Hello. Thanks for your reply. I am aware of the first method as well as a variation of the second (it had not occurred to me that they both can use the same key! I had thought that each correspondent used one key of his own, with a meaningless ID, used only for communication with the other correspondent). The problem is that these are an extra layer, not currently implemented in GNU PG or any other software I know of.
I was hoping that OpenPGP had a feature of “deniable authentication of [writer] to [recipient]”. It can be easily implemented with Diffie-Hellman as follows. Writer and recipient have a Diffie-Hellman key over the same group and know each other's public key. The writer computes the shared secret per the DH algorithm, and processes it with a KDF. This is the key to a MAC algorithm (e.g.: HMAC). The writer sends the message (either encrypted or unencrypted), the authentication code, and a nonce (if the KDF requires it) to the recipient. To verify, the recipient computes the shared secret, the MAC key and the authentication code of the message. The recipient knows (save for broken algorithms or leaked private keys) that only the writer or him could have computed the authentication code for the message. We assume that the recipient remembers what he has written and what he has not written, so he can discard himself, leaving the writer as the only option. The recipient can divulge the message, but he cannot prove that the writer (as opposed to him) wrote the message, even if he is willing to divulge his private key.

*Maybe* I will implement this scheme sometime in GNU PG as an OpenPGP extension, if somebody doesn't do it in the meantime.

Alternatively, the writer can write a message encrypted to the recipient's public key consisting of 3 parts: (1) A message signed by the writer saying “I am sending *somebody* a secret message authenticated with MAC algorithm ... and key ...”. (2) The authentication code. (3) The message itself. The signed message (1) should not include the name of the recipient. Obviously (3) should not be signed. (2) can be signed without deniability implications, but it is not necessary. The most the recipient can do is to prove that the writer wrote “I am sending *somebody* a secret message authenticated with MAC algorithm ... and key ...”, but he cannot even prove that the writer wrote that to *him*.
Both of these methods require no prior agreement between sender and receiver.

On 29/08/17 15:00, ved...@nym.hush.com wrote:
> There are workarounds to accomplish this:
>
> [1] Sender 1 sends a signed and encrypted pgp e-mail to Receiver 1, giving Receiver 1 a 'passphrase' which they will agree to use for the next encrypted messages.
>
> [2] Sender 1 and Receiver 1 now send conventionally encrypted messages with this passphrase, but without signatures.
>
> [3] They both know that only the person who knows the passphrase could have sent it.
>
> [4] If they want deniability, they can say that the passphrase 'leaked out' and anybody who it leaked to could have sent it.
>
> Alternatively,
>
> One can generate a keypair with a random name, and send it to the other one, and they can both sign with it, but encrypt to their own non-shared keys.

-- 
Do not eat animals; respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
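The DH-based deniable authentication sketched in the message above, as an added example that is not the poster's code nor anything in GnuPG. It assumes the 1024-bit MODP group from RFC 2409 and HMAC-SHA256 as both the KDF and the MAC, choices the message leaves open; the final check shows why the scheme is deniable: the recipient can produce a tag that passes his own verification on text the writer never sent.

```python
import hashlib, hmac, secrets

# RFC 2409 "Oakley Group 2" (1024-bit MODP prime, generator 2). Chosen only to
# keep the example self-contained; real deployments use larger groups or ECDH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def keygen():
    """Long-term DH key pair: (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2                # 2 <= x <= p-2
    return x, pow(G, x, P)

def mac_key(own_priv, peer_pub, nonce):
    """DH shared secret -> KDF -> MAC key; identical on both sides."""
    if not 2 <= peer_pub <= P - 2:                  # reject 0, 1 and p-1
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, own_priv, P).to_bytes(128, "big")
    # HKDF-style extract step with the per-message nonce as salt
    return hmac.new(nonce, shared, hashlib.sha256).digest()

def authenticate(own_priv, peer_pub, message):
    """Sender side: (nonce, tag) to transmit alongside the message."""
    nonce = secrets.token_bytes(16)
    key = mac_key(own_priv, peer_pub, nonce)
    return nonce, hmac.new(key, message, hashlib.sha256).digest()

def verify(own_priv, peer_pub, message, nonce, tag):
    """Receiver side: True iff the tag was computed with the shared MAC key."""
    key = mac_key(own_priv, peer_pub, nonce)
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    w_priv, w_pub = keygen()                        # writer
    r_priv, r_pub = keygen()                        # recipient
    msg = b"constructed sample message"             # constructed input
    nonce, tag = authenticate(w_priv, r_pub, msg)
    genuine = verify(r_priv, w_pub, msg, nonce, tag)
    tampered = verify(r_priv, w_pub, msg + b"!", nonce, tag)
    # Deniability: the recipient owns the same MAC key, so a tag he makes on
    # text the writer never sent passes the very same check.
    n2, t2 = authenticate(r_priv, w_pub, b"never sent by the writer")
    self_made = verify(r_priv, w_pub, b"never sent by the writer", n2, t2)
    return genuine, tampered, self_made             # (True, False, True)
```

Because a third party holds neither private exponent, the tag tells an outsider nothing about who wrote the message; only the two key holders can check it.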
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users