From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
To: Hal <hfinney@shell.portal.com>
Message Hash: 87e1dd8dafea7a5ee3b7e7c53cf2912c581d49e570a69dd4f6f6e570b6c6c6ee
Message ID: <Pine.3.89.9403050116.F28008-0100000@delbruck.pharm.sunysb.edu>
Reply To: <199403041522.HAA24738@jobe.shell.portal.com>
UTC Datetime: 1994-03-05 07:45:18 UTC
Raw Date: Fri, 4 Mar 94 23:45:18 PST
From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
Date: Fri, 4 Mar 94 23:45:18 PST
To: Hal <hfinney@shell.portal.com>
Subject: Re: Security through Obscurity
In-Reply-To: <199403041522.HAA24738@jobe.shell.portal.com>
Message-ID: <Pine.3.89.9403050116.F28008-0100000@delbruck.pharm.sunysb.edu>
MIME-Version: 1.0
Content-Type: text/plain
On Fri, 4 Mar 1994, Hal wrote:
> From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
> >
> > If I have understood you correctly, there is nothing wrong with equating
> > obscurity with a practical, albeit temporary, increase in security.
> > Equating obscurity with ultimate security is a mistake. As is equating a
> > "strong" algorithm with ultimate security.
>
> I would not put it like this. Rather, if you want a temporary increase
> in security, you need to calculate, or at least assume, how much extra time
> it will take for your opponent to defeat your temporarily-secret information.
> Just saying, "oh, well this complication ought to slow him down some, heh
> hey," doesn't cut it. Again, you need to be explicit about exactly what
> information you are keeping temporarily secret, and how long you expect it
> to be kept secret.
>
I agree. Your cost assesments will, however, be different for each
individual StO method. I was generalizing.
> > I would like to propose that there is a goal, in addition to those you have
> > revealed, for the opponent as well as the legitimate user of steganography.
> > The opponent would, ideally, wish to not only determine that there is a
> > message within the data; in addition, he would prefer to be able to extract
> > that message for analysis. Therefore, I believe that it would be to the
> > advantage of the stego-user to not only hide the existence of his message,
> > but to do so in such a way that the cost of successfully extracting that
> > message, by his opponent, is maximized.
> >
>
> I think this is a plausible, although less ambitious, goal. But what's
> this about "maximizing cost"? Where does that fit into the analysis? This
> does not tell you whether your "maximization" has actually helped or not.
Well, if we adopt the method of comparing the cost of implementing a
given steganography method to the cost of breaking it as a valid measure of
its effectiveness; then, it would make sense to "maximize" the cost of
breaking it as a means of making the method more effective (ie. making
the method more obscure would make it more effective).
> Instead, if you are going to adopt this goal, this means that the test of
> your steganography is whether the opponent can extract the message. It's
> not that your goal is to "maximize his difficulty". It's that your goal is
> to stop him. Again, NoStO emphasizes clear statements of your goals and
> costs.
The more difficult it is for one's opponent to extract the message, the
more effective the method is. Thus, "maximizing his difficulty" is a
valid goal. As I see it, this is a goal of most encryption systems. To
make decryption as difficult as possible, if not impossible (ie. maximum
difficulty).
>
> (The reason I say this is less ambitious is that if the opponent can
> determine there is a message, but not what it is, they may be able to
> bring penalties to bear on those communicating, depending on the circum-
> stances. For example, finding a stego'd file on someone's hard disk
> might represent probable cause that illegal encryption was used, in some
> hypothetical future.)
>
I am well aware of this. I was not proposing the above goal as a
substitute, but an addition to the one you pointed out.
> > I have to take exception with the assertions made in this paragraph.
> > Using the principles of public-key systems, the steganography key itself
> > does not have to be kept secret. The sender, reciever, and indeed the
> > opponent would all have access to this key without compromising the
> > security of the system. The challenge, for the opponent, lies in figuring
> > out which public-key the sender has used. I have no statistics on
> > exactly how difficult this challenge would prove; but, considering the
> > number of public-keys currently availiable and projecting several years
> > into the future, the challenge may be a very significant one.
