Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encrypted Images Vulnerable To New Attack

Posted by kdawson on from the bye-bye-deniability dept.

rifles only writes "A German techie has found a remarkably simple way to discern some of the content of encrypted volumes containing images. The encrypted images don't reveal themselves totally, but in many cases do let an attacker see the outline of a high-contrast image. The attack works regardless of the encryption algorithm used (the widely-used AES for instance), and affects all utilities that use single symmetric keys. More significant to police around the world struggling with criminal and terrorist use of encryption, the attack also breaks the ability of users to 'hide' separate encrypted volumes inside already encrypted volumes, whose existence can now for the first time be revealed." The discoverer of this attack works for a company making full-disk encryption software; their product, TurboCrypt, has already been enhanced to defeat the attack. Other on-the-fly encryption products will probably be similarly enhanced, as the discoverer asserts: "To our knowledge is the described method free of patents and the author can confirm that he hasn't applied for protection."

8 of 155 comments (clear)

  1. Confusing by Rui+del-Negro · · Score: 5, Insightful

    Is it just me or does anyone else get the feeling that the original story confuses two completely different concepts (digital photos and drive images)?

  2. Only works on uncompressed bitmaps by mrbah · · Score: 5, Informative

    The article points out that this attack only works with uncompressed bitmaps with extremely low entropy. This is hardly a cause for alarm.

  3. Re:Watermark? by profplump · · Score: 5, Interesting

    Or CBC mode? Or any of a dozen other ways to prevent this well-known attack on ECB mode encryption? http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

    Yes. And apparently TurboCrypt now supports such things too, hence the press release.

  4. Re:Watermark? by mikenap · · Score: 5, Informative

    The cause is similar to the watermarking attack, but the idea is used backwards. The watermarking attack reveals the presence of maliciously constructed decoy plaintext encrypted by the user, whereas this attack reveals information about the change in an unknown plaintext.

    In both attacks the issue is that the salt, as you call it, is constant for a given disk block. If that salt can be predicted, a decoy plaintext can be revealed in the ciphertext. If data is changed while using the same salt, sections of identical plaintext before and after the change can be identified.

  5. Old news for TrueCrypt by martinw89 · · Score: 5, Informative

    Not only is the sensationalist article/summary only pertinent to uncompressed bitmaps, TrueCrypt has warned their users about backing up hidden volumes for a long time (source). In fact, it's the first precaution in how to keep your hidden volume secure.

    So people worrying about steganography on TrueCrypt volumes shouldn't, they've been telling you how to keep these volumes secure already.

  6. Re:Watermark? by mikenap · · Score: 5, Informative

    By breaking the disk up into sectors, each of which start a new chain. The problem is an IV is used to "start" the CBC chain, and this IV is static as the underlying plaintext changes. So new changes on the same point of the HD get encrypted with the same IV.

  7. RLE in images by DrYak · · Score: 5, Informative

    Plain JPEG uses runlength and huffman encoding on the quantized matrix obtained after DCT.
    This is relatively efficient because there are a lot of long string of repeats in the matrix (see Wikipedia article).

    (This is where some applications such as Stuffit have been able to non-destructively increase the compression of JPEGs and gain a couple of 1% by using better algorithms to store the quantized results)

    In lossless mode, JPEG uses instead Arithmetic coding on the raw non-quantized results of DCT.

    PNG uses LZ77 (either on the raw pixels or on a delta) wich is an entirely different beast. As pointed out by other /.ers it's a *dictionary* compression which replace repeat parts with pointer to where to they where repeated first :
    "ABACDABA" becomes "ABACD{go back 5 letters and copy 3 letters}"
    It doesn't need a separate RLE mode, because the dictionary can be abused as follow :
    "ACCCCCC" in RLE is "A{repeat 6xC}" and in LZ77 is "AC{go back 1 and copy 5 letter}"

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  8. Border Agent attack by SmilingSalmon · · Score: 5, Insightful

    Lots of people here are talking about users backing up their own data, but what about a border agent backing up your data? There's some real danger. Let's say you regularly pass through an international border where the country has a policy of making back ups of your laptop drives. Many corporate travelers are in this situation. The border agent takes a quick snapshot of your drive on Monday morning. You leave the country on Friday, but return the following Monday. When you return next Monday, they take another snapshot. Bingo. If any of your files have changed but the drive key is the same, they've got the backup they need to prove you have a hidden drive and even find the vulnerable images.