[messaging] Value of deniability

Nadim Kobeissi nadim at nadim.computer
Wed Dec 10 17:56:24 PST 2014

A few points:

First: even if deniability were to come for close to free (which it doesn't, generally) Mike's original question wasn't whether the overhead was worth it, but if the property is worth considering/prioritizing in the ‎first place. Also, whether it's even desirable.

Second: comparing deniability to forward secrecy doesn't make sense. Forward secrecy protects you from a technical, device level compromise. I don't have to convince another human (such as a judge) in order for forward secrecy to work. On the other hand, deniability has to be *subjectively plausible*, hence the term plausible deniabilty.

Finally: something being *brought up* in court as a *potential* defense doesn't grant it legitimacy immediately. I can bring up my cat as a defense in court. Doesn't mean the judge will lend it credence. Can we look for instances where an established court considered a deniability claim seriously? I don't believe this will ever occur unless you find some court that doesn't care at all about circumstantial evidence.


  Original Message  
From: Eleanor Saitta
Sent: Wednesday, December 10, 2014 8:43 PM
To: sam at samlanning.com; messaging at moderncrypto.org
Subject: Re: [messaging] Value of deniability

Hash: SHA256

On 2014.12.10 20.27, Sam Lanning wrote
>>> And it will stand up in a court of law as strongly as a chain
>>> of PGP signed emails.
>> We have no evidence that supports this assertion.
> No. But for all intents and purposes, it is technically identical.

No. Signatures in email are designed to be persistent and are
archived, in many cases for years. They're subject to the Stored
Communcations Act in the US, and significant technical infrastructure
exists to preserve them. It's natural to bring them into the
courtroom, and they're relatively easy to explain to a lawyer.
They're often the result of an explicit choice by the user to signify
a specific piece of communication, which has nontrivial argumentative
value in court. None of these are true for channel authenticity
measures not attached to a specific message.

> Is there zero protective value in forward secrecy?
> Of course we can always tell people about it but not give any UI 
> hints... like forward secrecy.

While in some cases, users may benefit from forward secrecy even if
they don't expect it to be there/understand it, users who are actively
thinking about their security do need to be aware whether they're
using forward-secrecy-preserving cryptosystems, when understanding the
severity of a device capture. If I know that the machine is currently
clean of stored communication data/metadata and that all
communications from the device have preserved forward secrecy, I don't
need to act on the assumption that an adversary I believe to have
captured encrypted communications now has the content of those
communications, which will significantly change the way I react. If
you are designing for users who you expect to perform any kind of
security planning, you must communicate security properties to them.

Now, in systems not designed for high-risk or specifically targeted
users, maybe you don't need to do this. However, most systems
designed with deniability in mind seem to be designed for high-risk users.

>> How much work has been done to test and ensure that deniability 
>> is maintained in Axolotl?
> There was a deep technical study here:
> https://eprint.iacr.org/2014/904.pdf

Right. So it's not even close to free, even at the protocol level --
it's the result of significant engineering effort that could have been
spent elsewhere.


- -- 
Ideas are my favorite toys.

Messaging mailing list
Messaging at moderncrypto.org

More information about the Messaging mailing list