[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Chaffing and winnowing

To: [email protected]
Subject: Re: Chaffing and winnowing
From: Mark Tillotson <[email protected]>
Date: Thu, 14 May 1998 13:07:38 +0100
CC: [email protected], [email protected], [email protected], [email protected], [email protected]
In-reply-to: <[email protected]> (message from Stephen Zanderon 13 May 1998 09:32:46 -0700)
Sender: [email protected]

Stephen Zander <[email protected]> wrote:
| 
| But wasn't that the gist of Rivest's paper: he's not encrypting the
| message, he's just obscuring it really, really well.

His point is that the message packets start out readable, and then by
adding other packets (not altering the originals) you gain security,
whether intentional or not - apparently encryption is performed by
accident and without a key.

So he argues that since this technique transforms a cleartext stream
to a secure one without use of any cryptographic technique or
algorithm, no act of encryption has happened.

However it is not that simple - for a start to gain real security you have
to be careful to mingle streams in very precise ways, to lose the
temporal statistics that give away the origins of each packet - you
have to match wheat to chaff on a packet by packet basis to get good
security.  Furthermore you have to use a CSRNG or true random source
to generate fake MACs, or have another MAC key for the complementary
stream(s) - It is not so easy to say that these precautions could be an
accidental act, or that they are entirely non-cryptographic.

However I view the process rather differently.  There are two channels
- the message is carried in the MAC and in the plaintext bits.
Chaffing simply serves to obliterate the plaintext channel.  The
recipient doesn't need to get the plaintext bits at all - they can
simply try the MAC against both 0 and 1, and choose the correct one.
(although this doubles the workload)

Furthermore an "attacker" can't tell, without breaking the MAC scheme,
whether the plaintext is genuine or a blind, and so this makes
chaffing/winnowing an ideal carrier of steganography.  It's like
sending a plaintext file and a ciphertext file together, with an
assertion that they correspond - unless you can prove this assertion
how can an outsider be convinced you are not hiding information in the
ciphertext file?  How can you prove this assertion without giving away
your MAC key?  How can you demonstrate you are using a MAC and not
simply triple-DES?


__Mark
[ [email protected] | http://www.harlequin.co.uk/ | +44(0)1954 785433 ]

Follow-Ups:
- Re: Chaffing and winnowing
  - From: [email protected]

References:
- Re: Chaffing and winnowing
  - From: Stephen Zander <[email protected]>

Prev by Date: Re: Anymous twit dealing in hypocracy
Next by Date: 1998 EPIC Crypto Conference - Last week for Reduced Registration
Prev by thread: Re: Chaffing and winnowing
Next by thread: Re: Chaffing and winnowing
Index(es):
- Date
- Thread