Steganography (was Brin on privacy)

Eric Watt Forste (arkuat@pobox.com)
Thu, 02 Jan 1997 15:27:04 -0800


Hara Ra wrote:
>> Why do you continue nattering about this topic as if you had never
>> heard of steganography?
>
>I've never heard of it. Could someone direct me to a suitable URL??

Steganography is the art of hiding encrypted messages in naturally
"noisy" data... GIF images, for instance. One implementation is
discussed at http://www.fqa.com/ezstego/

The trick you were discussing about generating final cyphertext that
masqueraded as the .EXE object file format of MS DOS was an example of
a rather specialized form of steganography. There's a potential fax
effect here... as more people use more and more different varieties of
steganographic techniques (and more and more different encryption
algorithms) the kind of surveillance that some people were suggesting is
possible will become even more expensive... and it is *already*
impossibly expensive.

Anyone who is willing to self-educate, even if starting from scratch,
should have zero trouble keeping their messages reasonably secure from
government bodies after reading Schneier's book and poking around in a
few choice places on the 'net, if they are willing to take the time to
read and think critically about what they are reading. For serious
stuff, of course, communications protocols (in the informal diplomatic
sense, not the network programmer's sense) should be worked out in
advance. Cryptographic and steganographic software are just the building
blocks from which secure communications protocols are constructed.
Anyone who understands this much, and is willing to spend the time
studying the design and implementation of such protocols, shouldn't have
much to worry about.

Of course I was interested in John Clark's discussion of evidence as to
how far in advance of the public academic cryptologic community the
NSA had discovered differential and linear cryptanalysis. But once you
introduce carefully designed steganographic protocols into the
environment, the problem is no longer one of cryptanalysis, but rather
of finding the messages you want to cryptanalyze, and this problem is
getting harder all the time. The advent of the Web, a "broadcast" and
"pull" medium, makes the job even harder. Messages stegged into a
periodically updated GIF on a highly trafficked web page go out to
thousands or millions of people, and there is no way to know which of
those recipients are interested, not in the picture, but in the message
hidden within it. So even SIGINT-style traffic analysis starts getting
muddy.

--
Eric Watt Forste ++ arkuat@pobox.com ++ http://www.pobox.com/~arkuat/
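
The following is an added example, not part of the post above and not EzStego's code: it hides stand-in ciphertext bits in the least significant bits of constructed noisy samples, then runs a pairs-of-values chi-square check (a steganalysis test the post does not mention) over the cover and the stego data. The sample data, the key and all function names are assumptions made for the illustration.

```python
import hashlib
import random
from collections import Counter

def keystream_bits(key, nbits):
    """Stand-in for ciphertext bits: SHA-256 in counter mode (demo assumption)."""
    out, counter = [], 0
    while len(out) < nbits:
        block = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return out[:nbits]

def embed_lsb(cover, bits):
    """Overwrite the least significant bit of the first len(bits) samples."""
    if len(bits) > len(cover):
        raise ValueError("payload larger than cover capacity")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego, nbits):
    return [sample & 1 for sample in stego[:nbits]]

def pov_score(samples, min_expected=5.0):
    """Chi-square per degree of freedom over value pairs (2k, 2k+1).
    LSB replacement pushes each pair's two counts towards equality, so a
    score near 1 suggests embedding; untouched noisy data scores far higher."""
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected < min_expected:   # skip sparsely populated pairs
            continue
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    return chi2 / max(pairs - 1, 1)

def make_cover(n=20000, seed=1997):
    """Constructed 'noisy' cover: 8-bit samples of Gaussian noise around 128."""
    rng = random.Random(seed)
    return bytes(min(255, max(0, round(rng.gauss(128, 3)))) for _ in range(n))

COVER = make_cover()
BITS = keystream_bits(b"constructed demo key", len(COVER))  # full capacity
STEGO = embed_lsb(COVER, BITS)

if __name__ == "__main__":
    print("cover score:", round(pov_score(COVER), 2))
    print("stego score:", round(pov_score(STEGO), 2))
```

No sample changes by more than one, yet the histogram statistic separates the two data sets when the whole cover is used for embedding.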