Re: Standard for Stenography?
Sergey writes:
I have often heard it said that one should always assume that one's opponent knows everything except one's secret key. To me, this makes no sense! If your opponent is good enough and determined enough to get by all the layers of obscurity you may have put up, then it's just one more step to getting your secret key.
If your cryptography methods are good enough to withstand an opponent who has full documentation of your algorithms and methods, lots of funds, and everything except your keys, then you don't need to waste your time with all the other stuff. And if you can't protect a couple of keys, it doesn't really matter how much other security you have. On the other hand, steganography is almost by definition an obscurity technique, and while security-by-obscurity is a naive waste of time, obscurity-by-obscurity is hard to argue against real clearly :-) On the other hand, if your cyphertext looks like random bits anyway, it doesn't take a lot to make them invisible. The real need is to make your data look like Somebody Else's Problem....
Bill
On Thu, 3 Mar 1994 wcs@anchor.ho.att.com wrote:
Sergey writes:
I have often heard it said that one should always assume that one's opponent knows everything except one's secret key. To me, this makes no sense! If your opponent is good enough and determined enough to get by all the layers of obscurity you may have put up, then it's just one more step to getting your secret key.
If your cryptography methods are good enough to withstand an opponent who has full documentation of your algorithms and methods, lots of funds, and everything except your keys, then you don't need to waste your time with all the other stuff. And if you can't protect a couple of keys, it doesn't really matter how much other security you have.
I have never heard a serious, reputable claim about the unbreakability of an algorithm. Any newbie that dares to pretend otherwise is promptly referred to the example of the NSA. The biggest single purchaser of computer hardware, and employer of mathematicians. Dozens of years ahead of public research and all classified. The point is, that in the real world, we'll never know if our algorithms are "good enough to withstand an opponent who has full documentation of your algorithms and methods lots of funds, and everything except your keys." This opponent need not be the NSA, per se, BTW. With "lots of funds" they may have access to at least some of the NSA's findings. And, who knows, the NSA may regularly hire its services out to the highest bidder. You may trust your encryption alone, but if it ever comes to that, I'll hide any sensitive information I may have every way I can.
security-by-obscurity is a naive waste of time,
I still don't see why.
obscurity-by-obscurity is hard to argue against real clearly :-) On the other hand, if your cyphertext looks like random bits anyway, it doesn't take a lot to make them invisible.
It certainly looks like it takes a lot! The Mimic function seems, to me, to be the only effective practical steganography application. Most of the rest of the informed members of this group seem to be debating the relative visibility/invisibility of their respective systems.
The real need is to make your data look like Somebody Else's Problem....
Here's to somebody else's problems!
Bill
Sergey
Sergey Goldgaber writes:
I have never heard a serious, reputable claim about the unbreakability of an algorithm.
Maybe not, but if you've been paying attention you know of a great deal of theory that supports the intractability of solving certain problems in realistic amounts of time. Most PK cryptosystems are based on relatively simple principles of mathematics. It stretches the imagination to think that the NSA somehow has solved the factoring problem; I concede it's possible, but unlikely.
The point is, that in the real world, we'll never know if our algorithms are "good enough to withstand an opponent who has full documentation of your algorithms and methods lots of funds, and everything except your keys."
Depends on what you mean by "know", I guess.
security-by-obscurity is a naive waste of time,
I still don't see why.
Well, you can't tell when you've been compromised, and you have no rigorous way of demonstrating the robustness of your obscurity. The real problem, however, is that you'll have a hard time convincing anybody else to participate. You can hide all your valuables in a really clever place and do all sorts of really clever secret things to protect them, and that may make you feel secure. However, you won't be able to convince me to entrust *my* valuables to you unless you explain to me the details of your techniques.
--
| GOOD TIME FOR MOVIE - GOING ||| Mike McNally <m5@tivoli.com>       |
| TAKE TWA TO CAIRO.          ||| Tivoli Systems, Austin, TX:        |
| (actual fortune cookie)     ||| "Like A Little Bit of Semi-Heaven" |
On Fri, 4 Mar 1994, Mike McNally wrote:
Maybe not, but if you've been paying attention you know of a great deal of theory that supports the intractability of solving certain problems in realistic amounts of time. Most PK cryptosystems are based on relatively simple principles of mathematics. It stretches the imagination to think that the NSA somehow has solved the factoring problem; I concede it's possible, but unlikely.
Granted.
The point is, that in the real world, we'll never know if our algorithms are "good enough to withstand an opponent who has full documentation of your algorithms and methods lots of funds, and everything except your keys."
Depends on what you mean by "know", I guess.
know = 100% objective certainty
security-by-obscurity is a naive waste of time,
I still don't see why.
Well, you can't tell when you've been compromised,
How can you tell that you've been compromised if you stick to non-security-by-obscurity methods?
and you have no rigorous way of demonstrating the robustness of your obscurity.
That would be difficult. But, lack of objective measures does not mean that security-through-obscurity is ineffective. BTW, there may be some statistics on the effectiveness of StO, somewhere. (Anyone out there heard of any?)
The real problem, however, is that you'll have a hard time convincing anybody else to participate.
I am not trying to convince everyone to hide their data in the same place I am hiding it. Simply consider hiding it, rather than leaving it out in the open! That's not too crazy a proposition, is it?
You can hide all your valuables in a really clever place and do all sorts of really clever secret things to protect them, and that may make you feel secure. However, you won't be able to convince me to entrust *my* valuables to you unless you explain to me the details of your techniques.
Take your encrypted data. Stick it in a file, using a variable offset. That's all there is to it.
Sergey
know = 100% objective certainty
Well, OTP gives you this. Probabilistic encryption does too, I think (the original version -- not the practical version). Quantum cryptography is pretty close, depending on how much trust you place in the laws of physics. Granted, none of these are very useful. The question is, 100% objective certainty of *what*? If breaking a scheme were provably exponential-time, that'd be enough for me.
Sergey
Eli ebrandt@hmc.edu
On Fri, 4 Mar 1994, Eli Brandt wrote:
know = 100% objective certainty
Well, OTP gives you this. Probabilistic encryption does too, I think (the original version -- not the practical version). Quantum cryptography is pretty close, depending on how much trust you place in the laws of physics. Granted, none of these are very useful.
Newbie questions: What is OTP? What about probabilistic encryption vs quantum cryptography? How do they give one 100% certainty that they can't be broken?
The question is, 100% objective certainty of *what*? If breaking a scheme were provably exponential-time, that'd be enough for me.
100% objective certainty of the scheme's invulnerability.
Sergey
Eli ebrandt@hmc.edu
Sergey :)
Newbie questions: What is OTP? What about probabilistic encryption vs quantum cryptography?
OTP is one-time pad. There was an article on quantum cryptography in the October '92 Scientific American. For probabilistic encryption, I think the sci.crypt FAQ has a reference.
How do they give one 100% certainty that they can't be broken?
OTP and some flavors of probabilistic encryption are information-theoretically secure. For OTP, this is obvious if you think about it a bit. Quantum cryptography relies on the math of quantum mechanics, whose validity is ultimately empirical but rather well tested.
100% objective certainty of the scheme's invulnerability.
My point is, invulnerability to *what attack*? An attacker may know the algorithm, or not; may have known plaintext; may be able to choose plaintext; may be able to read a channel, or to garble it, or to change it; may have limited or unlimited space and time; might be able to factor in polynomial time -- there are a lot of parameters here. And it makes no sense at all to say, "Well, let's just consider the strongest possible attack."
Eli
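Added example, not part of the original thread: the information-theoretic security of the one-time pad mentioned above, checked by enumerating every pad for a constructed two-byte message, together with the caveat that the guarantee is lost when a pad is reused. The function names and sample messages are constructed for illustration.

```python
from collections import Counter
from itertools import product
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (OTP encryption and decryption)."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def ciphertext_distribution(plaintext: bytes) -> Counter:
    """Encrypt `plaintext` under every possible pad and count the ciphertexts."""
    pads = (bytes(k) for k in product(range(256), repeat=len(plaintext)))
    return Counter(xor(plaintext, pad) for pad in pads)


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`."""
    return xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused pad the pad cancels out: c1 XOR c2 equals p1 XOR p2."""
    return xor(c1, c2)


if __name__ == "__main__":
    # Constructed two-byte messages, short enough to enumerate all 65536 pads.
    d_ok, d_no = ciphertext_distribution(b"OK"), ciphertext_distribution(b"NO")
    print("same ciphertext distribution for both messages:", d_ok == d_no)
    print("every ciphertext equally likely:", set(d_ok.values()) == {1})

    # Any same-length plaintext is consistent with an observed ciphertext.
    pad = secrets.token_bytes(6)
    c = xor(b"MONDAY", pad)
    print("alternative pad decrypts to:", xor(c, pad_explaining(c, b"FRIDAY")))

    # Reusing the pad for a second message breaks the guarantee.
    c2 = xor(b"FRIDAY", pad)
    print("reuse leaks p1 XOR p2:", reuse_leak(c, c2) == xor(b"MONDAY", b"FRIDAY"))
```

Because each ciphertext occurs exactly once for every plaintext, observing a ciphertext leaves the attacker's beliefs about the message unchanged, whatever computing power is available.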
On Sat, 5 Mar 1994, Eli Brandt wrote:
My point is, invulnerability to *what attack*? An attacker may know the algorithm, or not; may have known plaintext; may be able to choose plaintext; may be able to read a channel, or to garble it, or to change it; may have limited or unlimited space and time; might be able to factor in polynomial time -- there are a lot of parameters here. And it makes no sense at all to say, "Well, let's just consider the strongest possible attack."
Eli
My original response was concerning an algorithm "good enough to withstand an opponent who has full documentation of your algorithms and methods lots of funds, and everything except your keys." That opponent may, conceivably, be the NSA or another person/organisation with access to similar resources. The consensus seems to point to such an opponent as being one who could mount the "strongest possible attack". It may not be practical to consider such a general danger when designing particular encryption schemes; but, it is likewise impractical to make sweeping generalizations concerning a given scheme's invulnerability.
Sergey
My original response was concerning an algorithm "good enough to withstand an opponent who has full documentation of your algorithms and methods lots of funds, and everything except your keys."
That's what they have; what can they *do*? As I've been trying to get across, that is not a full specification of capabilities. Enough.
Eli ebrandt@hmc.edu
know = 100% objective certainty
Well, OTP gives you this. Probabilistic encryption does too, I think (the original version -- not the practical version). Quantum cryptography is pretty close, depending on how much trust you place in the laws of physics. Granted, none of these are very useful.
Don't forget Dining Cryptographer's nets and CalShad nets.
participants (5)
- Eli Brandt
- m5@vail.tivoli.com
- Sergey Goldgaber
- SINCLAIR DOUGLAS N
- wcs@anchor.ho.att.com