Re: Steganography - Encryption challenge
From: Craig Stuntz [TeamB] (cstuntz_at_nospam.please)
Date: 09/07/04
- Next message: Kevin: "Re: Your best laptop?"
- Previous message: John Herbster: "Re: A new use for Borland tools..."
- In reply to: Dennis Landi: "Re: Steganography - Encryption challenge"
- Next in thread: John Herbster: "Re: Steganography - Encryption challenge"
- Reply: John Herbster: "Re: Steganography - Encryption challenge"
- Reply: Dennis Landi: "Re: Steganography - Encryption challenge"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 7 Sep 2004 13:28:38 -0700
Dennis Landi wrote:
> I hate message parsing, but I explicitly challenged anyone to post the
> message embedded in the image...
You realize that such challenges are frequently sorta meaningless,
right?
I can type some random gibberish:
a;ajkdsajlksdjlksjdfksajklnxzvcncxvioiuoiuwerfsjklsjlkn,vxcx
...and then challenge anyone to find the "message" hidden within. I
can even write some plaintext:
"a;dsklkjkljjjaiodsjiodjdjsksldsllkskjdjfkalldsf;ad" (Nobody said it
had to be English)
...and put it in an envelope as the "winner" before I post the
challenge.
What's missing? Well, an encryption algorithm, for starters. But
it's easy enough to make up one which will make the plaintext fit the
kinda-random cyphertext. Such an algorithm may turn out to be useless
for anything else, but it will fit the rules of the contest well
enough. I could make one up ahead of time and put it in the envelope
with the "plaintext."
The point is that a cryptosystem is not useful if it can only encrypt
certain data, or if it becomes progressively weaker as the number of
encrypted messages available to the public increases, or if having
access to the application which produced the cyphertext allows you to
crack the encryption more easily (etc.), and you may not be able to
judge any of these things by looking at a single piece of cyphertext.
Based on the fact that Eugene returned the plaintext in a few minutes,
he clearly was aware of what system the competitor was using, and what
its weaknesses were. He may or may not have discovered this by
himself, but a good knowledge of ASM, a disassembler, and a background
in the field of cryptography would be enough. At this point, you know
the algorithm and you have some idea about the implementation. If the
algorithm is insecure, you exploit that to find the plaintext. If the
algorithm is secure, you look for errors in implementation or side
channels. You can't do this by looking at a single cyphertext, but you
don't have to, because it's part of a released product.
In asking folks to spend time working on a single piece of cyphertext,
you're implicitly counting on security via obscurity as part of the
challenge. But in the real world such obscurity doesn't tend to be
practical.
So here's a more meaningful challenge, albeit one which is more likely
to divorce you from your $500: Post an encrypted message along with the
source code for the encryption tool (but not the key). This is really
only one step removed from having a binary EXE, and it opens the
contest to folks without a knowledge of ASM -- which adds only trivial
security against a determined opponent anyway.
-Craig
-- Craig Stuntz [TeamB] . Vertex Systems Corp. . Columbus, OH Delphi/InterBase Weblog : http://blogs.teamb.com/craigstuntz Everything You Need to Know About InterBase Character Sets: http://blogs.teamb.com/craigstuntz/articles/403.aspx
- Next message: Kevin: "Re: Your best laptop?"
- Previous message: John Herbster: "Re: A new use for Borland tools..."
- In reply to: Dennis Landi: "Re: Steganography - Encryption challenge"
- Next in thread: John Herbster: "Re: Steganography - Encryption challenge"
- Reply: John Herbster: "Re: Steganography - Encryption challenge"
- Reply: Dennis Landi: "Re: Steganography - Encryption challenge"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
