1994-03-04 - Re: Security through Obscurity

Header Data

From: Hal <hfinney@shell.portal.com>
To: sergey@delbruck.pharm.sunysb.edu
Message Hash: de7dc118a107c99778326f4e4af269441a26df4b1d6cdf68864dc87efdf154a1
Message ID: <199403041522.HAA24738@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-03-04 15:22:16 UTC
Raw Date: Fri, 4 Mar 94 07:22:16 PST

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Fri, 4 Mar 94 07:22:16 PST
To: sergey@delbruck.pharm.sunysb.edu
Subject: Re: Security through Obscurity
Message-ID: <199403041522.HAA24738@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
> > To sum up, obscurity is not bad.  What is bad is to confuse obscurity
> > with security.
> 
> If I have understood you correctly, there is nothing wrong with equating
> obscurity with a practical, albeit temporary, increase in security.
> Equating obscurity with ultimate security is a mistake.  As is equating a
> "strong" algorithm with ultimate security.

I would not put it like this.  Rather, if you want a temporary increase
in security, you need to calculate, or at least assume, how much extra time
it will take for your opponent to defeat your temporarily-secret information.
Just saying, "oh, well this complication ought to slow him down some, heh
hey," doesn't cut it.  Again, you need to be explicit about exactly what
information you are keeping temporarily secret, and how long you expect it
to be kept secret.


> > In encryption, the opponent's desire is to find out the original message.
> > What is the opponent's desire in steganography?  I feel it is to be able
> > to prove or determine with some degree of certaintly that there is a
> > hidden message.  We use steganography in a context where sending such a
> > message openly is for some reason undesirable.  Hence our goal is to
> > prevent the opponent from knowing that a message exists.
> 
> I would like to propose that there is a goal, in addition to those you have 
> revealed, for the opponent as well as the legitimate user of steganography.  
> The opponent would, ideally, wish to not only determine that there is a 
> message within the data; in addition, he would prefer to be able to extract 
> that message for analysis.  Therefore, I believe that it would be to the 
> advantage of the stego-user to not only hide the existence of his message, 
> but to do so in such a way that the cost of successfully extracting that 
> message, by his opponent, is maximized.
> 

I think this is a plausible, although less ambitious, goal.  But what's
this about "maximizing cost"?  Where does that fit into the analysis?  This
does not tell you whether your "maximization" has actually helped or not.

Instead, if you are going to adopt this goal, this means that the test of
your steganography is whether the opponent can extract the message.  It's
not that your goal is to "maximize his difficulty".  It's that your goal is
to stop him.  Again, NoStO emphasizes clear statements of your goals and
costs.

(The reason I say this is less ambitious is that if the opponent can
determine there is a message, but not what it is, they may be able to
bring penalties to bear on those communicating, depending on the circum-
stances.  For example, finding a stego'd file on someone's hard disk
might represent probable cause that illegal encryption was used, in some
hypothetical future.)

> I have to take exception with the assertions made in this paragraph.  
> Using the principles of public-key systems, the steganography key itself 
> does not have to be kept secret.  The sender, reciever, and indeed the 
> opponent would all have access to this key without compromising the 
> security of the system.  The challenge, for the opponent, lies in figuring
> out which public-key the sender has used.  I have no statistics on 
> exactly how difficult this challenge would prove; but, considering the 
> number of public-keys currently availiable and projecting several years 
> into the future, the challenge may be a very significant one.

What key are you talking about here?  The public one?  That is not
secret.  As you say, the opponent has access to it.  Are you assuming that
the opponent cannot guess which public key was used?  How will you measure
the accuracy of this assumption without statistics?


I really don't think you have understood my essay.  The point, again, of
avoiding StO is to make it clear what you are keeping secret, and to count
the costs of keeping it secret.  If you are counting on keeping secret the
recipient of the message then you have these costs:

Any stego files found in the recipient's possession are broken.

Stego files can be exhaustively searched against a list of public keys.

If a particular group or person is targeted for surveillance his keys can
be used against all widely-known stego channels.

Further, your own test is so weak (inability to recover the actual message)
you have not attempted to make it impossible to guess when you have
recovered the message, even with the correct key information.  So in each
of the cases above the authorities know when they have the message in hand.

Now if you are tempted to say that this isn't true, because we could arrange
for the message ALSO to be unrecognizable even when successfully recovered
(so that the opponents don't know when they have recovered it) then you
have missed the whole point.  You earlier rejected this test.  If you had
accepted it, you wouldn't have needed your keys at all.

Hal






Thread