106

In the documentary film Citizenfour, Edward Snowden says about documents:

I'm comfortable in my technical ability to protect [documents]. I mean you could literally shoot me or torture me and I could not disclose the password, even if I wanted to. I have the sophistication to do that.

What technology/methods exist that would enable the scenario Edward Snowden is referring to when he claims to be able to create a protected file where he cannot disclose the password?

Xander
  • 35,616
  • 27
  • 114
  • 141
QBR8ZIKvyJ
  • 971
  • 2
  • 7
  • 4
  • 20
    As pointed out in an answer below, the type of attack Snowden envisages is called “rubber-hose cryptanalysis” (a euphemism for torture, see https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis). You may want to edit the title to be more specific. – MatteoS Mar 04 '15 at 17:04
  • 1
    KeePass generates passwords so long and complex, I could not possibly memorize all of them. I rarely even see my passwords. It does have a master password though. If he is kidnapped, he would not have access to the passwords for a specific document or site, but he could be coerced to provide the master password. – Chloe Mar 05 '15 at 02:40
  • 20
    Relevant to this discussion: http://xkcd.com/538/ – Sobrique Mar 05 '15 at 10:49
  • 4
    Any system where only 1 person is needed to get access is vulnerable to the rubber hose, you can torture someone to go through the steps of decryption. – ratchet freak Mar 05 '15 at 16:57
  • Maybe the encryption key automatically changes every n hours if he doesn't perform some task. – Typewriter Mar 05 '15 at 18:33
  • 6
    another relevant comic http://static.fjcdn.com/pictures/Korean_ca37a1_872460.jpg – jhocking Mar 05 '15 at 21:27
  • Notice that we see a YubiKey, shown e.g. at about 36 minutes in the scene where Snowden disconnects the hotel room phone. I would be surprised if that one is not involved in some manner. – user Mar 06 '15 at 18:59
  • Relevant to recent news story: "Quebec resident Alain Philippon to fight charge for not giving up phone password at airport" http://www.cbc.ca/news/canada/nova-scotia/quebec-resident-alain-philippon-to-fight-charge-for-not-giving-up-phone-password-at-airport-1.2982236 – Aaron Hall Mar 06 '15 at 19:51
  • Perhaps Snowden is bluffing in the hope that it will prevent the rubber hose from coming to visit him. – dotancohen Mar 08 '15 at 13:48
  • There is an actual file system with plausible deniability, linked from the Rubber-hose cryptanalysis Wikipedia page, itself also called Rubberhose: https://en.wikipedia.org/wiki/Rubberhose_(file_system). This answers the question in the title, but not the one in the post body. – zovits Mar 10 '15 at 08:36
  • I'm not sure I'd WANT such an undisclosable password. The people who are torturing you won't believe you that you can't give up the password, so they'll just go on torturing you. You'd have to be REALLY sure that the secret you were trying to protect was worth you being tortured to death for it. Just a thought. – Out of Band Feb 04 '17 at 12:45
  • I will add a simple answer that I don't have enough reputation on this site to add: *Simply make the conditions for opening the file such that your family can verify, in a blockchain or other timestamped means, that you have lived a very nice life for a significant enough time and were not tortured. In addition, if you claim even once that you've been tortured, the file disappears forever.* – Gregory Magarshak Jun 12 '17 at 14:20

