1998-05-14 - Re: Chaffing and winnowing

Header Data

From: bill.stewart@pobox.com
To: Mark Tillotson <gibreel@pobox.com
Message Hash: 019a2d21264e7dea56a0a7555751f6a3e7cdbe9d58bb1ecb1bcd55b9c25678b7
Message ID: <>
Reply To: <874syut9ld.fsf@wsuse5.mckesson.com>
UTC Datetime: 1998-05-14 17:08:21 UTC
Raw Date: Thu, 14 May 1998 10:08:21 -0700 (PDT)

Raw message

From: bill.stewart@pobox.com
Date: Thu, 14 May 1998 10:08:21 -0700 (PDT)
To: Mark Tillotson <gibreel@pobox.com
Subject: Re: Chaffing and winnowing
In-Reply-To: <874syut9ld.fsf@wsuse5.mckesson.com>
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain

[Is this still appropriate for coderpunks?]

At 01:07 PM 5/14/98 +0100, Mark Tillotson wrote:
>However I view the process rather differently.  There are two channels
>- the message is carried in the MAC and in the plaintext bits.
>Chaffing simply serves to obliterate the plaintext channel.  The

But it _doesn't_ obliterate the plaintext channel;
it just obfuscates it a lot.

>recipient doesn't need to get the plaintext bits at all - they can
>simply try the MAC against both 0 and 1, and choose the correct one.
>(although this doubles the workload)

Depending on how sequence numbers are managed, it doesn't 
need to double it - if you try the MAC for 0, it either
succeeds or fails, and in either case you don't need to 
check the MAC for 1.  If you're using a shorter MAC which
might have collisions (e.g. 8 bits of a real MAC), you need to
check both, since both 0 and 1 could pass, trashing the bit,
and if you're using the "First different bit in MAC(0) and MAC(1)"
technique you obviously need to calculate both.

>Furthermore an "attacker" can't tell, without breaking the MAC scheme,
>whether the plaintext is genuine or a blind, and so this makes
>chaffing/winnowing an ideal carrier of steganography.  It's like
>sending a plaintext file and a ciphertext file together, with an
>assertion that they correspond - unless you can prove this assertion
>how can an outsider be convinced you are not hiding information in the
>ciphertext file?  How can you prove this assertion without giving away
>your MAC key?  How can you demonstrate you are using a MAC and not
>simply triple-DES?

It's easy to demonstrate that the wheat channel is using real MACs -
if you're hauled into court for some violation or lawsuit,
you can probably be ordered to deliver the key (if you kept it),
since it's "not" being used to keep the message secret,
"only" to authenticate it.  

For the chaffing techniques that can use random chaff, though, 
you really can't prove that the "random" numbers are random 
as opposed to stegotext without giving up the stegotext
unless they're generated by a pseudo-random algorithm
which uses a key you can reproduce (as opposed to a 
session key from /dev/random.)

Will the real use of chaffing/winnowing be to send
uninteresting cover traffic and carry stegotext as chaff?
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639