Chaffinch: Confidentiality in the Face of Legal Threats

1
Chaffinch: Confidentiality in the Face of Legal Threats
  • Richard Clayton and George Danezis
  • Computer Laboratory
  • University of Cambridge

2
Threat Model: Compulsion
  • An adversary that can compel users to reveal
    encryption keys or content of messages. She is
    also a passive observer and knows when
    communication occurs.
  • We need a channel which offers secrecy
  • Without using any encryption primitives.
  • Allowing users to plausibly deny that any
    messages except for a cover message are present
    in the communications.

3
What does Chaffinch offer?
  • A communication channel
  • Confidentiality.
  • Multiple messages entangled together.
  • The ability to deny the existence of messages.
  • Only uses authentication primitives.
  • A real, engineered system
  • Worked out design beyond proof of concept.
  • Working implementations in C and Java.

4
How does it work?
[Diagram labels: Message A; Message B; Data; Authenticator (Secret A); Secret B; "Interleave messages randomly with noise (preserving order)"; Chaffinch Message]
  • Original idea from Chaffing and Winnowing
  • Uses a random number generator to generate
    the authenticator (instead of MAC)
  • Secrets are shared between senders and
    receivers.
5
Decoding or Attacking
  • The decoder knows the shared secret.
  • It identifies the correct authenticators by
    running the RNG, and selects the pieces.
  • Puts the pieces back together, decodes and checks
    hash.
  • The attacker does not know the secret.
  • It needs to select the correct sequence of parts,
    and put them back together.
  • Needs to try exponentially many.
  • Shortcuts ...
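
An added sketch of the encode and select steps from slides 4 and 5; it is not the Chaffinch C or Java code. Assumptions: SHA-256 over a counter stands in for the RNG, the length/hash framing and the section sizes are constructed, and the pre-transform of slide 6 is omitted, so data sections here are not noise-like.

```python
import hashlib
import itertools
import secrets

TAG_LEN = 4  # authenticator bytes; big enough that greedy selection works
BLOCK = 4    # data bytes per section (constructed toy size)

def tag_stream(secret):
    """Deterministic authenticator sequence derived from the shared secret.
    SHA-256 over a counter stands in for the slides' RNG (assumption)."""
    for i in itertools.count():
        yield hashlib.sha256(secret + i.to_bytes(8, "big")).digest()[:TAG_LEN]

def split(secret, msg):
    """Frame msg as length || msg || hash (msg <= 255 bytes), cut into sections."""
    body = bytes([len(msg)]) + msg + hashlib.sha256(msg).digest()[:4]
    body += secrets.token_bytes(-len(body) % BLOCK)  # pad the final section
    tags = tag_stream(secret)
    return [(body[i:i + BLOCK], next(tags)) for i in range(0, len(body), BLOCK)]

def encode(messages, noise_sections):
    """Interleave each message's sections with noise, preserving their order."""
    queues = [split(s, m) for s, m in messages.items()]
    queues.append([(secrets.token_bytes(BLOCK), secrets.token_bytes(TAG_LEN))
                   for _ in range(noise_sections)])
    out = []
    while any(queues):
        q = secrets.choice([q for q in queues if q])
        out.append(q.pop(0))
    return out

def decode(sections, secret):
    """Keep sections carrying the next expected tag, then check the hash."""
    tags = tag_stream(secret)
    want, body = next(tags), b""
    for data, tag in sections:
        if tag == want:  # no backtracking: a tiny tag would need retries here
            body, want = body + data, next(tags)
    if not body:
        return None
    n = body[0]
    msg, digest = body[1:1 + n], body[1 + n:5 + n]
    ok = len(msg) == n and hashlib.sha256(msg).digest()[:4] == digest
    return msg if ok else None

if __name__ == "__main__":
    wire = encode({b"secret-A": b"cover text", b"secret-B": b"hidden"}, 12)  # constructed
    print(decode(wire, b"secret-A"), decode(wire, b"secret-B"), decode(wire, b"guess"))
```

With a much shorter authenticator, noise tags collide with expected ones and the decoder has to try alternative selections until the hash verifies, which is the trade-off slide 8 describes.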

6
Transforming the messages
  • Before the messages are split they are
    transformed to look like random noise, to make
    the task of the attacker more difficult.
  • Rivest used his Package Transform.
  • It is not as effective as one would expect, but
    can be easily fixed.
  • Chaffinch uses BEAR with a key that is
    transmitted in clear.

7
Efficiency
  • Small amount of redundancy and headers inside and
    outside the messages.
  • Constant amount of noise is always present.
  • All the remaining space can be used by data, or
    more noise if no other messages are sent.
  • The authenticator size can be small if we accept
    the fact that the recipient will make a
    computational effort to reconstruct the message.

8
Trade-offs
  • As the size of the authenticator goes down the
    effort to decode goes up.
[Figure: Number of arrangements tried for 1.000.000 decodings, 10bit signature, 1024 sections]

9
Use with care!
  • Need to always use Chaffinch and always send
    plausible cover traffic.
  • The key exchange needs to be done deniably or off
    line.
  • If both sender and receiver face compulsion they
    must reveal secrets in pre-arranged order.
  • Integrate with a security policy and other
    mechanisms offering plausible deniability.

10
Future directions
  • Hiding Chaffinch usage.
  • Deniable key exchange mechanisms.
  • Integration with other plausible deniability
    mechanisms (Steg-FS).
  • Use of asymmetric keys.

11
More information
  • Technical responses to legal problems are only
    temporary proofs of concept. They cannot be a
    durable substitute for reasonable laws.
  • George.Danezis_at_cl.cam.ac.uk, Richard.Clayton_at_cl.cam.ac.uk
  • Java and C implementations available.
  • http://www.chaffinch.info