From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
To: cypherpunks@toad.com
Message Hash: e24a88cbcc28792deb6b47779baaf526b0ff69c68fc4b2a2df79dcb478a8a35c
Message ID: <Pine.3.89.9402240722.A4135-0100000@delbruck.pharm.sunysb.edu>
Reply To: N/A
UTC Datetime: 1994-02-24 12:10:55 UTC
Raw Date: Thu, 24 Feb 94 04:10:55 PST
From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
Date: Thu, 24 Feb 94 04:10:55 PST
To: cypherpunks@toad.com
Subject: Stealth PGP and Stegonagraphy (LONG)
Message-ID: <Pine.3.89.9402240722.A4135-0100000@delbruck.pharm.sunysb.edu>
MIME-Version: 1.0
Content-Type: text/plain
Making Stealth PGP (random noise) Files "Undetectable"
INITIAL PROBLEM:
The following ideas were developed in response to the concern
over the future legal implications of possessing encrypted files.
If non-Clipper encryption becomes illegal, even the mere
possession of possible non-Clipper-encrypted files may be
grounds for a search warrant, confiscation of equipment, and
miscellaneous court sanctions.
PRACTICAL OBJECTIVE:
The possession of encrypted files must be made virtually
undetectable, even to the most determined and best
informed opponent.
BASIC PREMISE:
On many machines the file system allows users to "delete" files
without actually erasing them. This is usually accomplished by
simply marking the disk blocks that make up the file as free.
Thus it is possible to write an encrypted (noise) file on
to disk, pad the rest of the disk with more noise and "delete" the
whole thing, making the disk look blank to all casual observers.
CHALLENGES:
I - Miscellaneous disk writes, such as those performed routinely
by DOS, can overwrite the "deleted" files.
II - Certain security measures on the part of the user may make
recovery of the hidden file non-trivial. Ideally, the file
will not have an "End Of File" marker, a file name, nor an
entry in the File Allocation Table.
III - Upon examination of the deleted segment of a disk, the
aware opponent will notice the discrepancy between a large,
highly-random noise-segment and the "structured garbage"
that will make up most of the rest of the deleted portion
of the disk.
PROPOSED SOLUTIONS:
I - To ensure the integrity of the hidden data, all disk
writes must be directly controlled by the user, not DOS.
A - Use of a floppy disk is recommended; as, controlling
each individual disk-write operation on a harddrive
becomes infeasible due to the large amount of
said operations.
B - The user should specify and keep track of the exact
address and length of the encrypted file when
writing it to disk. The file's location/length
should be guarded as dearly as one's secret key
and corresponding password, for similar reasons.
II - Keeping track of the exact address and length of the
hidden file will allow easy file recovery, without need for an
EOF marker, a file name, nor a FAT entry.
III - In order to make one's file deleted file virtually
indistinguishable from the rest of the deleted portion of the
disk, the implementation of one of the following measures
is recommended.
A - Split the noise file into small individual files and
scatter them throughout the "structured garbage" that is
already on the disk. It should blend in with the other
little pieces of highly random noise that are naturally
interspersed in the deleted portion of the disk.
Recovery would, of course, require one to keep track
of the addresses, lengths, and order of the
component files.
B - Use a stegonagraphy utility to hide one's file in a
segment of "structured garbage". A Mimic function
with a "structured garbage" grammar would be highly
usefull for this.
DISCUSSION:
All of the above speculation relies on the use of Stealth PGP, or a
similar program that encrypts plaintext into a format indistinguishable
from random noise. Unless this stegonagraphic function is implemented
detection of the encrypted file, even when hidden among megabytes of
other "deleted" files, will be trivial; as, PGP has a distinct header.
The success of the above method also relies on the use of non-standard
locations for the hidden files. For, if this method becomes popular,
_and_ everyone starts hiding their files in the last few sectors of the
disk, for example, a significant portion of the method's effectiveness
may be compromised.
It should be noted that as long as the user is writing directly to and
reading directly from the disk (bypassing DOS), "deletion" of the file
is no longer necessary. It is necessary to keep the blocks one writes
to marked as "FREE", "BAD" or "DELETED" (take your pick!). Some
modification of the FAT or equivalent may be required here.
SUMMARY:
In order to hide a Stealth PGP (or equivalent) encrypted "noise" file
effectively one may follow the steps outlined below:
1 Embed it in "structured garbage" such as is
present normally on the deleted portions of the
disk. This can be accomplished by using a
stegonagraphy program or by splitting the file
into small segments and scattering them among
"structured garbage".
2 Write the resulting "structured garbage"/noise
combination directly to disk. This can be
accomplished by using a normal disk-sector
editor utility.
3 Keep track of the exact location and size of the
file if you want to retrieve it later. Keep
this information secure.
4 Modify the FAT (or equivalent) to mark the
sectors you've written to as "FREE", "BAD", or
"DELETED" (if necessary).
In order to retrieve and reconstruct one's file simply reverse
steps 2 and 1.
THANKS:
I wish I could thanks everyone who has commented on this thread
individually. Unfortunately, I am rather new to this. Next time,
I'll know to keep track of each response/address/name instead of
simply replying to your mail/posts. You know who you are. Thank you!
Keep you comments flowing!
All feedback welcome,
Sergey
Return to February 1994
Return to “Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>”
1994-02-24 (Thu, 24 Feb 94 04:10:55 PST) - Stealth PGP and Stegonagraphy (LONG) - Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>