How are spoof decryptions prevented?
Ben Laurie
ben at algroup.co.uk
Tue, 03 Aug 1999 12:42:18 +0100
Denis.Russell@ncl.ac.uk wrote:
>
> At 5:35 pm +0100 2/8/99, Tom.A.Parker@icl.com wrote:
> >This may seem unduly simple minded, but in a situation where enforcement to
> >provide clear text is imposed upon me, how would the LEA know that I did the
> >decryption truly, rather than substitute some censored alternative?
> >...
> >Or is this a reason (not the only one, clearly!) why there is the option to
> >get the decryption key itself?
> ...
>
> Well, since for any arbitrary bag of bits C you can produce *any* second
> arbitrary set of bits P by "xoring" it with a third set of bits K (where
> all of these sets of bits are of the same length, and K is trivial to
> derive from C and P) it is trivial to "comply" with any request for both
> the supposed plaintext and key corresponding to a suspect message. All you
> do is decide whatever plaintext P that you wish to produce, and then
> generate the corresponding key K, call it "a one time pad" and hand it over.
>
> I suspect this may not suffice. :-)
Particularly not if the ciphertext in question is clearly generated by
PGP or the like.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi