How are spoof decryptions prevented?
Pete Bentley
pete at sorted.org
Tue, 03 Aug 1999 10:31:55 +0100

At Mon, 02 Aug 1999 17:35:04 BST, Tom.A.Parker@icl.com writes:

>This may seem unduly simple minded, but in a situation where enforcement to
>provide clear text is imposed upon me, how would the LEA know that I did the
>decryption truly, rather than substitute some censored alternative?
>Presumably they would wish to see me going through the decryption process
>itself, or have some other contextual evidence that would assure them - not
>always either practical or foolproof.

Presumably the LEA will not accept plaintext only unless they have
some means of verifying that the supplied plaintext matches their
encrypted text. That sort of verification depends on the cryptosystem
used.

For 'pure' public key systems, you can demonstrate that the plaintext
when encrypted with the public key matches the encrypted text and so
there should be no need to supply the LEA with the private key.

For symmetric systems like DES, the same key would have to be used to
re-encrypt the plaintext, so the LEA can only verify that the
plaintext is correct if they are supplied with the key too.

For hybrid systems like PGP, where the session key is chosen randomly
for each message, then the plaintext + public key are not sufficient
to regenerate the same encrypted text because a different random
session key would be chosen. Presumably in this case it would be
sufficient to supply the session key. The LEA can use the public key
to verify this is the correct session key and can then use the session
key to decrypt or verify the encrypted text. As any decryption order
would presumably cover a large number of messages, I suspect the LEA
would complain about the workload required to verify each session key
they were supplied with and try to demand the private key...

For something like a one time pad system, then again the only way to
verify the plaintext and encrypted text match would be with the
encryption key. If the 'pages' of the pad are totally discarded after
use, then verification would be impossible... in fact, it may well
be impossible for the person to comply with the decryption order at
all for 'historical' messages. Presumably once the order has been
served then they will have to supply keys for all future
messages. Unless the pads were to get out of synch somehow... ;)

For 'trivial' cryptosystems (Caesar Cypher, XOR etc), then supplying the
plaintext effectively supplies the key anyway. :)

Pete.
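An added illustration of the two verification routes discussed above (re-encrypting the claimed plaintext under a deterministic public-key scheme, and disclosing the per-message session key for a hybrid scheme), written for this page and not taken from the post. The tiny RSA key and the SHA-256 counter keystream standing in for the symmetric cipher are constructed toys.

```python
import hashlib

# Constructed toy RSA key (p=61, q=53): n=3233, e=17. Far too small for real
# use; it only makes the "re-encrypt and compare" check easy to follow.
PUB = (17, 3233)


def rsa_encrypt(m: int, pub: tuple) -> int:
    """Textbook (unpadded, deterministic) RSA: c = m^e mod n."""
    e, n = pub
    return pow(m, e, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(plaintext: bytes, session_key: int, pub: tuple):
    """PGP-style hybrid: wrap the session key with RSA, encrypt the body with it."""
    wrapped_key = rsa_encrypt(session_key, pub)
    body = keystream_xor(session_key.to_bytes(4, "big"), plaintext)
    return wrapped_key, body


def verify_pure_pk(plaintext_int: int, ciphertext_int: int, pub: tuple) -> bool:
    """'Pure' deterministic public-key case: re-encrypt the claimed plaintext
    with the public key and compare. No private key changes hands.
    Caveat: real RSA uses randomised padding (PKCS#1 v1.5, OAEP), so this check
    only works if the padding randomness is disclosed with the plaintext."""
    return rsa_encrypt(plaintext_int, pub) == ciphertext_int


def verify_hybrid(plaintext: bytes, session_key: int, ciphertext, pub: tuple) -> bool:
    """Hybrid case: the verifier is given the per-message session key instead.
    Step 1: the supplied session key must encrypt, under the public key, to the
            wrapped key actually present in the message.
    Step 2: that session key must decrypt the body to the claimed plaintext."""
    wrapped_key, body = ciphertext
    if rsa_encrypt(session_key, pub) != wrapped_key:
        return False
    return keystream_xor(session_key.to_bytes(4, "big"), body) == plaintext
```

Either check lets a verifier confirm a supplied plaintext without holding the long-term private key; a wrong plaintext or a wrong session key fails the comparison.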