Ensuring Data Confidentiality Via Plausibly Deniable Encryption and Secure Deletion – a Survey Qionglu Zhang1,2,3, Shijie Jia1,2*, Bing Chang4 and Bo Chen5*


Zhang et al. Cybersecurity (2018) 1:1
https://doi.org/10.1186/s42400-018-0005-8
SURVEY, Open Access

Abstract

Ensuring confidentiality of sensitive data is of paramount importance, since data leakage may not only endanger data owners' privacy, but also ruin reputation of businesses as well as violate various regulations like HIPAA and Sarbanes-Oxley Act. To provide confidentiality guarantee, the data should be protected when they are preserved in the personal computing devices (i.e., confidentiality during their lifetime); and also, they should be rendered irrecoverable after they are removed from the devices (i.e., confidentiality after their lifetime). Encryption and secure deletion are used to ensure data confidentiality during and after their lifetime, respectively. This work aims to perform a thorough literature review on the techniques being used to protect confidentiality of the data in personal computing devices, including both encryption and secure deletion. Especially for encryption, we mainly focus on the novel plausibly deniable encryption (PDE), which can ensure data confidentiality against both a coercive (i.e., the attacker can coerce the data owner for the decryption key) and a non-coercive attacker.

Keywords: Data confidentiality, Plausibly deniable encryption, Secure deletion

1 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
2 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
5 Department of Computer Science, Michigan Technological University, Houghton, USA
Full list of author information is available at the end of the article.

© The Author(s). 2018 Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Introduction

Modern computing devices (e.g., desktops, laptops, smart phones, tablets, wearable devices) are increasingly used to process sensitive or even mission critical data. Protecting confidentiality of those sensitive data is of paramount importance because: First, data leakage will endanger data owners' privacy. For example, the data leakage of iCloud in 2014 disclosed almost 500 private pictures of various celebrities (Cbsnews: Apple's celebrity icloud leak probably has mundane causes 2014). Second, it will ruin reputation of businesses. For example, Equifax data breach in July 2017 caused a leak of 145,500,000 consumer records; a few local governments like cities of Chicago and San Francisco, as well as the Commonwealth of Massachusetts, have filed enforcement actions against Equifax (Ballard Spahr LLP: State and local governments move swiftly to sue equifax 2017). Third, it will directly violate regulations like HIPAA (Congress 1996), Gramm-Leach-Bliley Act (Congress 1999), and Sarbanes-Oxley Act (Sarbanes and Oxley 2002).

The data confidentiality should be ensured not only during their lifetime (i.e., the data are preserved in the devices), but also after their lifetime (i.e., the data have been removed from the devices). This is because, by recovering sensitive data which have been deleted, the attacker can achieve a similar gain compared to successfully attacking the confidentiality of the data being preserved in the devices. For example, by recovering a naked picture deleted by a victim, the adversary can still use it to embarrass the victim or ask the victim for ransom money.

Correspondingly, the research efforts for protecting data confidentiality can be divided into two categories: encryption and secure deletion. Encryption can protect confidentiality of the data stored at rest by transforming them into another format using some secrets (e.g., keys), such that the adversary is not able to correlate the transformed format to the original format without obtaining the secrets. All types of existing encryption mechanisms like symmetric encryption and asymmetric encryption can achieve the aforementioned security property. Secure deletion is to ensure that once the sensitive data are deleted, the probability of recovering them is negligibly small. This requires special techniques to completely destroy data, eliminating any traces which may lead to a full/partial data recovery.

To protect confidentiality of the data stored in a computing device, conventional encryption may not work when both the computing device and the device's owner are captured by an attacker, since the attacker can coerce the owner to disclose the secret (i.e., a coercive adversary). Once the secret is disclosed, the transformed format created by encryption will be reversed, and the sensitive data will be leaked. A novel encryption technique, plausibly deniable encryption (PDE) (Canetti et al. 1997), has been designed to complement the traditional encryption to handle such a coercive attack. The high-level idea of PDE is, the original sensitive message is encrypted into ciphertexts in a special way, such that during decryption, if a true key is used, the original sensitive message can be recovered, but if a decoy key is used, a plausible message will be generated. Therefore, upon being coerced, the owner can simply disclose the decoy key to protect confidentiality of the original sensitive message.

To protect confidentiality of the data deleted from a computing device, the deleted data should be made completely unrecoverable. Conventionally, this is ensured by carefully over-writing the storage medium storing the data using garbage information (Joukov and Zadok 2005; Wei et al. 2011; Garfinkel and Shelat 2003; Sun et al. 2008; Gutmann 1996) or deploying encryption using ephemeral keys (Perlman 2005a, b; Geambasu et al. 2009; Tang et al. 2012; Reardon et al. 2012; Zarras et al. 2016). This unfortunately was shown to be insufficient, since past existence of the deleted data will create impacts on both the data organization (Bajaj and Sion 2013b) and the other data which have not been deleted (Bajaj and Sion 2013a). Those impacts can then be utilized by the adversary as an oracle to derive sensitive information about the deleted data. In the worst case, the adversary is able to completely recover the data being deleted (Chen et al. 2016). Therefore, recent secure deletion approaches focus on eliminating those impacts (Bajaj and Sion 2013a, b; Chen and Sion 2015; Chen and Sion 2016; Jia et al. 2016).

In this work, we aim to conduct a thorough literature review on data confidentiality protection. We believe that data confidentiality should be always ensured no matter the data are preserved in the computing device or […] against both the coercive adversaries and the non-coercive adversaries. We summarize the research for PDE theory and systems (including both the desktop systems and the mobile systems). For the second case, we summarize secure deletion approaches in various storage media including hard disk drives (HDDs) and NAND flash memory. We also outline the new direction of secure deletion approaches by eliminating impacts of operation history.

Organization. In "Background" section, we introduce the background knowledge of flash memory, the architecture of a storage system, PDE as well as secure deletion. In "Models and assumptions" section, we unify the adversarial model for both PDE and secure deletion, and also summarize the assumptions required by PDE. We then summarize the literature for PDE in "Protecting data confidentiality against coercive adversaries via PDE" section and for secure deletion in "Ensuring confidentiality of the deleted data via secure deletion" section, respectively. In "Future directions" section, we discuss a few future directions of PDE and secure deletion. We conclude in "Conclusion" section.

Background

Flash memory

Flash memory is a solid-state non-volatile computer storage medium that can be electrically erased and reprogrammed. It can eliminate mechanical limitations and latency of hard drives, achieving a much higher I/O throughput with a much lower power consumption. Therefore, it gains popularity in main-stream mobile devices like smart phones, tablets, wearable devices. In addition, a lot of high-end laptops like Apple MacBook use flash memory as external storage. Even cloud providers allow their users to choose solid state drives (SSDs) as the underlying storage media (Amazon: New SSD-Backed Elastic Block Storage 2016). The flash memory being used as the storage medium is mainly NAND flash. NAND flash stores data using an array of memory cells, which are grouped into pages (each page can store 512-byte, 2KB, or 4KB data), and multiple pages are further grouped into blocks (can contain 32, 64, or 128 pages).

Compared to traditional mechanical disks, NAND flash has several unique characteristics. First, NAND flash has an erase-before-write design. Specifically, to overwrite a flash page, the page needs to be erased before any new data can be programmed to it. Second, the unit of read/program of NAND flash is a page, but the unit of erase is a block, which