1994-02-24 - Stealth PGP and Stegonagraphy (LONG)

Header Data

From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
To: cypherpunks@toad.com
Message Hash: e24a88cbcc28792deb6b47779baaf526b0ff69c68fc4b2a2df79dcb478a8a35c
Message ID: <Pine.3.89.9402240722.A4135-0100000@delbruck.pharm.sunysb.edu>
Reply To: N/A
UTC Datetime: 1994-02-24 12:10:55 UTC
Raw Date: Thu, 24 Feb 94 04:10:55 PST

Raw message

From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
Date: Thu, 24 Feb 94 04:10:55 PST
To: cypherpunks@toad.com
Subject: Stealth PGP and Stegonagraphy (LONG)
Message-ID: <Pine.3.89.9402240722.A4135-0100000@delbruck.pharm.sunysb.edu>
MIME-Version: 1.0
Content-Type: text/plain




         Making Stealth PGP (random noise) Files "Undetectable"


         INITIAL PROBLEM:

         The following ideas were developed in response to the concern 
         over the future legal implications of possessing encrypted files.
         If non-Clipper encryption becomes illegal, even the mere
         possession of possible non-Clipper-encrypted files may be
         grounds for a search warrant, confiscation of equipment, and
         miscellaneous court sanctions.


         PRACTICAL OBJECTIVE:

         The possession of encrypted files must be made virtually
         undetectable, even to the most determined and best 
         informed opponent.


         BASIC PREMISE:

         On many machines the file system allows users to "delete" files
         without actually erasing them.  This is usually accomplished by
         simply marking the disk blocks that make up the file as free.
         Thus it is possible to write an encrypted (noise) file on 
         to disk, pad the rest of the disk with more noise and "delete" the
         whole thing, making the disk look blank to all casual observers.


         CHALLENGES:

         I   - Miscellaneous disk writes, such as those performed routinely
               by DOS, can overwrite the "deleted" files.

         II  - Certain security measures on the part of the user may make 
               recovery of the hidden file non-trivial.  Ideally, the file 
               will not have an "End Of File" marker, a file name, nor an 
               entry in the File Allocation Table.

         III - Upon examination of the deleted segment of a disk, the
               aware opponent will notice the discrepancy between a large,
               highly-random noise-segment and the "structured garbage"
               that will make up most of the rest of the deleted portion 
               of the disk.
         

         PROPOSED SOLUTIONS:

         I   - To ensure the integrity of the hidden data, all disk 
               writes must be directly controlled by the user, not DOS.

                A  - Use of a floppy disk is recommended; as, controlling
                     each individual disk-write operation on a harddrive
                     becomes infeasible due to the large amount of 
                     said operations.

                B  - The user should specify and keep track of the exact
                     address and length of the encrypted file when 
                     writing it to disk.  The file's location/length
                     should be guarded as dearly as one's secret key
                     and corresponding password,  for similar reasons.

         II  - Keeping track of the exact address and length of the 
               hidden file will allow easy file recovery, without need for an 
               EOF marker, a file name, nor a FAT entry.

         III - In order to make one's file deleted file virtually 
               indistinguishable from the rest of the deleted portion of the 
               disk, the implementation of one of the following measures 
               is recommended.

                A  - Split the noise file into small individual files and
                     scatter them throughout the "structured garbage" that is
                     already on the disk.  It should blend in with the other
                     little pieces of highly random noise that are naturally
                     interspersed in the deleted portion of the disk.
                     Recovery would, of course, require one to keep track
                     of the addresses, lengths, and order of the 
                     component files.
                     
                B  - Use a stegonagraphy utility to hide one's file in a
                     segment of "structured garbage".  A Mimic function
                     with a "structured garbage" grammar would be highly
                     usefull for this.


         DISCUSSION:
         
         All of the above speculation relies on the use of Stealth PGP, or a
         similar program that encrypts plaintext into a format indistinguishable
         from random noise.  Unless this stegonagraphic function is implemented
         detection of the encrypted file, even when hidden among megabytes of
         other "deleted" files, will be trivial; as, PGP has a distinct header.
         
         The success of the above method also relies on the use of non-standard
         locations for the hidden files.  For, if this method becomes popular, 
         _and_ everyone starts hiding their files in the last few sectors of the
         disk, for example, a significant portion of the method's effectiveness 
         may be compromised.
         
         It should be noted that as long as the user is writing directly to and 
         reading directly from the disk (bypassing DOS), "deletion" of the file 
         is no longer necessary.  It is necessary to keep the blocks one writes
         to marked as "FREE", "BAD" or "DELETED" (take your pick!).  Some
         modification of the FAT or equivalent may be required here.
         
         
         SUMMARY:
         
         In order to hide a Stealth PGP (or equivalent) encrypted "noise" file
         effectively one may follow the steps outlined below:
                               
                           1    Embed it in "structured garbage" such as is
                                present normally on the deleted portions of the
                                disk.  This can be accomplished by using a 
                                stegonagraphy program or by splitting the file
                                into small segments and scattering them among
                                "structured garbage".
                                
                           2    Write the resulting "structured garbage"/noise
                                combination directly to disk.  This can be
                                accomplished by using a normal disk-sector 
                                editor utility.
                           
                           3    Keep track of the exact location and size of the
                                file if you want to retrieve it later.  Keep
                                this information secure.
                                
                           4    Modify the FAT (or equivalent) to mark the
                                sectors you've written to as "FREE", "BAD", or
                                "DELETED" (if necessary).
         
         In order to retrieve and reconstruct one's file simply reverse
         steps 2 and 1.
         
         
         THANKS:
         
         I wish I could thanks everyone who has commented on this thread 
         individually.  Unfortunately, I am rather new to this.  Next time, 
         I'll know to keep track of each response/address/name instead of 
         simply replying to your mail/posts.  You know who you are.  Thank you!
         Keep you comments flowing!


                                 All feedback welcome,

                                     Sergey







Thread