11 Answers11

84

Shamir's Secret Sharing is a method for this. It allows one to encrypt a file with a public / private keypair, and then effectively split up the parts of the private key to be distributed to several different people. After that action (and assuming the various parts and original input private key are destroyed after distribution), it would require a quorum of people to act together in order to decrypt the data.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
  • 46
    Or a quorum of people to be tortured. It makes that attack harder, not impossible. – PlasmaHH Mar 05 '15 at 09:07
  • 15
    @PlasmaHH If you consider rounding up and torturing everyone whom you shared the partial key doable for that adversary, then there is no defence against it getting access to your data, other than to make it impossible to decrypt by yourself as well. If you can decrypt it and they have unlimited power over you, they can decrypt it too. – March Ho Mar 05 '15 at 09:35
  • 1
    @MarchHo: I don't see why it should be much more doable to torture a single individual than a bunch of individuals sharing the key. If you commit to torture then I don't see any limits on what you are willing to do. – PlasmaHH Mar 05 '15 at 09:45
  • 26
    @PlasmaHH Willing and able are completely different. The US government is willing to torture all of the Taliban and ISIS commanders, but is unable to do so. – March Ho Mar 05 '15 at 10:57
  • 13
    [Low efficacy of torture](https://skeptics.stackexchange.com/questions/4498/does-torture-work-well-as-an-interrogation-technique) is a serious problem here. – Palec Mar 05 '15 at 22:25
  • 1
    @PlasmaHH: if the keyholders are distributed across multiple jurisdictions, it may not be feasible for a single attacker to compel them (through whatever means) before one of their number discovers the attack and destroys his key part. – eggyal Mar 06 '15 at 00:12
  • 1
    @Palec Your comment makes no sense in this context. The key is an easily verifiable fact. The only questionable part of the attach scheme is how you can reliably identify the keyholders, which, is only a concern if you cared for minimizing the usage of torture. – Aron Mar 06 '15 at 01:29
  • 3
    @Aron: The key itself is easily verifiable, but people usually don’t remember their keys. They store them somewhere. And getting the key from a remote location is not as fast and easy. – Palec Mar 06 '15 at 07:53
  • @Palec the only physical encryption key I own and do not carry on my person comes from my bank. The only reason I do not carry it on my person is because it is too friggin large. I used to carry my RSA token everywhere. Besides, most people don't use real keys, they use passwords, which are inflated to key length. – Aron Mar 06 '15 at 07:57
  • @Aron So the torturers will know you’re probably lying. But that’s what they should expect anyway – see the Q&A on Skeptics I linked. Even passwords can be stored and forgotten. AFAIK that is best practice when it comes to root passwords. – Palec Mar 06 '15 at 08:05
  • 2
    Doesn't this also have the problem of needing everyone to be responsive in order to use the password? This sounds like it could get very complicated to use on a normal basis, especially if the shareholders are across multiple timezones. – David says Reinstate Monica Mar 06 '15 at 12:40
  • That solution reminds me of Fidelius Charm from Harry Potter. – Tomáš Zato Apr 15 '16 at 08:02
  • In more practical terms, Shamir's Secret Sharing Scheme (SSSS) is a general software implementation of bitcoin multisignature wallets. Simpler implementation thus is storing the password in question inside a multisig wallet, or have it's private key (or section thereof) be the password. – Gaia May 02 '16 at 19:06
61

All of our answers are speculation, of course, but I suspect that the most likely way that the documents are protected are by following Bruce Schneier's advice regarding laptop security through airports:

Step One: Before you board your plane, add another key to your whole-disk encryption (it'll probably mean adding another "user") -- and make it random. By "random," I mean really random: Pound the keyboard for a while, like a monkey trying to write Shakespeare. Don't make it memorable. Don't even try to memorize it.

Technically, this key doesn't directly encrypt your hard drive. Instead, it encrypts the key that is used to encrypt your hard drive -- that's how the software allows multiple users.

So now there are two different users named with two different keys: the one you normally use, and some random one you just invented.

Step Two: Send that new random key to someone you trust. Make sure the trusted recipient has it, and make sure it works. You won't be able to recover your hard drive without it.

Step Three: Burn, shred, delete or otherwise destroy all copies of that new random key. Forget it. If it was sufficiently random and non-memorable, this should be easy.

Step Four: Board your plane normally and use your computer for the whole flight.

Step Five: Before you land, delete the key you normally use.

At this point, you will not be able to boot your computer. The only key remaining is the one you forgot in Step Three. There's no need to lie to the customs official; you can even show him a copy of this article if he doesn't believe you.

Step Six: When you're safely through customs, get that random key back from your confidant, boot your computer and re-add the key you normally use to access your hard drive.

