From: "Dr. D.C. Williams" <dcwill@ee.unr.edu>
Date: Wed, 18 Jan 95 15:53:40 PST
To: cypherpunks@toad.com
Subject: Re: Key backup (was: How do I know . ..)
Message-ID: <199501182358.SAA29305@bb.hks.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

'Adam Shostack' was reported to have written:

> 	Putting the UPC's on things other than cards (such as books)
> makes it easier to hide in the open.  `UPC' stickers on, say, a few
> books are easier to miss than UPC stickers on index cards.

Exactly. If the intention is to keep them out in the open, then
making labels which resemble UPCs is preferred. However, if I'm
going to dig a hole in the ground at a secret location and bury my
barcoded key in a special container, a different format might be
indicated.

> 	Invisible ink draws attention to the correct UPC's once they
> know you're using it.  See Kahn for a discussion of secret inks being
> developed during the second world war. 

I'll do that, but I think you might be intermixing ideas. Pseudo-UPCs in
invisible ink wouldn't be a good combination. Pseudo-UPCs should 
probably be printed exactly like normal UPCs. If you want the "invisible
ink" process, it should probably blend into the ambient environment as
much as possible. Even if "they" know you're using secret ink, don't "they"
have to find the printed key first? How much work is required to check
every page of every book and every sheet of paper you might have access
to? You could mail your key anywhere in the world invisibly printed on 
the outside of an envelope. Better yet, send someone a special document
(wedding announcement, legal document, 21st birthday card, whatever;
the important part is to send something that the recipient will keep)
with your keyring invisibly printed on it. 

Variations on this theme (there are many) are encouraged. Have a friend
check out a library book and let you stamp your key somewhere inside. It's
the number of possible variations that make this seemingly impossible to
attack. Apologies if this "secret ink" stuff is way off base  ;-) .

Most people (myself included) would opt for the "split and
disguise" or "hidden/buried" key schemes where secret ink wouldn't add
much security.

> If you want to hide bits, they
> should be stripped of low entropy parts and hidden with a stego
> program.

The idea was to use something other than magnetic media. A new and
different optical encoding method could be devised to hide a key in a 
halftone, but the barcode example was offered as one possibility using
an existing standard. The basis for this thread was the perceived need
for a relatively simple key backup system that didn't require the active
participation of a whole hoard of people.


=D.C. Williams	<dcwill@ee.unr.edu>

- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBLx2rEyoZzwIn1bdtAQEBVAGAzJc1fOAchLGEIlnbQBiJXV2cICE2WK8e
8FnXnP8ztcWEdUCYY0vjDewiLI2iW4bt
=tUR2
-----END PGP SIGNATURE-----