Forgot your password?
typodupeerror
Data Storage Encryption Privacy Security Linux

Distinguishing Encrypted Data From Random Data? 467

Posted by timothy
from the is-this-a-solved-problem? dept.
gust5av writes "I'm working on a little script to provide very simple and easy to use steganography. I'm using bash together with cryptsetup (without LUKS), and the plausible deniability lies in writing to different parts of a container file. On decryption you specify the offset of the hidden data. Together with a dynamically expanding filesystem, this makes it possible to have an arbitrary number of hidden volumes in a file. It is implausible to reveal the encrypted data without the password, but is it possible to prove there is encrypted data where you claim there's not? If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?"
This discussion has been archived. No new comments can be posted.

Distinguishing Encrypted Data From Random Data?

Comments Filter:
  • After a few whacks on the head with the NYC Yellow Pages (old school, print edition) I think someone could find out which file is encrypted and which is garbage.
    • by parlancex (1322105) on Sunday September 19, 2010 @04:14PM (#33629670)
      I think you're missing the point. Of course after they know that you have some encrypted data on your disk the strength of the encryption becomes moot because they can just drug / beat you until you tell them the key, but what this question is about is hiding encrypted data in unencrypted data so prying eyes can't tell if anything is even there at all.

      For example, there may come a day when airport security could demand you disclose your passwords when they find you are carrying storage with encrypted content using the aforementioned techniques, but they aren't going to drug / beat every single person coming onto an airplane or going across a border. If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you. Another example is there may come a day when any traffic on the Internet that cannot be positively identified as a common protocol with statistically "normal" contents is simply rejected. Maybe not here, maybe not right now, but this kind of idea is still very useful.
      • by Suki I (1546431)

        I think you're missing the point. Of course after they know that you have some encrypted data on your disk the strength of the encryption becomes moot because they can just drug / beat you until you tell them the key, but what this question is about is hiding encrypted data in unencrypted data so prying eyes can't tell if anything is even there at all. For example, there may come a day when airport security could demand you disclose your passwords when they find you are carrying storage with encrypted content using the aforementioned techniques, but they aren't going to drug / beat every single person coming onto an airplane or going across a border. If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you. Another example is there may come a day when any traffic on the Internet that cannot be positively identified as a common protocol with statistically "normal" contents is simply rejected. Maybe not here, maybe not right now, but this kind of idea is still very useful.

        I thought the point was there is one encrypted file and one random file. Properly encrypted data is identical to random data, so let's see how many times the big man can hit you before you tell us which one is which. just like in the XKCD cartoon. Did I miss the point or do we need the drugs and wrench? ;) Even better, a small woman like me and you are helpless. How long do you think you can hold out? LOL

        • by John Hasler (414242) on Sunday September 19, 2010 @04:45PM (#33629848) Homepage

          Try to get your head around the idea that they might have possession of your hard disk but not have possession of you. Or they don't even know who you are. Or they are honest cops, trying to determine if you have violated the rules. They've asked you if there is encrypted data on the laptop, you said no, and they are doing a routine check to verify that. Contrary to popular opinion, "The Man" is not always ready, willing, and able to administer a beating.

          Then there is the possibility that your opponent is not "the Man" but some sort of furtive criminal...

        • by dcollins (135727) on Sunday September 19, 2010 @04:50PM (#33629870) Homepage

          "Did I miss the point or do we need the drugs and wrench?"

          You missed the point. The primary question of the OP is this: "...is it possible to prove there is encrypted data where you claim there's not?"

          Hint: Include the likelihood of false-positives and false-negatives in your "wrench-based" analysis.

          • No, you ALL miss the point. How are you going to explain having a HDD or partition full of "garbage"? Nobody with half a brain will believe you there's nothing encrypted in the noise.

            (Yeah, an entropy file would be easy to explain, but entropy files usually don't come in sizes big enough to hide data in, PLUS, who apart from us here understands what an entropy file is? A judge sure doesn't.)

            Steganography, OTOH, would be very useful. I have around 50 GB of family photos on my machine, that would make for a n

      • by M. Baranczak (726671) on Sunday September 19, 2010 @05:36PM (#33630122)

        they aren't going to drug / beat every single person coming onto an airplane

        If you fly US Airways, there's a $25 service charge if you want to get beaten and drugged before boarding. I remember when that shit used to be included in the base ticket price.

