On Fri, 4 Mar 1994, Hal wrote:
From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
If I have understood you correctly, there is nothing wrong with equating obscurity with a practical, albeit temporary, increase in security. Equating obscurity with ultimate security is a mistake. As is equating a "strong" algorithm with ultimate security.
I would not put it like this. Rather, if you want a temporary increase in security, you need to calculate, or at least assume, how much extra time it will take for your opponent to defeat your temporarily-secret information. Just saying, "oh, well this complication ought to slow him down some, heh hey," doesn't cut it. Again, you need to be explicit about exactly what information you are keeping temporarily secret, and how long you expect it to be kept secret.
I agree. Your cost assesments will, however, be different for each individual StO method. I was generalizing.
I would like to propose that there is a goal, in addition to those you have revealed, for the opponent as well as the legitimate user of steganography. The opponent would, ideally, wish to not only determine that there is a message within the data; in addition, he would prefer to be able to extract that message for analysis. Therefore, I believe that it would be to the advantage of the stego-user to not only hide the existence of his message, but to do so in such a way that the cost of successfully extracting that message, by his opponent, is maximized.
I think this is a plausible, although less ambitious, goal. But what's this about "maximizing cost"? Where does that fit into the analysis? This does not tell you whether your "maximization" has actually helped or not.
Well, if we adopt the method of comparing the cost of implementing a given steganography method to the cost of breaking it as a valid measure of its effectiveness; then, it would make sense to "maximize" the cost of breaking it as a means of making the method more effective (ie. making the method more obscure would make it more effective).
Instead, if you are going to adopt this goal, this means that the test of your steganography is whether the opponent can extract the message. It's not that your goal is to "maximize his difficulty". It's that your goal is to stop him. Again, NoStO emphasizes clear statements of your goals and costs.
The more difficult it is for one's opponent to extract the message, the more effective the method is. Thus, "maximizing his difficulty" is a valid goal. As I see it, this is a goal of most encryption systems. To make decryption as difficult as possible, if not impossible (ie. maximum difficulty).
(The reason I say this is less ambitious is that if the opponent can determine there is a message, but not what it is, they may be able to bring penalties to bear on those communicating, depending on the circum- stances. For example, finding a stego'd file on someone's hard disk might represent probable cause that illegal encryption was used, in some hypothetical future.)
I am well aware of this. I was not proposing the above goal as a substitute, but an addition to the one you pointed out.
I have to take exception with the assertions made in this paragraph. Using the principles of public-key systems, the steganography key itself does not have to be kept secret. The sender, reciever, and indeed the opponent would all have access to this key without compromising the security of the system. The challenge, for the opponent, lies in figuring out which public-key the sender has used. I have no statistics on exactly how difficult this challenge would prove; but, considering the number of public-keys currently availiable and projecting several years into the future, the challenge may be a very significant one.
What key are you talking about here? The public one? That is not secret. As you say, the opponent has access to it. Are you assuming that the opponent cannot guess which public key was used? How will you measure the accuracy of this assumption without statistics?
I am assuming that it will cost the opponent effort. I have no statistics to show exactly how much effort it would cost him; as I believe it would be different in every individual case. However, it is clear that the effort needed would increase.
I really don't think you have understood my essay. The point, again, of avoiding StO is to make it clear what you are keeping secret, and to count the costs of keeping it secret. If you are counting on keeping secret the recipient of the message then you have these costs:
I do not think you have understood _my_ essay. My proposal was for a default, variable offset in certain steganography applications. The benefit of this is obvious: having no offset or a non-variable offset would make for generally poorer security; as, the effort required in figuring out where one's file is located is nonexistant. Effort increases when a variable offset is implemented.
Any stego files found in the recipient's possession are broken.
This need only be the case if the recipient keeps his recieved files (which were sent using the _default_ settings) in their original format. Any compromise in security can be avoided if he resets the offset to a custom value.
Stego files can be exhaustively searched against a list of public keys.
Regularly encrypted files can be searched against random secret keys. The effort involved in both is greater than not having to search at all.
If a particular group or person is targeted for surveillance his keys can be used against all widely-known stego channels.
If no offset, or a non-variable offset, is used than one's opponent wouldn't even have to try to recover the file! That is why I only proposed a default offset, while pointing out that maximum security can only be achieved through custom offsets!
Further, your own test is so weak (inability to recover the actual message) you have not attempted to make it impossible to guess when you have recovered the message, even with the correct key information. So in each of the cases above the authorities know when they have the message in hand.
In my original post I made it clear that my proposal was an addition to, not a subsitition for, the goal you set. Therefore, the ideal steganography program would make it impossible to guess that there is a message _as_well_as_ make it impossible to tell where the message is located. These functions are not mutually exclusive.
Now if you are tempted to say that this isn't true, because we could arrange for the message ALSO to be unrecognizable even when successfully recovered (so that the opponents don't know when they have recovered it) then you have missed the whole point. You earlier rejected this test. If you had accepted it, you wouldn't have needed your keys at all.
Hal
You proposed that a successful steganography program should hide the message in a file in such a way that one's opponent would have to guess about the existance of a message in that file. I do not dispute that goal. I simply offer an additional one. Let me give an example: Steganography Program A hides data at no offset, with a 49% probability of hostile recognition. This program would pass your proposed test. Because it offers no offset, successfull extraction of the data requires only X ammount of effort from one's opponent. Steganography Program B hides data at a variable offset, with a 49% probability of hostile recognition. This program would also pass your proposed test. Because it offers a variable offset, successfull extraction of the data requires X+Y ammount of effort from one's opponent. User C hides data in all 100 of his GIF files using Steganography Program A. User D hides data in all 100 of his GIF files using Steganography Program B. Opponent E searches through every GIF file of both user C and D. He guesses that there is data in 49 files belonging to user C, and 49 belonging to user D. He successfully extracts the data from all 49 of user C's files, expending X ammount of effort. Successfull extraction of user D's data, however, costs him X+Y effort. As this is a hypothetical example, we may subsitute $1 for X ammount of effort, and $1 for Y ammount. Successfull extraction of C's data would cost his opponent $1, while D's data would cost $2. More realistically, substiture $10,000 for both X and Y; or $100,000; or $1,000,000. Now, would you rather use? Program A or B? I, for one, would rather use B, realizing that both X and Y are unknown. Sergey