Standard for Stenography?

Sergey Goldgaber sergey at delbruck.pharm.sunysb.edu
Thu Mar 3 19:01:22 PST 1994




On Thu, 3 Mar 1994 wcs at anchor.ho.att.com wrote:

> Sergey writes:
> > I have often heard it said that one should always assume that one's 
> > opponent knows everything except one's secret key.  To me, this makes no 
> > sense!  If your opponent is good enough and determined enough to get by 
> > all the layers of obscurity you may have put up, then it's just one more
> > step to getting your secret key.
> 
> If your cryptography methods are good enough to withstand an
> opponent who has full documentation of your algorithms and methods,
> lots of funds, and everything except your keys, then you don't
> need to waste your time with all the other stuff.  And if you can't
> protect a couple of keys, it doesn't really matter how much other
> security you have.

I have never heard a serious, reputable claim about the unbreakability of
an algorithm.  Any newbie that dares to pretend otherwise is promptly 
referred to the example of the NSA.  The biggest single purchaser of 
computer hardware, and employer of mathematicians.  Dozens of years ahead 
of public research and all classified.

The point is, that in the real world, we'll never know if our algorithms 
are "good enough to withstand an opponent who has full documentation of 
your algorithms and methods, lots of funds, and everything except your keys."
This opponent need not be the NSA, per se, BTW.  With "lots of funds" 
they may have access to at least some of the NSA's findings.  And, who 
knows, the NSA may regularly hire its services out to the highest bidder.

You may trust your encryption alone, but if it ever comes to that, I'll 
hide any sensitive information I may have every way I can.  

> security-by-obscurity is a naive waste of time,

I still don't see why.

> obscurity-by-obscurity is hard to argue against real clearly :-)
> On the other hand, if your cyphertext looks like random bits anyway,
> it doesn't take a lot to make them invisible.

It certainly looks like it takes a lot!  The Mimic function seems, to me,
to be the only effective practical steganography application.  Most of the 
rest of the informed members of this group seem to be debating the 
relative visibility/invisibility of their respective systems.

> The real need is to make your data look like Somebody Else's Problem....

Here's to somebody else's problems!

> 			Bill
> 


Sergey