And that's it.

This is by no means a magic get-through-customs-easily card. Your computer might be impounded, and you might be taken to court and compelled to reveal who has the random key.

To be even more secure, Snowden himself may not know who has the backup key--as the associate he gave it to may have passed it along elsewhere. Also, it is likely that the person that did receive the backup key from Snowden is in a different country than any likely attacker and is doing his or her best to stay very safe.

EDIT: In response to the below comment, I decided to add the following advice:

Create a dummy operating system that starts at the beginning of the laptop's hard drive. The encrypted operating system with sensitive information will be the following partition. Configure the laptop's bootloader to boot from the dummy operating system without your intervention.

TrueCrypt had a similar hidden operating system feature where the TrueCrypt bootloader would accept two different passwords, giving access to two different operating systems. The hidden operating system was concealed with a bit of clever steganography.

We can do something similar in Linux and LUKS, but without the steganography, by doing the following:

  1. Installing Linux twice--on two partitions.
  2. Encrypting both of them with LUKS.
  3. Configuring the bootloader (probably GRUB2) to boot the first Linux installation, and remove the entries for the second installation.
  4. Whenever you want to boot your second, secret installation, boot your laptop and reach the GRUB screen. Modify the bootloader entry (temporarily) directly from the boot screen to point to the second partition.

Step four is not very user friendly, and we could get rid of it and make a separate bootloader entry for our secret operating system, but then anybody that looked at the screen could tell that there are two operating systems on the machine. An investigator can still tell, but now they must look at the laptop's hard drive with a partition editing tool.

James Mishra
  • 1,124
  • 6
  • 12
  • 18
    If your laptop is not bootable, they might not allow you to take it aboard. – Kevin Krumwiede Mar 04 '15 at 23:45
  • 5
    My LG G2 phone has a UI like that. One pattern/pin takes you to guest mode and another pattern/pin leads to your normal account. Once a user is taken to guest mode, that user has no idea he is in guest mode (assuming you didn't uncheck any of the normal pre-approved apps on your phone). And even if you do pre-approve all the apps to work in guest mode, a user in guest mode won't have access to any of the data held from your normal account. – Stephan Branczyk Mar 05 '15 at 12:10
  • 3
    What about giving out a "self-destruct key" as is envisioned in different disk level encryption schemes. You just give it to them and they destroy all the data. There is a flaw somewhere probably, maybe cloning the disk would make this irrelevant, as they still have another copy to try it again. – WalyKu Mar 05 '15 at 18:36
  • 7
    @Kurtovic The disk is guaranteed to be mirrored by any government-level attacker, simply because that is what a sensible person would do. Either way, attempting to destroy the ciphertext when detained may incur legal penalties. – James Mishra Mar 05 '15 at 21:11
  • 12
    **STEP TWO Solve the key sharing problem.** STEP THREE PROFIT. – Aron Mar 06 '15 at 01:30
  • @KevinKrumwiede [Dead devices in general](http://techcrunch.com/2014/07/06/charge-your-phone-before-flying-tsa-will-now-block-dead-devices-at-some-airports/) are not permitted on some flights. – Ryan Kennedy Mar 09 '15 at 14:33
  • A dummy operating system seems like a good alternative to the dead device option. It would at least get you through a basic check of your laptop. "Yep, it boots. Here's Windows. Nothing interesting here." – Rick Chatham Jul 09 '15 at 19:52
38

Here is an original technique I have come up with that can survive a rubber-hose attack:

  1. Get a stack of cash, about 50 one-dollar bills. Maybe mix some fives and tens in with them.
  2. Shuffle them into a random order
  3. Derive a password from the serial numbers, for example by taking the two least significant digits from each bill in order to form a 100-digit number
  4. Use this password as your encryption key
  5. Keep your cash in a neat stack next to your computer.
  6. If government agents raid your home, they will take the cash. With a bit of luck, it'll simply vanish into a policeman's pocket, never to be seen again. But if you get an honest cop who checks it into evidence, it's still going to be sorted and counted; it is very unlikely to maintain its order through that process, especially if your stack contains different denominations.
  7. At this point, your password is well and truly gone. You might vaguely remember a few digits of your password, but no torture can force you to disclose it. Especially because of your policy of changing the password every time you started to remember it.
  8. (Optional) You don't have to actually do any of this. Your password can be your dog's name, as long as you're willing to stick to the story that you did steps 1-5, and maybe keep a stack of a few bills next to your computer.

