Steganography [was Re: Russian hacker ...]

From: Ken Clements (Ken@Innovation-On-Demand.com)
Date: Mon Jul 30 2001 - 11:33:37 MDT


Eugene Leitl wrote:

> In any case, screening for steganography is much, much more expensive.

Here is an example. Suppose you and your friends want to have secure
communications over the net that are not detectable. You could set up a web
cam on a motorized mount that sends out pictures of the natural environment
somewhere (robot astronomy is a great choice). With some care, you can make
the low order bits of these pictures unpredictable, in which case you can
substitute noise bits from a good hardware random bit generator (usually
junction shot noise). Next, you have to make sure that the encryption you
want to use for your data gives the same statistical distribution, such that,
only those with the key can tell that it is not just random noise. Finally,
you substitute your encrypted message bits for the low order picture bits
above when you want to send messages. This assumes that your friends are
tracking your web cam, and have software that extracts the bits and tests for
the existence of a message by decrypting. Without the keys, snoopers can't
do traffic analysis on you, or even prove that you are sending anything
covert.

As Eugene noted, if a bunch of folks start doing this, the cost of checking
for it is beyond any agency budget. This is especially true if you only send
one message in a thousand frames. Snoopers would have to spend time trying
to crack 999 frames of noise never knowing if a message was in one of those.

-Ken



This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 14:39:59 MDT