Steganography from weak cryptography

Steganograph y from w eak cryptograph y B. ˇ Sk ori ´ c Abstract W e introduce a problem setting which w e call “the freedom fighters’ problem”. It subtly differs from the p risoners’ problem. W e prop ose a steganographic meth od that allow s Alice and Bob to fo ol W endy the warden in this setting. Their messages are hidden in encryption keys. The recipien t has no prior knowledge of these keys, and has to cryptanalyze ciphertext s in order to reco ver t h em. W e show an example of the protocol and give a p artial security analysis. 1 In tro duction Usually , the aim of stegano graphy is to send a secret messa ge M hidden in an or dinary data stream S (the ‘cov ertext’) in such a wa y that the adversary do es not susp ect the presence of M . This setting was forma lized by Simmons in [2], wher e he introduced the “prisoners ’ problem”. Two prisoners , ca lled Alice and Bob, are lo cated in differen t cells and wish to devise an es c ap e plan. They are allowed to exchange written messag es. Howev er, W endy the warden insp ects all messages. If any message looks suspicious she will immedia tely punish them, ruining all their hopes of escap e. Her s uspicion is ar oused b y e.g. refer ences to esca p e, unusual phrases and formatting, or anything resembling encryption. In this pap er we descr ibe a stegano graphic technique for a somewhat different setting, which could be called the “free do m fighters’ pr oblem”. The freedom fighters Alice a nd Bob wish to plan an event. They communicate ov er an insecur e channel whic h is eav esdro pped on by their p ow erful adversary W endy . The cir cumstances a re as follows. • W endy allows Alice and Bob to discuss anything they wish. She never blo cks a mess a ge. • W endy will punish Alice and Bob if she catches them putting their plans int o actio n. • Alice and Bob know that W endy will watc h them very c losely if they use unbreak a ble 1 crypto. Such surveillance will preven t them fr o m r ealizing their even t. • Alice and Bo b know that W endy is highly adept at steganaly s is and cryptanaly sis. The aim of the freedom fighters is to discuss their pla n without W endy learning what the plan is, and then to put the plan into actio n. W e prop ose the following solution. Alice encr ypts a cov ertext with a key tha t ca rries the secret mesag e M . She inten tionally us e s a weak cipher that is relatively easy to bre ak, so that Bob can recover the key by brea king the encryption. W endy will of course also break the encryption, but she will fo cus far mor e o n the covertext than on the precise v alue of the e mploy ed key . In or der not to alert W endy to the messa ge pres ent in the key , Alice and Bob use a s econd cipher to encrypt the hidden mes sage so tha t the key lo oks random. This s cheme is different from [3, 1], where messages are hidden in the random input o f ra n- domized s ignatures. Our sys tem is effective b ecause W endy has no reason to b elieve that Alice and Bob ar e sending ciphertext to each o ther for which t he r e cipient do es not have the de cryption key . Below we present an example of this scheme. 1 This is the m ain difference with the pri s oners’ problem, where any form of crypto is punished. 1 2 An example of the p roto col Alice and Bob have a sha red s e cret key K . They hav e agreed o n tw o symmetric cipher s: A stro ng cipher C 1 and a second, weak c ipher C 2 . The weak cipher is e.g. a block cipher with a k nown weakness such a s a to o sho rt key , or an impressive-lo oking but flaw ed cipher co oked up by Alice and Bo b. C 2 works with keys of length ℓ 2 . Alice wan ts to send a secret message M to Bob, hidden in cov ertext S . They per fo rm the fo llowing steps: 1. Alice encrypts the messag e M with the shar ed key K . κ = E (1) K [ M ] . The sup ers c ript ‘1’ r efers to the cipher C 1 . She then cuts the cipher text into n pieces of length ℓ 2 (padding if nec e s sary), κ = κ 1 || · · · || κ n . 2. Alice c o mp o ses a n umber of covertext messages S i , i = 1 , . . . , n . The length of these mes- sages is a r bitrary . The messages are written in ordinar y languag e, or in so me o ther highly redundant format. 3. Alice computes the following encryptio ns , using the weak cipher : c i = E (2) κ i [ S i ] . Over time she s ends these n ciphertexts to Bob. 4. F or ea ch i , Bob br e aks the encry ption, obtaining S i and κ i from c i . His ability to do so is g ua ranteed by the weakness of the cipher C 2 and the fac t that S i contains a lot of redundancy 2 . 