-----BEGIN PGP SIGNED MESSAGE----- Several people have suggested that PGP or some similar public-key program could be used to exchange encrypted email, then a "fake" one-time pad file could be created to transform the PGP file into a safe plaintext. If your files were seized and the keys demanded, you could supply the fake OTP file as the key which would "decrypt" the PGP file to the safe text. Unfortunately, this doesn't presently work with PGP. PGP puts a header at the front of encrypted file which identifies it as a PGP file. This includes information about whether the file is RSA or IDEA encrypted, and if it is RSA encrypted it includes information about which key(s) it is encrypted with. If files are saved like this, there will be no question that they are actually PGP files, and not the output of a one-time pad. Any attempt to produce a OTP key file which leads to a safe plaintext will be a transparent fabrication. And, of course, PGP's ASCII encoding, which would usually be used for email, boldly displays the "-----BEGIN PGP MESSAGE-----" at the top. If the files were saved in this format it would be a further giveaway. People have called for PGP to have a "stealth" mode in which it would save files without these headers. This would require the user to know which files were truly PGP encrypted, what the encryption algorithm was, and of course the key. If this were implemented it would make PGP files much less recognizable and the "fake OTP key" approach would be workable. Another approach for now would be to super-encrypt the PGP file with some other system. A simple XOR with a repeated random bit pattern (produced by hashing a user pass phrase) which is longer than the PGP header would be adequate, since the non-header portion of a PGP file should be random. Or you could use one of the widely-available DES encryption utilities, since these don't produce any headers, as far as I know. But this would complicate the process of decrypting the file. PGP's IDEA-encrypted files, which you create with the "-c" switch to PGP, put only a five-byte header on: a type byte, and a four-byte file length. This information is redundant and it should be very easy for PGP to recon- struct it if it were removed. RSA encryption headers will be harder to remove, particularly because of the lack of a key ID to tell which secret key to decrypt with. We would just try the default key, I guess. But this would require a more extensive set of changes to PGP. Hal Finney hfinney@shell.portal.com -----BEGIN PGP SIGNATURE----- iQCVAgUBLCmngKgTA69YIUw3AQGDWgP/U/HwP5gwPXn3GZgH3SH3zjnrKd8dHPqn y2OVF7xqiaVPuV5VF/UBGzFcPgfb/DuamIEr/aQmAMX2BlVktQ/fGaluZ8wvIbs/ QlQcsp+BH9AAb0BcojQ6rmwtf8A5c/3VkuGUSvyRGEX1PecdwoW8Eh/FEIfeU/WE njvIwmn92aY= -----END PGP SIGNATURE-----