Cryptography-Digest Digest #103, Volume #14 Sat, 7 Apr 01 21:13:00 EDT
Contents:
Re: How good is steganography in the real world? (Frank Gerlach)
Re: How good is steganography in the real world? (H C)
Re: How good is steganography in the real world? (H C)
[NEWS] PGP broken (maybe) (Fight Boschloo)
Re: NSA is funding stegano detection (Frank Gerlach)
Re: How good is steganography in the real world? (Frank Gerlach)
Re: Dynamic Substitution Question (John Savard)
Re: How good is steganography in the real world? (Miguel Cruz)
Re: Dynamic Substitution Question (newbie)
Re: How good is steganography in the real world? (Charles Lyttle)
Re: How good is steganography in the real world? (David A Molnar)
Re: Dynamic Substitution Question (Terry Ritter)
Re: Dynamic Substitution Question (Terry Ritter)
----------------------------------------------------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sun, 08 Apr 2001 00:13:17 +0200
Marc wrote:
> >It's not just that - you have to consider the traffic analysis questions
> >as well. what sorts of GIFs are you going to use as covertext? and what
> >plausible reason will your contacts have for sending them?
>
> One idea for this problem is to set up a webcam. The picture can always
> carry the most recent message. No pictures without message are ever sent
> so the adversary can not learn the natural noise characteristics of the
> cam unless he has physical access.
This would be true if you would actually *construct* the camera, and if you
were able to define the physical characteristics of it. Still, you have a
point, which is oversampling of the CCD signal. But this means that GIF is not
useful, but a 24bit Truecolor format must be used. Even with this method, the
NSAGCHQ folks will look at the statistic distribution of the noise. Quite some
effort necessary to make sure the hidden data matches the characteristics of
the sampled sensor (CCD, microphone,...)
> The web server distributes the picture to everybody who requests it. If
> placed on the principal page of a well-visited server it should be quite
> easy to hide the daily "hot" download. With 30 clients set up all over
> the US (for example), one can do daily downloads, and still no "hot" client
> visits more often than once per month.
Had exactly that idea when looking at news.bbc.co.uk. British spooks in a
foreign country could easily explain why they access the bbc website. The
other way around is a little more difficult, although I know some people, who
regularly update their personal website with all kinds of silly stuff, like
images of their kids etc.
------------------------------
From: H C <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sat, 07 Apr 2001 18:33:04 -0400
> A lot is at stake for our company. If the risk of discovery is too
> high, it might be best just to limit communication of any critical
> information (inconvenient as that might be). But if the risk is very
> small, the benefit might outweigh the risk.
You guys are digging yourselves a hole, and you're about to jump in and
bury yourselves. You would be better off just NOT communicating sensitive
information in that manner to begin with. You see, you've stated that your
goal is not to be discovered using covert means...not that your critical
info
be protected.
------------------------------
From: H C <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sat, 07 Apr 2001 18:33:36 -0400
Frank Gerlach wrote:
> It seems you are posting from UK. If you do anything Her Majesty's govt.
> doesn't like, I would also not expect stegano to get a additional security
> :-) GCHQ and NSA can be considered a *single* organization...
by whom?
------------------------------
Date: 7 Apr 2001 22:43:48 -0000
From: [EMAIL PROTECTED] (Fight Boschloo)
Subject: [NEWS] PGP broken (maybe)
Crossposted-To: alt.privacy.anon-server,alt.security-pgp
Sure Boschloo will announce that, now, to get some attention
===============================================
HISTORY:
That Boschloo bozo is a clown and a troll who has been looming around for nearly a
year.
Don't mistake a "regular" (troll) with a knowledgeable person: that self-proclaimed
"security expert" is not even a remailer user. In the past, he proved himself unable
to check a PGP signature, and got ridicule from every single technical topic he wanted
to talk about.
Besides false or inaccurate or misleading technical misinformation, his posts are
about his avowed mental illness, or for bashing remops or real freedom fighters: he
likes to quarrel with every one, and stir shit. Sometimes, it is even pure delirium
(when he misses his pills?)
One of his last actions was to stage a hoax about his own suicide, just to try to grab
some sympathy, after he had been exposed as a troll and technically incompetent.
The worst being his teasing of Script-Kiddie until it triggered a new flood on apas.
