Cryptography and Steganography
overview for students in my "Defense Against Dark Information"
seminar
Business and government web sites routinely use cryptography to prevent personal
information (credit card numbers, etc.) from being intercepted by
criminals. Cryptography is also widely used by privacy advocates
who think email should be more like a letter than a postcard. Some countries
only allow those forms of cryptography that their secret police can
decipher. While privacy advocates in more democratic
countries
may use cryptography as a political statement, democracy activists in
less democratic countries (plus terrorists,
drug dealers, and
pornographers) may worry that encrypting email will alert the
secret police that they are "up to something", even if they can't
decrypt the message. Steganography
(hiding a message in a seemingly harmless file, such as a "vacation
picture") makes it harder (but not necessarily impossible) to even
detect the presence of a secret message.
Assuming it is legal in your country for you to use cryptography or
steganography
today, there are still some possible risks you should consider:
- If your country becomes less democratic, the new government could
decide to jail or harass everyone who used cryptography back when it
was legal, assuming email was monitored and records were kept (whether
or not such monitoring
and record-keeping was legal or constitutional at the time).
- Your messages may not be as undeciperable or undetectable as you
think. For example, messages hidden in pictures on the web by the
steganographic web browser CameraShy
may be easy to detect (but not decipher), according to one report.
- The cryptography/steganography software could have a "back
door" that allows criminals or the secret
police to spy on you or launch virus attacks.
Deliberate inclusion of back doors or accidental inclusion of security
vulnerabilities can be problems with any software (e.g., your word
processor) , especially if the source code is kept secret.
"Open source" software (for
which source code, not just the compiled or
.EXE file, is available to the public) may be safer, because back doors
or other security issues are more likely to be detected. For example,
three computer security researchers say they found lots
of problems in software of a leading electronic voting system, once
the "secret" software appeared on the web.
The CEO of the company that makes the voting machines in question is a
leading fundraiser
for the Bush campaign, but he says the election-systems division is
run by a "registered Democrat." Their political inclinations
wouldn't matter if all aspects of the voting machine hardware and
software were open to public scrutiny. If you have the economic
power of the Chinese government, you may be able to get access to normally
secret source code.
Open source software may also be less complex, especially if the
complexity of
some commercial software is intended mainly to prevent compatability
with competitor's software! Some computer security experts have suggested
that the resulting "complexity is the first enemy of security" because
it makes back doors and other problems harder to find, even for those
with access to the source code. (The first author of
that report has since been fired.) The report also suggested that "monoculture"
(domination by a single operating system) makes it easier for viruses
to spread, but here's a contrary
opinion.
If you want to try cryptography,
Pretty Good Privacy (PGP) is a popular open source program. It
has been around long enough that any security problems probably would
have been detected by now, despite some rumors.
Of course, encrypting your messages doesn't keep them secret if someone
has installed a keystroke
logger on your computer (perhaps by emailing it to you as a
computer
virus). Here are some sources of the PGP software:
http://web.mit.edu/network/pgp.html
http://www.pgp.com
http://www.pgpeurope.com/
You can try it by sending me an encrypted message using my public key.
Two steganography programs
that I have used (a little) are CameraShy
and S-tools. I
downloaded both from StegoArchive.
I don't guarantee that either is free from malicious code, but haven't
had any problems so far. Either program can hide messages in a
.GIF picture in a way that wouldn't be obvious to the average
person. The secret police could probably detect (if
not decode)
the message pretty easily, but can they arrest you for forwarding a
picture to a friend?
If you want to try CameraShy (detailed instructions here) the
image below has hidden information (needed by an "underground group" to
achieve their goals). The password is Dark and the "signature" is Information
