Cryptography and Steganography

overview for students in my "Defense Against Dark Information" seminar

Business and government web sites routinely use cryptography to prevent personal information (credit card numbers, etc.) from being intercepted by criminals.  Cryptography is also widely used by privacy advocates who think email should be more like a letter than a postcard.  Some countries only allow those forms of cryptography that their secret police can decipher.  While privacy advocates in more democratic countries may use cryptography as a political statement, democracy activists in less democratic countries (plus terrorists, drug dealers, and pornographers) may worry that encrypting email will alert the secret police that they are "up to something", even if the police can't decrypt the message.  Steganography (hiding a message in a seemingly harmless file, such as a "vacation picture") makes it harder (but not necessarily impossible) to even detect the presence of a secret message.

Assuming it is legal in your country for you to use cryptography or steganography today, there are still some possible risks you should consider:
Deliberate inclusion of back doors or accidental inclusion of security vulnerabilities can be problems with any software (e.g., your word processor), especially if the source code is kept secret.  "Open source" software (for which source code, not just the compiled or .EXE file, is available to the public) may be safer, because back doors or other security issues are more likely to be detected. For example, three computer security researchers say they found lots of problems in software of a leading electronic voting system, once the "secret" software appeared on the web.  The CEO of the company that makes the voting machines in question is a leading fundraiser for the Bush campaign, but he says the election-systems division is run by a "registered Democrat."  Their political inclinations wouldn't matter if all aspects of the voting machine hardware and software were open to public scrutiny.  If you have the economic power of the Chinese government, you may be able to get access to normally secret source code.

Open source software may also be less complex, especially if the complexity of some commercial software is intended mainly to prevent compatibility with competitors' software!  Some computer security experts have suggested that the resulting "complexity is the first enemy of security" because it makes back doors and other problems harder to find, even for those with access to the source code.  (The first author of that report has since been fired.)  The report also suggested that "monoculture" (domination by a single operating system) makes it easier for viruses to spread, but here's a contrary opinion.

If you want to try cryptography, Pretty Good Privacy (PGP) is a popular open source program.  It has been around long enough that any security problems probably would have been detected by now, despite some rumors.  Of course, encrypting your messages doesn't keep them secret if someone has installed a keystroke logger on your computer (perhaps by emailing it to you as a computer virus).   Here are some sources of the PGP software:
http://web.mit.edu/network/pgp.html
http://www.pgp.com
http://www.pgpeurope.com/
You can try it by sending me an encrypted message using my public key.

Two steganography programs that I have used (a little) are CameraShy and S-tools.  I downloaded both from StegoArchive.  I don't guarantee that either is free from malicious code, but haven't had any problems so far.  Either program can hide messages in a .GIF picture in a way that wouldn't be obvious to the average person.  The secret police could probably detect (if not decode) the message pretty easily, but can they arrest you for forwarding a picture to a friend?
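To illustrate why detection can be easier than decoding, here is an added example (not code from CameraShy, S-tools or this seminar). It assumes the simplest hiding scheme, least-significant-bit replacement, which this page does not claim either program uses; a constructed list of 8-bit values stands in for image data, and all function names and the threshold are hypothetical.

```python
import hashlib
from collections import Counter

def keystream_bits(n, seed=b"constructed-demo"):
    """n pseudo-random bits (SHA-256 in counter mode), a stand-in for an encrypted message."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:n]

def embed_lsb(samples, bits):
    """Overwrite the least-significant bit of the first len(bits) samples."""
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out

def pair_imbalance(samples, min_count=10):
    """Mean chi-square contribution per value pair (2k, 2k+1).

    LSB replacement only moves a sample between the two values of its pair,
    so random-looking message bits pull both counts toward their average.
    Near 1 means balanced pairs (suspicious); unmodified images tend to score higher.
    Returns None when no pair holds enough samples to judge.
    """
    hist = Counter(samples)
    total, pairs = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        if a + b < min_count:
            continue
        expected = (a + b) / 2
        total += ((a - expected) ** 2 + (b - expected) ** 2) / expected
        pairs += 1
    return total / pairs if pairs else None

def looks_embedded(samples, threshold=3.0):
    """Flag data whose value pairs are balanced; threshold is an assumed cut-off."""
    score = pair_imbalance(samples)
    return score is not None and score < threshold

# Constructed cover: 32 value pairs, each even value 40 times, each odd value 10 times.
COVER = [v for v in range(64) for _ in range(40 if v % 2 == 0 else 10)]
STEGO = embed_lsb(COVER, keystream_bits(len(COVER)))

if __name__ == "__main__":
    print("cover:", pair_imbalance(COVER), looks_embedded(COVER))
    print("stego:", round(pair_imbalance(STEGO), 2), looks_embedded(STEGO))
```

The detector never reads the message bits, only the histogram. A short message changes few samples, so the signal weakens as the hidden payload gets smaller relative to the file.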

If you want to try CameraShy (detailed instructions here), the image below has hidden information (needed by an "underground group" to achieve their goals).  The password is Dark and the "signature" is Information