Of course, he refuses to apologize.
Actually, the level of contempt he shows for remailer users:
they don't give their names, while he does
that can't do anything against him, without giving their names
is in no way different from what is displayed by Pangborn, Burnore and the like
Ignore him completely, killfile him, respect others' killfiles
KILLFILE:
To put him in your killfile, put "Author: Boschloo"
That will make disappear both him and people who warn about him
If you want to tell him to buzz off, or warn about him,
use a nickname containing "Boschloo" (Boschloo Hater, Boschloo Sucks,...)
to accomodate such killfile for "regulars", and still warn newbies
COURAGE:
Boschloo is getting _no_ answer from apas any more.
He has to crosspost to various newsgroups to try to grab some attention.
In a few months, it will be gone.
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: NSA is funding stegano detection
Date: Sun, 08 Apr 2001 00:23:40 +0200
Marc wrote:
> I believe that cheap CCD or CMOS camera chips _do_ generate a lot of
> noise, but I doubt that this noise has the exact same characteristics
> as the encrypted file you intend to send.
Exactly.
> One should analyse the characteristics and map the encrypted file in
> a way so that it remains invisible. This can turn out to be difficult
> and possibly might even be impossible unless you know what type of
> analysis the opponent will undertake (eg FFT). It might be possible
> that he comes up with totally new methods of analysis (just like there
> appear new attacks on ciphers every couple of years), and that your
> stego mapping turns out to be strong or weak against it.
That is what I referred to as cat-and-mouse game.
The fattest cat in town (NSAGCHQ) employs quite a few mathmaticians and will
most probably have quite a few classified statistical tests :-)
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sun, 08 Apr 2001 01:14:32 +0200
H C wrote:
> Frank Gerlach wrote:
>
> > It seems you are posting from UK. If you do anything Her Majesty's govt.
> > doesn't like, I would also not expect stegano to get a additional security
> > :-) GCHQ and NSA can be considered a *single* organization...
>
> by whom?
By every entity outside the WASP (White Anglo Saxon Protestant) community.
Sure, sometimes the english and the US govt have different interests (e.g. Suez
canal crisis), but these are *very* seldom occasions.
Not only are their systems fully integrated (e.g. ECHELON, Rhyolite,...), they
are also "racially and culturally" (sorry for being so blunt) integrated. The
true meaning of "special relationship" is that the brits and the yanks will
share any secret, including the secrets of EU and Nato partners.
Read "The Puzzle Palace" by Charles Bamford and you are going understand the
deeper sense of Churchill's speeches about "bonds of blood" (or whatever his
term was).
Taking into account that the roots of US, Canadian (Quebec doesn't count),
Australian and NZ culture is England, this is just natural. This "virtual
english nation" is reflected in the extremely close cooperation of their
intelligence services, with ECHELON just mirroring this on the technical level.
Having some public quarrels from time to time is just beneficial in
camouflaging this english-speaking conspiration.
All that said, the "virtual english nation" is the flamekeeper of freedom, if
you compare it to spanish- or french-speaking countries. Even India is
remarkably democratic...
PS: No, It doesn't matter that Tony B. is a catholic. The WASP network will
make sure he doesn't deviate too much :-)
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Dynamic Substitution Question
Date: Sat, 07 Apr 2001 23:03:46 GMT
On Sat, 07 Apr 2001 17:57:21 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>John Savard wrote:
>[snip]
>> Although I think that there _may_ possibly be slight problems with the
>> broader aspects of the Dynamic Substitution patent, the "preferred
>> embodiment" at least is very clearly original. Nothing remotely like
>> it seems to have predated it that I've ever heard of.
>Since you seem to have better studied DS than many, may
>I ask your favour to explain a little bit the term
>'preferred embodiment' above (which isn't a commonly
>encountered one in posts of our group)? Thanks.
It's a term found in the patent.
The "preferred embodiment" is the specific algorithm used in many of
Terry Ritter's products that employ Dynamic Substitution, which has
been given in some posts in these threads;
but that is contrasted with the broader class of algorithms that are
covered by what the patent claims.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
From: [EMAIL PROTECTED] (Miguel Cruz)
Date: Sat, 07 Apr 2001 23:24:45 GMT
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
> Another thought. We still have alot of people out of work here
> you could hire some Navahos. And just let them communicate messages
> to and from IRAQ. It worked in WWII. I doubt he has anyone there
> fluent in it. Or pick some other small indian tribe to hire workers.