You don't have to use cash, either; your password could be embedded in the order of the books on your bookshelf, or some other ephemeral thing that will most likely be destroyed by government agents in a search. But cash has the advantage of being much more likely to vanish completely in a search.

Aric TenEyck
  • 481
  • 3
  • 3
  • 16
    This sounds like a great way to lose your password forever, without the help of any would-be attackers. – David says Reinstate Monica Mar 06 '15 at 12:38
  • 1
    I like it. Although if this becomes commonplace, police searching the house will counter it by photographing everything they encounter during a search. – S.L. Barth Mar 06 '15 at 14:44
  • 32
    "Hey dude, I borrowed $20 from your drawer. Whoa! Why do you look so mad? Don't worry, I'll pay you back on Friday..." – Digital Chris Mar 06 '15 at 17:30
  • "Everything" potentially covers a *lot* of photography... – Aric TenEyck Mar 06 '15 at 18:25
  • 2
    Clever! I like it. I have doubts about how well it would work however, at least in the U.S. where cash is not as likely to disappear, but end up preserved in an evidence locker. Then, even if they bills do end up out of order (and I agree that this is quite likely) once they get the scheme out of you, they still have a very limited set of candidate passwords to work with. Still, a neat idea. – Xander Mar 08 '15 at 23:31
  • 5
    +1 for thinking out of the box, but this would definitely need some optimizing before implementation. – Mast Mar 09 '15 at 09:07
  • 1
    If the bills are out of order, there are 50! keys (assuming you made sure beforehand that there were no duplicates) that would need to be tried in a brute-force attack. This is about equal to 10^64, or 2^214. – Aric TenEyck Mar 09 '15 at 13:43
  • You can do the same with a stack of poker cards, except that it's much less likely to be disturbed. Maybe if you set it on a surface that is likely to be moved... – Out of Band Feb 04 '17 at 12:43
  • The difference is that, "The stack of cash I had on my desk never made it into evidence" is much more plausible than, "The deck of cards I had on my desk never made it into evidence". – Aric TenEyck Feb 07 '17 at 16:07
  • Combining this method with the Bruce Schneider technique seems like a really good solution. You have two keys you don't have memorized, so you can always phone a friend if your cash pile gets messed up by accident. And if the friend also uses a (different) cash pile, oh, the possibilities are endless! So much plausible deniability! – Rocky Feb 14 '17 at 00:26
27

He might be referring to neuroscientific methods of cryptographic primitives such as those outlined in the following paper: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final25.pdf

Basically, you can prevent against "rubber hose attacks" as they call it (torture the password out of somebody) by training the user via some sort of game or app that subconsciously plants the password (combination of moves to accomplish a goal, for example) using implicit learning. The user can use the password, though cannot recall it outside of the situation of playing the game.

Think, for instance, moves you memorize in Pac-Man or Mario when you play the same level over and over... you get "good" at it because you are practicing the same movements repeatedly to accomplish the goal, even though if I sat you down with a game controller in an empty room (no game, no screen), you wouldn't (easily) be able to replicate the pattern.

