Distinguishing Encrypted Data From Random Data?

gust5av writes "I'm working on a little script to provide very simple and easy to use steganography. I'm using bash together with cryptsetup (without LUKS), and the plausible deniability lies in writing to different parts of a container file. On decryption you specify the offset of the hidden data. Together with a dynamically expanding filesystem, this makes it possible to have an arbitrary number of hidden volumes in a file. It is implausible to reveal the encrypted data without the password, but is it possible to prove there is encrypted data where you claim there's not? If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?"

iieorjoeghoiuhtr

erjpgoijpoij erghoiehrgoiuh ernnerughoiehrgh poiuhgriuhpoihegh erherhoiuerhgih.

Was that random or encrypted?

Re:iieorjoeghoiuhtr

Trick question! It is random text that's been encrypted!

Re:iieorjoeghoiuhtr

[bennomatic]

Nice. "All your base are belong". You purposely left off the last two words to give a smaller sample to review and potentially recognize patterns.

Re:iieorjoeghoiuhtr

[Volante3192]

Looks Welsh...

Re:iieorjoeghoiuhtr

[flyingkillerrobots]

Neither. It's readily visible the way you just mashed your keyboard, in a rather nonrandom fashion. Dividing the left handed keystrokes from the right handed ones, you get: erg ergerg erergerg greg erererg and jpoijpoij hoihoiuh nnuhoihh poiuhiuhoihh hhoiuhih The 'erg' pattern is near universal with slight variations, and the combination of poiujh (in that order), usually missing one or two of the letters, describes well the vast mojority of the keystrokes with your right hand.

Re:iieorjoeghoiuhtr

[fucket]

Looks more Qwghlmian to me...

Re:iieorjoeghoiuhtr

[by+(1706743)]

Neither. It's readily visible the way you just mashed your keyboard, in a rather nonrandom fashion.

Yeah, but what if he was using Dvorak?

Re:iieorjoeghoiuhtr

[otuz]

Then it would look like:

santeuhsaeouhtsuae auoetnseuoath uaeotnsueo tnsneuaht suanaeu suh saeuohtn saue htseuoatn uaensuehao sueathn euoan sa euons

Re:iieorjoeghoiuhtr

[Mitchell314]

Dammit, I finally get cthulu back to sleep and some jackass wakes him up again.

Re:iieorjoeghoiuhtr

[xaositects]

bloop

Re:iieorjoeghoiuhtr

[batquux]

Well, it's definitely not random. And I doubt it's encrypted. So if it is, you win.

Re:iieorjoeghoiuhtr

[doublebackslash]

Nice reference

Yes he will know

If he works for the NSA

Ignore the person holding the phone book.

[Suki+I]

After a few whacks on the head with the NYC Yellow Pages (old school, print edition) I think someone could find out which file is encrypted and which is garbage.

Re:Ignore the person holding the phone book.

[acnicklas]

Obligatory XKCD: http://www.xkcd.com/538/

Re:Ignore the person holding the phone book.

[parlancex]

I think you're missing the point. Of course after they know that you have some encrypted data on your disk the strength of the encryption becomes moot because they can just drug / beat you until you tell them the key, but what this question is about is hiding encrypted data in unencrypted data so prying eyes can't tell if anything is even there at all.

For example, there may come a day when airport security could demand you disclose your passwords when they find you are carrying storage with encrypted content using the aforementioned techniques, but they aren't going to drug / beat every single person coming onto an airplane or going across a border. If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you. Another example is there may come a day when any traffic on the Internet that cannot be positively identified as a common protocol with statistically "normal" contents is simply rejected. Maybe not here, maybe not right now, but this kind of idea is still very useful.

Re:Ignore the person holding the phone book.

[Suki+I]

I think you're missing the point. Of course after they know that you have some encrypted data on your disk the strength of the encryption becomes moot because they can just drug / beat you until you tell them the key, but what this question is about is hiding encrypted data in unencrypted data so prying eyes can't tell if anything is even there at all. For example, there may come a day when airport security could demand you disclose your passwords when they find you are carrying storage with encrypted content using the aforementioned techniques, but they aren't going to drug / beat every single person coming onto an airplane or going across a border. If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you. Another example is there may come a day when any traffic on the Internet that cannot be positively identified as a common protocol with statistically "normal" contents is simply rejected. Maybe not here, maybe not right now, but this kind of idea is still very useful.