>
> What key are you talking about here? The public one? That is not
> secret. As you say, the opponent has access to it. Are you assuming that
> the opponent cannot guess which public key was used? How will you measure
> the accuracy of this assumption without statistics?
I am assuming that it will cost the opponent effort. I have no
statistics to show exactly how much effort it would cost him; as I
believe it would be different in every individual case. However, it is
clear that the effort needed would increase.
> I really don't think you have understood my essay. The point, again, of
> avoiding StO is to make it clear what you are keeping secret, and to count
> the costs of keeping it secret. If you are counting on keeping secret the
> recipient of the message then you have these costs:
>
I do not think you have understood _my_ essay. My proposal was for a
default, variable offset in certain steganography applications. The
benefit of this is obvious: having no offset or a non-variable offset
would make for generally poorer security; as, the effort required in
figuring out where one's file is located is nonexistant. Effort
increases when a variable offset is implemented.
> Any stego files found in the recipient's possession are broken.
This need only be the case if the recipient keeps his recieved files
(which were sent using the _default_ settings) in their original format.
Any compromise in security can be avoided if he resets the offset to a
custom value.
>
> Stego files can be exhaustively searched against a list of public keys.
>
Regularly encrypted files can be searched against random secret keys.
The effort involved in both is greater than not having to search at all.
> If a particular group or person is targeted for surveillance his keys can
> be used against all widely-known stego channels.
If no offset, or a non-variable offset, is used than one's opponent
wouldn't even have to try to recover the file! That is why I only
proposed a default offset, while pointing out that maximum security can
only be achieved through custom offsets!
> Further, your own test is so weak (inability to recover the actual message)
> you have not attempted to make it impossible to guess when you have
> recovered the message, even with the correct key information. So in each
> of the cases above the authorities know when they have the message in hand.
In my original post I made it clear that my proposal was an addition to,
not a subsitition for, the goal you set. Therefore, the ideal steganography
program would make it impossible to guess that there is a message
_as_well_as_ make it impossible to tell where the message is located.
These functions are not mutually exclusive.
> Now if you are tempted to say that this isn't true, because we could arrange
> for the message ALSO to be unrecognizable even when successfully recovered
> (so that the opponents don't know when they have recovered it) then you
> have missed the whole point. You earlier rejected this test. If you had
> accepted it, you wouldn't have needed your keys at all.
>
> Hal
You proposed that a successful steganography program should hide the
message in a file in such a way that one's opponent would have to guess
about the existance of a message in that file. I do not dispute that goal.
I simply offer an additional one. Let me give an example:
Steganography Program A hides data at no offset, with a 49% probability of
hostile recognition. This program would pass your proposed test.
Because it offers no offset, successfull extraction of the data requires
only X ammount of effort from one's opponent.
Steganography Program B hides data at a variable offset, with a 49%
probability of hostile recognition. This program would also pass your
proposed test. Because it offers a variable offset, successfull
extraction of the data requires X+Y ammount of effort from one's opponent.
User C hides data in all 100 of his GIF files using Steganography Program A.
User D hides data in all 100 of his GIF files using Steganography Program B.
Opponent E searches through every GIF file of both user C and D.
He guesses that there is data in 49 files belonging to user C, and 49
belonging to user D. He successfully extracts the data from all 49 of
user C's files, expending X ammount of effort. Successfull extraction of
user D's data, however, costs him X+Y effort.
As this is a hypothetical example, we may subsitute $1 for X ammount
of effort, and $1 for Y ammount. Successfull extraction of C's data
would cost his opponent $1, while D's data would cost $2. More
realistically, substiture $10,000 for both X and Y; or $100,000; or
$1,000,000. Now, would you rather use? Program A or B?
I, for one, would rather use B, realizing that both X and Y are unknown.
Sergey
Return to March 1994
Return to “Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>”