To: Lewis.Tiffany@cl.cam.ac.uk, Mike.Gordon@cl.cam.ac.uk
cc: Ross.Anderson@cl.cam.ac.uk
Subject: Part 2 project suggestion
Date: Fri, 17 Mar 2000 08:01:50 +0000
From: Ross Anderson
Message-Id:

The Regulation of Investigatory Powers (RIP) Bill will give the police the power to demand cryptographic keys from people. As a consequence many companies will adopt a policy of destroying emails once read or after a set period of time. Doing this by file deletion is unreliable because most operating systems don't delete files properly, and most commercial sites have an elaborate system of backup and recovery procedures. The obvious thing to do is to encrypt the files with keys that are destroyed when access to the data must be terminated.

A possibly interesting twist on this is inspired by the Steganographic File System. SFS has the feature that if you know a file's password, you can get the file; if you don't, then you can't even get any evidence that the file exists at all. In other words, it provides some defence against coercion. The drawback of the stego file system is that it's fairly inefficient because of the replication of data required (to reduce the probability that data will get overwritten by people who don't know the password and so don't know the data's location on disk).

An alternative approach might be to structure a file system so that files are only overwritten when the space is required (say, the earliest created deleted file is overwritten first) and the information hiding functions are done in the key management apparatus.

The project is to design and build such a system, whether for Linux or NT. The original paper on SFS, plus a Linux implementation done as a Part 2 project in 1998-99, are at:

http://www.cl.cam.ac.uk/users/rja14/#Tempest

Details of the RIP bill are at http://www.fipr.org.

Ross Anderson
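The design sketched in the message, as an added illustration that is not part of the original e-mail or of the SFS code it points to: each file gets its own random key, deletion destroys only that key (the ciphertext stays on "disk" until its slot is needed), and new writes reuse the earliest-deleted slot first. The keystream construction (HMAC-SHA256 in counter mode) and all class and method names are assumptions made for the example.

```python
import os
import hmac
import hashlib
from collections import deque


class CryptoShredStore:
    """Toy key-destruction store: ciphertext is never wiped on delete,
    but without the per-file key it is unrecoverable from the disk image."""

    def __init__(self, slots):
        self.disk = [None] * slots        # constructed "disk": one ciphertext per slot
        self.keys = {}                    # slot -> per-file key; the only secret material
        self.free = deque(range(slots))   # never-used slots, handed out first
        self.deleted = deque()            # deleted slots, earliest-deleted at the left

    @staticmethod
    def _keystream_xor(key, nonce, data):
        # Counter-mode keystream from HMAC-SHA256; XOR is its own inverse,
        # so the same call both encrypts and decrypts.
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def write(self, plaintext):
        if self.free:
            slot = self.free.popleft()
        elif self.deleted:
            slot = self.deleted.popleft()  # overwrite the earliest-deleted file first
        else:
            raise OSError("no space")
        key, nonce = os.urandom(32), os.urandom(16)
        self.disk[slot] = nonce + self._keystream_xor(key, nonce, plaintext)
        self.keys[slot] = key
        return slot

    def read(self, slot):
        key = self.keys.get(slot)
        if key is None:
            raise KeyError("key destroyed or never existed")
        nonce, body = self.disk[slot][:16], self.disk[slot][16:]
        return self._keystream_xor(key, nonce, body)

    def delete(self, slot):
        del self.keys[slot]               # crypto-erase: destroy the key, leave the ciphertext
        self.deleted.append(slot)

    def raw(self, slot):
        return self.disk[slot]            # what a backup or forensic image would contain
```

After `delete`, `raw(slot)` still returns the full ciphertext, which is exactly what a backup tape would hold, yet `read` can no longer recover the plaintext.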