1998-05-14 - Re: Chaffing and winnowing

Header Data

From: Mark Tillotson <markt@harlequin.co.uk>
To: gibreel@pobox.com
Message Hash: 9eb43e5c8d0079f5bbbb8c684e274ace6e661942142fd4d39d55145ddeae3b5f
Message ID: <199805141207.NAA00226@spike.long.harlequin.co.uk>
Reply To: <874syut9ld.fsf@wsuse5.mckesson.com>
UTC Datetime: 1998-05-14 12:08:33 UTC
Raw Date: Thu, 14 May 1998 05:08:33 -0700 (PDT)

Raw message

From: Mark Tillotson <markt@harlequin.co.uk>
Date: Thu, 14 May 1998 05:08:33 -0700 (PDT)
To: gibreel@pobox.com
Subject: Re: Chaffing and winnowing
In-Reply-To: <874syut9ld.fsf@wsuse5.mckesson.com>
Message-ID: <199805141207.NAA00226@spike.long.harlequin.co.uk>
MIME-Version: 1.0
Content-Type: text/plain

Stephen Zander <gibreel@pobox.com> wrote:
| But wasn't that the gist of Rivest's paper: he's not encrypting the
| message, he's just obscuring it really, really well.

His point is that the message packets start out readable, and then by
adding other packets (not altering the originals) you gain security,
whether intentional or not - apparently encryption is performed by
accident and without a key.

So he argues that since this technique transforms a cleartext stream
to a secure one without use of any cryptographic technique or
algorithm, no act of encryption has happened.

However it is not that simple - for a start to gain real security you have
to be careful to mingle streams in very precise ways, to lose the
temporal statistics that give away the origins of each packet - you
have to match wheat to chaff on a packet by packet basis to get good
security.  Furthermore you have to use a CSRNG or true random source
to generate fake MACs, or have another MAC key for the complementary
stream(s) - It is not so easy to say that these precautions could be an
accidental act, or that they are entirely non-cryptographic.

However I view the process rather differently.  There are two channels
- the message is carried in the MAC and in the plaintext bits.
Chaffing simply serves to obliterate the plaintext channel.  The
recipient doesn't need to get the plaintext bits at all - they can
simply try the MAC against both 0 and 1, and choose the correct one.
(although this doubles the workload)

Furthermore an "attacker" can't tell, without breaking the MAC scheme,
whether the plaintext is genuine or a blind, and so this makes
chaffing/winnowing an ideal carrier of steganography.  It's like
sending a plaintext file and a ciphertext file together, with an
assertion that they correspond - unless you can prove this assertion
how can an outsider be convinced you are not hiding information in the
ciphertext file?  How can you prove this assertion without giving away
your MAC key?  How can you demonstrate you are using a MAC and not
simply triple-DES?

[ markt@harlequin.co.uk | http://www.harlequin.co.uk/ | +44(0)1954 785433 ]
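
The two-channel observation in the message above, as an added example that is not part of the original e-mail or of Rivest's paper: a receiver that winnows by MAC, and a second receiver that ignores the plaintext bit field entirely and recovers each bit by testing the MAC against 0 and 1. HMAC-SHA256, the 8-byte serial encoding, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 output size (assumed MAC for this example)

def mac(key, serial, bit):
    """Authenticate one (serial, bit) packet."""
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def chaff(key, bits):
    """Emit, per serial number, one wheat packet and one matching chaff packet."""
    stream = []
    for serial, bit in enumerate(bits):
        wheat = (serial, bit, mac(key, serial, bit))
        fake = (serial, 1 - bit, secrets.token_bytes(MAC_LEN))  # random tag, not a valid MAC
        pair = [wheat, fake]
        if secrets.randbits(1):  # randomize order so position reveals nothing
            pair.reverse()
        stream.extend(pair)
    return stream

def winnow(key, stream):
    """Receiver as usually described: keep the packets whose MAC verifies."""
    return [bit for serial, bit, tag in stream
            if hmac.compare_digest(tag, mac(key, serial, bit))]

def recover_from_macs(key, stream):
    """Receiver that never reads the bit field: try each tag against 0 and 1."""
    out = {}
    for serial, _unused_bit, tag in stream:
        for guess in (0, 1):
            if hmac.compare_digest(tag, mac(key, serial, guess)):
                out[serial] = guess
    return [out[s] for s in sorted(out)]

def demo():
    key = secrets.token_bytes(32)      # constructed key
    bits = [1, 0, 1, 1, 0, 0, 1, 0]    # constructed message
    stream = chaff(key, bits)
    return bits, winnow(key, stream), recover_from_macs(key, stream)
```

The second receiver does two MAC computations per packet instead of one, which is the doubled workload the message mentions.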