[2353] in cryptography@c2.net mail archive
More MAC fun
daemon@ATHENA.MIT.EDU (Steve Reid)
Tue Mar 24 23:06:53 1998
Date: Tue, 24 Mar 1998 17:09:05 -0800 (PST)
From: Steve Reid <sreid@sea-to-sky.net>
To: cryptography@c2.net

After reading about Rivest's Chaffing and Winnowing, it occurred to me
that MACs by their very nature are excellent channels for steganography.
There's no way to determine if those 1s and 0s are valid without the
secret key. So, you can replace some of those bits with encrypted data
and nobody except the intended recipient would know.

It's an obvious thing to do, and I expect it's practical as well.

Suppose you have a protocol that sends packets of plaintext data along
with a 128-bit MAC to detect tampering. Instead of sending the 128-bit
MAC, send 64 bits of encrypted cargo and a 64-bit MAC of the regular
plaintext and the cargo. This would normally cause the recipient to
reject the packet (the 128 bits is not a 128-bit MAC of the plaintext)
so the software would have to be modified to decrypt the cargo and check
the 64-bit MAC. With this done, however, the protocol behaves just as
before (any tampering is detected by the 64-bit MAC) except that you now
have an invisible channel.

I believe this is more secure than stegoing data into jpegs and such.
Statistical analysis may be able to detect stego in image and sound
files, but MACs are _supposed_ to have the same statistical properties
as encrypted messages.

Comments?
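
The packet layout described in the message above, as an added example that is not part of the original post: it shows that the modified receiver still detects tampering (now with only a 64-bit tag, so forgery resistance is that of a 64-bit MAC rather than a 128-bit one) and that a receiver running the original software rejects the field. HMAC-SHA256 truncation, the XOR keystream standing in for the cargo cipher, the sequence number, and all function and key names are assumptions; the post names no primitives.

```python
import hashlib
import hmac

def _prf(key, data, n):
    # HMAC-SHA256 truncated to n bytes (assumed primitive; the post names none).
    return hmac.new(key, data, hashlib.sha256).digest()[:n]

def _pad(cargo_key, seq):
    # Per-packet 64-bit keystream; a stand-in for whatever cipher protects the cargo.
    return _prf(cargo_key, b"cargo-pad" + seq.to_bytes(8, "big"), 8)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def normal_field(mac_key, seq, plaintext):
    # Unmodified protocol: the 16-byte field is a 128-bit MAC of the packet.
    return _prf(mac_key, seq.to_bytes(8, "big") + plaintext, 16)

def cargo_field(mac_key, cargo_key, seq, plaintext, cargo):
    # Modified sender: 64 bits of encrypted cargo, then a 64-bit MAC that
    # covers the plaintext and the (encrypted) cargo.
    if len(cargo) != 8:
        raise ValueError("cargo must be exactly 8 bytes")
    enc = _xor(cargo, _pad(cargo_key, seq))
    return enc + _prf(mac_key, seq.to_bytes(8, "big") + plaintext + enc, 8)

def open_cargo_field(mac_key, cargo_key, seq, plaintext, field):
    # Modified receiver: check the 64-bit MAC first, then decrypt the cargo.
    # Returns the cargo, or None when the packet fails the integrity check.
    if len(field) != 16:
        return None
    enc, tag = field[:8], field[8:]
    expected = _prf(mac_key, seq.to_bytes(8, "big") + plaintext + enc, 8)
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(enc, _pad(cargo_key, seq))

def unmodified_receiver_accepts(mac_key, seq, plaintext, field):
    # A receiver running the original software expects a full 128-bit MAC.
    return hmac.compare_digest(field, normal_field(mac_key, seq, plaintext))

if __name__ == "__main__":
    mk, ck = b"constructed-mac-key", b"constructed-cargo-key"  # sample keys
    f = cargo_field(mk, ck, 1, b"regular packet data", b"8bytes!!")
    print(f.hex(), open_cargo_field(mk, ck, 1, b"regular packet data", f))
```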