[1008] in cryptography@c2.net mail archive


Re: Dorothy and the four Horseman

daemon@ATHENA.MIT.EDU (Phil Karn)
Fri Jun 13 13:10:25 1997

Date: Thu, 12 Jun 1997 15:44:10 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: kentborg@borg.org
CC: dee@cybercash.com, cryptography@c2.net
In-reply-to: <v0310280cafbf89635d4c@[199.3.131.82]> (message from Kent Borg on
	Sat, 7 Jun 1997 18:43:04 -0400)

>I'm not sure what to call it, but let me ask whether anyone has devised a
>"spread spectrum" crypto system?  (This ought to be right up Phil's alley.)
>Or, as I think about it more, it could be put in more standard crypto terms
>as multi-channel stego, where the number of channels is indeterminate.

I've already given this some thought. It would be a form of CDMA
(code division multiple access), a subset of spread spectrum.

The main drawback is efficiency. Well-designed CDMA systems can
substantially increase efficiency on linear RF channels, mainly by
their ability to function at very low (even negative) signal-to-noise
ratios. But on a disk that already has strong FEC coding built in at
the physical layer, the "channel" signal-to-noise ratio is already
infinite. Without the ability to bypass the physical layer stuff,
you'd be squandering all that CDMA redundancy instead of using it to
increase capacity.

It seems to me that all you really need is "plausible deniability"
that a particular random-looking file may be something other than
hidden ciphertext. Just fill up your unused disk space with some files
containing truly random bits; Linux's /dev/urandom makes this very
easy. Be sure to leave the shell scripts that generate these random
files in the clear where they can be easily found.

Think of this as the storage equivalent to message padding used to
defeat traffic analysis.

You might also include a few decoy files, i.e., innocuous plaintext
encrypted with a key you're willing to give up under duress.

Such a scheme could even be automated with some mods to Matt Blaze's
CFS, for example. Just load up the directories with random file names
having the proper hex format and load up the files themselves with
truly random bits. When you need the space for a real file, just
delete a few of the decoys.

As I recall, CFS has a special "..." file consisting of known
plaintext encrypted with the key. This is just a user convenience
feature to verify that the correct key is being used. This should of
course be deleted.

I suspect it was schemes like these that led Eric Hughes to coin the
expression "Use a random number, go to jail". The meaning, I assume,
is that the only way to truly enforce a ban on unescrowed crypto is to
presume guilt whenever the government encounters a file that they
cannot understand and you cannot decrypt. Which would apply even to
files that are truly random and contain no hidden information at all.
Ergo, use a random number, go to jail.

Phil
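A worked illustration of the padding argument in the message above, added here and not part of Phil Karn's mail or of CFS: it writes /dev/urandom-style decoy files under constructed hex names and checks that byte entropy, the usual "is this file encrypted?" heuristic, cannot separate random padding from real ciphertext. It assumes os.urandom as the randomness source and a SHAKE-256 keystream XOR as a stand-in for a real cipher, so it needs only the standard library.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def random_padding(size: int) -> bytes:
    """Truly random decoy content; os.urandom plays the role of /dev/urandom here."""
    return os.urandom(size)


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHAKE-256 keystream): an assumed stand-in for CFS's cipher."""
    keystream = hashlib.shake_256(key).digest(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the statistic that 'is this file encrypted?' heuristics usually rely on."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_comparison(size: int = 65536) -> dict:
    """Entropy of equal-sized plaintext, ciphertext and padding: the last two are indistinguishable."""
    plaintext = (b"The quick brown fox jumps over the lazy dog. " * (size // 45 + 1))[:size]
    return {
        "plaintext": shannon_entropy(plaintext),
        "ciphertext": shannon_entropy(stream_encrypt(b"constructed-key", plaintext)),
        "padding": shannon_entropy(random_padding(size)),
    }


def write_decoys(directory: str, count: int, size: int) -> list:
    """Fill a directory with random-content files under CFS-style hex names (names are constructed)."""
    names = []
    for _ in range(count):
        name = os.urandom(8).hex()  # 16 hex characters, looks like an encrypted filename
        with open(os.path.join(directory, name), "wb") as f:
            f.write(random_padding(size))
        names.append(name)
    return names


def decoy_demo(count: int = 3, size: int = 4096) -> list:
    """Write decoys into a fresh temp directory and return (name, size) pairs for inspection."""
    directory = tempfile.mkdtemp(prefix="decoys-")
    return [(n, os.path.getsize(os.path.join(directory, n))) for n in write_decoys(directory, count, size)]
```

Plaintext lands well below 8 bits per byte while ciphertext and padding both sit just under 8, within noise of each other, which is exactly why the padding files give cover.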
