Deniable encryption

Deniable encryption

In cryptography and steganography, deniable encryption is encryption that allows its users to convincingly deny that the data is encrypted, or that they are able to decrypt it[citation needed]. Such convincing denials may or may not be genuine. For example, although suspicions might exist that the data is encrypted, it may be impossible to prove it without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.

Normally ciphertexts decrypt to a single plaintext and hence once decrypted, the encryption user cannot claim that he encrypted a different message. Deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and insist that it is what they encrypted. The holder of the ciphertext will not have the means to differentiate between the true plaintext, and the bogus-claim plaintext.



Deniable encryption allows an encrypted message to be decrypted to different sensible plaintexts, depending on the key used, or otherwise makes it impossible to prove the existence of the real message without the proper encryption key. This allows the sender to have plausible deniability if compelled to give up his or her encryption key. The notion of "deniable encryption" was used by Julian Assange and Ralf Weinmann in the Rubberhose filesystem[1] and explored in detail in a paper by Ran Canetti, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky[2] in 1996.


Deniable encryption allows the sender of an encrypted message to deny sending that message. This requires a trusted third party. A possible scenario works like this:

  1. Alice is the wife of Bob, who suspects his wife is engaged in adultery. She wants to communicate with her secret lover Carl. She creates two keys, one intended to be kept secret, the other intended to be sacrificed. She passes the secret key (or both) to Carl.
  2. Alice constructs an innocuous message M1 for Carl (intended to be revealed to Bob in case of discovery) and an incriminating love letter M2 to Carl. She constructs a cipher-text C out of both messages M1, M2 and emails it to Carl.
  3. Carl uses his key to decrypt M2 (and possibly M1, in order to read the fake message too).
  4. Bob finds out about the email to Carl, becomes suspicious and forces Alice to decrypt the message.
  5. Alice uses the sacrificial key and reveals the innocuous message M1 to Bob. Since Bob does not know the other key, he has to assume that there is no other message M2.

Another possible scenario involves Alice sending the same ciphertext (some secret instructions) to Bob and Carl, to whom she has handed different keys. Bob and Carl are to receive different instructions and have not to be able to read each other instructions. Bob will receive the message first and then forward it to Carl.

  1. Alice constructs the ciphertext out of both messages M1, M2 and emails it to Bob.
  2. Bob uses his key to decrypt M1 and isn't able to read M2.
  3. Bob forwards the ciphertext to Carl.
  4. Carl uses his key to decrypt M2 and isn't able to read M1.

Modern forms of deniable encryption

Modern deniable encryption techniques exploit the pseudorandom permutation properties of existing block ciphers, making it cryptographically infeasible to prove that the ciphertext is not random data generated by a cryptographically secure pseudorandom number generator. This is used in combination with some decoy data that the user would plausibly want to keep confidential that will be revealed to the attacker, claiming that this is all there is. This form of deniable encryption is sometimes referred to as steganography.

One example of deniable encryption is a cryptographic filesystem that employs a concept of abstract "layers", where each layer would be decrypted with a different encryption key. Additionally, special "chaff layers" are filled with random data in order to have plausible deniability of the existence of real layers and their encryption keys. The user will store decoy files on one or more layers while denying the existence of others, claiming that the rest of space is taken up by chaff layers. Physically, these types of filesystems are typically stored in a single directory consisting of equal-length files with filenames that are either randomized (in case they belong to chaff layers), or cryptographic hashes of strings identifying the blocks. The timestamps of these files are always randomized. Examples of this approach include Rubberhose filesystem and PhoneBookFS.

Another approach utilized by some conventional disk encryption software suites is creating a second encrypted volume within a container volume. The container volume is first formatted by filling it with encrypted random data,[3] and then initializing a filesystem on it. The user then fills some of the filesystem with legitimate, but plausible-looking decoy files that the user would seem to have an incentive to hide. Next, a new encrypted volume (the hidden volume) is allocated within the free space of the container filesystem which will be used for data the user actually wants to hide. Since an adversary cannot differentiate between encrypted data and the random data used to initialize the outer volume, this inner volume is now undetectable. Concerns have, however, been raised for the level of plausible deniability in hiding information this way – the contents of the "outer" container filesystem (in particular the access or modification timestamps on the data stored) could raise suspicions as a result of being frozen in its initial state to prevent the user from corrupting the hidden volume. This problem can be eliminated by instructing the system not to protect the hidden volume, although this could result in lost data. FreeOTFE[4] and BestCrypt can have many hidden volumes in a container; TrueCrypt is limited to one hidden volume.[5]