      • by Jeremi (14640) on Sunday September 19, 2010 @05:54PM (#33630244) Homepage

        If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you.

        I've developed a fascinating algorithm for encoding hidden data by slightly modulating breast sizes, but this comment is too small to contain it.

    • Re: (Score:3, Interesting)

      by sjames (1099)

      That's why the deniability matters. They only have so many people available to whack people with the NYC Yellow Pages. You want them to believe there is a low probability that you have any secret to give up under "questioning".

      • Re: (Score:3, Funny)

        by Suki I (1546431)
        I see a market in in automated phone book whacking gadgets! Look for them soon on ThinkGeek.
        • Re: (Score:3, Funny)

          by sjames (1099)

          They will need to give it a significant civilian use, so it should come with an attachment that lets you beat the marketing department and PHBs to death with a paper towel roller.

  • by cpghost (719344) on Sunday September 19, 2010 @03:58PM (#33629538) Homepage
    Encrypted files have maximum entropy, just like absolutely random files. Basically, you can't tell which one is which. However, absolute random noise on a disk isn't all that usual, so any encrypted file (or pure random file) will stand like a sore thumb: it will be highly visible. But, again, you can't tell the difference.
    • by rm999 (775449)

      "However, absolute random noise on a disk isn't all that usual"

      Doesn't compressed data look random?

      • by Omnifarious (11933) * <eric-slash@omnif ... g minus math_god> on Sunday September 19, 2010 @04:05PM (#33629606) Homepage Journal

        Doesn't compressed data look random?

        As an ideal, yes. But compressed data is still pretty distinguishable from random data. In particular, many compression formats have small markers in various places so that the decompressor can attempt to recover a corrupted file. Also, no compression technique is perfect, so even without these the data is still distinguishable.

        • by melikamp (631205) on Sunday September 19, 2010 @05:42PM (#33630142) Homepage Journal

          I've been working on this very problem for a while now. An easier version, even: how to encrypt a single file in a way that makes it indistinguishable from random data? The algorithm must allow for a short password (dozens of bytes), and should be able to encrypt very large files. Optimally, an attacker may see the algorithm and may suspect correctly what the plaintext is, but should still be unable to prove that the given cyphertext is the output of the algorithm. That is, the only way to "prove" that should be by a brute-force password search, whereas finding a working password of a few dozen bytes is proof enough. This is good enough because a brute-force search over 60^30 passwords is kind of slow.

          I further simplified the problem by saying that the size of a file needs not to be hidden: it's a separate task, and a much easier one.

          I have a reason to approach the problem this way. If I have on my computer a file named "one-time-pad.bin", and it looks like a one time pad, then it must be a one time pad. The very existence of an encrypted partition should be enough to convince anyone that there is encrypted data. If a multi-sheaf algorithm is used, then there is a reasonable suspicion that there are multiple sheafs. Either way, the owner seems to be hiding something. Burying data in JPG and similar tricks are also sketchy, as it is almost certainly possible to distinguish (statistically) a benign JPG from the one steganographically altered, although this can be avoided by hiding very little data in very large files. Here, at least, there is an expensive solution.

          I can think of at least one other way to do it, here goes my original description on the internet. Say, we want to use passwords with length up to B bits and encrypt files with length up to M bits. Fix forever B random binary strings of length M each, call them N = {n_1, n_2, ... , n_M}. The set of 2^B passwords is in a bijective correspondence with the set of subsets of N, for example a password like 110101... will select the subset {n_1, n_2, n_4, n_6, ...}. Treat n_i in that subset as integers and add them. Threat the plaintext as an integer and add it to (or XOR with) the result. One can think of it as of constructing a one time pad (one of 2^B) and XORing with it. Even if the attacker knows n_i for each i, and the plaintext (without loss of generality, all zero), and the cyphertext, she still has to decompose the cyphertext as a sum of a subset of N, and even deciding whether or not it can be done is np-hard [wikipedia.org]. The complexity will be exponential as long as both M and B are large, which they are in expected applications.

          The nicest feature here is that with a non-trivial password, the cyphertext will look as random as they get! It will be a sum of carefully pre-selected random numbers, padded with the plaintext.

