[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pgp-stealth (Re: Chosen-ciphertext attack on receiver anonymity)

To: Brent Waters <bwaters@xxxxxxxxxxxxxxxxxxx>
Subject: pgp-stealth (Re: Chosen-ciphertext attack on receiver anonymity)
From: Adam Back <adam@xxxxxxxxxxxxxxx>
Date: Wed, 20 Jul 2005 16:08:26 -0400
Cc: ietf-openpgp@xxxxxxx, hal@xxxxxxxxxx, Adam Back <adam@xxxxxxxxxxxxxxx>
In-reply-to: <Pine.LNX.4.62.0507121601450.16898@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
References: <E1Dpdsf-0002LZ-00@xxxxxxxxxxxxxxxxxxxxxxxxxx> <200507051220.32079.iang@xxxxxxxxxxxxx> <fbf357ef184dcd9d3b0b658099749301@xxxxxxxxxx> <Pine.LNX.4.62.0507121601450.16898@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx
User-agent: Mutt/1.4.1i

There was some work done on this as a filter to pgp (2.x) called
pgpstealth [1].

Basically it should be able to make a reversible transformation where
the output has unbiased rectangular distribution throughout (for both
key-transport, and remove any boilerplate).

openpgp has become a bit more complex since pgp2x but I think there
are potential customers for this -- as input to steganography
programs.

There was some discsussion a long time ago now in the context of the
feature under discussion here of whether pgpstealth-like functionality
could be added as a builtin feature of a pgp implementation.  

As an external filter I'm not sure the 0x000... or short keyid would
really help the transformation because the transformation has to
anyway be wrt a specific key.  ie so you're actually trying each key
with a trial transformation so it would actually hook either
externally where the empty keyid picks a key, does trial
transformation, tries to decrypt, fails, skips to the next keyid in
the keyring.

Of course there are also other potential uses for hiding the recipient
-- broadcast of a message (eg to alt.anonymous.messages), where the
recipient is by prior arrangement scanning for messages he can
decrypt.

Anyway pgp-stealth is at present a bit of an orphan project.  It might
be interesting / useful to update it as a standalone filter working
with openpgp or re-write it as a gnupg extension, or something like
that.

Adam

[1] http://www.cypherspace.org/openpgp/stealth/

On Tue, Jul 12, 2005 at 04:18:20PM -0700, Brent Waters wrote:
> 
> It seems from everyone's comments that there is a desire/need to complete 
> this particular RFC, which makes sense.
> 
> I do think, however, that it would also make sense to eventually define an 
> encryption standard that has "Key-Privacy" built in. I think the norm 
> should be for the ciphertext not to reveal the receiver's identity. If 
> an application wishes to do so they can always tag the ciphertext with the 
> identity and an application that does not wish to do so is not forced to.
> 
> Anyway, if anyone has interest furthering this idea on a different venue 
> let me know.
> 
> -Brent
> 
> 
> 
> On Wed, 6 Jul 2005, Jon Callas wrote:
> 
> >>
> >>Right, that's what I feared.  Has anyone actually
> >>implemented it *and* seen a benefit out in the field?
> >>
> >>
> >
> >I think we should leave it the way it is.
> >
> >Sorry. I want to put this RFC to bed, and that means we have to stop 
> >making tweaks.
> >
> >	Jon
> >
> >

References:
- Re: Chosen-ciphertext attack on receiver anonymity
  - From: Peter Gutmann
- Re: Chosen-ciphertext attack on receiver anonymity
  - From: Ian Grigg
- Re: Chosen-ciphertext attack on receiver anonymity
  - From: Jon Callas
- Re: Chosen-ciphertext attack on receiver anonymity
  - From: Brent Waters

Prev by Date: Re: Section 5.2.3 of latest draft: bis14.
Next by Date: Re: Section 5.2.3 of latest draft: bis14.
Previous by thread: Re: Chosen-ciphertext attack on receiver anonymity
Next by thread: Re: Chosen-ciphertext attack on receiver anonymity
Index(es):
- Date
- Thread