I thought the point was there is one encrypted file and one random file. Properly encrypted data is identical to random data, so let's see how many times the big man can hit you before you tell us which one is which. just like in the XKCD cartoon. Did I miss the point or do we need the drugs and wrench? ;) Even better, a small woman like me and you are helpless. How long do you think you can hold out? LOL

Re:Ignore the person holding the phone book.

[sjames]

That's why the deniability matters. They only have so many people available to whack people with the NYC Yellow Pages. You want them to believe there is a low probability that you have any secret to give up under "questioning".

Re:Ignore the person holding the phone book.

[Suki+I]

I see a market in in automated phone book whacking gadgets! Look for them soon on ThinkGeek.

Re:Ignore the person holding the phone book.

[John+Hasler]

Try to get your head around the idea that they might have possession of your hard disk but not have possession of you. Or they don't even know who you are. Or they are honest cops, trying to determine if you have violated the rules. They've asked you if there is encrypted data on the laptop, you said no, and they are doing a routine check to verify that. Contrary to popular opinion, "The Man" is not always ready, willing, and able to administer a beating.

Then there is the possibility that your opponent is not "the Man" but some sort of furtive criminal...

Re:Ignore the person holding the phone book.

[sjames]

They will need to give it a significant civilian use, so it should come with an attachment that lets you beat the marketing department and PHBs to death with a paper towel roller.

Re:Ignore the person holding the phone book.

[dcollins]

"Did I miss the point or do we need the drugs and wrench?"

You missed the point. The primary question of the OP is this: "...is it possible to prove there is encrypted data where you claim there's not?"

Hint: Include the likelihood of false-positives and false-negatives in your "wrench-based" analysis.

Re:Ignore the person holding the phone book.

[M.+Baranczak]

they aren't going to drug / beat every single person coming onto an airplane

If you fly US Airways, there's a $25 service charge if you want to get beaten and drugged before boarding. I remember when that shit used to be included in the base ticket price.

Re:Ignore the person holding the phone book.

[hitmark]

"Contrary to popular opinion, "The Man" is not always ready, willing, and able to administer a beating."

this largely depends on what kind of nation one live in or visits. Hell, when your traveling between nations your in legal terms outside of all law...

Re:Ignore the person holding the phone book.

[Fjandr]

True, and yet all that is all still completely irrelevant to the question that was asked.

Re:Ignore the person holding the phone book.

[Jeremi]

If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you.

I've developed a fascinating algorithm for encoding hidden data by slightly modulating breast sizes, but this comment is too small to contain it.

Re:Ignore the person holding the phone book.

[hitmark]

as such, feel free to vote the whole branch "off topic".

Re:Ignore the person holding the phone book.

[John+Hasler]

Hell, when your traveling between nations your in legal terms outside of all law...

Not true. You are subject to the jurisdiction of the nation of registry of your craft.

Re:Ignore the person holding the phone book.

[gmhowell]

If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you.

I've developed a fascinating algorithm for encoding hidden data by slightly modulating breast sizes, but this comment is too small to contain it.

rt: Fermat invented Twitter.

Re:Ignore the person holding the phone book.

[rssrss]

Mod it up!

Re:Ignore the person holding the phone book.

[hedwards]

I think the thing is that unless a lot of people start going around with huge files of random bits, that it's hard to hide more than the smallest things. Even a 50mb wav file can only contain a very small fraction of that amount of information without making it obvious. Likewise a full move isn't going to be that much better.

A better strategy in most parts of the world is to acknowledge that there's encrypted data and just go with a hidden volume within it.

Re:Ignore the person holding the phone book.

[Fjandr]

Unfortunately, no mod points left or I would have done exactly that.

Re:Ignore the person holding the phone book.