The existence of a hidden volume may be revealed by flawed implementations relying on predictable cryptographic items[6][7] or by some forensic tools that may detect non-random encrypted data.[8][9] Vulnerability to chi-squared randomness test has also been suggested: encrypted data, after each write operation, should be adjusted to fit a plausible randomness property.[10]

Deniable encryption has also been criticized because of its main inability in defending users from rubber-hose cryptanalysis. Possession of deniable encryption tools could lead attackers to continue an investigation even after a user pretends to cooperate, providing an expendable password to some decoy data.[11]

Malleable encryption

Some in-transit encrypted messaging suites, such as Off-the-Record Messaging, offer malleable encryption which gives the participants plausible deniability of their conversations. While malleable encryption is not technically "deniable encryption" in that its ciphertexts do not decrypt into multiple plaintexts, its deniability refers to the inability of an adversary to prove that the participants had a conversation or said anything in particular.

This is achieved by the fact that all information necessary to forge messages is appended to the encrypted messages – if an adversary is able to create digitally authentic messages in a conversation (see HMAC), he is also able to forge messages in the conversation. This is used in conjunction with perfect forward secrecy to assure that the compromise of encryption keys of individual messages does not compromise additional conversations or messages.


  • OpenPuff, freeware semi-open-source steganography for MS Windows.
  • BestCrypt, commercial on-the-fly disk encryption for MS Windows.
  • FreeOTFE, opensource on-the-fly disk encryption for MS Windows and PocketPC PDAs that provides both deniable encryption and plausible deniability.[3][12] Offers an extensive range of encryption options, and doesn't need to be installed before use.
  • Off-the-Record Messaging, a cryptographic technique providing true deniability for instant messaging.
  • PhoneBookFS, another cryptographic filesystem for Linux, providing plausible deniability through chaff and layers. A FUSE implementation. No longer maintained.
  • rubberhose. Defunct project (Last release in 2000, not compatible with modern Linux distributions)
  • StegFS, the current successor to the ideas embodied by the Rubberhose and PhoneBookFS filesystems
  • TrueCrypt, which is on-the-fly disk encryption software for Windows, Mac and Linux that provides limited deniable encryption[13] and to some extent (due to limitations on the number of hidden volumes which can be created[5]) plausible deniability, and doesn't need to be installed before use as long as the user has full administrator rights
  • Vanish - a research prototype implementation of self-destructing data storage
  • ScramDisk 4 Linux - A free software suite of tools, for GNU/Linux systems, which can open and create scramdisk and truecrypt container.

See also


Further reading

Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Deniable authentication — In cryptography, deniable authentication refers to authentication between a set of participants where the participants themselves can be confident in the authenticity of the messages, but it cannot be proved to a third party after the event. In… …   Wikipedia

  • Disk encryption software — To protect confidentiality of the data stored on a computer disk a computer security technique called disk encryption is used. This article discusses software that is used to implement the technique (for cryptographic aspects of the problem see… …   Wikipedia

  • Comparison of disk encryption software — This is a technical feature comparison of different disk encryption software. Contents 1 Background information 2 Operating systems 3 Features 4 Layering …   Wikipedia

  • Filesystem-level encryption — Filesystem level encryption, often called file or folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself. This is in contrast to full disk encryption where the entire… …   Wikipedia

  • TrueCrypt — infobox software caption = TrueCrypt on Windows Vista developer = TrueCrypt Foundation latest release version = 6.0a latest release date = release date|2008|7|8 programming language = C, C++, Assembly operating system = Cross platform language =… …   Wikipedia

  • Plausible deniability — is, at root, credible (plausible) ability to deny a fact or allegation, or to deny previous knowledge of a fact. The term most often refers to the denial of blame in (formal or informal) chains of command, where upper rungs quarantine the blame… …   Wikipedia

  • Cifrado negable — En la criptografía y la esteganografía, el cifrado negable es un tipo de cifrado que permite negar en modo convincente que los datos están cifrados, o de ser capaz de descifrarlos. La negación, aunque falsa, no puede ser verificada por el… …   Wikipedia Español

  • Steganography — is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message. By contrast, cryptography obscures the meaning of a message, but it does not conceal …   Wikipedia

  • BestCrypt — Infobox Software name = BestCrypt caption = author = developer = Jetico, Inc. released = latest release version = 8.05.3 latest release date = 2008 07 22 latest preview version = latest preview date = operating system = Windows Vista, Windows XP …   Wikipedia

  • Rubber-hose cryptanalysis — In cryptography, rubber hose cryptanalysis is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion, in contrast to a mathematical or technical cryptanalytic attack. The term… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”