1994-02-25 - Re: “self decrypto” and Steg

Header Data

From: Seth Morris <Seth.Morris@lambada.oit.unc.edu>
To: cypherpunks@toad.com
Message Hash: 378fb280969ce8083af60ede95dfd2a8c4f610ce409014536423f282a7ced55c
Message ID: <9402250855.AA20045@lambada.oit.unc.edu>
Reply To: N/A
UTC Datetime: 1994-02-25 08:56:01 UTC
Raw Date: Fri, 25 Feb 94 00:56:01 PST

Raw message

From: Seth Morris <Seth.Morris@lambada.oit.unc.edu>
Date: Fri, 25 Feb 94 00:56:01 PST
To: cypherpunks@toad.com
Subject: Re: "self decrypto" and Steg
Message-ID: <9402250855.AA20045@lambada.oit.unc.edu>
MIME-Version: 1.0
Content-Type: text


First, re: "self decrypting" binaries.
> An interesting idea, although highly unpracticable.  Sending a binary
> is nearly impossible.  As an example, I have at my disposal (and I log
> into regularly) at least 6 different platforms.  All Unix, but each
> one would require its own binary!
 
> Also, there is no way to meet your goal of "no external binary
> needed."  There may be a few things you can do in lieu of this, but
> all of them require some knowledge of the recipient hardware system.
> But in a case such as mine, even that wouldn't help (do you send it
> for an RT, Vax, Decmips, RS6000, Alpha, Linux, Sun386i, Next, ...?)

 Sounds more like a general utility for conventional key crypto with versions
ported to other platforms. Like pkzip's "crypto" options, but hopefully
without publicly posted programs to crack it!
 Imagine a program built with lharc, zip, arj, tar, uuxfer, md5, and idea.
A general file cruncher. Then you send a binary .whatever file with a
special header that has the passphrase prompts you've decided on.

 Not "self-decrypting" by any means, but more likely to be run and accepted
by a user unwilling to install pgp. Also, very easy to write. Hork gzip,
maybe info-zip, pgptools, maybe some lharc code, etc from publicly
visible locations and snap them together.

 I have to agree with the statement that I'm NOT going to run a random
binary dropped in my mbox! Even if someone I'd like to communicate 
securely with had said it'd be dropping by.

 I think with all the talk about steg lately we might want to recall an idea
posted a few months (several?) ago.... Create and widely distribute a
program to take a "stealth" crypto file (of course, the util might also
do the stealthing.... details) and perform a large number of manipulations
on it. 
 Something like a command blend -"Hello, world!" file.bin would do
something like use the "H" option (of MANY) with an argument of 5 (or
of 101 or whatever the ascii value of 'e' is... I'm tired), then the "l"
manipulation twice ("l" might not take an argument), then "o", skip the
comma and whitespace (or maybe not), etc.
 No way to gaurantee that some operations don't undo one another, but you'd
still have a good chance that the resulting file would be VERY difficult to
cryptanalyse, I think (and I *know* I'll be told if I'm wrong... I'm 
repeating what seemed like a good idea). At the very least, it wouldn't
decrypt into anything useful.
 This way, one utility can provide man avenues to help steg (if the file
cannot be determined to be encrypted by a particular program/with a
particular method, it may be easier to hide in a practicable way (which
may be less secure than a more theorhetically sound method)).

 Again, I'm in favor of having the program also provide a non-crypto
related service to the user. Encourage people to have it and know
how to use it, and provide a cover to explain it's presence.

 Just a couple-a comments on current threads.

 Seth Morris (Seth.Morris@LaUNChpad.unc.edu)






Thread