[mcrbids]

Why does this thread bring to mind this commentary?

Re:Ignore the person holding the phone book.

[pipedwho]

That's also why it's called 'plausible deniability' and not just deniability. If your excuse is highly unlikely, then you have a plausibility problem.

Re:Ignore the person holding the phone book.

[JWSmythe]

For example, there may come a day when airport security could demand you disclose your passwords when they find you are carrying storage with encrypted content ...

    There's an easy, and preferred solution to that. Don't carry your data with you. Use an encrypted channel, and send the data up to your secure points. Explained simpler, use a VPN to work on your VPN accessible server. All your laptop is at this point, is a dumb terminal.

    Besides the OS, the only data that has been on my laptop are maybe photos taken during the trip. If they ever decided to scrutinize my data, they may find tourist snapshots. Obviously, they'd see the VPN connection software, but you're under no obligation to provide the credentials. Having a plan in place that simply states if someone should be held against their will by the government, their credentials should be considered compromised and must be changed immediately. At the outside, that could mean handling an interrogation (refusing to say anything) until the keys would have been changed. It would be simple enough to provide wrong credentials with an explanation "they revoked my credentials already." It could be overexplained that you must check in with your RSA SecurID which you do not have in your possession.

    We had this plan in place at one shop I was at. And no, we didn't have any top secret data. :) If folks didn't check in at boarding time, or check in after they got out of the airport, their credentials were to be removed immediately. If this happened, they would be reinstated after verifying that they were no longer under duress. We never had to use it though. The only times it was invoked were when the person in question failed to call in or show up to work. :)

    I still haven't seen the TSA nor any other law enforcement agency actually demand credentials for a computer, or a subset like an encrypted partition, unless they already had probable cause for that information. I, as a fine upstanding citizen, have been patted down, my luggage examined, stood in the "totally safe" backscatter X-ray machine, and my private parts touched for the sake of security. Sometimes on a long business trip, that makes up for it. :) I've only been told to turn on my laptop once, and when I told him the battery was dead, that was the end of the story. Is there a subset of Slashdot that has red flags coming out of their asses, or are there just a few too many conspiracy nuts around here, believing government thugs are hiding around every corner?

Re:Ignore the person holding the phone book.

[plover]

If your jpgs look like everybody elses jpgs both visually and under close analytical scrutiny they aren't going to bother you.

But steganographic data stored in images (all kinds of images, not just JPGs) is detectable analytically. I would suspect our TLFs (Three Letter Friends) can easily spot steganography in images, especially given privately developed steganographic analysis software like outguess exists today.

I would also suspect they do it on a massive basis, checking images on eBay, Picasa, flickr, photobucket, etc. The TV news has already squawked about "terrorist messages hidden in pictures on eBay." Without further clarification I can't tell if they meant that they detected steganography; or if they meant a guy was selling a book, the picture of which was an opened page written in Arabic that said "start the jihad on the 20th".

If I were pulling images to look for hidden messages, and if I had the resources of the TLFs, I'd run them through an OCR program, a stego detect program, an image verifier program (because no image file contains random data) and I'd probably be looking at all kinds of analysis, such as testing the JPG quantization for consistency with the tables from the same brand of camera claimed in the EXIF info.

Can I analyze all your hard drive picture files while you stand in line in airport security? Not realistically. But can I start analyzing your on-line pictures as soon as you buy a plane ticket? That's a lot more realistic.

Re:Ignore the person holding the phone book.

[plover]

I think the thing is that unless a lot of people start going around with huge files of random bits, that it's hard to hide more than the smallest things. Even a 50mb wav file can only contain a very small fraction of that amount of information without making it obvious. Likewise a full mov[i]e isn't going to be that much better.

Actually, if the full movie were "Battlefield Earth", I think the random bits would have a much higher chance of being better than the movie.

Re:Ignore the person holding the phone book.

[tombeard]

Think they checked alt.anonymous? That is where I would disseminate my plans for world domination.

Re:Ignore the person holding the phone book.