          One obvious limitation is that each password can only be used once, since similar plaintexts will produce similar hypertexts, but that could be remedied. A bigger problem, IMHO, is that this algorithm requires B random binary strings of length M each to be built-in. Just to give you an idea, if you want to encrypt files of size up to 1 GiB with passwords of size up to 512 bits, then you need to keep around 512 GiB of pad. Either that, or be able to generate really really fast 512 random reals (random here meaning, the same every time, but completely unrelated), which is very sketchy: the reals could easily be so related that the subset sum will allow for a sub-exponential solution.

          I would be very interested to hear from anyone about this idea.

          I may have another way of solving the same hiding problem, and it has to do with a completely different, yet, IMHO, also very fascinating way of turning a short binary string into a very long and random-looking binary string in a one-way [wikipedia.org] fashion. I decided that I won't implement the subset sum solution unless I am totally sure that I cannot find something more elegant, so feel free to steal my idea above and code it in.

          • by chgros (690878) <`gro.x4m' `ta' ` ... g.irneh-selrahc'> on Sunday September 19, 2010 @10:00PM (#33631710) Homepage

            I suggest you read up on cryptography.
            Encryption, in general, is attempting exactly what you're attempting: make plaintext look random.
            What you're trying to defend against is known as a "known-plaintext attack".
            You can use any standard cryptographic approach such as AES-CBC as suggested above.
            For a password-based approach, there are also standard key generation algorithms such as PKCS #5.
            Note that your claim that your approach gives "as random as it gets" data is not true; once you've fixed for all time a set of random numbers, they're no longer "random".
            As for generating random-like numbers deterministically, that's what stream ciphers (e.g. RC4) do.

      • by Joce640k (829181)

        Nope. Imagine compressing a big file full of zeros. Most compressors will produce repeating output for that.

        • They shouldn't. The best (and also most obvious) compression for such a file would be RLE, which would simply result in 2 numbers: 1 for the size of the file, and the other a 0.
    • Parent is correct. If you want to disguise encrypted data with plausible deniability in existing files you should choose files that already contain data with very high entropy such as compressed file formats like mp3, gzip, rar, etc. Assuming the file remains functionally intact it would be extremely difficult or impossible to tell it was modified.
      • by mlyle (148697) on Sunday September 19, 2010 @04:17PM (#33629684)

        Not exactly.

        The problem with steg'ing inside known container formats, compressed container formats, is this:

        Each implementation of the compression algorithm has its nuances. If the majority of an MP3 looks like it was compressed by the iTunes implementation, but then there's a range of output iTunes would not generate (particularly if the input file is known), that's very suspect. Ditto if things like PSNR change, even subtly, for the portion where steganography is in play. Even though compressed data has a great deal of entropy, it IS significantly constrained over random data in that A) known decompression programs must return specified output from it, and B) known compression programs generated this data as output from possibly-known input data.

        If your adversary is the local police or one of your buddies, this stuff doesn't matter. If it's intelligence agencies or research organizations, good luck. Steganography is hard.

        • Re: (Score:3, Interesting)

          by gnasher719 (869701)

          Each implementation of the compression algorithm has its nuances. If the majority of an MP3 looks like it was compressed by the iTunes implementation, but then there's a range of output iTunes would not generate (particularly if the input file is known), that's very suspect.

          Record same LPs to uncompressed audio files. That recording will be pretty unique. Encrypt your data any way you like, then store the encrypted data in the lowest bit of the 16 bit samples. Compress with Apple Lossless or FLAC or whatever you have.

        • Re: (Score:3, Interesting)

          by parlancex (1322105)
          Steganography is hard if you demand high density. That is, a higher ratio of your content vs the content it is being inserted into. It really depends how much encrypted data you need to hide and how much unencrypted data you have to hide it in. If you're hiding less than a kilobyte of encrypted high entropy data in a 6MB high entropy mp3, and your algorithm is intelligent to distribute it evenly into many areas of the file, that's much harder to detect. That said, I didn't say modifying a complex compressed
      • by bytesex (112972) on Sunday September 19, 2010 @04:18PM (#33629694) Homepage

        make it compressed header-less audio. Give 'em a decoder (which will produce noise), and claim you're a scientist and this is you recording Jupiter.