Or they could hire some pimply American teenage geeks and have them
communicate in 31337 h4x0r-5p33k.
miguel
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: Dynamic Substitution Question
Date: Sat, 07 Apr 2001 19:42:58 -0300
Ritter himself agree that Dynamic Substitution does not add randomness
comparing to OTP. I think that DS not only add nothing to randomness of
the keystream but it add more determinism to the keystream.
I can prouve it without statistical analysis.
Just by mathematical demonstration.
I'm working on it.
John Savard wrote:
>
> On Sat, 07 Apr 2001 17:57:21 +0200, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote, in part:
> >John Savard wrote:
>
> >[snip]
> >> Although I think that there _may_ possibly be slight problems with the
> >> broader aspects of the Dynamic Substitution patent, the "preferred
> >> embodiment" at least is very clearly original. Nothing remotely like
> >> it seems to have predated it that I've ever heard of.
>
> >Since you seem to have better studied DS than many, may
> >I ask your favour to explain a little bit the term
> >'preferred embodiment' above (which isn't a commonly
> >encountered one in posts of our group)? Thanks.
>
> It's a term found in the patent.
>
> The "preferred embodiment" is the specific algorithm used in many of
> Terry Ritter's products that employ Dynamic Substitution, which has
> been given in some posts in these threads;
>
> but that is contrasted with the broader class of algorithms that are
> covered by what the patent claims.
>
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Charles Lyttle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sat, 07 Apr 2001 23:49:20 GMT
Frank Gerlach wrote:
>
> Marc wrote:
>
> > >It's not just that - you have to consider the traffic analysis questions
> > >as well. what sorts of GIFs are you going to use as covertext? and what
> > >plausible reason will your contacts have for sending them?
> >
> > One idea for this problem is to set up a webcam. The picture can always
> > carry the most recent message. No pictures without message are ever sent
> > so the adversary can not learn the natural noise characteristics of the
> > cam unless he has physical access.
>
> This would be true if you would actually *construct* the camera, and if you
> were able to define the physical characteristics of it. Still, you have a
> point, which is oversampling of the CCD signal. But this means that GIF is not
> useful, but a 24bit Truecolor format must be used. Even with this method, the
> NSAGCHQ folks will look at the statistic distribution of the noise. Quite some
> effort necessary to make sure the hidden data matches the characteristics of
> the sampled sensor (CCD, microphone,...)
>
> > The web server distributes the picture to everybody who requests it. If
> > placed on the principal page of a well-visited server it should be quite
> > easy to hide the daily "hot" download. With 30 clients set up all over
> > the US (for example), one can do daily downloads, and still no "hot" client
> > visits more often than once per month.
>
> Had exactly that idea when looking at news.bbc.co.uk. British spooks in a
> foreign country could easily explain why they access the bbc website. The
> other way around is a little more difficult, although I know some people, who
> regularly update their personal website with all kinds of silly stuff, like
> images of their kids etc.
Also each frame would have to have a different message. Otherwise the
message showes up in every frame and simple convolution will reveal it.
--
Russ Lyttle
"World Domination through Penguin Power"
The Universal Automotive Testset Project at
<http://home.earthlink.net/~lyttlec>
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 7 Apr 2001 23:52:51 GMT
In sci.crypt Marc <[EMAIL PROTECTED]> wrote:
> The web server distributes the picture to everybody who requests it. If
> placed on the principal page of a well-visited server it should be quite
> easy to hide the daily "hot" download. With 30 clients set up all over
> the US (for example), one can do daily downloads, and still no "hot" client
> visits more often than once per month.
OK. If you can hide it in the pictures seen on cnn.com, maybe this works.
If you have a site which is only visited by people whose only intention is to
download covertext...
By the way, note that in Iraq cnn.com may not be a nice site to be caught
visiting. Maybe a better bet would be to upload them to
amiallyourbaseornot.com , although some of the other photos there could run
you afoul of decency standards.