I'm not sure if that is what Snowden is referring to, but it's one possibility.

armani
  • 2,658
  • 20
  • 20
  • 16
    Could you not be tortured to (1) reveal how you decrypt (playing the game) and then (2) be forced to play it? I suppose, under torture, you could argue that you can't play the game the same way due to the stress? – Alex Kuhl Mar 04 '15 at 16:30
  • 1
    The paper discusses that the user is not consciously aware that they have the password, nor might they even realize what the authentication mechanism is, especially under stress. Furthermore, check the "Basic Coercion Threat Model" section of that paper's Section 5.1 where they show the situation you describe as being impractical (for a 5-minute test it would take "about one year of nonstop testing per user which will either interfere with the user’s learned password rendering the user useless to the attacker, or alert security administrators.") – armani Mar 04 '15 at 16:42
  • 2
    The part you're citing does not solve the problem I mention. They define their "basic threat model" where an attacker intercepts some number of users, gets info out of them, and then tries to impersonate them at some physically secure location where an alarm is raised after a failed login attempt. The scenario here is different: the encryption is local to one computer and the attacker can force the actual user to play the game, no impersonation required. This is mentioned here http://arstechnica.com/security/2012/07/guitar-hero-crypto-blunts-rubber-hose-attacks/ and in the comments. – Alex Kuhl Mar 04 '15 at 19:11
  • You grabbed that part from their Intro, whereas in Section 5.1 they describe how it is solved, but they do apply certain unreasonable constraints such as the user being physically at some location to authenticate. Either way, this nitpicking doesn't answer the OP's question, and I believe implicit learning techniques might be what Snowden is referring to. – armani Mar 04 '15 at 21:20
  • 1
    @AlexKuhl, the game analogy is great (thanks Armani) but the `key` is not necessarily **how** you play the game but rather the **game** itself. For instance, I can **demonstrate** how to swim but I cannot explain (in significant detail) how I **learned** how to swim. The process of learning (or the game) is the key -or rather contains the key, because a user will subconsciously inherit the item being taught and it is that subconscious level where the 'password' is stored in your brain. Bare in mind that this paper is a mere conceptual approach and not necessarily a ready to implement design... – Matthew Peters Mar 04 '15 at 21:53
  • 1
    * imagines a game of "Missile Command" having to be played before being allowed to launch missiles at the enemy.. ironically you protect the cities too well and the enemy blows you up before you complete the game. – DoubleDouble Mar 05 '15 at 19:35
14

Keyfiles can almost accomplish this. The idea is the encryption key is stored as a file rather than a phrase the user memorizes. Keepass/KeepassX offers keyfiles as an option for securing the password database instead of a passphrase. The key can be more secure because it can be of much longer length than something a human needs to use, but the downside is that file must be protected from other parties gaining access. Typically these files are stored on a USB drive or other external media, or could possibly be held by a third party or otherwise outside your possession. This may not solve your problem though, since you may be tortured to reveal the location of the keyfile.

Other options are encryption that requires more than one person to be party during the process (again, could be tortured to reveal the other people involved), deniable encryption, and verifiable destruction. The latter two are discussed here. All of these have their own unique set of problems though.

Alex Kuhl
  • 251
  • 1
  • 5
  • +1. Your first paragraph gives a good introduction on how a [license dongle](https://en.wikipedia.org/wiki/Software_protection_dongle) works. – Mast Mar 09 '15 at 08:51
  • The keyfile on a separate physical medium does have the advantage that you can physically destroy it and thus be unable to recall it ever again. – jeteon Dec 14 '15 at 13:10
9

I haven't seen the documentary, but in addition to what others have spoke about, he could be talking about public/private key encryption.

You encrypt a file with the public key provided by an anonymous third party who shares your view. Only they can decrypt the file, and you don't know who they are.

So he has a document, encrypt it so it is protected and no matter how much you torture him he would never be able to decrypt it for you.