[uvajed_ekil]

If you fly US Airways, there's a $25 service charge if you want to get beaten and drugged before boarding. I remember when that shit used to be included in the base ticket price.

That's why I generally fly Southwest: the torture (in the form of seating plans based on cattle cars) has always been free, just like the miniature bag of miniature pretzels and miniature cup of juice.

Re:Ignore the person holding the phone book.

[JamesRing]

I think in the US airport security *can* demand that you disclose your login passwords and private key passphrases, ask you to decrypt encrypted data, etc, and you are legally required to comply. I think this is part of the PATRIOT act but I can't cite specific sections.

Re:Ignore the person holding the phone book.

[pwizard2]

I'm just brainstorming here, but I wonder if it would be possible to write a utility that splices encrypted data into one or more files while preserving the integrity of those host files. That way, the same hypothetical utility would be able to store small amounts (several hundred KB at most at a time) of encrypted data in a directory full of otherwise normal files that would still behave as they should. (JPG files would still display correctly, MP3 files would still play, etc) Since the spliced data would be small, there would be nothing to arouse suspicion by having the host files be larger than they should be. The only downside is that you would need a lot of files for some situations, but nearly everyone has a large music and/or porn collection that could be used. When the time comes to decrypt, the hypothetical utility would then extract the encrypted data from each file and reassemble it into a complete decrypted file or message. (remember old multi-floppy spanning zip files before USB sticks became common? Same idea) I'm sure that there is a whole lot of loose ends that would make implementation much harder than it sounds on paper (certainly beyond my current abilities when it comes to building something like that from scratch) but I do remember that years ago viruses frequently embedded themselves in files. It would be nice if that could finally be used for a good purpose.

Re:Ignore the person holding the phone book.

[michelcolman]

What if you're swimming?

Re:Ignore the person holding the phone book.

[hesaigo999ca]

>but what this question is about is hiding encrypted data in unencrypted data so prying eyes can't tell if anything is even there at all
There is always a way...even without touching the actual meta tags of a picture, i could turn around and say that each 100 pixel is actually part of my message, the outcome would be a picture with every 100th pixel not looking right, but good enough to pass a quick scan as the color being different is not too bad when we talk just one pixel...and when you combine all those pixels that are not really pixels together to make the overall data, you can actually come out with a few words ....god enough for setting up a next meeting point or hide a password to an encrypted message elsewhere that the location is not known (national treasure style).

With enough drive someone can very well hide digital data indefinitely without worry....
try doing that with money though, good luck...a mattress can be searched, a bank be robbed or forced to give up the safety deposit box access , a hole can be dug up or even built on....there just is no real safe place for money!

Re:Ignore the person holding the phone book.

[YttriumOxide]

Hell, when your traveling between nations your in legal terms outside of all law...

Not true. You are subject to the jurisdiction of the nation of registry of your craft.

Ah, but of course you can always travel by non-registered craft (while entering or exiting a country's borders in such a craft may be illegal (depending on the laws of the land in question), there's nothing stopping you getting off your "<country> registered boat" on to "unregistered boat" once in the open ocean)

Re:Ignore the person holding the phone book.

[ultranova]

Or they are honest cops, trying to determine if you have violated the rules.

You see, the problem with this argument is that honest cops...

Contrary to popular opinion, "The Man" is not always ready, willing, and able to administer a beating.

...are still perfectly willing to let their less than honest brothers-in-arms administer said beatings.

At this point, I sincerely doubt there are any truly honest cops left. Either they are corrupt themselves, or they are helping hide their friend's corruption, or they know there's corruption in their station but refuse to do anything about it. And "The Man" is infamous for outsourcing torture to foreign lands to work around pesky human rights and other hinderances.

No, you need to avoid drawing any attention in the first place. And you need a false trail of some minor offense to throw to the cops so they don't frame you for anything major, in the likeness of a lizard cutting off its tail when cornered by a bloodthirsty predator. If you're actually doing anything illegal, you'll need stronger precautions still.

Re:Ignore the person holding the phone book.

[Macman408]

Still better than RyanAir; they charge you a $10 fee to process the service charge for you.