-David
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Dynamic Substitution Question
Date: Sun, 08 Apr 2001 00:39:19 GMT
On Sat, 07 Apr 2001 19:42:58 -0300, in
<[EMAIL PROTECTED]>, in sci.crypt newbie
<[EMAIL PROTECTED]> wrote:
>Ritter himself agree that Dynamic Substitution does not add randomness
>comparing to OTP. I think that DS not only add nothing to randomness of
>the keystream but it add more determinism to the keystream.
>I can prouve it without statistical analysis.
>Just by mathematical demonstration.
>I'm working on it.
"Ritter himself" sees Dynamic Substitution as a reversible nonlinear
and keyable cryptographic combiner. One use is to replace the
reversible but LINEAR and non-keyable additive combiner (e.g., XOR)
used in stream ciphers and "One-Time-Pad" (OTP). That combiner is
typically used to mix plaintext data and a "keying sequence" or
"confusion sequence" produced by some sort of Random Number Generator
(RNG). That is how plaintext is carried on the apparently-random
ciphertext stream.
The reason one might want to use a better combiner is that the classic
attack on additive stream ciphers is "known-plaintext": if the
opponent gets some plaintext which can be associated with the
ciphertext, that will expose the raw "confusion sequence" which can
then attacked on its own. We do assume that the opponent has known
plaintext. We also assume the opponent knows the electronic or
logical details of the RNG that produces the confusion sequence, so
that, knowing the raw output, there is decent chance of opening that
up, and then predicting the sequence forward and backward. There is a
long history of doing exactly this sort of thing.
In contrast, when we have a nonlinear and keyable combiner, simply
having known-plaintext does not immediately reveal the confusion
sequence. That complicates attacks and hopefully stops the opponent
well before encountering a generator which might be analyzed and
broken. But in the same way that there is no proven-secure generator,
Dynamic Substitution is no panacea; it is just a tool to improve
stream cipher security. On the other hand, we already know that XOR
has no strength at all against known-plaintext.
I recommend that *some* sort of nonlinear (non-additive) combiner even
for the OTP. That would of course not be necessary if we could simply
*assume* that the OTP keying sequence was in fact absolutely
unpredictable. But that is something which at this point cannot be
proven and also cannot be tested. It consequently makes sense to
assume that predictability is present, and then take steps to hide
that. For anyone interested in real security, using a keyed nonlinear
combiner (e.g., a Latin square, or, yes, Dynamic Substitution) makes a
lot of sense, even in an OTP design.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Dynamic Substitution Question
Date: Sun, 08 Apr 2001 00:39:29 GMT
On Sat, 07 Apr 2001 23:03:46 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (John Savard) wrote:
>On Sat, 07 Apr 2001 17:57:21 +0200, Mok-Kong Shen
><[EMAIL PROTECTED]> wrote, in part:
>>John Savard wrote:
>
>>[snip]
>>> Although I think that there _may_ possibly be slight problems with the
>>> broader aspects of the Dynamic Substitution patent, the "preferred
>>> embodiment" at least is very clearly original. Nothing remotely like
>>> it seems to have predated it that I've ever heard of.
>
>>Since you seem to have better studied DS than many, may
>>I ask your favour to explain a little bit the term
>>'preferred embodiment' above (which isn't a commonly
>>encountered one in posts of our group)? Thanks.
>
>It's a term found in the patent.
Well, yes, but "preferred embodiment" is also one of the major terms
in patents in general:
One part of the contract between society and the patent applicant is
that the inventor is required to disclose how to "practice" the
invention. This is the meat of patent "publication." This is what
society gets out of the deal.
With many inventions, there can be almost infinite ways to practice or
exploit the invention, but the inventor is the expert on scene in this
new technology, and is expected to describe what she or he considers
the "best way" at the time. This is the "preferred embodiment,"
demonstrating one way the invention could be used. It is a specific
realization shown in figures with numbered parts whose operation thus
can be and is discussed in detail. No "handwaving" is allowed.
There is no implication that the invention is limited to the use shown
in the "preferred embodiment." That is just an example to clearly
show how the invention works and one way that it may be advantageously
practiced. But, starting from that basis, one is in a better position
to see what the claims mean, and what any generality in the claims
implies in terms of other applications.
>The "preferred embodiment" is the specific algorithm used in many of
>Terry Ritter's products that employ Dynamic Substitution, which has
>been given in some posts in these threads;
>
>but that is contrasted with the broader class of algorithms that are
>covered by what the patent claims.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
