
Designing Crypto Primitives Secure Against Rubber Hose Attacks - zvrba
https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/bojinov
======
pointernil
"While the planted secret can be used for authentication, the participant
cannot be coerced into revealing it since he or she has no conscious knowledge
of it." Quite interesting idea. But don't we now move from "rubber hose" to
"Please sit down and authenticate here." territory?

~~~
AlyssaRowan
Unless it somehow fails subconsciously when under duress, yes, so this has no
practical applications I can think of. It's still fascinating research,
though.

The problem with deniable cryptosystems that make it intractable to prove
you've complied, like the old stegfs or the not-quite-as-old Marutukku (aka
Rubberhose, which Julian Assange worked on by the way) is that it really sucks
to be the keyholder! You can _try_ to secure a system against duress
disclosure, but you can't safeguard the people as well - it is possible to
make wrench-resistant systems, but unfortunately not wrench-resistant
kneecaps. I don't think any good solution exists for that: that's a
physical/political/legal/OPSEC problem, not a technical one.

~~~
wcummings
It's also impossible for the key holder to prove to his assailants that he has
provided the correct keys, so there is little incentive to comply in some
situations, since you will likely be killed / tortured, either way.

~~~
tedunangst
The best of both worlds. Tortured until you reveal your password, then
tortured some more!

~~~
AlyssaRowan
Exactly. Valuable if you want to ensure the confidentiality of the data no
matter what - but you'd better _really mean_ that "no matter what", because if
the eventuality arises where the system's properties might be desirable, those
same properties essentially spell your own doom.

That and the disk-space penalty for the compartments (either fixed or
stochastic) meant that, even in areas of potential forced key-disclosure,
these systems didn't take off and are as far as I know mothballed and
unmaintained.

------
anologwintermut
Not this paper again. It can't be used for cryptographic usage and the
title (which is the original title of the paper) is completely misleading.

The device you're authenticating must have the secret you're authenticating
with in it in a retrievable format. So it can't be used for e.g. disk
encryption, etc, because the attacker can just get the secret from the device
and decrypt.

All it can be used for is authentication, and for that they require a human
security guard to ensure it's actually a human playing the authentication
game. If you were to attach a computer, it's likely it could impersonate you.
So almost completely useless (except for getting people's hopes up).

More discussion here:
[https://news.ycombinator.com/item?id=4266115](https://news.ycombinator.com/item?id=4266115)

------
peri
This paper is from a few years ago, but I think that for folks who aren't
quite as into the net/info security side of things, it's better to think of
"rubber hose attacks" as a polite way to say "having to fight too many
subpoenas from a more wealthy adversary".

Hopefully doesn't apply to your businesses, but it sure delayed a lot of
things in the 80s and 90s before the EFF/CDT/and so on helped settle a lot of
the law that we take for granted now.

(No I do not work for the EFF, CDT, or any other TLA. I just think that
programmers and painters both need to be cognizant of copyright)

~~~
rhino369
Nothing will save you from discovery in a civil case. You either hand the data
over, perjure yourself and hope nobody has evidence the data existed, or get
sanctioned, then the court makes an adverse inference that the evidence must
have been bad and can use that against you.

------
peterwwillis
I think that the finger-prick scanners from Gattaca are the future. We already
have them in the form of diabetes scanners. They could look for matching
genetic material to identify the user, and generate a hash based on the
average amounts of hormones in the body, for example. It would only produce
the correct hash if you felt 'normal', so a flood of fear hormones or an
abundance of drugs would make it throw an invalid hash.

~~~
JoachimSchipper
Do you actually need to prick for that? Both fingerprint scanners and
thermometers (cf.
[http://en.wikipedia.org/wiki/Mood_ring](http://en.wikipedia.org/wiki/Mood_ring))
already exist; analyzing reflections of the finger may provide even more
information.

A computer that doesn't work when the user is stressed is still going to get
defenestrated, though.

------
infinity0
This really has nothing to do with crypto primitives, but is all about memory.
One would still use exactly the same crypto primitives and protocols as we
have already, just the method of memorising secrets would be different.

It would be interesting to see how their approach does against attacks against
_subconscious_ reactions that can nevertheless be measured by more
sophisticated devices.

------
Kenji
Hmm, training 30-40 min, authentication 5 min. That's a huge inconvenience.
It's very interesting research but I don't see this being used in real life.

~~~
frandroid
Well, one has to think of the contexts in which rubber hose cryptography might
be used. If you're a political dissident or whistleblower, you might invest
the time. Think Edward Snowden, etc. Clearly this is not meant to lock your
phone. :)

~~~
Kenji
Even if it was used for launching nukes. Do you want the president to play a
game for 5 minutes to give consent? It's unrealistic.

~~~
jeffreyrogers
> It's unrealistic.

I think you'll find this is true of most academic research :)

~~~
Kenji
Yes but the commenter was arguing specifically for this method being applied
in real life. While my opinion is that the research is very interesting but
that's unlikely.

------
millettjon
This might be useful for password recovery in some scenarios.

------
cwmma
yeah I fail to see how this actually defends against the `I'm going to hit you
with this rubber hose until you login` attack

~~~
MagicWishMonkey
If you don't know the password to your system it can't be forced out of you.

For example, if you have a password algorithm that takes an input value (let's
say a website name) and a seed that is stored on your system somewhere (that
you don't have memorized), concats them together and then hashes the result to
generate the password, the rubber hose attackers would have to both beat the input
value out of you and have physical access to the machine your seed is stored
on to recover the password.
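
The derivation described in the comment above, as an added example that is not part of the original thread: a random seed kept in an owner-only file, the concat-then-hash scheme as described, and an HMAC variant chosen for this example. The file location, function names, 20-character output length and the HMAC variant are assumptions of this example; the permission check assumes a POSIX system.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

def load_or_create_seed(path: str) -> bytes:
    """Read the seed, creating a 32-byte random one (owner-only file) on first use."""
    try:
        # O_EXCL: fail if the file exists, so an existing seed is never overwritten.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as f:
            return f.read()
    with os.fdopen(fd, "wb") as f:
        seed = secrets.token_bytes(32)  # never shown to or memorized by the user
        f.write(seed)
    return seed

def concat_hash_password(site: str, seed: bytes, length: int = 20) -> str:
    """The scheme as the comment describes it: hash(input || seed)."""
    return hashlib.sha256(site.encode("utf-8") + seed).hexdigest()[:length]

def hmac_password(site: str, seed: bytes, length: int = 20) -> str:
    """Variant for this example: seed is the HMAC key, site name the message,
    so key and input stay separate (no concatenation-boundary ambiguity)."""
    return hmac.new(seed, site.encode("utf-8"), hashlib.sha256).hexdigest()[:length]

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "seed.bin")       # constructed location
        seed = load_or_create_seed(path)
        again = load_or_create_seed(path)        # second call reads the same seed
        no_seed = secrets.token_bytes(32)        # a party who knows only the site name
        pw = hmac_password("example.com", seed)
        return {
            "stable": pw == hmac_password("example.com", again),
            "per_site": pw != hmac_password("example.org", seed),
            "needs_seed": pw != hmac_password("example.com", no_seed),
            "owner_only": (os.stat(path).st_mode & 0o077) == 0,
            "seed_len": len(seed),
        }

if __name__ == "__main__":
    print(demo())
```

Site names are guessable, so in this construction the seed file carries the whole secret: anyone who can read it can derive every password.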

~~~
chiph
The trick, it seems, is to be able to convince the guy wielding the rubber
hose that you don't have the information he wants.

"Give me the password!" "Password to what?" {whack}