        • Re: (Score:3, Funny)

          by AK Marc (707885)
          When they discover you aren't a scientist, live in your mothers basement, and have never held a job, they'll arrest you for obstruction of justice.
          • by tftp (111690) on Sunday September 19, 2010 @08:39PM (#33631282) Homepage

            When they discover you aren't a scientist

            The GP should record some LP, at 24 bits per sample, at 96 kSa/s, in stereo. It wouldn't be too unusual, especially if he picks a well known music. Classical music will be particularly good here. A typical opera, in .WAV, will be about 4 GB, and there will be at least 8 lower bits that are yours to play with (they are noise from the turntable.)

        • Re: (Score:3, Funny)

          by Menkhaf (627996)

          Better yet: Make it compressed headerless video. Claim you're recording Uranus.

    • Re: (Score:3, Interesting)

      by LihTox (754597)

      Isn't the point of steganography that you add the encrypted data on top of some other data, like a photograph or video, so that it looks like normal noise? I agree that carrying a thumb drive around, filled with random 0s and 1s, would be rather suspicious....

      • by sjames (1099)

        Yes. What TFA talks about isn't actually steganography, it's just hiding the needle in the haystack a bit.

        Real steganography would replace the nearly random least significant bits of something like a photograph with another set of nearly random LOOKING bits that are actually an encrypted message.

        Ideally, it should use a one time pad for encryption. That will make it actually impossible to prove that there is an encrypted message at all. Any photo's LSBs can be "decrypted" to anything (within length constrai

      • by Kjella (173770) on Sunday September 19, 2010 @05:44PM (#33630160) Homepage

        Well, the problem is that it doesn't really apply to compressed data. Compression schemes try packing things as efficiently as possible, so there's relatively little you can add without making it obvious the compression is tampered with. You could try embedding it as some sort of watermark into the photo/video before compression, but that too is difficult and won't hide very much. And most people don't carry tons of BMPs, WAVs and uncompressed AVIs..

        So far it seems most people agree the best way to hide encrypted data is within other encrypted data. You don't have to be super-paranoid to use encryption, my last workplace used full disk encryption and I don't think anyone can seriously accuse you of anything if you just say that "I feared by computer would get stolen, and I could be exposed to identity theft or have my family photos posted online" or something like that.

        The best solutions I have seen work like this:
        1) If you enter both your "normal" password and your "secret password" => access to the normal disk and it'll seamlessly move around any secret data as long as there is room.
        2) If you enter only your "secret" password => access to your secret data.
        3) If you're under duress, you give just the "normal" password and you get just the normal disk. Your hidden data can get overwritten since the encryption software doesn't know about it, but there's no way to prove that there is a secret container or a secret password.

    • Re: (Score:3, Funny)

      by biryokumaru (822262)
      From now on, whenever I go on a flight I'm bringing several DVDs of random data.
    • by butlerm (3112)

      Encrypted files have maximum entropy, just like absolutely random files

      Not true, unless you have a randomly generated key that is as long as the file. You cannot apply any deterministic process to inputs of limited entropy and expect to get output entropy that is strictly speaking (computational complexity wise) higher than the sum of the entropy of the inputs.

    • by shentino (1139071)

      Just say that you copied stuff from /dev/urandom because you like to listen to it better than pirating crap from the RIAA.

    • by v1 (525388) on Sunday September 19, 2010 @05:20PM (#33630008) Homepage Journal

      However, absolute random noise on a disk isn't all that usual,

      Actually, nowadays, it's extremely unusual. Blocks are all zero'd from the factory, and anything you save over them that's later marked free will almost certainly be far from random. (like pieces of pictures, documents, applications, etc)

      Really, statistically speaking, if you wanted to look on a hard drive for encrypted data, your best bet would be to go looking for blocks of high entropy data.

      The only defense against this would be if you did a random wipe of your hard drive when you bought it, and then reinstalled, and patched your OS to automatically random-wipe files before deleting or updating/moving them. But then you get into the area of "this person is obviously going to a lot of work to make it easy to hide something from us", which by itself raises an eyebrow.

