From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
To: wcs@anchor.ho.att.com
Message Hash: ae94ba90b278dfec6f50f778f3e48c0c58a4db9bbfaa424d1a81b513781b04ea
Message ID: <Pine.3.89.9403032133.G23725-0100000@delbruck.pharm.sunysb.edu>
Reply To: <9403040134.AA15184@anchor.ho.att.com>
UTC Datetime: 1994-03-04 03:01:22 UTC
Raw Date: Thu, 3 Mar 94 19:01:22 PST
Subject: Re: Standard for Stenography?
On Thu, 3 Mar 1994 wcs@anchor.ho.att.com wrote:
> Sergey writes:
> > I have often heard it said that one should always assume that one's
> > opponent knows everything except one's secret key. To me, this makes no
> > sense! If your opponent is good enough and determined enough to get by
> > all the layers of obscurity you may have put up, then it's just one more
> > step to getting your secret key.
>
> If your cryptography methods are good enough to withstand an
> opponent who has full documentation of your algorithms and methods,
> lots of funds, and everything except your keys, then you don't
> need to waste your time with all the other stuff. And if you can't
> protect a couple of keys, it doesn't really matter how much other
> security you have.
I have never heard a serious, reputable claim about the unbreakability of
an algorithm. Any newbie that dares to pretend otherwise is promptly
referred to the example of the NSA. The biggest single purchaser of
computer hardware, and employer of mathematicians. Dozens of years ahead
of public research and all classified.

The point is, that in the real world, we'll never know if our algorithms
are "good enough to withstand an opponent who has full documentation of
your algorithms and methods, lots of funds, and everything except your keys."

This opponent need not be the NSA, per se, BTW. With "lots of funds"
they may have access to at least some of the NSA's findings. And, who
knows, the NSA may regularly hire its services out to the highest bidder.

You may trust your encryption alone, but if it ever comes to that, I'll
hide any sensitive information I may have every way I can.
> security-by-obscurity is a naive waste of time,
I still don't see why.
> obscurity-by-obscurity is hard to argue against real clearly :-)
> On the other hand, if your cyphertext looks like random bits anyway,
> it doesn't take a lot to make them invisible.
It certainly looks like it takes a lot! The Mimic function seems, to me,
to be the only effective practical steganography application. Most of the
rest of the informed members of this group seem to be debating the
relative visibility/invisibility of their respective systems.
> The real need is to make your data look like Somebody Else's Problem....
Here's to somebody else's problems!
> Bill
>
Sergey