Re: Simpler solutions (was Re: Stealth PGP work)
At 10:26 AM 2/28/96 -0500, Bruce Zambini wrote:
> Or, you can develop a public-key stego system... ie a stego system that uses bits in specific ways depending on the private key of the recipient.

I assume you mean the public key of the recipient?

> Something I've been thinking about, but haven't quite figured out how to do yet, except that one could use certain bits based on a PRNG and begin the message with an RSA-encrypted seed (ie the first X bits will be the seed, encrypted with your public PGP key).

That's equivalent to stego(picture, ( RSA(sessionkey,pubkey), Symmetric(message, sessionkey))) where Symmetric is a potentially cheaper (and weaker) algorithm than IDEA that possibly uses transposition rather than strict block-structuring. This approach is no more obscure than stego(stealth(PGP(message, pubkey))) though slightly more obscure than stego(PGP(message, pubkey)), optionally less secure, and probably not much faster except for long messages with wimpy Symmetric. And it still suffers from the non-stealthiness of vanilla RSA that Hal Finney, Adam Back, Harry Hastur, and others have discussed.

Might as well keep the stego and encryption parts separate. You gain a certain degree of obscurity by using stego(picture, scramble( PGP(message, pubkey), key )) where scramble is some cheap symmetric encryption algorithm and key is either the recipient's public key or keyid, and PGP is in binary mode. This hides the message from eavesdroppers who don't know the recipient, but not from eavesdroppers who are willing to test against the keys of a list of usual suspects (assuming the recipient is one of them.)

#--
# Thanks; Bill
# Bill Stewart, stewarts@ix.netcom.com / billstewart@attmail.com +1-415-442-2215
# http://www.idiom.com/~wcs Pager +1-408-787-1281

On Thu, 29 Feb 1996, Bill Stewart wrote:
> At 10:26 AM 2/28/96 -0500, Bruce Zambini wrote:
>> Or, you can develop a public-key stego system... ie a stego system that uses bits in specific ways depending on the private key of the recipient.
>
> I assume you mean the public key of the recipient?

Well, no. Or yes and no. Something like Public-Key crypto in general, where the public key isn't enough knowledge to decrypt it. For example, you could encrypt a session key with RSA. [...]

> You gain a certain degree of obscurity by using stego(picture, scramble( PGP(message, pubkey), key )) where scramble is some cheap symmetric encryption algorithm and key is either the recipient's public key or keyid, and PGP is in binary mode. This hides the message from eavesdroppers who don't know the recipient, but not from eavesdroppers who are willing to test against the keys of a list of usual suspects (assuming the recipient is one of them.)

Well, that's what I want to avoid; I think the issue is that as long as stego is predictable, there's a problem, ie a message to a certain party can be shown to exist, even if it's not readable. This might prove more than ample evidence in certain circumstances. You shouldn't be able to recover the stego'd message without special knowledge. This isn't addressed by current software, to my knowledge.

Jon Lasser
----------
Jon Lasser (410)494-3072                 - Obscenity is a crutch for
jlasser@rwd.goucher.edu                    inarticulate motherfuckers.
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D)       - Fuck the CDA.
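
Added example, not part of either message: a small Python model of the "usual suspects" test Bill Stewart describes against stego(picture, scramble(PGP(message, pubkey), key)) when key is the recipient's key ID, which is the predictability Jon Lasser objects to. The XOR-stream `scramble`, the sequential LSB embedding, the simplified PGP-like header built by `fake_pgp`, and all key IDs and cover bytes are constructed assumptions for illustration.

```python
import hashlib
import random

def keystream(key, n):
    """SHA-256 in counter mode, keyed only by `key` (assumed construction)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def scramble(data, key):
    """Self-inverse XOR stream: stand-in for the 'cheap symmetric' scramble."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def fake_pgp(keyid, body):
    """Constructed PGP-like layout: tag byte, 2-byte length, key ID, body."""
    return b"\x85" + (len(keyid) + len(body)).to_bytes(2, "big") + keyid + body

def embed(cover, payload):
    """Write payload bits, MSB first, into the LSBs of the first cover bytes."""
    out = bytearray(cover)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract(image, nbytes):
    """Read nbytes back out of the LSBs of the first nbytes * 8 image bytes."""
    out = bytearray(nbytes)
    for i in range(nbytes * 8):
        out[i // 8] |= (image[i] & 1) << (7 - i % 8)
    return bytes(out)

def match_suspect(image, suspects):
    """Return the key ID whose descrambled header is well-formed, else None."""
    head = extract(image, 11)  # tag + length + 8-byte key ID
    for keyid in suspects:
        plain = scramble(head, keyid)  # needs nothing but the public key ID
        if plain[0] == 0x85 and plain[3:11] == keyid:
            return keyid
    return None

# Constructed sample data: random "pixels" and made-up 8-byte key IDs.
rng = random.Random(1996)
COVER = bytes(rng.randrange(256) for _ in range(4096))
ALICE, BOB, CAROL = (hashlib.sha256(n).digest()[:8] for n in (b"alice", b"bob", b"carol"))
STEGO = embed(COVER, scramble(fake_pgp(BOB, b"opaque ciphertext"), BOB))
```

`match_suspect(STEGO, [ALICE, BOB, CAROL])` returns `BOB` because everything needed to undo `scramble` is public; with Bob off the list, or on the untouched `COVER`, it returns `None`.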