      And on that note, I'm a little surprised now that I think about it, that I can't come up with a single example anywhere of a native or add-on OS feature for any OS, that does random-wipe-on-delete. OS X has "erase free space" built into disk utility, and you can find an app to do this for other OSs, but obviously zero'd blocks are not what we need to be creating. And the fact that you have to do this step manually, and it takes HOURS to run usually, is also surprising. I don't know offhand if OS X's "secure empty trash" zeros or randoms, but you're not likely to do that for EVERYTHING you throw away since it takes time, and since a lot of files get moved/deleted by the OS automatically without doing this. (end problem: anyone with a clue knows you can't hide anything in a bunch of zero'd blocks)

      • by xombo (628858) on Sunday September 19, 2010 @06:38PM (#33630560)

        "Secure Empty Trash overwrites your data with digital gibberish"
        From apple's site about Secure Empty Trash feature @ http://www.apple.com/pro/tips/empty_trash.html [apple.com]

      • Re: (Score:3, Insightful)

        by moonbender (547943)

        I'm not so sure high entropy data is all that rare. While the container format makes them distinguishable from completely random data, compressed audio and video files do have very high entropy, I think. And much of the space of a drive will probably be used for movies and music.

      • Re: (Score:3, Insightful)

        by melikamp (631205)

        I won't make a prediction about a proportion, but it seems to me that orphaned blocks of compressed files would seem pretty darn random, and almost everyone has those.

        Also, in GNU/Linux at least, there is shred utility that does what it sounds like: overwrites files with patterns (optionally, with zeroes) before erasing them. May be it works on OS X too?

  • No (Score:3, Interesting)

    by trigeek (662294) on Sunday September 19, 2010 @03:59PM (#33629542)
    Properly encrypted data is indistinguishable from random data. However, just the presence of random files on the system could be incriminating. Perhaps it's better to hide the data in another type of file? Perhaps using the lsb of a bitmap file?
    • Re: (Score:3, Insightful)

      by sjames (1099)

      It would be best to precondition the media by writing random data over the entire thing. For added fun, encrypt the text of various childrens books and write the result to the drive.

    • by ceoyoyo (59147)

      Unless you're using a properly constructed one time pad, which the poster is not, encrypted data is distinguishable from random. The more of it you have, the more distinct it is. With a good encryption algorithm it's not easy, and investigators would probably use other techniques, but it is possible.

    • by butlerm (3112)

      Properly encrypted data is indistinguishable from random data.

      That is the ideal, but hardly the reality. It is strictly _impossible_ for an encrypted version of a non-random data file to have as much real randomness as as a random data file, unless the key is as long as the file. Sure it can look pseudo random, much more random than the output of a pseudo random number generator (depending on the source file), but distinguishing it from real random data is just a matter of having sophisticated enough stat

    • by MBoffin (259181)

      However, just the presence of random files on the system could be incriminating. Perhaps it's better to hide the data in another type of file? Perhaps using the lsb of a bitmap file?

      Or just name the file JavaRandomNumberSeedFile.txt or similar.

  • It depends.... (Score:5, Insightful)

    by TrumpetPower! (190615) <ben@trumpetpower.com> on Sunday September 19, 2010 @04:00PM (#33629562) Homepage

    If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?

    Does the person to whom you give these two files have a rubber hose? Is he a member of the “extraordinary rendition” team?

    The point of steganography is to not get caught in the first place. If you need plausible deniability, you’ve already lost.

    Cheers,

    b&

    • by zill (1690130)

      If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?

      Does the person to whom you give these two files have a rubber hose? Is he a member of the “extraordinary rendition” team?

      The point of steganography is to not get caught in the first place. If you need plausible deniability, you’ve already lost.

      Then why does the field of steganography exist at all? If your claims are true, then there is absolutely no point in studying and researching steganography. Yet dozens of paper are published on the subject matter every year.

      • zill wrote:

        Ben Goren wrote:

        The point of steganography is to not get caught in the first place. If you need plausible deniability, you've already lost.

        Then why does the field of steganography exist at all?

        To keep from getting caught. Duh.

        Cheers,

        b&

      • by Joce640k (829181)

        Simple: Because there's a difference between "the card in this camera has some holiday snaps on it" and "the card in this camera has a file on it which is indistinguishable from random noise".

