Re: steganography

From: Ken Clements (Ken@Innovation-On-Demand.com)
Date: Fri Sep 21 2001 - 00:59:34 MDT


Louis Newstrom wrote:

> ----- Original Message -----
> From: "Ken Clements" <Ken@Innovation-On-Demand.com>
> > However, one
> > time codes have been considered too inconvenient to be practical
> <SNIP>
> > It is now possible for someone to carry around a chip with
> > enough pre-recorded random bits in it to last longer than anyone can type.
> > It is now possible for such a chip to be inserted under the skin (see the
> RF
> > ID stuff) and be accessed by a palm device
>
> I wish the bad guys WOULD do something this simple. We would easily be able
> to recover the chips from dead bodies and have a copy of the master code.
> (This is the classic probelm with "infinite random" codes. If the recipient
> has a code-book, that code book can be stolen.)
>

Louis, I was talking about one time codes. The bits used for decryption are
gone after each message. If you capture the device you, for sure, will not know
what was in the past messages, and if it has good access controls (Harvey talks
about this later on this thread) it may be very difficult to use it at all.

>
> > Steganography has value on more than one level. Traditionally, it was
> > valuable (when it worked) to send messages without anyone knowing that you
> > were sending messages.
>
> Very rarely. If the NSA are watching a known terrorist, and he transmits a
> picture of a puppy-dog, do you really think they won't know there is a
> message?

When I used the term "traditionally" above I was talking about the many
centuries of history of steganography. Read any history of cryptography book
for this stuff.

>
>
> > If I publish a page of random numbers, I may also be sending a
> > message, but you cannot prove that I am unless you can break it.
> > If you haul me into court and demand I supply you with a key, I can
> claim that
> > they are just numbers, and that there is no key
>
> I doubt it. If you published a random page of numbers, everyone will ASSUME
> it is a message. It's just too bizarre to believe that someone published a
> random page of numbers.
>

Quite common, actually.
http://www.rand.org/publications/classics/randomdigits/
http://www.random.org/
http://www.fourmilab.ch/hotbits/
G. Marsaglia, The Marsaglia Random Number CDROM, Department of Statistics and
                Supercomputer Computations Research Institute, Florida Sate
University (1995).

>
> > Harvey has indicated that steganography alone is not useful,
>
> I think you added the "alone" part. Harvey was saying that steganography
> does not add anything to encryption. You might as well send encrypted text.
> He was saying that embedding it in a picture buys you nothing.
>

Not quite. He pointed out that embedding a pattern that can be detected by its
statistical structure does not hide its existence. I naturally agree.

>
> > This combination can make it undetectable. I can put a digital recording
> of a poem reading
> > on my web that sounds perfectly normal, and stands up to any statistical
> > analysis.
>
> You are just repeating yourself. Multiple people have objected that you
> CAN'T make it undetectable. Yet you keep repeating that you can.
> Steganography may hide a message, but if someone suspects that it does
> contain a message, it will be OBVIOUS upon statistical analysis.
>

People have objected that you cannot guarantee that algorithmic encryption will
remain undetected because there is always the possibility that tomorrow someone
will discover a statistical test that gives a signature for some algorithm we
think looks pretty random today. What I am talking about is using one time
codes based on actual random physics. It is not detectable now, and will not be
detectable tomorrow either.

-Ken



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 08:10:52 MST