  • 3
    What stops them beating him with a rubber hose until he hands over the private key? – sapi Mar 04 '15 at 23:46
  • 7
    He need not have the private key. If I encrypt documents with a private key, store my only copy of the private key on a USB drive, and then give the drive to someone else... I no longer have the key. If Snowden did this, he would lose the ability to decrypt his documents, but that is a relatively small price to pay. Presumably, he already knows what is in the documents, and he stole them *for others* to decrypt. – James Mishra Mar 05 '15 at 00:19
  • 5
    Then you beat the person he gave it to with a rubber hose... – Wayne In Yak Mar 05 '15 at 02:04
  • Person A contacts you online. Talks to you about the atrocities of the US military. You agree with them, and use your data clearance to grab a bunch of files. You encrypt them with the public key provided to you by Person A. You provide Person A with the encrypted file. Government wants to know who you gave it to and what. You don't know who and they don't reach out to you again. You don't remember what, just a bunch of files that were accessible. You do not have the capability to decrypt them to find out. – David Jacobsen Mar 05 '15 at 15:16
  • 4
    Someone or someone's has the capability to de-crypt the files. All depends on how many people a person is willing to torture and how willing they are to stand up to the torture. – Wayne In Yak Mar 05 '15 at 20:32
  • 1
    You are correct that someone has the capability to de-crypt the file. However neither I nor the government, in this example, have enough information to identify and find anonymous Person A. You can torture me all you want, I only ever spoke to him when he reached out to me and no logs identify him because he used disposable hardware on an open Wi-Fi in a location without security cameras. Knowing that someone can decrypt the file is useless if you cannot find out who that someone is. – David Jacobsen Mar 05 '15 at 20:54
  • 4
    @sapi Well, they can still beat me with a rubber hose but I don't have the private key. They can't beat Person A because neither I nor the government know who they are. They always contacted me. – David Jacobsen Mar 05 '15 at 20:56
  • I don't see how this answer is any different from just securely erasing the file. Either way, you can never decrypt the file again. (Unless you had some method by which, in your scheme, you could decrypt the file later, but can't be tortured. If so, you need to edit your answer to explain how that works -- but it seems in tension with the "can't be tortured out of you" requirement.) – D.W. Mar 05 '15 at 21:49
  • @D.W. The difference is that someone out there has the information in cleartext format, ready to publicly leak it. We just don't know who. In the context of someone revealing government secrets, particularly in the case of Snowden where I remember reading the Government logs weren't sufficient to identify what was copied, the government would want to know what was leaked. The government has no way of knowing which clandestine operations are secure and which are compromised. Encrypting a document in this way would not be useful to the encrypter, but detrimental to the target. – David Jacobsen Mar 05 '15 at 21:55
  • 3
    @DavidJacobsen, I don't think this is a helpful answer. We already know that Snowden shared all those documents with reporters, so it's already true that "someone out there has the information in cleartext format". I don't think your answer is a likely explanation of what's going on with Snowden (why wouldn't he just securely erase the documents, if he didn't want to retain access to the documents?), and I don't think it will be useful to others in the future who want a way to resist rubber-hose cryptanalysis (a method that leaves you without a reasonable way to regain access is not useful). – D.W. Mar 05 '15 at 22:08
  • I think this answer is correct, but just more broad than some people would like. All the other answers fall into this category, which is: "The person being tortured is able to encrypt an unknown file, but is not able to decrypt it at the location and time of being tortured because the key is in other hands" Yes, it could be difficult or it could be easy to figure out what you need to do to decrypt it, but it still qualifies for `you could literally shoot me[him] or torture me[him] and I[he] could not disclose the password, even if I[he] wanted to` – DoubleDouble Mar 05 '15 at 22:11
5

While I haven't seen the film, I can easily imagine a randomly generated passcode which changes every [brief time window here]. Some online gaming security protocols started doing this a couple years ago, such as Battle.net (Blizzard - games like World of Warcraft, Starcraft, Diablo)

Add in the fact that you can only get the most recent passcode from a selected secure device and then he can't know what the current passcode is without that device.


Taking that and running with it...

As an extreme example, his phone may have encrypted files, but is not able to decrypt them without the passcode provided from the secure device [similar to @DavidJacobson's answer] - in this case a combination of people or computers in different locations [@JeffFerland's answer] which each have their own section of the passcode. If one person or computer is attacked, the others can be disconnected or moved - depending on the situation.

The weakest point is then the process for requesting the decrypt key. Assuming a person is qualified to have access to that file, they may have to provide physical identification. Perhaps they only have access to the decrypted file if they are in a specific location.