        One will get you waved through, the other will get you tied up in the back room, drugged and being hit with a wrench.

    • The point of steganography is to not get caught in the first place. If you need plausible deniability, you've already lost.

      No. You are not "lost" if the party examining the files is doing a routine search for encrypted files which usually comes up empty and/or has no access to your person anyway.

  • No. You cannot distinguish between the two. If you could, you would have an attack vector against the encryption. The trick, once you have a key, is to have authentication-strings in your data structure, so you can see whether the key you used is actually correct, and the decrypted data is actually useful. An attack based on this authentication string, is one of the many, many possible attack vectors against encryption. Also, 'random' is not always very 'random'. In the world of cryptography, we need

    • Re: (Score:2, Informative)

      by mysidia (191772)

      Perhaps. But if you use cryptsetup with LUKS, there is a readable header for the encrypted file, you don't need the key to determine encryption has been used. In fact, you can set multiple passphrases that have the authority to decrypt the partition.

      GPG Encrypted data is also distinguishable, regardless of whether you use ASCII armoring or binary .GPG files. There are headers in the encrypted output that can be recognized without having the key to decrypt anything.

      Now if you run 'openssl' from the

    • by Joce640k (829181)

      Maybe you should design it so the encrypted data has some patterns in it (ie. interleaved with the ciphertext)

    • Re: (Score:3, Informative)

      by butlerm (3112)

      You cannot distinguish between the two.

      This is categorically not true, unless the key is as long or longer than the data file (and never used again). There is indeed an attack vector against any encrypted data file if the key length is small by comparison. Statistical analysis plus the slightest idea of what type of data is being encrypted is more than adequate to mount a successful attack (given sufficient computational resources) unless the key is _much_ longer than what is typical today. The lack of c

  • by mclearn (86140) on Sunday September 19, 2010 @04:02PM (#33629580) Homepage
    Perhaps the question is incorrect. If i have a volume with data and a volume with encrypted data, then the encrypted data can be discerned from the non-encrypted data by virtue that there will be patterns detectable in the non-encrypted volume. So technically if you have a drive and there is random data on it but no discernible patterns, then there is either encrypted data on it, or it is an empty drive. It is likely not even factory default since that it likely to have some structure imposed upon it as well. What is the point of carrying around an encrypted volume with the ability for plausible deniability if that plausible deniability requires you to have random data as a volume? The existence of random data will render your plausible deniability claim useless since, by definition, your claim is no longer plausible.
  • LUKS has a header. When I run cryptsetup on an uninitialized volume
    # cryptsetup luksOpen /dev/sdb1 foo
    Device /dev/sdb1 is not a valid LUKS device.

    That means it can tell if the header is valid without a password. So now every offset needs valid LUKS header. Once you've done that, just make a bunch of perfectly valid encrypted volumes. Put real data in them. Install a working operating system that looks used.

  • Do you think that 'I'm just sending random garbage' is going to offer any kind of plausible denyability in any situation where you could expose yourself to prosecution simply for using encryption?

  • by PPH (736903)

    The files on employees computers containing seemingly random data can be assumed to be just that unless they're driving brand new Porsches and have vacation condos in Whistler.

  • Shouldn't (Score:5, Informative)

    by dachshund (300733) on Sunday September 19, 2010 @04:13PM (#33629658)

    AES is designed to be a pseudo-random function (meaning it's evaluated against that criteria). What this means is that /when used properly/ AES encrypted data should be indistinguishable from random data, at least for a distinguisher running in bounded time. If anyone discovers an efficient algorithm that can distinguish this, it'll be a big nail in AES's coffin (and yes, at the very theoretical level I realize that there already are some known weaknesses in AES, but for the moment you're in good shape).

    • Re: (Score:3, Informative)

      by dachshund (300733)

      Erp, I meant Pseudo-Random Permutation, which is indistinguishable from a PRF if the amount of data is realistic.

    • by butlerm (3112)

      AES encrypted data should be indistinguishable from random data, at least for a distinguisher running in bounded time

      That is a mathematical impossibility. The computational complexity of any finite deterministic function of inputs of finite complexity is finite. That means that any necessary analysis can also be conducted in finite time. The only thing protecting AES is the lack of computational resources on the part of attackers. Does anyone really think that thirty years from now it won't be commonplac

      • Re: (Score:3, Insightful)

        by linuxrocks123 (905424)

        Yes. People do.

