[Cryptography] Rubber-hose resistance?

Jerry Leichter leichter at lrw.com
Fri Dec 22 17:51:19 EST 2017 

>> Maybe all zeroes are easier to remove.  Maybe a random bit pattern is easier to remove.  Take a simple analogy:  If you were talking about audio, a random bit pattern would be like high-frequency hiss, easily removed by a low-pass filter.
>>> 
> Umm, no, you can't get rid of random noise with a filter. You can remove the annoying high frequency portion, but you remove the high frequency component of the signal as well....
It was an analogy, nothing more.  If you're talking about typical audio - as in sounds of interest to human beings - then a low-pass filter (with a high enough cut-off) usually leaves enough information around that a human can easily access it.

The real weakness of the analogy, in fact, is on the other side:  All zeros would amount to a DC offset, which is trivial to remove.

> Writing zeros to a disk may be good enough to prevent data recovery, but writing random data is no worse. 

You have no basis for saying that without knowing something about the technology "inside the box".

Suppose we're dealing with a disk, and the attack is based on reading "off the centerline", where previous values sometimes stick around.  (There have been real attacks like this.)  Imagine that the particular technology happens to  have the property that writing 0's "spills over" more of the track than writing 1's.   If you overwrite with all 0's, all the previous information is lost; if you write random bits, half of it is still there.  (I don't know of any technology with this property, but if we don't know "what's inside the box", hey, maybe it works this way.)

Yes, finding which (zero!) bits are "real" and which ones aren't is hard - but one can, for example, imagine cases where it might be worthwhile to figure out that some particular bit pattern was likely on the disk or not, which you could reasonably check for.

The most you can say is that, lacking any information about "what's inside the box", any two possible erasure patterns are equally likely to be good.  But you need to look inside to actually know that one is better than another.

> Of course this is mostly moot with the rise of SSDs, which, as others have pointed out, are hard to erase with any certainty. Recent Apple’s iOS devices solve this by encrypting the entire volume with a key stored in a special “effaceable memory” that they erase when you reset the device.
It's not clear, from the documentation I've seen (I haven't dug into this *too* deeply), what effaceable memory actually is.  I believe what the documentation describes is just memory that the OS guarantees to wipe when the device is reset.  There's no specific indication (correct me if I'm wrong) that this is actually implemented at the hardware level:  It may be that it's simply normal space on the SSD.

Keep in mind that Apple isn't trying to protect you from some three-letter agency.  Even if effaceable memory were just on the SSD, recovering the key would require specialized hardware and techniques beyond the capabilities of most attackers.  The "zero on reset" capability is there mainly to ensure that re-sold phones don't trivially pass along their previous owners' data.

It's certainly *possible* that effaceable memory is actually sealed inside the "secure enclave", part of the CPU chip which does have the capability to store keys.  But I don't think Apple has said.

Note also that at this point it's a secondary technique.  Based on complaints from the LE community, the encryption off all the data stored in the phone is already beyond the reach of "normal" techniques.  (That is, if NSA knows how to do it, they won't admit it even to the FBI.)
                                                        -- Jerry

More information about the cryptography mailing list