaces” for Toslink start getting increasingly complicated.

Toslink was originally designed for 3Mb/s tops, but later it was extended to 40 times that at over 120Mb/s. Which means capacitance is one ever present issue rounding edges etc and 74HC especially ordinary inverters are not officially upto the task though if you drive the diode differentially with some capacitive bypass on the current limit resistor it usually works (likewise adding an anti parallel diode across the optical diode).

The correct solution is to use a driver chip of which there are several you can chose from these days, but the price goes up…

But the “consumer” side of things has also been “pushed” into HDMI by IP owners[1] like Warner Bros, as it in theory stops piracy at that level by the use of HDCP. Though it does not stop people due to various failings by Intel, who did some fairly dumb things, that have long been known to fail and fail hard usually to full break, as has happened with HDCP in several ways. ..

[1] Ed Felten has penned a couple of caustic comments about HDMI, when the “master key” of HDCP was released via twitter and pastebin. Firstky that HDCP was,

“less a security system than a tool for shaping the consumer electronics market.”

And

“…the main practical effect of HDCP has been to create one more way in which your electronics could fail to work properly with your TV”

Both quite true, and Intel threatening litigation left right and center has not realy helped as it turned into a “red cheek event” for them and Warnet Bros[2]…

[2] A Chinese company makes products that “downgrade” higher numbered standard versions which have had some security fixes, to lower numbered where they have not been fix. A court case was brought and promptly dropped when the company pointed out that such downgrading was part of the HDCP agreement so they were behaving legitimately…

https://www.techdirt.com/articles/20160105/06462433245/warner-brothers-intel-begin-futile-legal-assault-to-defend-ultra-hd-4k-drm.shtml

Then came the push back against Intel and Co, pointing out the same things Ed Felton has, and in essence accused Intel/WB of running an illegal cartel to force consumers into endless and needless expensive upgrades and damage of reputation,

https://www.digitaltrends.com/movies/legendsky-counterclaim-warner-bros-digital-content-protection/

I must admit I did shed some tears over Intel/WB’s predicament, but they were caused by mirth.

FA February 11, 2022 10:53 AM

@CLive

… up to 120 MHz… which means capacitance is one ever present issue rounding edges etc and 74HC especially ordinary inverters are not officially upto the task

Unless you want to have these sort of speeds, there is no need to go down to the hardware level. You can just use e.g. the MiniDSP ADAT cards as they were intended to be used: as audio devices at both ends. There is no audio processing (not even gain controls) going on at all, so you get a bit for bit copy at the receiver.

Chris Drake February 15, 2022 11:19 PM

Who, besides someone hiding multiple things, would use a PDDB? Surely it’s worse to be using one, than not? It guarantees you’ll attract extra scrutiny in the first place, and guarantees that when you are “rubber hosed”, it’s not going to end until you’ve at least revealed two sets of data, (and any third/fourth set, depending on the capabilities of the PDDB and your resistance to pain…)

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.