[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: standard for stegonography?

To: [email protected] (Sergey Goldgaber)
Subject: Re: standard for stegonography?
From: [email protected] (Matthew Gream)
Date: Tue, 1 Mar 94 11:08:30 EST
Cc: [email protected], [email protected], [email protected]
In-Reply-To: <[email protected]>; from "Sergey Goldgaber" at Feb 28, 94 06:32:28 pm
Organization: University of Technology, Sydney.
Reply-To: [email protected]
Sender: [email protected]

Earlier, Sergey Goldgaber wrote:

> > encrypts a signature but an identifier so as to know which program actually
>              ^^^^^^^^^
> You were originally referring to PGP in particular, were you not?

Nope.

> Yes, I understand that your proposal is compatible with a variety of other 
> schemes.  However, as you note below, this provides very limited security, 
> unless the key is _non_standardized.

What do you mean by non-standardised ?

> "Pseudo-Stego" can be relatively secure as long as a large number of 
> different hiding schemes/standards are used by the public.  

This is limited by the availability of software and the inherent qualities
medium being used to carry the hidden information. In any case, if the
modulation method(s) is/are public, it by itself can't be used to provide 
any means of security.

> An effective means of ensuring this would be to use the reciever's 
> public-key checksum-value as the standard offset for stego.  The large 
> number of public-keys available make it rather infeasable for one's 
> opponents to try them all.  This, I believe, provides pretty adequate 
> security (assuming one strips any telltale headers off the hidden file 
> beforehand).

As for offset, do you mean that the public-key checksum value determines
how much prepended 'garbage' to skip over before the real stego data 
becomes available ? This still doesn't work, because it means not only a
lot of wasted bandwidth, but makes it a requirement to have a public-key
in the first place -- any unnecessary tie in. All you want is a quick
means to determine whether data has been modulated into the medium, and 
if it has by what particular item of software. This needs to be hidden
by some means (eg (cheaply) : s/ware_id + sigma(i=0-n) passwd[i] + csum)
and, as you say, the information itself needs to be unstructured.

Therefore, you can pull pictures off alt.binaries.pictures.contemporary,
run it though something w/ a password "russian_mole" and see whether your
software says "I see this looks like it has a file created by program
#s/ware_id, let me extract it".

Matthew.
-- 
Matthew Gream. ph: (02)-821-2043. [email protected].
PGPMail and brown paperbags accepted. - Non Servatum -
  ''weirdo's make the world go around'' - A.Watts

Prev by Date: Re: standard for stegonography?
Next by Date: Re: standard for stefonography?
Prev by thread: Re: standard for stegonography?
Next by thread: Re: standard for stegonography?
Index(es):
- Date
- Thread