Sure, all this could ultimately be overcome, but the point is that it would be incredibly difficult. Let's say you capture someone with the file and try to get the key from them only to find out that it can only be gotten from someone else, and only while they are inside a guarded building, plus they can't physically take the information out with them. What would be your approach after that?

  • if you attack the building that requests are made from an alert will be sent out and the key will be unavailable.
  • You might be able to capture this other person (without it being noticed, since I assume they would have their access revoked if there is any reason to believe they are acting for another party) and "convince" them to go and steal or memorize the information, but can you trust that the information they bring back is correct?
  • You could try to attack the various holders of the key, but you would need to know all the people/locations and make it a simultaneous attack - otherwise the others would be better protected, moved, or, if that's not possible, maybe even just destroy the key. Of course, that could happen even during the attack.

In the end, I can't imagine the information that is on this file to make it worth so much effort. The more truly valuable the information is, the less people that will have access to it, and those people are likely in higher positions of power, therefore they are more likely to be protected or at least noticed missing if they get kidnapped.

DoubleDouble
  • 151
  • 4
4

There are very interesting answers there. One warning though: I was once offered to access the ATM of my bank account via a finger scan instead of the typical PIN. I refused. The bank was then assuring me that they guarantee that a copy of my fingerprint cannot be used (yeah, it was a few years ago)

I then told them that I am not sure that the bad guys know this and I very, very much prefer to rather give them the PIN than my thumb.

This is to say that the rubber hose users may not be aware of the subtle techniques used to not know the password.

WoJ
  • 8,968
  • 3
  • 33
  • 51
  • Your life (or thumb, even) is worth more to you than the money the bad guys could steal using your ATM card. The data Mr. Snowden has access to may very well be worth protecting at the cost of his thumb, or even his life. This is not unheard of - take a look at Suicide pill on [Wikipedia](http://en.wikipedia.org/wiki/Suicide_pill). – matega Mar 07 '15 at 17:00
  • @matega: I do not get your point. I am saying that the bad guys may beat the crap of you to get your password even though you assure tham that you do not know it, because you use a fancy mechanism and even have web links to prove that. – WoJ Mar 10 '15 at 07:31
1

I think the only way how you actually can decrypt it now, but not when being tortured is if you either have the chance to destroy/forget the key before you can be made to reveal it. Or the key has a property which makes it unusable in a tortured situation.

Many answers address only the part, where you "can not reveal the key to the evil guy, even if you wanted to" - but with some whistle-blower I think a usable system would also have to give you a way how to access the information if you need it, before or even after they got to you.

  1. Maybe you have a system where you can only enter the key if you are calm and relaxed. A sophisticated speech analysis software? Or maybe just an anonymous third party. - If only a third party has the key one scheme would be this: You have to post a video of yourself where you kindly request the key in a calm and controlled manner, standing in a public space or something. You post it somewhere where it gets a lot traffic like youtube/twitter. The anonymous source will access the video (among thousands of viewers) and if he believes you are safe and your voice sounds controlled and everything, he sends you the decrypted documents.

  2. Maybe the key self-destructs under certain circumstances, like physiological signs of extreme stress, like biting you teeth or extreme heart-rate. As soon as torture comes into play the key will be gone.

  3. There are shared key principles where you need a certain amount of people together to decrypt something - you could employ one, where you split the key in a way where you need at least 3 of 5 people to decrypt it. But then still, if you have a way to contact the other people of this group, you can probably be forced to contact them, so it all boils down to solution 1, where your communication with them needs to be good enough, so they can make sure if you are forced to do it or do it willingly.

Falco
  • 1,492
  • 10
  • 14
  • Another possibility but more akin to scifi would be mental conditioning: Maybe you could condition your brain to forget the key in a traumatic event, like repressed memories which can only be revealed in a certain calm and relaxing environment... – Falco Mar 09 '15 at 16:43
-1

It might refer to having multiple possible decryption states. Basically, you start with an extra-large blob of encrypted data, and multiple keys. Each key results in a different document.

