World Library  
Flag as Inappropriate
Email this Article

Rubber-hose cryptanalysis

Article Id: WHEBN0000235585
Reproduction Date:

Title: Rubber-hose cryptanalysis  
Author: World Heritage Encyclopedia
Language: English
Subject: Black-bag cryptanalysis, Cryptography newsgroups, Side-channel attack, Pretty Good Privacy, Hose
Collection: Cryptographic Attacks, Espionage Techniques, Euphemisms, Torture
Publisher: World Heritage Encyclopedia
Publication
Date:
 

Rubber-hose cryptanalysis

In cryptography, rubber-hose cryptanalysis is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture[1][2]—such as beating that person with a rubber hose, thus the name—in contrast to a mathematical or technical cryptanalytic attack.

Contents

  • Details 1
  • In law 2
  • See also 3
  • References 4

Details

According to Amnesty International and the UN, many countries in the world routinely torture people.[3][4][5][6] It is therefore logical to assume that at least some of those countries use (or would be willing to use) some form of rubber-hose cryptanalysis.[1] In practice, psychological coercion can prove as effective as physical torture. Not physically violent but highly intimidating methods include such tactics as the threat of harsh legal penalties. The incentive to cooperate may be some form of plea bargain, such as an offer to drop or reduce criminal charges against a suspect in return for full co-operation with investigators. Alternatively, in some countries threats may be made to prosecute as co-conspirators (or inflict violence upon) close relatives (e.g. spouse, children, or parents) of the person being questioned unless they co-operate.[4][7]

In some contexts, rubber-hose cryptanalysis may not be a viable attack because of a need to decrypt data covertly; information such as a password may lose its value if it is known to have been compromised. It has been argued that one of the purposes of strong cryptography is to force adversaries to resort to less covert attacks.[8]

The earliest known use of the term was on the sci.crypt newsgroup, in a message posted 16 October 1990 by Marcus J. Ranum, alluding to corporal punishment:

...the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive).
— [9]

Although the term is used tongue-in-cheek, its implications are serious: in modern cryptosystems, the weakest link is often the human user.[10] A direct attack on a cipher algorithm, or the cryptographic protocols used, is likely to be much more expensive and difficult than targeting the people who use or manage the system. Thus, many cryptosystems and security systems are designed with special emphasis on keeping human vulnerability to a minimum. For example, in public-key cryptography, the defender may hold the key to encrypt the message, but not the decryption key needed to decipher it. The problem here is that the defender may be unable to convince the attacker to stop coercion. In plausibly deniable encryption, a second key is created which unlocks a second convincing but relatively harmless message (for example, apparently personal writings expressing "deviant" thoughts or desires of some type that are lawful but taboo), so the defender can prove to have handed over the keys whilst the attacker remains unaware of the primary hidden message. In this case, the designer's expectation is that the attacker will not realize this, and forego threats or actual torture. Alternatively, a defender can use a proof-of-work-high-density-steganographic counterattack to incentivize the attacker to listen to what the defender has to say. See also steganography. The risk, however, is that the attacker may be aware of deniable encryption and will assume the defender knows more than one key, meaning the attacker may refuse to stop coercing the defender even if one or more keys are revealed: on the assumption the defender is still withholding additional keys which hold additional information.

In law

In some jurisdictions, statutes assume the opposite—that human operators know (or have access to) such things as session keys, an assumption which parallels that made by rubber-hose practitioners. An example is the United Kingdom's Regulation of Investigatory Powers Act,[11][12] which makes it a crime to not surrender encryption keys on demand from a government official authorized by the act.

According to the

  1. ^ a b  
  2. ^  
  3. ^ Pincock, Stephen (November 1, 2003). "Exposing the horror of torture".  
  4. ^ a b "Many countries still appear willing to use torture, warns UN human rights official" (Press release).  
  5. ^ Modvig, J.; Pagaduan-Lopez, J.; Rodenburg, J.; Salud, CMD; Cabigon, RV; Panelo, CIA (November 18, 2000). "Torture and trauma in post-conflict East Timor".  
  6. ^  
  7. ^ Hoffman, Russell D. (February 2, 1996). "Interview with author of PGP (Pretty Good Privacy)". High Tech Today. Retrieved August 29, 2009. 
  8. ^ Percival, Colin (May 13, 2010). "Everything you need to know about cryptography in 1 hour (conference slides)" (PDF). Retrieved December 29, 2011. 
  9. ^ Ranum, Marcus J. (October 16, 1990). "Re: Cryptography and the Law...".  
  10. ^ "The Weakest Link: The Human Factor Lessons Learned from the German WWII Enigma Cryptosystem". SANS. Retrieved 6 June 2013. 
  11. ^ a b "The RIP Act".  
  12. ^ a b "Regulation of Investigatory Powers Bill; in Session 1999-2000, Internet Publications, Other Bills before Parliament". House of Lords. 9 May 2000. Retrieved 5 Jan 2011. 

References

See also

[12][11]

This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.