Re: [cryptography] Can there be a cryptographic dead man switch?
mhey...@gmail.com mhey...@gmail.com writes:

> ... and the trustee (that I never really trusted) ...

Actually, Trustee may prefer to have no access to the secret so as to be above suspicion if some of the gold should disappear.

-- 
StealthMonger stealthmon...@nym.mixmin.net
Long, random latency is part of the price of Internet anonymity.

anonget: Is this anonymous browsing, or what?
http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=sourceoutput=gplain

stealthmail: Hide whether you're doing email, or when, or with whom.
mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html

Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Can there be a cryptographic dead man switch?
James A. Donald jam...@echeque.com writes:

> On 2012-09-05 11:51 PM, StealthMonger wrote:
>> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.
>
> Such a system cannot exist: Obviously the messages have to appear on the system that contains the secret. Pull the internet connection.

Counter-measures to Donald's dilemma have so far involved servers too hidden or numerous to simply pull the internet connection.

Another approach is for the server to be too big to fail, i.e. public and widely used, so that a whole business would be destroyed if the Internet connection were pulled.

It wouldn't take much capability in such a server to allow Grantor to create a robot there which gives Trustee access to the secret, but only if it doesn't hear from the Grantor for some time. With suitable permissions, the Trustee can even be given read-only access the whole while to everything except to the secret itself, so that Trustee can assure herself that it's all actually there.

Are there existing public servers that can provide this functionality? Google mail? Zooko's Tahoe?

-- 
StealthMonger stealthmon...@nym.mixmin.net
Re: [cryptography] Can there be a cryptographic dead man switch?
I can not imagine anything inherently trustable. I do not want to trust that single server won't be hacked, tapped by NSA or raided by FBI.

On 22 Sep 2012 22:49, StealthMonger stealthmon...@nym.mixmin.net wrote:

> James A. Donald jam...@echeque.com writes:
>
>> On 2012-09-05 11:51 PM, StealthMonger wrote:
>>> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.
>>
>> Such a system cannot exist: Obviously the messages have to appear on the system that contains the secret. Pull the internet connection.
>
> Counter-measures to Donald's dilemma have so far involved servers too hidden or numerous to simply pull the internet connection.
>
> Another approach is for the server to be too big to fail, i.e. public and widely used, so that a whole business would be destroyed if the Internet connection were pulled.
>
> It wouldn't take much capability in such a server to allow Grantor to create a robot there which gives Trustee access to the secret, but only if it doesn't hear from the Grantor for some time. With suitable permissions, the Trustee can even be given read-only access the whole while to everything except to the secret itself, so that Trustee can assure herself that it's all actually there.
>
> Are there existing public servers that can provide this functionality? Google mail? Zooko's Tahoe?
Re: [cryptography] Can there be a cryptographic dead man switch?
Natanael natanae...@gmail.com writes:

> I do not want to trust that single server won't be hacked, tapped by NSA or raided by FBI.

I absolutely agree. But the adversary here is nothing like NSA or FBI, and the stakes are nowhere near threats to any State, and nobody has reason to believe otherwise. Remember, this is basically a friendly agreement between Grantor and Trustee and in the category of good fences make good neighbors.

Of course, the Trustee, to whose key the secret is encrypted the whole while, has to use a strong key to keep third parties out.

-- 
StealthMonger stealthmon...@nym.mixmin.net
Re: [cryptography] Can there be a cryptographic dead man switch?
In that case Anonymous and other hacker groups are your problem.

On 23 Sep 2012 01:37, StealthMonger stealthmon...@nym.mixmin.net wrote:

> Natanael natanae...@gmail.com writes:
>
>> I do not want to trust that single server won't be hacked, tapped by NSA or raided by FBI.
>
> I absolutely agree. But the adversary here is nothing like NSA or FBI, and the stakes are nowhere near threats to any State, and nobody has reason to believe otherwise. Remember, this is basically a friendly agreement between Grantor and Trustee and in the category of good fences make good neighbors.
>
> Of course, the Trustee, to whose key the secret is encrypted the whole while, has to use a strong key to keep third parties out.
Re: [cryptography] Can there be a cryptographic dead man switch?
By the way, using SMPC remotely can be generalized beyond Dead Man Switch pretty easily (IMHO). While SMPC actually isn't needed to do a DMS, just secret sharing, SMPC lets you hide the terms for when to release the secret, and even to change the terms while keeping them secret.

Here's how:

First one creates a scripting engine that can run inside the SMPC. This can be a Python or Bash port if one wants that.

Then one writes a script that will run inside the SMPC that during the first run takes shares from a secret sharing scheme. Each node gets different shares. The data in these shares then contain a flag that says first run, an asymmetric key (generated by you in advance), the secret data and a script with the actual conditions for releasing the secret.

Then the loader script assembles the shares and runs that conditions script. That script also sees that this is the first run. So it gives certain commands to the software on the outside of the SMPC as its output. This can be look for X at website Y every Z hours, and run me again in 6 hours or whatever. The response is given in a certain format the script can understand as input during the next run of the SMPC.

The internal state in the SMPC with all the data and code we want to save is encrypted and split in new shares (Grantor was last heard of 2021-06-12; run code X next time?), this is part of the output and tagged as the input shares for the next SMPC run. This replaces the original shares.

As the input fetched to the SMPC can contain new code, you can give the SMPC new instructions this way. The new code in the SMPC can also give new commands to the code outside the SMPC (that code that runs the SMPC and fetches and passes on data).

The data the SMPC scheme is supposed to fetch should be both encrypted to its public key and signed by your public key (you have to give the SMPC your public key then too, obviously).

So you rent a bunch of servers online, anonymously, and set up this SMPC scheme on it.

So, what would you guys run on this thing? Remember that the overhead makes it slooow, so no secret bruteforcing of anything.

- Sent from my tablet

On 5 Sep 2012 16:21, Natanael natanae...@gmail.com wrote:

> If the trustee (correct word?) stops passing the messages to your CDMS (cryptographic dead man switch), it would simply decrypt the original message automatically. So you can not put the entire mechanism in the hands of the trustee, especially not the part that authorizes the decryption.
>
> I could imagine that you would set up a remote server that would simply send the secret to the trustee, encrypted to his public key for security, when you stop pinging it by sending signed messages.
>
> To prevent one server from being compromised and revealing the secret (even if only to the trustee since it can be pre-encrypted), I could imagine chained-session Secure Multiparty Computation across several remote servers. The idea is that you run the SMPC software on your remote servers, give a large random number to each, they generate a keypair inside the virtual SMPC machine, and you encrypt the message to that key. The machines split the keypair among themselves using a Secure Sharing Scheme. You send that encrypted message to all the machines.
>
> Each day the machines re-run the SMPC, sends their key parts and reassemble them using the secret sharing scheme inside the SMPC, checks if a signed message has been received from you, and if not it decrypts the secret message to the trustee. A program on the machines will then see this message as the output from the SMPC and send it to the trustee.
>
> Overly complicated, maybe, but secure and can actually work.
>
> On Wed, Sep 5, 2012 at 3:51 PM, StealthMonger stealthmon...@nym.mixmin.net wrote:
>
>> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.
>>
>> The motivating application is a Living Trust wherein the Grantor wants to keep secret, even from the Trustee, the locations of his caches of gold until such time as he is no longer able to send signed messages. Each signed message has to somehow avert revelation of the secret for another time period (three months, say).
Re: [cryptography] Can there be a cryptographic dead man switch?
On Wed, Sep 5, 2012 at 9:51 AM, StealthMonger stealthmon...@nym.mixmin.net wrote:

> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.

Every three months I, the Grantor, encrypt my secret in a new secret-encrypting-key and place that secret in my box. (I keep my box away from others - maybe put it in a safe). I also encrypt that secret-encrypting key in a public key but not too strong a public key, one that can be broken in three months time. I then throw away the private key to that public key (I don't need it, I know my secret). I give the public-key encrypted secret-encrypting key to the trustee, heck I can publish it on the web if I want. If I should die, I will stop re-encrypting the secret and the trustee (that I never really trusted) can break the public key and get to the secret.

I know a second scheme that we worked out years ago when one of our group was working on DTN (delay tolerant networking) where we would encrypt something and bounce the encrypting key off a distant node and get a few seconds or minutes of safe time until the something could get decrypted. This scheme has the benefit of not failing if some whiz-bang new crypto breaking system comes along but deals with much shorter time periods.

I assume that if I'm using the crypto-only method, then I will keep apprised of whiz-bang new crypto breaking systems and re-encrypt early with a larger key to get back on my three month schedule if such a faster breaking system should appear.

Michael Heyman
Re: [cryptography] Can there be a cryptographic dead man switch?
Doh, don't know why I brought public-key crypto into this. There isn't a need for it. Just pick, say, an AES key and give the trustee some of the key's bits so they only have to brute force part of the key.

On Wed, Sep 19, 2012 at 4:48 PM, mhey...@gmail.com mhey...@gmail.com wrote:

> On Wed, Sep 5, 2012 at 9:51 AM, StealthMonger stealthmon...@nym.mixmin.net wrote:
>
>> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.
>
> Every three months I, the Grantor, encrypt my secret in a new secret-encrypting-key and place that secret in my box. (I keep my box away from others - maybe put it in a safe). I also encrypt that secret-encrypting key in a public key but not too strong a public key, one that can be broken in three months time. I then throw away the private key to that public key (I don't need it, I know my secret). I give the public-key encrypted secret-encrypting key to the trustee, heck I can publish it on the web if I want. If I should die, I will stop re-encrypting the secret and the trustee (that I never really trusted) can break the public key and get to the secret.
>
> I know a second scheme that we worked out years ago when one of our group was working on DTN (delay tolerant networking) where we would encrypt something and bounce the encrypting key off a distant node and get a few seconds or minutes of safe time until the something could get decrypted. This scheme has the benefit of not failing if some whiz-bang new crypto breaking system comes along but deals with much shorter time periods.
>
> I assume that if I'm using the crypto-only method, then I will keep apprised of whiz-bang new crypto breaking systems and re-encrypt early with a larger key to get back on my three month schedule if such a faster breaking system should appear.
>
> Michael Heyman
Re: [cryptography] Can there be a cryptographic dead man switch?
But you can't revoke his ability to keep bruteforcing the message.

- Sent from my tablet

On 19 Sep 2012 23:01, mhey...@gmail.com mhey...@gmail.com wrote:

> Doh, don't know why I brought public-key crypto into this. There isn't a need for it. Just pick, say, an AES key and give the trustee some of the key's bits so they only have to brute force part of the key.
>
> On Wed, Sep 19, 2012 at 4:48 PM, mhey...@gmail.com mhey...@gmail.com wrote:
>
>> On Wed, Sep 5, 2012 at 9:51 AM, StealthMonger stealthmon...@nym.mixmin.net wrote:
>>
>>> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.
>>
>> Every three months I, the Grantor, encrypt my secret in a new secret-encrypting-key and place that secret in my box. (I keep my box away from others - maybe put it in a safe). I also encrypt that secret-encrypting key in a public key but not too strong a public key, one that can be broken in three months time. I then throw away the private key to that public key (I don't need it, I know my secret). I give the public-key encrypted secret-encrypting key to the trustee, heck I can publish it on the web if I want. If I should die, I will stop re-encrypting the secret and the trustee (that I never really trusted) can break the public key and get to the secret.
>>
>> I know a second scheme that we worked out years ago when one of our group was working on DTN (delay tolerant networking) where we would encrypt something and bounce the encrypting key off a distant node and get a few seconds or minutes of safe time until the something could get decrypted. This scheme has the benefit of not failing if some whiz-bang new crypto breaking system comes along but deals with much shorter time periods.
>>
>> I assume that if I'm using the crypto-only method, then I will keep apprised of whiz-bang new crypto breaking systems and re-encrypt early with a larger key to get back on my three month schedule if such a faster breaking system should appear.
>>
>> Michael Heyman
Re: [cryptography] Can there be a cryptographic dead man switch?
On Sep 19, 2012, at 4:48 PM, mhey...@gmail.com mhey...@gmail.com wrote:

> Every three months I, the Grantor, encrypt my secret in a new secret-encrypting-key and place that secret in my box. (I keep my box away from others - maybe put it in a safe). I also encrypt that secret-encrypting key in a public key but not too strong a public key, one that can be broken in three months time. I then throw away the private key to that public key (I don't need it, I know my secret). I give the public-key encrypted secret-encrypting key to the trustee, heck I can publish it on the web if I want. If I should die, I will stop re-encrypting the secret and the trustee (that I never really trusted) can break the public key and get to the secret.

This doesn't work or doesn't help. If the trustee doesn't have access to the safe until after you're dead, then the encryption is unimportant: just keep your secrets in the safe unencrypted. If they can access the encrypted message before you're dead, they can decrypt it in a few months, even if you stay on the right side of the grass.

Separately, I think it's impracticable to know the available computation time for key breaking, so it's difficult to estimate how long it will take the trustee to recover the message after gaining access to the encrypted message.

I don't know of any way to solve the original problem other than changing the framing to allow somewhat trusted third parties (distribute secret shares to a dozen people, requiring 10 of them to agree to recover the decryption key, hope that they don't conspire to recover it until after you're dead), having access to a secure agent (software running somewhere that releases the secret if you don't check in for 30 days), or the ability to invalidate an old secret store (e.g., physically hide the secret somewhere, move it every 30 days, and encrypt the location with a 60-day weak key, but see the above challenge of predicting how long it will take to crack--a key long enough to be safe for 60 days against all attackers may take your trustee a couple of years to crack once you're dead).

- Tim
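The threshold option described in the message above (shares handed to a dozen holders, any 10 of whom can recover the key), combined with a per-holder check-in timer, as an added Python example that is not code from any poster in this thread. A SHA-256 hash chain stands in for the Grantor's PGP-signed messages so that it runs on the standard library alone; the field prime, the 90-day period, the sample secret and all names are assumptions.

```python
import hashlib
import hmac
import secrets

PRIME = 2**521 - 1        # field for Shamir sharing (assumed; fits secrets up to 64 bytes)
DAY = 24 * 3600
PERIOD = 90 * DAY         # "three months, say"


def split_secret(secret, threshold, holders):
    """Shamir split: any `threshold` shares rebuild the secret, fewer reveal nothing."""
    value = int.from_bytes(b"\x01" + secret, "big")   # 0x01 guard keeps leading zeros
    if value >= PRIME:
        raise ValueError("secret too long for the field")
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):                    # Horner evaluation at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover(shares):
    """Lagrange interpolation at x = 0, then strip the guard byte."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(66, "big").lstrip(b"\x00")[1:]


def make_chain(seed, length):
    """chain[k] = SHA-256 applied k times to seed; chain[length] is the public anchor."""
    chain = [seed]
    for _ in range(length):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class ShareHolder:
    """One of the 'somewhat trusted' parties: keeps a share and a release timer."""

    def __init__(self, share, anchor, now):
        self.share, self.anchor, self.last_seen = share, anchor, now

    def heartbeat(self, token, now, max_skip=4):
        """Accept a token whose hash (applied 1..max_skip times) is the stored anchor."""
        digest = token
        for _ in range(max_skip):
            digest = hashlib.sha256(digest).digest()
            if hmac.compare_digest(digest, self.anchor):
                self.anchor, self.last_seen = token, now   # old tokens no longer verify
                return True
        return False

    def release(self, now):
        """Give up the share only after the Grantor has been silent for PERIOD."""
        return self.share if now - self.last_seen > PERIOD else None


def run_scenario():
    secret = b"constructed sample secret"            # constructed, not from the thread
    chain = make_chain(secrets.token_bytes(32), 8)   # Grantor reveals chain[7], chain[6], ...
    holders = [ShareHolder(s, chain[8], now=0)
               for s in split_secret(secret, threshold=10, holders=12)]

    # Day 80: the heartbeat reaches holders 3..11; holders 0..2 are cut off from it.
    accepted = [h.heartbeat(chain[7], now=80 * DAY) for h in holders[3:]]
    replayed = holders[3].heartbeat(chain[7], now=85 * DAY)      # spent token again
    forged = holders[3].heartbeat(secrets.token_bytes(32), now=85 * DAY)

    # Day 100: only the three cut-off holders have timed out; 3 shares are not enough.
    early = [s for s in (h.release(100 * DAY) for h in holders) if s]
    # Day 200: the Grantor has been silent since day 80, so every holder releases.
    late = [s for s in (h.release(200 * DAY) for h in holders) if s]
    return {
        "accepted": all(accepted), "replayed": replayed, "forged": forged,
        "early_count": len(early), "early_leak": recover(early) == secret,
        "nine": recover(late[:9]) == secret, "ten": recover(late[:10]) == secret,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The three holders that miss the day-80 check-in release early while the Grantor is still alive, which is the disconnected-server case raised elsewhere in the thread; the threshold is what keeps those three shares from revealing anything.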
Re: [cryptography] Can there be a cryptographic dead man switch?
On 2012-09-19 17:01:02 -0400 (-0400), mhey...@gmail.com wrote:

> [...]
> If I should die, I will stop re-encrypting the secret and the trustee (that I never really trusted) can break the public key and get to the secret.
> [...]

And how does the trustee get access to the encrypted form of the secret? If he has a copy of it encrypted with the old key, how do you ensure he throws it out when you reencrypt with the new key? If he doesn't get access to the encrypted secret until you die, then why not simply rely on that access mechanism and forget about encrypting it in the first place?

-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829); WHOIS(STANL3-ARIN); SMTP(fu...@yuggoth.org); FINGER(fu...@yuggoth.org); MUD(kin...@katarsis.mudpy.org:6669); IRC(fu...@irc.yuggoth.org#ccl); }
Re: [cryptography] Can there be a cryptographic dead man switch?
On Wed, Sep 19, 2012 at 2:08 PM, The Fungi fu...@yuggoth.org wrote:

> ...
> And how does the trustee get access to the encrypted form of the secret?

presumably you get it to him securely.[0]

> ... If he has a copy of it encrypted with the old key, how do you ensure he throws it out when you reencrypt with the new key?

the only mechanism i have considered that might fit this bill is a private key represented with coding redundancy across a molecule or crystal containing radioactive isotopes with a very short half life in the chemical bonds comprising the information in the structure.

as the isotope decays, the bonds break, the information withers. if you lose enough you can no longer obtain the private key from the physical storage.

note that this conveniently ignores attacks against partial key space that might be recovered via the remaining structures, even if a full reconstitution isn't directly possible. [1]

i can't even imagine how expensive such a thing would be to make and manage... but one day we'll have matter compilers, right?

0. secure key management is left as an exercise to the reader. ;P

1. recent research indicates a remote denial of service via neutrino beams might be a risk factor for availability.
Re: [cryptography] Can there be a cryptographic dead man switch?
On Wed, Sep 19, 2012 at 4:32 PM, coderman coder...@gmail.com wrote:

> ...
> presumably you get it to him securely.[0]

s/him/her/. or other; perhaps a trained sea mammal.

avoid those honeypot vulns fueled by testosterone...
Re: [cryptography] Can there be a cryptographic dead man switch?
And make sure there are multiple internet connections to the hidden servers.

Adam

On Thu, Sep 06, 2012 at 03:40:23AM +0100, StealthMonger wrote:

> Good argument. Thanks. It makes Natanael's solution, or some variant of it, all the more appealing.
>
> Keep Natanael's servers secret, such as on scattered Virtual Private Servers. They read the Grantor's signed messages from a message pool such as alt.anonymous.messages and use that channel also to communicate among themselves, outputting via anonymizing remailers. The adversary wouldn't know which of the world's internet connections to pull. When the servers agree that the Grantor is dead, they release the secret, encrypted all the while with the Trustee's key.
[cryptography] Can there be a cryptographic dead man switch?
Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.

The motivating application is a Living Trust wherein the Grantor wants to keep secret, even from the Trustee, the locations of his caches of gold until such time as he is no longer able to send signed messages. Each signed message has to somehow avert revelation of the secret for another time period (three months, say).

-- 
StealthMonger stealthmon...@nym.mixmin.net
Re: [cryptography] Can there be a cryptographic dead man switch?
Hi,

what's the difference from a normal dead man switch that would reveal said secret if/when messages stop appearing? You can't check the signature of a message that isn't received, right?

It could work in a way where the 'switch' sends a message and reveals the message if there is no signed answer within a certain period of time. The use case is still unclear to me.

Cheers,
Wim

On Wed, Sep 5, 2012 at 3:51 PM, StealthMonger stealthmon...@nym.mixmin.net wrote:

> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.
>
> The motivating application is a Living Trust wherein the Grantor wants to keep secret, even from the Trustee, the locations of his caches of gold until such time as he is no longer able to send signed messages. Each signed message has to somehow avert revelation of the secret for another time period (three months, say).

-- 
Wim Remes
Security Afficionado
Re: [cryptography] Can there be a cryptographic dead man switch?
If the trustee (correct word?) stops passing the messages to your CDMS (cryptographic dead man switch), it would simply decrypt the original message automatically. So you can not put the entire mechanism in the hands of the trustee, especially not the part that authorizes the decryption.

I could imagine that you would set up a remote server that would simply send the secret to the trustee, encrypted to his public key for security, when you stop pinging it by sending signed messages.

To prevent one server from being compromised and revealing the secret (even if only to the trustee since it can be pre-encrypted), I could imagine chained-session Secure Multiparty Computation across several remote servers. The idea is that you run the SMPC software on your remote servers, give a large random number to each, they generate a keypair inside the virtual SMPC machine, and you encrypt the message to that key. The machines split the keypair among themselves using a Secure Sharing Scheme. You send that encrypted message to all the machines.

Each day the machines re-run the SMPC, sends their key parts and reassemble them using the secret sharing scheme inside the SMPC, checks if a signed message has been received from you, and if not it decrypts the secret message to the trustee. A program on the machines will then see this message as the output from the SMPC and send it to the trustee.

Overly complicated, maybe, but secure and can actually work.

On Wed, Sep 5, 2012 at 3:51 PM, StealthMonger stealthmon...@nym.mixmin.net wrote:

> Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.
>
> The motivating application is a Living Trust wherein the Grantor wants to keep secret, even from the Trustee, the locations of his caches of gold until such time as he is no longer able to send signed messages. Each signed message has to somehow avert revelation of the secret for another time period (three months, say).
Re: [cryptography] Can there be a cryptographic dead man switch?
So to be short: no, there cannot. The absence of new information cannot cause the information needed for decryption to become known. Unless you find some way to reverse that or use a hybrid crypto and non-crypto solution, a DMS cannot happen. Anyone disagree?

Note that a Bitcoin-like/distributed network could potentially be an automated DMS-crypto-cheat.

2012/9/5 Natanael natanae...@gmail.com

If the trustee (correct word?) stops passing the messages to your CDMS (cryptographic dead man switch), it would simply decrypt the original message automatically. So you cannot put the entire mechanism in the hands of the trustee, especially not the part that authorizes the decryption.

I could imagine that you would set up a remote server that would simply send the secret to the trustee, encrypted to his public key for security, when you stop pinging it by sending signed messages.

To prevent one server from being compromised and revealing the secret (even if only to the trustee since it can be pre-encrypted), I could imagine chained-session Secure Multiparty Computation across several remote servers. The idea is that you run the SMPC software on your remote servers, give a large random number to each, they generate a keypair inside the virtual SMPC machine, and you encrypt the message to that key. The machines split the keypair among themselves using a Secure Sharing Scheme. You send that encrypted message to all the machines. Each day the machines re-run the SMPC, send their key parts and reassemble them using the secret sharing scheme inside the SMPC, and check if a signed message has been received from you; if not, it decrypts the secret message to the trustee. A program on the machines will then see this message as the output from the SMPC and send it to the trustee.

Overly complicated, maybe, but secure and can actually work.
Re: [cryptography] Can there be a cryptographic dead man switch?
On 2012-09-05 11:51 PM, StealthMonger wrote:

Can there be a cryptographic dead man switch? A secret is to be revealed only if/when signed messages stop appearing. It is to be cryptographically strong and not rely on a trusted other party.

Such a system cannot exist: If the trustee wants to discover the secret, he simply stops attending to the messages. Obviously the messages have to appear on the system that contains the secret. Pull the internet connection.