        We know you can brute-force AES. We also know that if you had a computer the size of the Earth where every piece of matter the size of a grain of sand was an ALU, you wouldn't be able to do it in thousands of years. The only hope attackers have is more sophisticated cryptanalysis techniques. This may or may not happen within 30 years.

        ---linuxrocks123

    • Re:Shouldn't (Score:4, Insightful)

      by ras (84108) <russell-slashdot AT stuart DOT id DOT au> on Sunday September 19, 2010 @10:15PM (#33631778) Homepage

      AES encrypted data should be indistinguishable from random data

      Nope. This assertion has been made here over and over again, and it is out and out wrong . See: http://opensource.dyc.edu/random-vs-encrypted [dyc.edu]

      In essence, encrypted data sticks out like dogs balls because of its high entropy, yet there are enough patterns in it to make it obvious to an expert it isn't just random data. Even if it did look like random data who in the hell is going to believe you are carrying around gig's of data you can trivially generate as needed from /dev/urandom? Nobody.

      So, the problem you have to solve is how you are going to plausibly explain away gig's of what is clearly encrypted crap. Forget TrueCrypt, or any special tools that don't normally come with your Operating System. Their very presence screams "liar!". Forget large encrypted files that don't have any conceivable use, even if they aren't named "my-porn-collection.zip.gpg". After all, its your laptop so a program you use must have put them there, so some program should break if you move them out of the way.

      And finally, once you come up with a way of hiding your encrypted crap, don't go blasting it over the internet. If it became common knowledge the men with rubber hoses may hear of it, rendering your lovely invention useless.

      Some evidently don't agree with this last piece of advise because they have posted their solutions to the problem right here, on one the largest megaphones on the 'net. Fortunately for them, Slashdot has in typical Slashdot fashion come to their rescue. Unlike the piece of miss-information I am responding to which is rated "5, informative", these insightful and informative posts are rated 1. Probably because they necessarily involve long complex commands which are utterly beyond your average slashdotter, which probably means they will rarely be used, which probably means they are right - my last piece of advise is alarmist.

  • crypto is hard (Score:4, Informative)

    by Tom (822) on Sunday September 19, 2010 @04:21PM (#33629710) Homepage Journal

    Hard to say from your question, but if you haven't done already, get yourself some crypto knowledge. Crypto is hard, there is a reason that you are laughed out of the room if you say you've invented a new crypto algorithm and you don't already have strong credentials.

    Randomness is one of the harder computer problems. Especially in steganography, many implementations have been defeated by creating not enough or too much randomness. If you want to hide your message in something, it doesn't matter if your output is distinguishable from randomness, it matters if it is distinguishable from what should be there. Simple approaches like LSB tricks have often fallen because those happen to be not random in many input data.

  • by pedantic bore (740196) on Sunday September 19, 2010 @04:32PM (#33629768)

    If you use AES in ECB mode, then the answer is that it's usually painfully obvious that the original data was structured.

    If you do use chaining (CBC, or something similar), then it will look quite random.

    Excellent example here: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 [wikipedia.org]

  • by symes (835608)
    Arthur Conan Doyle wrote that the best place to hide something was right under the nose of the person looking for it - if someone spots an encrypted file, no matter how well hidden, it says you have something to hide. Instead you could simply print out your secret file in the form of a glossy magazine, something no one in the security world would really be interested in flicking through. Gardeners World or Philosophy Today. And then just leave it lying around, literally. It will be the last place they look.
  • While the data within the encrypted volume should be indistinguishable from randomness, the metadata headers are quite distinguishable. It's pretty obvious if something is a LUKS volume, but within that you shouldn't be able to tell.