Obviously, the encrypted data needs to be large enough to hold all documents, but there's no way to prove how many keys exist. Make it large enough to hold 10 documents, for example, and you could have 2 false keys, one real key, and a bunch of random data.

user3757614
  • 131
  • 2
  • 2
    This doesn't address the issue of how Snowden *cannot* decrypt the documents. If he doesn't know the "correct" key, there is no need for a bunch of other keys. – Matthew Read Mar 05 '15 at 02:09
  • An encryption algorithm that produces multiple coherent outputs from the same ciphertext when different decryption keys are used is still very much in the realm of theory, not practice. – Mark Mar 05 '15 at 05:19
  • @Mark: Any particular part of the ciphertext blob only needs to represent one file. If one has nine plausible fake documents and a real one, have a program "flip a coin" for each fake document and either replace it with random data or not. Then encrypt each of the ten documents with a different key and store them in random order. The number of documents that could be decrypted using all ten real keys would be somewhere between one and ten, but it would be impossible to tell whether any supposed set of keys was complete. – supercat Mar 06 '15 at 23:44
-3

I'm going a little sci-fi with this answer.

Smart cards, even contactless ones are powerful enough to do cryptography. They often contain a private key, which was generated by them and never leaves the card, but the corresponding public key can be retrieved freely. These smart cards can be protected with a password, they can make themselves inoperable after 3 failed tries, etc. They are uncloneable and extremely secure. (Also, they are tiny, they're a tiny chip within a plastic card, and they consume only a tiny amount of energy.)

You could then encrypt a document, a whole hard drive or whatever using a random key, then encrypt the key with the smart card's public key and save only that. This way, if you want access to the encrypted data, you first have to ask the smart card to decrypt the key using its internal private key.

Now we just have to tie the card to Snowden in a way that ensures that

  • It is only him that can activate the card
  • The card self-destructs when it is not with him any more
  • He himself is able to disable the card permanently, even when restrained

A straightforward option is implanting the card (only the chip, not the plastic part) into him. It could feed on the voltage generated by his body while inactive (e.g. his heart and/or muscles output a few millivolts constantly) and disable itself if this power is cut. You could also wire it up to some of his voluntary muscles which, if activated in a certain pattern could enable or destroy the card. If we want to go deeper into this sci-fi, you could have the card check if his heart rate and/or epinephrine level is below a certain threshold and deny operation temporarily when he is under excessive stress. It would have an antenna in a convenient place, possibly his palm, to communicate using NFC or something similar.

If the power supplied by his body isn't enough, another option would be to implant it along with a battery. It could be a pacemaker-like device. Pacemakers have an internal battery which lasts for years. It could do anything the previously described implant does. (It could be a pacemaker/ICD too, for preventive purposes - It's not unheard of for important people to have a defibrillator in their home and their family trained to use it.) An alternative idea would be to have a regular contactless smart card in his front pocket that feeds off of this pacemaker-like device continuously using the same principle as NFC and disables itself permanently if power is cut for more than a minute. This NFC power could also carry cryptographical data to be unique and unreplicable.

matega
  • 369
  • 1
  • 8
  • Do you have any citations to point towards, which would indicate that what you are describing is possible and practical to do, for an individual? – user Mar 07 '15 at 20:02
  • There's [this](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) for an example. It is a contactless smart card, running solely off the power it receives through NFC. Low-power ECG and EMG (electromyograph) devices do exist. A Low-power ECG analyzer is used in every implantable pacemaker - an EMG version could be made too, as voluntary muscles give off of electric signals similar in amplitude to those of the heart. Of course, it requires specialised hardware which an individual does not have access to. Which part of my answer do you object to? – matega Mar 07 '15 at 21:26
  • My objection is mostly with your answer in relation to Snowden's talking about *himself*. The way he phrases himself makes it sound like his actions to protect the confidentiality of the data, while sophisticated, is something that should be available to an individual even outside of the purview of a large organization. I don't really see how your proposal qualifies as such. – user Mar 08 '15 at 14:08