50 characters ? (was RE: Man jailed over computer password refusal

Nicholas Bohm nbohm at ernest.net
Sat Oct 16 17:57:06 BST 2010

On 16/10/2010 16:21, John Wilson wrote:
> On 16 October 2010 08:14, Nicholas Bohm <nbohm at ernest.net> wrote:
>> With a key written on a cigarette paper, you can play the game either
>> way:  either "It was on my desk when you searched, I haven't seen it
>> since, so you must have lost or destroyed it by accident" or "It was in
>> the binding of my copy of 'A Midsummer Ramble in the Dolomites' by
>> Amelia Edwards, and your search missed it.  As you had my computer, I
>> destroyed it after you left."
>> The second variant could be buttressed by evidence from an unimpeachable
>> witness who saw the paper with a very long and unrememberable password
>> on it and saw it destroyed.  The first variant is perhaps more plausible
>> as an account of how we amateurs really do things with written records
>> of passwords.
> OK, here's another variant:
> I buy two YubiKeys, one black and one white.
> I destroy and securely dispose of the white one
> I use the black one to generate and hold the first part of my
> passphrase and manually type the rest in from memory - this means that
> I only know a part of the passphrase
> I also use the password held in the YubiKey as the password for some
> innocuous application to allow me to explain why I needed two YubiKeys.
> When the computer equipment is seized the YubiKey may or may not be
> seized with it.
> If the YubiKey is not seized I get the YubiKey to forget the password
> (I can do that in front of witnesses)
> If the YubiKey is seized I claim that the white YubiKey was used to
> hold the password. If the Police don't have it they must either have
> lost it or they left it here and I've lost it.
> In the first scenario I always tell the truth
> In the second I tell a single lie.

A neat scenario.

> In either case the computer logs confirm that I've used a YubiKey
> every time I've accessed the encrypted data.

This is, I think, its single advantage over the piece of flimsy paper
approach, where there would be no evidence from logs.

Paper might be easier for a jury to follow, perhaps - less geekish.

And perhaps it's a good thing the criminal classes don't subscribe to
ukcrypto (if they don't).

Contact and PGP key here <http://www.ernest.net/contact/index.htm>
