ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

pgp-stealth (Re: Chosen-ciphertext attack on receiver anonymity)

2005-07-20 13:08:37
from [Adam Back] [Permanent Link] 

There was some work done on this as a filter to pgp (2.x) called
pgpstealth [1].

Basically it should be able to make a reversible transformation where
the output has unbiased rectangular distribution throughout (for both
key-transport, and remove any boilerplate).

openpgp has become a bit more complex since pgp2x but I think there
are potential customers for this -- as input to steganography
programs.

There was some discsussion a long time ago now in the context of the
feature under discussion here of whether pgpstealth-like functionality
could be added as a builtin feature of a pgp implementation.  

As an external filter I'm not sure the 0x000... or short keyid would
really help the transformation because the transformation has to
anyway be wrt a specific key.  ie so you're actually trying each key
with a trial transformation so it would actually hook either
externally where the empty keyid picks a key, does trial
transformation, tries to decrypt, fails, skips to the next keyid in
the keyring.


Of course there are also other potential uses for hiding the recipient
-- broadcast of a message (eg to alt.anonymous.messages), where the
recipient is by prior arrangement scanning for messages he can
decrypt.

Anyway pgp-stealth is at present a bit of an orphan project.  It might
be interesting / useful to update it as a standalone filter working
with openpgp or re-write it as a gnupg extension, or something like
that.

Adam

[1] http://www.cypherspace.org/openpgp/stealth/


On Tue, Jul 12, 2005 at 04:18:20PM -0700, Brent Waters wrote:


It seems from everyone's comments that there is a desire/need to complete 
this particular RFC, which makes sense.

I do think, however, that it would also make sense to eventually define an 
encryption standard that has "Key-Privacy" built in. I think the norm 
should be for the ciphertext not to reveal the receiver's identity. If 
an application wishes to do so they can always tag the ciphertext with the 
identity and an application that does not wish to do so is not forced to.

Anyway, if anyone has interest furthering this idea on a different venue 
let me know.

-Brent



On Wed, 6 Jul 2005, Jon Callas wrote:



Right, that's what I feared.  Has anyone actually
implemented it *and* seen a benefit out in the field?




I think we should leave it the way it is.

Sorry. I want to put this RFC to bed, and that means we have to stop 
making tweaks.

    Jon
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Section 5.2.3 of latest draft: bis14., "Hal Finney"
Next by Date:  Re: Section 5.2.3 of latest draft: bis14., Jon Callas
Previous by Thread:  Re: Chosen-ciphertext attack on receiver anonymity, Brent Waters
Next by Thread:  Re: Chosen-ciphertext attack on receiver anonymity, Brent Waters
Indexes:  [Date] [Thread] [Top] [All Lists]