by akx 1744 days ago
So... assuming there are bad guys demanding access to your data and you say "oh yes, I've been using this plausible deniability encryption/archive format", chances are that they're going to torture you for about exactly as long as they want until they get the data they want.

Also – assuming you have three layers of equal compressed size in your container, and you provide two passwords, can't your interrogator see that only 2/3 of the container file gets accessed, and has a reason to believe there's more data to be found?

6 comments

> until they get the data they want.

The game theory here is interesting. If they are sure that you have the information (for example, the private key to your bitcoin wallet) then "plausible deniability" isn't really a useful feature. It means you can credibly bluff "The key isn't on this device", but they can just torture you until you reveal which device it is on.

In contrast, the threat model of Rubberhose[0] assumes that the secret police believe that you have an incriminating file on your device, but they aren't sure. That means if you are innocent and disclose all your passwords to them, they won't be satisfied and will have to keep on torturing you forever, hoping that you might give them the information you don't actually have. Therefore they have to convince you that there is some information that you could hand over which would satisfy them, and they mustn't over-estimate what information you have, otherwise they are committing to torturing you forever and there is no advantage to you disclosing even the information you do have.

[0] https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29

Exactly this. In True/VeraCrypt, there’s only the possibility of having two keys, the main and hidden one. Just the existence of this feature places everyone using the software in danger (at least people who are potential targets of this type of regime), because if you’re not using the hidden volume, you can’t ever prove it. To be really safe, everyone would need to use both volumes, with the hidden one being empty so it can be proven nothing is in there.

But with something that has an arbitrary number of hidden volumes, you have no way to prove it and they can interrogate you forever.

It's bleakly amusing that you think torturers are worried about some sort of credibility calculus. Where torture is sanctioned or tolerated, people are sometimes tortured for information, sometimes for compliance - but those considerations are often excuses offered to justify the torture to external critics. In many cases, people are tortured purely in order to terrorize others into compliance, or because the torturers are sadists who get off on it.

A lot of HN discussions on this topic are based on the implicit assumption that torture is a rational tactic, if extremely brutal and unpleasant one, because most people will eventually tell torturers what they want to hear in hopes of making it stop, and giving up secrets is a bargaining option. The sad fact is that many torturers are motivated by their enjoyment of others' suffering, so you could give them everything only to have them laugh at your dismay when you figured out they never cared about your secrets in the first place.

In some historical conflicts, this realization has been exploited by the underdogs; Algerian guerrillas under French occupation had standing agreements to maintain silence for 24 hours if arrested, but after that they could spill everything freely without fear of moral compromise, thus denying the incumbent powers a credible excuse for carrying out torture. Guerrillas were expected to keep abreast of each others' liberty status and to have an unshared plan to bail out if their network was compromised.

I point this out purely as a tactical maneuver; following the ejection of the French the newly independent Algerian state itself instituted all kinds of unethical and repressive practices.

> It's bleakly amusing that you think torturers are worried about some sort of credibility calculus. Where torture is sanctioned or tolerated, people are sometimes tortured for information, sometimes for compliance - but those considerations are often excuses offered to justify the torture to external critics. In many cases, people are tortured purely in order to terrorize others into compliance, or because the torturers are sadists who get off on it.

They actually are in some ways. I toured a former secret East German prison in Berlin, and they would keep prisoners for a long time, and psychologically torture them until they confessed, and would then send them to "trial" with their confession as proof.

I asked the guide why they didn't just physically torture them or falsify the trial right off the bat and he answered something along the lines of the prison guards thinking they were civilized people and wouldn't resort to such barbarous manners.

Torturers are still people and have some level of cognitive dissonance going on, but do require some kind of credibility.

I said interrogation, not torture. There are now at least a few law-abiding countries (e.g. UK) where disclosing passwords is mandatory by law as part of an investigation, where interrogation is the process where they demand the suspect reveal such information. With a tool like this, it would be impossible to prove you have revealed every password, and they could hold you in contempt forever.

Don’t assume everyone is making an argument from an extreme position, as reality is rarely ever black and white.

You did, but as soon as you are discussing things in the context of rubber hoses that includes extreme interrogation methods.

> but those considerations are often excuses offered to justify the torture to external critics. In many cases, people are tortured purely in order to terrorize others into compliance, or because the torturers are sadists who get off on it.

Sure, but in that case you're fucked regardless, so there's not much point worrying about it.

> Therefore they have to convince you that there is some information that you could hand over which would satisfy them, and they mustn't over-estimate what information you have, otherwise they are committing to torturing you forever and there is no advantage to you disclosing even the information you do have.

This is a very useful explanation/articulation of the idea here, thank you.

In countries like the UK where you can be jailed or fined for not giving a password, this provides a way to do that and escape jail. Truecrypt did it and after the developers stopped supporting that, VeraCrypt came along.

You obviously don't reveal that you are using a plausible denial storage method. Give it a zip extension and rename the application that you access it with to something like Zip Archiver. "It's an encrypted zip file and the password is ...." How do they know it's not zip or that there's secret data there?

The app literally says "Welcome to FractalCrypt!" when you open it. Not only revealing the encryption format name, but clearly hinting to how it works.

I'd much prefer an encryption format that hides itself in a well-known one layer encryption (like encrypted zip).

I agree, something like VeraCrypt where the partition has a certain size, with or without hidden data.

But state-level actors might nevertheless have methods to find out that, if you write 120GB of data compressed into a 100GB file, there needs to be something hidden, because otherwise you would get it in 122GB - something like that.

Or single stepping VeraCrypt machine code execution (you see I have no clue).

For one, it's not clear that this tool creates standard .ZIP files, so the bad guys using an off-the-shelf `unzip` tool would probably suspect things.

If the tool does create regular ZIPs with irregular contents, they could still see that there's noise that isn't read during the course of decryption/extraction, which is suspect.
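The layered layout the thread keeps circling back to (one password per layer, an unknown number of layers, and the "only 2/3 of the container gets accessed" observation from the top of the thread) as an added, stdlib-only Python toy. This is not FractalCrypt's or VeraCrypt's code or on-disk format; the record layout, the SHAKE256-keystream-plus-HMAC toy cipher and the 4096-byte container size are assumptions made for the demo, and the cipher is an illustration only, not something to protect real data with. `open_layers` returns both the payloads it could unlock and how far into the file it had to read, which is what an observer watching I/O would see:

```python
"""Toy layered deniable container (added illustration, not a real format)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

CONTAINER_SIZE = 4096                 # fixed size regardless of payload (assumption)
SALT_LEN, TAG_LEN, LEN_FIELD = 16, 32, 4
PBKDF2_ITERS = 50_000                 # low for the demo; raise for anything real


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=32)


def _keystream(key: bytes, n: int) -> bytes:
    # Toy stream cipher: SHAKE256 as an XOF, so digest(4) is a prefix of digest(n).
    return hashlib.shake_256(b"layer-stream" + key).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _seal(password: str, payload: bytes) -> bytes:
    """Record = salt | HMAC tag | enc(len || payload); every field looks random."""
    salt = secrets.token_bytes(SALT_LEN)
    key = _kdf(password, salt)
    body = struct.pack(">I", len(payload)) + payload
    ct = _xor(body, _keystream(key, len(body)))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return salt + tag + ct


def build_container(layers: list[tuple[str, bytes]]) -> bytes:
    """Write layers back to back, then leave the rest as random fill.

    Layer i starts where layer i-1 ends, so password i is only useful once
    layers 0..i-1 are open. Whether the unread remainder is more layers or
    just fill is not visible from the bytes themselves."""
    buf = bytearray(secrets.token_bytes(CONTAINER_SIZE))
    off = 0
    for pw, payload in layers:
        rec = _seal(pw, payload)
        if off + len(rec) > CONTAINER_SIZE:
            raise ValueError("container too small for all layers")
        buf[off:off + len(rec)] = rec
        off += len(rec)
    return bytes(buf)


def _open_at(container: bytes, off: int, password: str):
    """Return (payload, record_end), or None if the password does not open a record here."""
    ct_start = off + SALT_LEN + TAG_LEN
    if ct_start + LEN_FIELD > len(container):
        return None
    salt = container[off:off + SALT_LEN]
    tag = container[off + SALT_LEN:ct_start]
    key = _kdf(password, salt)
    # A wrong password decrypts the length field to garbage; the bounds check
    # and the HMAC check below reject it without leaking anything useful.
    (n,) = struct.unpack(">I", _xor(container[ct_start:ct_start + LEN_FIELD],
                                    _keystream(key, LEN_FIELD)))
    ct = container[ct_start:ct_start + LEN_FIELD + n]
    if len(ct) != LEN_FIELD + n:
        return None
    if not hmac.compare_digest(tag, hmac.new(key, salt + ct, "sha256").digest()):
        return None
    return _xor(ct, _keystream(key, len(ct)))[LEN_FIELD:], ct_start + len(ct)


def open_layers(container: bytes, passwords: list[str]) -> tuple[list[bytes], int]:
    """Open as many consecutive layers as the passwords unlock.

    Returns (payloads, bytes_read): bytes_read is the offset a reader had to
    reach, i.e. the part of the file an observer would see being accessed."""
    payloads, off = [], 0
    for pw in passwords:
        res = _open_at(container, off, pw)
        if res is None:
            break
        payload, off = res
        payloads.append(payload)
    return payloads, off


if __name__ == "__main__":
    # Constructed sample: three layers, only the first two revealed.
    c = build_container([("innocuous", b"tax returns"),
                         ("secret", b"the real thing"),
                         ("deeper", b"x" * 100)])
    got, read = open_layers(c, ["innocuous", "secret"])
    print(got, f"{read}/{len(c)} bytes touched")
```

Two things the toy makes concrete. With the same payload in layer 0, a one-layer and a three-layer container have identical size and identical read footprint under one password, so size and I/O alone do not prove there is more. But the footprint is still well short of the file, which is exactly the "why is the rest never read?" question an interrogator can ask; a format whose single-layer readers naturally touch the whole file (or that pads reads) would not give that tell.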

Partly because these systems are designed to destroy the data if not unlocked. Your "plausible" container, if not unlocked, makes the rest of the container look like free space - i.e. destroyed by an OS not aware it shouldn't write to it.

Which is common with HDD block-device format containers (not sure this thing makes as much sense) anyway: if my laptop here (which is encrypted) gets unlocked with 2 passwords, you would need to independently verify that in fact I normally used 3 and the idea is you can't prove that the "free space" is actually not just normal freespace on my HDD.

Combined with a TPM chip and not having any recovery codes and the HDD can't be realistically extracted except by nation-state level actors with a motivated interest.

Also why would "truly secret" data be large in size to start with? The more likely relationship would be 100:10:1 or greater in terms of "plausible" to "implausible".

> and not having any recovery codes

An alternative might be to use something like Shamir's Secret Sharing to split the recovery codes between a dozen mutually-unknown friends in different jurisdictions, such that the secrets held by some threshold of them could produce the recovery codes.

These friends would have to be trusted to only hand you their share if they meet you in person in their jurisdiction, and should perhaps also first tweet out that they were doing so, in order to warn anyone whose security might depend on your encrypted data not being compromised.
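The splitting scheme proposed in that comment, as an added Python example (not code from the page or from any of the tools discussed): Shamir's Secret Sharing over the prime field GF(2^521 - 1), splitting a recovery code among twelve holders so that any seven can rebuild it and six learn nothing. The twelve-of-seven numbers, the recovery code string and the field prime are assumptions for the demo; the polynomial construction and Lagrange interpolation at x = 0 are the standard scheme.

```python
"""Shamir secret sharing of a recovery code (added example, stdlib only)."""
from __future__ import annotations

import secrets

# Mersenne prime 2^521 - 1: any secret of at most 64 bytes is a field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner's rule modulo PRIME; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, n: int, k: int) -> list[tuple[int, int]]:
    """Return n shares (x, f(x)); any k of them reconstruct the secret."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for this field (max 64 bytes)")
    # Degree k-1 polynomial with random coefficients and the secret as the constant term.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares: list[tuple[int, int]], secret_len: int) -> bytes:
    """Lagrange-interpolate f(0) from the shares.

    secret_len is the recovery code's byte length (something every holder can
    be told in the clear). With fewer than k shares the interpolated value is a
    random field element, which almost never fits in secret_len bytes, so the
    final check turns 'too few shares' into an error instead of wrong output."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME          # product of (0 - x_j)
                den = den * (xi - xj) % PRIME      # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total >> (8 * secret_len):
        raise ValueError("reconstruction failed: too few or corrupted shares")
    return total.to_bytes(secret_len, "big")


# Constructed sample recovery code (not a real key) and the thread's scenario:
# a dozen holders in different jurisdictions, seven needed to recover.
RECOVERY_CODE = b"418263-907315-552048-136790-284651-709328-463117-950284"
HOLDERS, THRESHOLD = 12, 7


def demo() -> bytes:
    shares = split_secret(RECOVERY_CODE, HOLDERS, THRESHOLD)
    # Any seven holders who meet you in person are enough; which seven does not matter.
    subset = [shares[i] for i in (0, 3, 4, 7, 8, 10, 11)]
    return combine_shares(subset, len(RECOVERY_CODE))


if __name__ == "__main__":
    print(demo())
```

Shares carry no integrity protection here, so a holder who hands over a corrupted share causes a bad reconstruction rather than a detectable one; verifiable secret sharing (commitments to the coefficients) fixes that at the cost of a larger share, and is worth it when the holders are as loosely coupled as the comment describes.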

Well the data is going to get wiped after you unlock without enough passphrases anyway, so it's kind of pointless - you need a backup. The point of not having recovery codes for the TPM is to ensure the disk is completely unusable if the machine is tampered with - i.e. you have to be forced to unlock that machine, and not a copy, to ensure the data is destroyed. I do wonder if TPMs would detect the use of SATA/PCI-E write blockers (or some elaborate shim system - but again, nation-state level).

Of course this is the real fiction: in reality I'm somewhat too lazy to set all that up for the much more likely scenario of a preventable glitch hosing my system.

> you can't prove that the "free space" is actually not just normal freespace on my HDD.

Isn't normal free space supposed to contain at least partially recoverable traces of deleted files usually? I think we need a file system that wipes everything deleted (including file names!) and replaces it with random data by default.

One of the best mitigations against rubber-hose and similar attacks is a hardware key. If you leave it at home, you can't be compelled to decrypt unless an attacker also breaks into your home and searches the place.

In a pinch, you might be able to conveniently "lose" your hardware key, or smash it if you hear the front door break open. Doing so effectively erases your data without actually erasing it, since it's unreadable without the key.

That format really needs widespread adoption. Using it is suspicious by itself right now.

Yeah, TrueCrypt or VeraCrypt are widespread enough right now and most people are just using them in normal, non-deniable form, so it seems like better cover currently.

To expand on your second point, these kinds of systems should let you set the fixed size of the volume, like 1G or 5G, with the payload being unrelated.