
[Is this still appropriate for coderpunks?]

At 01:07 PM 5/14/98 +0100, Mark Tillotson wrote:
> However I view the process rather differently. There are two channels - the message is carried in the MAC and in the plaintext bits. Chaffing simply serves to obliterate the plaintext channel. The

But it _doesn't_ obliterate the plaintext channel; it just obfuscates it a lot.

> recipient doesn't need to get the plaintext bits at all - they can simply try the MAC against both 0 and 1, and choose the correct one. (although this doubles the workload)

Depending on how sequence numbers are managed, it doesn't need to double it - if you try the MAC for 0, it either succeeds or fails, and in either case you don't need to check the MAC for 1. If you're using a shorter MAC which might have collisions (e.g. 8 bits of a real MAC), you need to check both, since both 0 and 1 could pass, trashing the bit, and if you're using the "First different bit in MAC(0) and MAC(1)" technique you obviously need to calculate both.

> Furthermore an "attacker" can't tell, without breaking the MAC scheme, whether the plaintext is genuine or a blind, and so this makes chaffing/winnowing an ideal carrier of steganography. It's like sending a plaintext file and a ciphertext file together, with an assertion that they correspond - unless you can prove this assertion how can an outsider be convinced you are not hiding information in the ciphertext file? How can you prove this assertion without giving away your MAC key? How can you demonstrate you are using a MAC and not simply triple-DES?

It's easy to demonstrate that the wheat channel is using real MACs - if you're hauled into court for some violation or lawsuit, you can probably be ordered to deliver the key (if you kept it), since it's "not" being used to keep the message secret, "only" to authenticate it. For the chaffing techniques that can use random chaff, though, you really can't prove that the "random" numbers are random as opposed to stegotext without giving up the stegotext unless they're generated by a pseudo-random algorithm which uses a key you can reproduce (as opposed to a session key from /dev/random.)

Will the real use of chaffing/winnowing be to send uninteresting cover traffic and carry stegotext as chaff?

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
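The MAC-only channel discussed in the message above, as an added example that is not part of the original post: each bit travels as a sequence number plus a MAC, and the receiver recovers it by testing candidate bits. It shows that with a full-length MAC testing only the 0 candidate is enough, while with a MAC cut to 8 bits both candidates can pass and the bit is trashed. HMAC-SHA256, the 4-byte sequence counter, the key and all function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not from the post


def mac(key, seq, bit, nbytes=32):
    """HMAC-SHA256 over (sequence number, candidate bit), cut to nbytes."""
    msg = seq.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()[:nbytes]


def send(key, bits, nbytes=32):
    """One packet per bit: (seq, tag). The plaintext bit itself is not sent."""
    return [(seq, mac(key, seq, b, nbytes)) for seq, b in enumerate(bits)]


def winnow_single(key, packets, nbytes=32):
    """Test only MAC(0): a match means 0, a mismatch is taken to mean 1."""
    return [0 if hmac.compare_digest(tag, mac(key, seq, 0, nbytes)) else 1
            for seq, tag in packets]


def winnow_both(key, packets, nbytes=32):
    """Test both candidates; None marks a bit that cannot be decided
    (both candidates pass because of a collision, or neither passes)."""
    out = []
    for seq, tag in packets:
        ok = [b for b in (0, 1)
              if hmac.compare_digest(tag, mac(key, seq, b, nbytes))]
        out.append(ok[0] if len(ok) == 1 else None)
    return out


if __name__ == "__main__":
    bits = [(i >> 3) & 1 for i in range(8192)]  # constructed sample message
    short = send(KEY, bits, nbytes=1)           # "8 bits of a real MAC"
    both = winnow_both(KEY, short, nbytes=1)
    single = winnow_single(KEY, short, nbytes=1)
    trashed = [s for s, b in enumerate(both) if b is None]
    silent = [s for s in range(len(bits)) if single[s] != bits[s]]
    print("bits trashed by MAC(0) == MAC(1):", len(trashed))
    print("bits silently wrong when only MAC(0) is tested:", len(silent))
```

With the single-candidate shortcut, a collision on a 1 bit is not detected at all: the receiver reads it as 0.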