Re:Ignore the person holding the phone book.

[Chowderbags]

Airport security is a fucking joke. These are people who are somewhere between mall cop and mannequin with a uniform on it. Most of their knowledge of encryption comes from cereal box decoder rings and what they see on CSI (or for more stupidity, anything by Dan Brown). If your computer can turn on and show some sort of boot screen, they won't know the difference, let alone if you have a file buried on your hard drive that's really an encrypted partition.

Besides, everyone knows that if you are doing illegal things, you keep rings of encryption (whole disk encryption, which decrypted leaves a functioning OS and maybe a few games or basics, then maybe a layer of your personal financial/medical data that you're pretty sure they already know, then a layer of regular porn, then a layer of embarrassing porn, then maybe some minor misdeeds that could get you a slap on the wrist, then a layer of the most brain bleach worthy pics off /b/, then anything you really want to hide). Simple, really. Of course, the better solution is to not fly with a laptop full of incriminating evidence (or to have a 4th amendment that actually means something).

Re:Ignore the person holding the phone book.

[FurtiveGlancer]

You make "furtive" sound bad. You insensitive clod!

Re:Ignore the person holding the phone book.

[elucido]

Try to get your head around the idea that they might have possession of your hard disk but not have possession of you. Or they don't even know who you are. Or they are honest cops, trying to determine if you have violated the rules. They've asked you if there is encrypted data on the laptop, you said no, and they are doing a routine check to verify that. Contrary to popular opinion, "The Man" is not always ready, willing, and able to administer a beating.

Then there is the possibility that your opponent is not "the Man" but some sort of furtive criminal...

Most investigators who investigate these sorts of issues are criminals. They don't follow the law so they are criminals, the difference is the laws don't apply to these national security investigations.

Re:Ignore the person holding the phone book.

[bwayne314]

simple - do what they did back in the day - if you need to do this multiple times, commit it to memory ... if you can get away with a WORM approach, tattoo it on your scalp (assuming you aren't bald).

It's all about entropy

[cpghost]

Encrypted files have maximum entropy, just like absolutely random files. Basically, you can't tell which one is which. However, absolute random noise on a disk isn't all that usual, so any encrypted file (or pure random file) will stand like a sore thumb: it will be highly visible. But, again, you can't tell the difference.

Re:It's all about entropy

[rm999]

"However, absolute random noise on a disk isn't all that usual"

Doesn't compressed data look random?

Re:It's all about entropy

[parlancex]

Parent is correct. If you want to disguise encrypted data with plausible deniability in existing files you should choose files that already contain data with very high entropy such as compressed file formats like mp3, gzip, rar, etc. Assuming the file remains functionally intact it would be extremely difficult or impossible to tell it was modified.

Re:It's all about entropy

[Omnifarious]

Doesn't compressed data look random?

As an ideal, yes. But compressed data is still pretty distinguishable from random data. In particular, many compression formats have small markers in various places so that the decompressor can attempt to recover a corrupted file. Also, no compression technique is perfect, so even without these the data is still distinguishable.

Re:It's all about entropy

[mlyle]

Not exactly.

The problem with steg'ing inside known container formats, compressed container formats, is this:

Each implementation of the compression algorithm has its nuances. If the majority of an MP3 looks like it was compressed by the iTunes implementation, but then there's a range of output iTunes would not generate (particularly if the input file is known), that's very suspect. Ditto if things like PSNR change, even subtly, for the portion where steganography is in play. Even though compressed data has a great deal of entropy, it IS significantly constrained over random data in that A) known decompression programs must return specified output from it, and B) known compression programs generated this data as output from possibly-known input data.

If your adversary is the local police or one of your buddies, this stuff doesn't matter. If it's intelligence agencies or research organizations, good luck. Steganography is hard.

Re:It's all about entropy

[bytesex]

make it compressed header-less audio. Give 'em a decoder (which will produce noise), and claim you're a scientist and this is you recording Jupiter.

Re:It's all about entropy

[nullgraph]

What about compressing the files? The encrypted ones (high entropy) will not compress well while the other files, hopefully not all random noise, will compress much better.

