Rubber Hose Attack
The nature that, under duress, people will reveal the method to access hidden information or tools. As people are vulnerabile to stress, be it social, litigious, or physical, they will not be able to maintain security if compromised. In computers, an example would begiving away their password, which makes it a type of attack upon security or cryptography.
Computers themselves do not experience stress and are unaffected by this attack, but could be considered dangerous for some. The term comes from the violent interrogation method (torture) of striking a subject physically to encourage the presentation of knowledge but does not merely entail physical abuse. As it is often a great deal of trouble, it is usually a last resort when secure communications cannot be easily eavesdropped by other means.
Exerpt from the Kremlin Encryption Program help file:
- "...it is also generally agreed that most determined organizations, if they are powerful enough to intercept your encrypted message, they have enough resources (and lack scruples), they could easily torture you and extract the key from you; this is termed the "rubber hose" method of attack and is generally much more effective and easier than spending millions of dollars to build a specialized cracking machine and then waiting weeks, or even years for an answer. Thus, almost any algorithm (except ASCII, ROT13 and Vigenere) is probably sufficient to protect your data if it inadvertently falls into the hands of someone, but a concerted attack by a large corporation or government will most likely bypass the cryptography and go straight for you."
Defeating the Rubber Hose Attack
- To remain inconspicuous in the first place. Steganography is one method to do this.
- Be outside the influence of the unscrupulous party. Sometimes outside the country.
- Increase your physical security for physical attacks and legal representation for legal attacks.
- To avoid social attacks, stop caring what other people think or work in groups of individuals with whom you know and trust. To avoid social engineering attacks, research what a con artists do to disavow people of their security.
- Use a multi-part key that require more than one person to encrypt or decrypt information. For instance, one person is given the first seven characters and another person the next seven.
- Use a One-Time Pad Cryptosystem as it is impossible to decrypt information without the key file, which is enormous. Unless the location of the stored key is known, the information is safe from this attack.
- Use Deniable Encryption, a concept whereby an individual can give one of multiple passwords to allow him to appear to be cooperating