Clive Robinson • July 30, 2019 10:55 AM
The main problem I see with steganography is that you need lots of hay(stacks) to hide your needles.
It does not need to be steganography, but you are on the right lines.
As per normal we get a hackneyed SigInt Agency argument that Jon Callas rightly pulls up,
- “We also need to be very careful not to take any component or proposal and claim that it proves that the problem [of exceptional access] is either totally solved or totally insoluble.”
It is factually incorrect and the two GCHQ personnel are either liars or idiots, possibly both.
If you turn the argument around you get two states on a spectrum to be considered,
1) totally solved.
2) totally insoluble.
Which incorrectly makes people think that one is the opposite of the other. That is one must be true and the other must be false. It is actually not the case.
For “exceptional access” to work it is predicated on one of two things being true,
1, Breaking the security mechanism between the security end points.
2, Reaching around the security end points.
In most cases it’s generally accepted that fundamental algorithms are sufficiently proof to “Breaking”. Which is why all the nonsense about “backdooring” such protocols is talked about.
Secondly is a very big and incorrect assumption which is that SigInt “Eve” can reach around the security end points of Alice and Bob. Importantly this is only true when the communications end point Eve has can be extended to reach around Alice or Bob’s security end point.
Thus you get the interesting chain of logic for exceptional access. For it to be true then the following has to be true,
1, Eve can break the security mechanism.
2, If not (1) Eve must be able to reach around the security endpoint.
3, For (2) to be true Eve must be able to stop Alice and Bob extending their security end points beyond Eve’s communications end points.
And it’s points (1) and (3) which are very asymmetrically in favour of Alice and Bob.
There are certain security algorithms that have a security proof. Not that they can not be broken but that because all messages are equiprobable all messages of the same length or shorter are just as likely so as an attacker you have no clue as to which is the real message.
That is you can fairly easily make (1) FALSE. Which leaves problem (3) that is what makes it hard or easy for either Eve or Alice and Bob.
Currently as long as the security end point stays on the communications device that can be trivially put under Eve’s control, then Alice and Bob have an insurmountable problem. Because Eve will be able to “reach around to the plaintext”.
But what if Alice and Bob can take their security end point off of the communications end point and beyond Eve’s reach from the communications channel?
Well the insurmountable problem then becomes Eve’s not Alice and Bob’s…
Which is not what either the SigInt agencies or Law Enforcement in particular want you to think about, even though it has been widely known during WWII and very much in the public domain in the 1970’s to early 1980’s…
What Alice and Bob do is use any messaging app as though it was an open broadcast channel, that is any data in the communications channel is treated as available to all. Thus Alice and Bob need to use a method to make the visible data meaningless at all points between their security end points. That is they pre-encrypt the information securely into meaningless data prior to the communications device. That is “off line encryption” in the old sense.
Back in WWII SOE agents encrypted their information via pencil and paper. They would then give only the encrypted message to the radio operator to transmit.
In the same way Alice and Bob can encrypt their information with a secure pencil and paper cipher at which point the information is protected irrespective of the real or imagined messaging app security (which is now irrelevant).
Eve can still go after Alice and Bob’s traffic, but it’s become an “Operational Security” (OpSec) issue for Alice and Bob not a “Communications security” (CommSec) issue.
From Eve’s point of view this is an unmitigated disaster. Because whilst end run attacks around the security endpoints are very very easy with messaging apps running on the communications end point, it requires considerable “Human resources” when going against security end points that have to be found by Eve’s hands.
Whilst OpSec is hard for most people, it is with practice well within the average person’s ability. CommSec is however very different it’s not just hard but impossible for most people as there are so many channels that can be invisibly exploited by SigInt agencies.
The whole point behind these “backdoor” “going dark” arguments is that they are in effect lies. The agenda that is being pushed is unlimited mass surveillance on every citizen at all times 24 by 365.25 for as long as they shall live, if not longer.
What it is not about is all the faux arguments about “super criminals” and “super terrorists” or any other “think of the children” emotive arguments.
In short because Law Enforcement already have no trouble investigating such people irrespective of if they use encryption or not.
For those that want to know more about this subject there are a number of written histories about cold war espionage in the 1950’s through 80’s and the one thing they all have in common with one exception, is they were caught not by CommSec failings but OpSec failings and the human resources of the “Home Security Services”.
The exception was “project VENONA” where OTP pages were “reused” by Soviet personnel,