  • by mirkurius (133480) on Sunday September 19, 2010 @04:56PM (#33629896)

    Steganographic attempts are considered foiled if someone can detect that there is a secret message, they don't need to be able to retrieve the message in order for the attempt to be considered a failure. I did my Master's project on hiding data in the least significant bitplane of imagery. The trick is to "randomly" scatter your secret message throughout this plane. I showed methods that would allow you to do this so that the data was indistinguishable. You should always encrypt your secret message first so that it looks random, or better yet, shape the statistics of your encoded message to match the noise characteristics that were in the original LSB plane. If you use an image created from a very noisy source, such as a digital camera, and you encrypt the embedded message and scatter it using a reversible algorithm, and iteratively ensure that the statistics of the altered LSB plane look the same as the original LSB plane, I proved that it is not possible for someone to tell that there is a secret message hidden there. However, you need to be careful to use an original image you created yourself, and to destroy the original, because if someone ever compared the original to the one with the embedded message, they could definitely tell there was something altered by comparing the LSB planes.

  • Statistics (Score:4, Interesting)

    by Spazmania (174582) on Sunday September 19, 2010 @05:14PM (#33629990) Homepage

    If you find a file on my hard drive with data you can't readily decode, is it:

    A) Compressed with an unknown compressor
    B) Encrypted with an unknown encryptor
    C) Random bytes used for an encryption process
    D) Random bytes used for something else

    I can't prove that answer D is wrong... but I don't have to because I know that 99% of the time, it's one of the other answers.

    If you want to hide your data, the file must ostensibly have some other purpose... something that isn't obviously a lie. That's what steganography is about. For example, you might download as much of the 1 meter-resolution Google Maps satellite image as fits on your hard disk, save it uncompressed and then store encrypted data in the low-order bit of each byte (3 bytes to a pixel). Coupled with a map application that can display the imagery, it would appear to be one thing (a map) while really being another (a container for encrypted information).

    At that point, unless you capture the encryption software it becomes hard to suspect that there is encrypted data, let alone prove it.

    • If you find a file on my hard drive with data you can't readily decode, is it:

      A) Compressed with an unknown compressor
      B) Encrypted with an unknown encryptor
      C) Random bytes used for an encryption process
      D) Random bytes used for something else

      I can't prove that answer D is wrong... but I don't have to because I know that 99% of the time, it's one of the other answers.....

      OK, let's, as a community, add an (E). Everyone create a file on your laptop, in your home directory, named random.bin, as follows:

      dd if=/dev/urandom of=random.bin bs=4096 count=10000

      The actual value of the count isn't important, as long as it is large enough to create lots of random bits. If lots of people do this, we have “(E) Random bytes because Slashdot told me to”, providing plausible deniability for anyone who needs to use that file to encrypt something important.

  • by PhunkySchtuff (208108) <kai&automatica,com,au> on Sunday September 19, 2010 @05:44PM (#33630158) Homepage

    Rubberhose [iq.org] (Pronounced Marutukku) is transparently deniable encryption, developed by (among others) Julian Assange.
    This seems to do exactly what you're trying to do, so even if you want to go ahead and implement it yourself from scratch, it's worth reading up on what they've done to get some ideas and avoid some potential pitfalls.

    Rubberhose is a computer program which both transparently encrypts data on a storage device, such as a hard drive, and allows you to hide that encrypted data. Unlike conventional disk encryption systems, Rubberhose is the first successful, freely available, practical program of deniable cryptography in the world. It was released in an earlier form in 1997, but has undergone significant changes since that time. The design goal has been to make Rubberhose the most efficient conventional disk encryption system, while also offering the new feature of information hiding.

    Rubberhose is a type of deniable cryptography package. Deniable cryptography gives a person not wanting to disclose the plaintext data corresponding to their encrypted material the ability to show that there is more than one interpretation of the encrypted data. What deniable crypto means in the Rubberhose context is this: if someone grabs your Rubberhose-encrypted hard drive, he or she will know there is encrypted material on it, but not how much -- thus allowing you to hide the existence of some of your data.

  • by BoRegardless (721219) on Sunday September 19, 2010 @07:57PM (#33631030)

    What happens if you use the old "torn sheet of paper" routine?

    Each drive or device moving from A to B goes with a different courier/ISP/method and no "piece" contains enough information to be identifiable or usable.

    All the pieces need to arrive at the destination to be able to be re-constructed back into usable form.

    Any time you send a complete message in one burp, one hard drive or one CD or one image, there is a chance for decryption by any number of accidents or threat of death to all your family members one person at a time while you watch.

    No encryption was used in the creation of this message...thus I have deniability.

A Fortran compiler is the hobgoblin of little minis.

Working...