5. Using the shar ed key K , Bob recons tr ucts Alice’s messa ge as follows M = D (1) K  κ 1 || · · · || κ n  . Then Bob sends a reply to Alice in the same w ay , etc. (Alternatively , Alice and Bob exchange ciphertexts in an interlea ved manner, i.e. Alice sends c Alice 1 , then Bob sends c Bob 1 in res po nse, then Alice sends c Alice 2 etc. This allows for more natural lo oking cov ertexts, s ince communication with one messag e at a time lo oks more natural than n messages in one direction followed by n messages in the o ther direction. The e xchange o f cov ertexts lo oks like a normal conv ersa tio n, with each cov ertext containing references to the preceding cov ertexts. The mess a ge M , on the other hand, can of cour s e b e r econstructed only after receiving n c overtexts; so in ter ms of messag e exchanges the hidden conv ersation is n times slow er tha n the cover conv ersation.) Of cours e , W endy to o is ca pa ble of breaking the C 2 encryption. F rom the ciphertexts c i she obtains S i and κ i . She will assume that the S i are g e n uine messages. She has no r e ason to assume that Alic e is sending encrypte d data for which Bob has no de cryption key! In contrast, it is e ntirely believ able to W endy that they a re ent rusting their secr ets to a weak cipher. Ther e a re many historical examples of p eople thinking that their home-brewed ciphers are invincible. Being a g o o d cryptanalys t, W endy will wonder what kind of key s chedule Alice and Bob are using. She will notice that in g eneral κ 1 6 = κ 2 · · · 6 = κ n . How ever, the cipher C 1 will preven t her from finding any regularity , provided that C 1 is strong enough. The lack of regularity in the sequence o f keys κ 1 , · · · , κ n will not aro use suspicio n in W endy; Alice and Bo b may hav e set up a list of o ne-time keys in the past, or they could b e us ing some key up dating schedule. Alice and Bob make sure that the exchange of cov ertext messag es lo oks ‘nor mal’, which in this case means tha t it must lo ok like an exchange of highly co nfident ial informa tion, i.e. the kind of data that would never be sent in pla int ext. They may also so metimes refer to a ‘key sc hedule’ for 2 T o aid Bob’s cr yptanalysis, Al ice may also include pieces of plain text in S i that are known to Bob beforehand. 2 determining the κ i keys (o f c o urse co mpletely fake), thus convincing W endy that the κ i v alues are of no direct impo rtance. A nice prop er ty of our s cheme is that a convincing-loo king cov ertext ca n misdirect W endy in many wa ys. Most notably , the cov ertext may directly contradict the secret message. R emark : The bit rate of the hidden channel is ra ther low: ℓ 2 bits of cipher text p er exchanged message. 3 Securit y analysis Of cour se, publishing abo ut a steg anogra phic scheme gives it aw ay . O nce the adversary susp ects that there could b e a payload in the encr yption keys κ i , she will star t paying a tten tion to them and s tart distrusting S i . The stegana lysis is now a matter of A. detecting if there is anything fishy ab out the set { κ i } , and B. breaking the C 1 -encryption. A thorough analys is of part A is no n trivial, and we will no t attempt it in this pap er. The fact that the encryption k ey v arie s do es not, in itself, automa tically raise suspicio n. First, Alice and Bob may simply hav e agre e d o n a list o f o ne-time keys. Second, they may b e using a proto col inv olving session k ey upda tes. Several protocols are known in the literature where a ses sion key gets up dated, e.g. using a has h c hain, in order to provide backw ard security . It dep ends on the circ ums ta nces if W endy has rea s ons to disb elieve these p os sibilities. (Note that this ha s implications for so-called ‘deniable encryption’.) The difficult y of part B o f the steganalys is directly translates to the difficult y of cry ptanalysis. The message M remains hidden from W endy if the cipher C 1 is strong enough. R emark : If W endy suc c e eds in part A, then, in the freedom fighters’ pr oblem setting, Alice and Bob have lost, even though M remains sa fe. The y hav e b ecome suspicious and are put under surveillance. Ac kno wledgemen t s W e thank Stefan K atzenbeisser a nd Klaus Kursawe for useful suggestio ns. References [1] R. J. Anderso n, S. V a udenay , B. P reneel, and K. Nyb erg. The newton channel. In Information Hiding, First International Workshop, Pr o c e e dings, V ol. 1174 of L e ctu r e Notes in Computer Scienc e, Springer , pag e s 151 –156 , 1 9 96. [2] G. J. Simmons . The prisoners’ problem a nd the subliminal channel. In CR YPTO , pages 5 1–67, 1983. [3] G. J . Simmons. The subliminal channel and dig ital signature s . In A dvanc es in Cryptolo gy, Pr o c e e dings of EUROCR YPT 1984, V ol. 209 of L e ctur e Notes in Computer Scienc e, Springer , pages 364– 378, 1985 . 3