Re:It's all about entropy

[LihTox]

Isn't the point of steganography that you add the encrypted data on top of some other data, like a photograph or video, so that it looks like normal noise? I agree that carrying a thumb drive around, filled with random 0s and 1s, would be rather suspicious....

Re:It's all about entropy

[biryokumaru]

From now on, whenever I go on a flight I'm bringing several DVDs of random data.

Re:It's all about entropy

[gnasher719]

Each implementation of the compression algorithm has its nuances. If the majority of an MP3 looks like it was compressed by the iTunes implementation, but then there's a range of output iTunes would not generate (particularly if the input file is known), that's very suspect.

Record same LPs to uncompressed audio files. That recording will be pretty unique. Encrypt your data any way you like, then store the encrypted data in the lowest bit of the 16 bit samples. Compress with Apple Lossless or FLAC or whatever you have.

Re:It's all about entropy

[Joce640k]

Nope. Imagine compressing a big file full of zeros. Most compressors will produce repeating output for that.

Re:It's all about entropy

[butlerm]

Encrypted files have maximum entropy, just like absolutely random files

Not true, unless you have a randomly generated key that is as long as the file. You cannot apply any deterministic process to inputs of limited entropy and expect to get output entropy that is strictly speaking (computational complexity wise) higher than the sum of the entropy of the inputs.

Re:It's all about entropy

[Americium]

That's the WHOLE point of encryption, if it didn't look random, you could crack it right away.

Re:It's all about entropy

[sjames]

Yes. What TFA talks about isn't actually steganography, it's just hiding the needle in the haystack a bit.

Real steganography would replace the nearly random least significant bits of something like a photograph with another set of nearly random LOOKING bits that are actually an encrypted message.

Ideally, it should use a one time pad for encryption. That will make it actually impossible to prove that there is an encrypted message at all. Any photo's LSBs can be "decrypted" to anything (within length constraints) using the right key.

Re:It's all about entropy

[Americium]

That's also the entire point of TrueCrypt, hiding an encrypted volume within an encrypted volume.

Re:It's all about entropy

[shentino]

Just say that you copied stuff from /dev/urandom because you like to listen to it better than pirating crap from the RIAA.

Re:It's all about entropy

[Jane+Q.+Public]

They shouldn't. The best (and also most obvious) compression for such a file would be RLE, which would simply result in 2 numbers: 1 for the size of the file, and the other a 0.

Re:It's all about entropy

[Captain+Segfault]

Encrypted files have maximum entropy, just like absolutely random files

Not true, unless you have a randomly generated key that is as long as the file. You cannot apply any deterministic process to inputs of limited entropy and expect to get output entropy that is strictly speaking (computational complexity wise) higher than the sum of the entropy of the inputs.

Strictly speaking you're correct, at least until you invoke computational complexity.

Distinguishing a string whose Kolmogorov complexity is 512 bits from one which is genuinely random is not possible, unless you have some sort of magic oracle for the halting problem. Even if you relax "deterministic process" to "deterministic polynomial time process" it's still (almost certainly) exponentially difficult.

Re:It's all about entropy

[v1]

However, absolute random noise on a disk isn't all that usual,

Actually, nowadays, it's extremely unusual. Blocks are all zero'd from the factory, and anything you save over them that's later marked free will almost certainly be far from random. (like pieces of pictures, documents, applications, etc)

Really, statistically speaking, if you wanted to look on a hard drive for encrypted data, your best bet would be to go looking for blocks of high entropy data.

The only defense against this would be if you did a random wipe of your hard drive when you bought it, and then reinstalled, and patched your OS to automatically random-wipe files before deleting or updating/moving them. But then you get into the area of "this person is obviously going to a lot of work to make it easy to hide something from us", which by itself raises an eyebrow.

