One thing sadly lacking from all current PGP implementations is the ability
to reveal the contents of _some_ messages encrypted to you, without handing
over the secret key. This is most important as damage limitation when
ordered by a court of law to reveal certain messages. [The most
pathological case is where Mallory has generated those messages himself,
merely to persuade the courts to force you to hand over your privacy key.]
What is required is:
1) The format of a Message Revelation certificate, which provides the
information necessary to decrypt a message. Probably it should be the PKE
plaintext information rather than merely the session key, so that the PKE
operation for the relevant SKE packet can be verified.
2) Implementations to generate these packets as required, and to verify the
packets and decrypt messages with them.
Whereas all this is possible within the PGP framework, it is not possible
with any existing implementations. Any PGP user subject to a court order
to provide someone else with the facilities to decrypt certain messages
would (with current implementations) have to hand over the secret key to
comply. I think this is highly unsatisfactory.
There are a number of other advantages to this approach. Notably,
Mallory has to give Alice copies of (or at least the SKE packets of) any
messages that he is demanding that Alice decrypts. This at the very least
enables her to know that these messages exist. [Consider the case where
Mallory has intercepted the message and prevented its delivery.] Currently,
however, it would tell Alice very little about the message beyond its
existence. Accordingly, for RSA encryption at least, I propose a
modification to the DEK plaintext that contains the session key. Currently
this is largely random, containing over a hundred bytes of nonce
(for a 1024-bit key). If part of this nonce was replaced by sender ID,
timestamp and similar data, then Alice would at least learn who had sent
the message (Bob) and when. They might then have the opportunity to contact
Bob to ask for retransmission and warn of the interception.
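As an added example (not from this post or from any PGP implementation), a toy model of both points above: the revelation certificate carries the whole PKE plaintext, so anyone holding only Alice's public key can check it against the SKE packet's RSA value, and the sender ID and timestamp sit inside the nonce region. It assumes textbook RSA with PGP-style type-2 padding, a SHA-256 keystream in place of the real symmetric cipher, and a constructed key built from two public Mersenne primes (so it offers no secrecy by design).

```python
# Constructed toy model (not PGP packet syntax, not any implementation's code):
# textbook RSA, PGP-style type-2 padding (00 02 | nonce | 00 | key) and a
# SHA-256 keystream in place of the symmetric cipher. The key uses the public
# Mersenne primes 2^521-1 and 2^607-1, so it gives no secrecy, only the math.
import hashlib, os

P, Q, E = (1 << 521) - 1, (1 << 607) - 1, 65537
PUB = (P * Q, E)                               # (n, e): Alice's public key
PRIV = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))  # (n, d): never leaves Alice

def block_len(n):
    return (n.bit_length() + 7) // 8

def build_block(pub, session_key, sender_id, timestamp):
    # PKE plaintext. Per the proposal, sender ID and timestamp replace part of
    # the random nonce, so a revealed block also tells Alice who sent it and when.
    tag = b"%s|%d|" % (sender_id, timestamp)       # contains no zero bytes
    pad = block_len(pub[0]) - 3 - len(tag) - len(session_key)
    nonce = bytes(b or 1 for b in os.urandom(pad)) # type-2 padding: nonzero bytes
    return b"\x00\x02" + tag + nonce + b"\x00" + session_key

def pke_encrypt(pub, block):                   # the RSA operation of the SKE packet
    return pow(int.from_bytes(block, "big"), pub[1], pub[0])

def reveal(priv, c):                           # Alice's revelation certificate: the
    n, d = priv                                # whole PKE plaintext, not just the key
    return pow(c, d, n).to_bytes(block_len(n), "big")

def stream_xor(key, data):                     # toy symmetric cipher for the body
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def verify_and_decrypt(pub, c, block, body):
    # Holder of the certificate has only the public key: re-encrypting the
    # revealed block must reproduce c, which a bare session key could not prove.
    if block[:2] != b"\x00\x02" or pke_encrypt(pub, block) != c:
        return None
    sep = block.index(b"\x00", 2)
    sender, ts = block[2:sep].split(b"|")[:2]
    return sender, int(ts), stream_xor(block[sep + 1:], body)

def demo():                                    # Bob -> Alice, then Alice reveals
    key, msg = os.urandom(16), b"meet at noon"
    c = pke_encrypt(PUB, build_block(PUB, key, b"bob@example.test", 1700000000))
    body = stream_xor(key, msg)
    cert = reveal(PRIV, c)                     # Alice hands over cert, never PRIV
    tampered = cert[:-1] + bytes([cert[-1] ^ 1])
    return verify_and_decrypt(PUB, c, cert, body), verify_and_decrypt(PUB, c, tampered, body)
```

With this key the block is 141 bytes, leaving over a hundred bytes of nonce once the 16-byte key and a short sender tag are placed, which is the space the proposal would reuse.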
As a system administrator considering cryptography requirements for my
employers, I see facilities of this type as vital. Indeed I would
consider it a prerequisite for the enabling of any CMR facility.
Otherwise misbehaviour by any one employee might result in the
compromising of the CMR key.
Ian
--
Ian_Miller(_at_)bifroest(_dot_)demon(_dot_)co(_dot_)uk FAI-D10204
PGP Fingerprint: 2A20 4610 E596 2740 91B1 95BA CAD3 BC14
Replies in German would be welcome.