Farewell, Forced Decryption: A Dive into Cypherlock
“Cypherlock is different because it does not attempt to hide that you are hiding something, but preventing recovery of the data that only relies on the user’s inaction. At that point then the user can SHOW that he doesn’t have the means to access anymore, rendering the data unreachable by the attacker — at least as long as it comes to leaning on the user.” — Smuggler
Passwords are tricky. On one hand, you have those that ensure their own adherence to best standards – 32 (or more) character strings made up of randomised letters, numbers and symbols, stored in a password manager. On the other, you have those that, if permitted, would use the same lowercase name of their favourite pet across Netflix, Amazon, Facebook and their online banking account (if you’re anything like me, this demographic makes up about 97% of your extended family).
In the grand scheme of things, passwords are only really effective for deterring those trying to gain access to an account, volume or device ‘peacefully’, for lack of a better term – i.e. not resorting to threat, but rather trying to guess your credentials. In this case, the stronger your password, the better.
Now consider the scenario where you wake up cuffed to a bloodstained radiator, with a gang of thugs waving barbed wire-wrapped baseball bats and demanding that you unlock your laptop for them. I don’t know about the contents of your device, but my fairly weak meme collection and assortment of beginner-level Python scripts aren’t worth the risk of having my beautiful face caved in. Honestly, I’d be wishing that my password was ‘0000’, purely for the ease with which I could hastily type it in and be freed by my captors.
Take the case above, except instead of a radiator you’re cuffed to a desk in an interrogation room, instead of thugs you’re faced with law enforcement (these are by all means synonymous under certain regimes), and instead of the threat of being beaten half to death, you’re facing jail time for refusing to hand over decryption keys.
What may sound like a subplot in your favourite 1949 dystopian novel is actually something you could face today: if police or border agents in a growing number of countries demand you decrypt something for them, the old ‘I forgot my password’ line isn’t going to cut it.
The problem cited above was the driving force behind Cypherlock, the software recently released by crypto-anarchists Smuggler and Frank Braun. In a presentation at BalCCon2k18, Smuggler outlined the use of timed remote oracles and ratchet encryption that could be leveraged by entities at risk of being held under duress. At the heart of the system is the premise that you can’t hand over data you don’t have access to. After a time period predetermined by the user, an encrypted partition is irretrievable.
The software is designed specifically for use cases where journalists or businessmen carrying confidential information need to clear checkpoints or borders – providing a solution to the increasingly invasive laws mandating key disclosure.
“Cypherlock originally goes back to a customer request roughly 7 years ago,” Smuggler told me in an email exchange. “There was a financial service provider who was caught in some political conflict between two countries, and had to protect client data on the laptops its consultants used during travels and client meetings.
“Then this year we decided to make the tool available to the general public, but ran into NDA issues. Hence we reimplemented a version. The main trigger for that decision were reports from China, UK, Russia, USA, New Zealand and Australia about people being stopped at borders and forced to decrypt their devices. Especially for journalists, that’s a big threat since they might endanger confidential sources if they decrypt.”
The software’s process is relatively straightforward. The secret in question is encrypted with a random key, which is in turn encrypted with a time-sensitive key. From there, the oracle’s (persistent) key is used protect the result.
The oracle can be a device as simple as a Raspberry Pi, stored off-site. An individual would set this up to run TOR and the Cypherlock daemon, before heading off on their travels with their laptop (sheltering a secret partition for interaction with the oracle and hiding sensitive documents, nuclear launch codes, your pirated copies of Nickelback’s Silver Side Up, etc.).
Let’s assume that a journalist is travelling from Point A to Point B, where the entire journey (including passing through security) will take no more than 2 hours. Prior to departure, they could set an expiry time of three hours and be on their merry way. It may be that no incident arises, in which case they can reach their destination and unlock their secret — note that, in case of delays, the software allows the user to extend their timer.
In the scenario where they’re detained, however, they need only wait until the timer expires. At this point, it’s safe for them to divulge their passphrase as a border agent can check and see that, whilst the key was once able to unlock the partition, it no longer can (evidently, you’d probably want some kind of backup elsewhere so that you don’t lose access to your files).
It’s a superior solution to other commonly-used methods such as the hidden partition. As Smuggler puts it:
‘Hidden partition schemes rely on the attacker believing that you don’t have any hidden partitions. You do however have a tool installed with exactly that feature — and most likely you have it installed BECAUSE of that feature. Basically you carry the signal with you that tells the attacker that he should probe deeper.’
The issue here lies chiefly in the fact that with forensic tools, attackers can infer that hidden partitions are being used. Smuggler explains:
‘The problem in all things “real” attacker is that they don’t make binary decisions. For them the question is not “does X use a hidden volume” but “does X probably use a hidden volume”. With hidden volume tech that probability can be put above 50% by an attacker, and then the trouble starts. It will take a lot of effort to convince the attacker that no such partition exists, even though the tool is present and forensic analysis makes it probable.
‘Now, theoretically one could build hidden volume tech that is not as vulnerable to discovery as what we are using today. It will however be costly to use. For everybody but the most technically competent, it remains extremely hard to beat forensic analysis technology.’
Mercifully, whilst the software runs from the command-line, it’s not limited to the tech-savvy: commands are easy, a number of different operating systems are supported, the program can be installed with Go, and it supports multiple oracles for redundancy (spread out across locations in case of connection failure).
One particularly poignant point made by Smuggler was that, with Cypherlock, privacy is not assured by concealment, but rather by transparency (‘hiding vs. verifiable destruction’). It’s orders of magnitude easier to provably demonstrate that you can no longer access data than it is to convince an adversary that you’re not hiding it in the first place.
Crucially, this lends itself to greater clarity between the ‘attacker’ and the ‘defender’. I mean, you’re not actually breaking any laws if you’re complying with a request to provide a key, are you?
Thanks to Smuggler for taking the time to speak with me.