And on that note, I'm a little surprised now that I think about it, that I can't come up with a single example anywhere of a native or add-on OS feature for any OS, that does random-wipe-on-delete. OS X has "erase free space" built into disk utility, and you can find an app to do this for other OSs, but obviously zero'd blocks are not what we need to be creating. And the fact that you have to do this step manually, and it takes HOURS to run usually, is also surprising. I don't know offhand if OS X's "secure empty trash" zeros or randoms, but you're not likely to do that for EVERYTHING you throw away since it takes time, and since a lot of files get moved/deleted by the OS automatically without doing this. (end problem: anyone with a clue knows you can't hide anything in a bunch of zero'd blocks)

Re:It's all about entropy

[Goaway]

They shouldn't.

They do, and that is all that matters.

Re:It's all about entropy

[melikamp]

I've been working on this very problem for a while now. An easier version, even: how to encrypt a single file in a way that makes it indistinguishable from random data? The algorithm must allow for a short password (dozens of bytes), and should be able to encrypt very large files. Optimally, an attacker may see the algorithm and may suspect correctly what the plaintext is, but should still be unable to prove that the given cyphertext is the output of the algorithm. That is, the only way to "prove" that should be by a brute-force password search, whereas finding a working password of a few dozen bytes is proof enough. This is good enough because a brute-force search over 60^30 passwords is kind of slow.

I further simplified the problem by saying that the size of a file needs not to be hidden: it's a separate task, and a much easier one.

I have a reason to approach the problem this way. If I have on my computer a file named "one-time-pad.bin", and it looks like a one time pad, then it must be a one time pad. The very existence of an encrypted partition should be enough to convince anyone that there is encrypted data. If a multi-sheaf algorithm is used, then there is a reasonable suspicion that there are multiple sheafs. Either way, the owner seems to be hiding something. Burying data in JPG and similar tricks are also sketchy, as it is almost certainly possible to distinguish (statistically) a benign JPG from the one steganographically altered, although this can be avoided by hiding very little data in very large files. Here, at least, there is an expensive solution.

I can think of at least one other way to do it, here goes my original description on the internet. Say, we want to use passwords with length up to B bits and encrypt files with length up to M bits. Fix forever B random binary strings of length M each, call them N = {n_1, n_2, ... , n_M}. The set of 2^B passwords is in a bijective correspondence with the set of subsets of N, for example a password like 110101... will select the subset {n_1, n_2, n_4, n_6, ...}. Treat n_i in that subset as integers and add them. Threat the plaintext as an integer and add it to (or XOR with) the result. One can think of it as of constructing a one time pad (one of 2^B) and XORing with it. Even if the attacker knows n_i for each i, and the plaintext (without loss of generality, all zero), and the cyphertext, she still has to decompose the cyphertext as a sum of a subset of N, and even deciding whether or not it can be done is np-hard. The complexity will be exponential as long as both M and B are large, which they are in expected applications.

The nicest feature here is that with a non-trivial password, the cyphertext will look as random as they get! It will be a sum of carefully pre-selected random numbers, padded with the plaintext.

One obvious limitation is that each password can only be used once, since similar plaintexts will produce similar hypertexts, but that could be remedied. A bigger problem, IMHO, is that this algorithm requires B random binary strings of length M each to be built-in. Just to give you an idea, if you want to encrypt files of size up to 1 GiB with passwords of size up to 512 bits, then you need to keep around 512 GiB of pad. Either that, or be able to generate really really fast 512 random reals (random here meaning, the same every time, but completely unrelated), which is very sketchy: the reals could easily be so related that the subset sum will allow for a sub-exponential solution.

I would be very interested to hear from anyone about this idea.

I may have another way of solving the same hiding problem, and it has to do with a completely different, yet, IMHO, also very fascinating way of turning a short binary string into a very long and random-looking binary string in a one-way fashion. I decided that I won't implement the subset sum solution unless I am totally sure that I cannot find something more elegant, so feel free to steal my idea above and code it in.

Re:It's all about entropy

[Kjella]

Well, the problem is that it doesn't really apply to compressed data. Compression schemes try packing things as efficiently as possible, so there's relatively little you can add without making it obvious the compression is tampered with. You could try embedding it as some sort of watermark into the photo/video before compression, but that too is difficult and won't hide very much. And most people don't carry tons of BMPs, WAVs and uncompressed AVIs..

