RE: Steganography

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Fri Sep 28 2001 - 16:07:41 MDT


Smigrodzki, Rafal wrote,
> Harvey Newstrom wrote:
> > Nothing is uncrackable these days, even with brute-force. Encryption is
a
> > temporary solution at best.
>
> ### Here is a message from me: 17, 5, 15, 27, 47, 8, 54.
> It is a message that can easily be decrypted by anybody who has the key,
and the same key can be used > to encode a large number of messages, without
using any advanced cryptographic techniques.
> I am perfectly sure that you, or anybody not informed about the exact
cipher, will never be able to
> decode the message, no matter how powerful your computer might someday be.

You really think this is uncrackable, don't you?

Are you so confident that you would bet me a million dollars on it?

Think hard about this before scrolling down!!!

OK... I am NOT betting a million dollars! (I don't think either of us
could afford it!) I just wanted to see if you really thought this was an
uncrackable code and not just a flippant example thrown out without much
thought.

This code may not be as perfect as you think.

I assume that this is just a simple word replacement code. You took a
common book or document, and replaced each word of your message with its
position number from the document. Your first word is word #17 in the
document. Your second word is #5 in the document. And so forth. If so,
this is a classical code that was used in the Cold War. Such codes were
frequently cracked by both sides. This is why they were discarded in favor
of modern encryption.

Such codes are vulnerable to statistical analysis. If your messages are in
English, your most common word will be "the", the second most common word
will be "and", the third "to", the fourth "of", and so forth. Other
languages would have other statistical numbers for each of their words.
Just applying these statistical probabilities to your messages will decode
most of the words. The rare ones that don't decode could be determined by
context, especially in the case of multiple instances. (Names and locations
may not decode since they are arbitrary labels and not part of the language
vocabulary.)

If this direct approach didn't work, there is still the brute-force method.
Instead of searching for passwords in order or decryption keys in order,
this brute-force search would go through a list of book and document titles
sorted in order of popularity. A fast server connected to an online library
on the Internet could grab the first 54 words of each document and try it as
the solution. If it could do this at a rate of one per second, it could try
86,400 documents in the first day, 604,800 in the first week, 2,628,000 in
the first month, and 31,536,000 in the first year. Using multiple computers
to split up the work could dramatically increase these numbers.

So be honest... Was your message in English or some other natural language
that could be decoded by the statistical frequency of each word? If not,
was your code book a common book likely to be found on the Internet such
that a brute-force search would find it? Or, more specifically, if you had
bet me a million dollars could I have been planning my retirement?

--
Harvey Newstrom <www.HarveyNewstrom.com>
Principal Security Consultant, Newstaff Inc. <www.Newstaff.com>
Board of Directors, Extropy Institute <www.Extropy.org>
Cofounder, Pro-Act <www.ProgressAction.org>



This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 14:40:58 MDT