[Cryptography] stegophone (was: escalating threats to privacy)

Wed Mar 29 15:39:45 EDT 2017

Here's yet another major threat to privacy:  In the context of
warrantless and suspicionless searches, on 02/25/2017 08:26 AM,
Ian G wrote:
>
> the security community is upset

A *lot* of people are upset.  For example:
  https://www.theguardian.com/law/2017/mar/27/us-customs-digital-device-searches-privacy-lawsuit-passwords
which says in part:

>> Escalating concerns about US customs officials demanding access to
>> travelers’ cellphones, tablets and laptops [...]
>> while DHS conducted fewer than 5,000 searches in 2015, NBC has
>> reported, the number of inspected devices reached 25,000 in 2016.
>> [... plus] 5,000 device searches in February [2017] alone.

See also:
  http://www.nbcnews.com/news/us-news/american-citizens-u-s-border-agents-can-search-your-cellphone-n732746

> which means we will now start thinking about 'duress' devices which
> will further complicate everyone's life.

Where an I get a 'duress' device?  Or duress app?  When I google for
"duress app" I mostly see things that would more appropriately be
called /distress/ apps, e.g. "help I've fallen and can't get up".
I can find all sorts of duress-related proposals, but they seem to
have withered on the vine.

What I would like to see is something very simple, which I call a
stegophone, although the idea applies to all devices, including
laptops, not just phones.  The specifications are as follows:
 *) There are two passcodes:  one for normal use, and one for duress.
 *) Unlocking the phone using the normal passcode results in a completely
  normal phone.
 *) Unlocking it with the other passcode results in a sanitized phone:
   -- a short innocuous contact list;
   -- no call logs;
   -- no stored messages;
   -- an app that immediately deletes any logs, messages, etc.,
    so there is an innocent explanation for their absence, even if
    the adversary gets your actual call history from communication
    intercepts.
   -- a feature that instantly zeroizes the key used for full-image
    encryption of the normal phone, so that even they beat the normal
    passcode out of you it wouldn't be valid, and they wouldn't even
    know for sure that the phone had ever had any features or any
    information other than what the sanitized phone offers.
 *) The device is protected against disassembly and against cold-boot
  attacks.

In particular, the sanitized phone does *not* give any indication that
the duress app was ever installed.  More generally:
 *) It does not do anything to call attention to itself, or to you.
 *) It does not give anybody any reason to suspect you have anything
  to hide, or that you are being less than 1000% cooperative.
 *) It is not a distress app.  It does not send messages calling for
  help.
 *) It does not play an audio file reciting the fourth amendment at
  high volume.

The objective is to make finding the device totally unremarkable and
unexciting, rather like finding a pair of socks on your feet.

===========

Usage note:

Consider the following threat scenario:
  Suppose the adversary grabs you by the neck and takes your phone
  by force, then demands that you hand over the passphrase.  Further
  suppose that your normal passcode is constructed using diceware:
    https://xkcd.com/936/
  and your duress passcode is constructed using the Blackberry method,
  i.e. a full-length cyclic permutation of the normal passcode.  Now
  you are screwed, because it will stick out like a sore thumb:
     orrectHorseBatteryStapleC

Therefore the duress passcode MUST be constructed independently.  It
MUST NOT follow the Blackberry example.

Also, it must be easy to remember, even in a panic situation.  It
does not need to be very secure;  it could be your middle name, or
your date of birth, or Sw0rdf1sh.
  http://tvtropes.org/pmwiki/pmwiki.php/Main/ThePasswordIsAlwaysSwordfish

Avoid the temptation to be clever or political, e.g. 1776 or 1789.