So far it seems most people agree the best way to hide encrypted data is within other encrypted data. You don't have to be super-paranoid to use encryption, my last workplace used full disk encryption and I don't think anyone can seriously accuse you of anything if you just say that "I feared by computer would get stolen, and I could be exposed to identity theft or have my family photos posted online" or something like that.

The best solutions I have seen work like this:
1) If you enter both your "normal" password and your "secret password" => access to the normal disk and it'll seamlessly move around any secret data as long as there is room.
2) If you enter only your "secret" password => access to your secret data.
3) If you're under duress, you give just the "normal" password and you get just the normal disk. Your hidden data can get overwritten since the encryption software doesn't know about it, but there's no way to prove that there is a secret container or a secret password.

Re:It's all about entropy

[hitmark]

Would that not depend on the settings used, particularly for recovery/checksum?

Re:It's all about entropy

[cperciva]

If all you ever want to compress is files which contain the same byte repeated many times, then yes, that's how you would compress them.

But most compression formats are tuned to produce good results for the sorts of files which people are more likely to need to compress; so even when run-length encoding is used, it will typically have a low limit -- say, 255 -- on the run length.

Re:It's all about entropy

[earthforce_1]

For the very paranoid:

cat /dev/random to your hard disk before creating an encrypted partition.

Re:It's all about entropy

[parlancex]

Steganography is hard if you demand high density. That is, a higher ratio of your content vs the content it is being inserted into. It really depends how much encrypted data you need to hide and how much unencrypted data you have to hide it in. If you're hiding less than a kilobyte of encrypted high entropy data in a 6MB high entropy mp3, and your algorithm is intelligent to distribute it evenly into many areas of the file, that's much harder to detect. That said, I didn't say modifying a complex compressed file format while leaving it functionally intact would be easy, that's the hard part.

Re:It's all about entropy

[linuxrocks123]

I lol'ed at "this is you recording Jupiter". NICE :)

---linuxrocks123

Re:It's all about entropy

[Jane+Q.+Public]

Good point. IIRC there was an old version of PKZIP that did exactly that: RLE first, then Lempel-Ziv-Huffman. It still resulted in very small files.

Re:It's all about entropy

[AK+Marc]

It is both irrelevant and directly addresses the point. The answer is: "There is no such thing as random data that isn't encrypted, so the question need never be asked. If it's 'random' it is encrypted, even if indistinguishable from truly random data." That may not be true in all cases, but true enough for law enforcement to make your life a living hell for having wiped your HDD with a randomizer.

Re:It's all about entropy

[linuxrocks123]

You (and the submitter) might want to have a look at http://eprint.iacr.org/2009/531 which talks about "known-key attacks" on "AES-like permutations". The goal of these types of attacks is to distinguish AES-encrypted data from random noise. Right now, all they can do is break 8 rounds of AES-128, so the answer to OP's question is "right now, AES-encrypted data is indistinguishable from noise".

---linuxrocks123

Re:It's all about entropy

[LanMan04]

Somebody mod this guy interesting.

Re:It's all about entropy

[AK+Marc]

When they discover you aren't a scientist, live in your mothers basement, and have never held a job, they'll arrest you for obstruction of justice.

Re:It's all about entropy

[CarpetShark]

Encrypted files have maximum entropy, just like absolutely random files.

That's absurd. If it was as random as random data, it would BE random data, and therefore garbage to anything you tried to decode it with. By definition, encrypted data contains a pattern. By definition, patterns are not random.

"Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." -- John von Neumann.

Re:It's all about entropy

[hedwards]

If I hadn't already posted, I'd mod you insightful. While a small number of people doing it would look suspicious, a large number of people would make it really hard to deal with.

Reminds me of that old joke, where's the best place to hide a leaf? In a pile of leaves.

Re:It's all about entropy

And on that note, I'm a little surprised now that I think about it, that I can't come up with a single example anywhere of a native or add-on OS feature for any OS, that does random-wipe-on-delete. OS X has "erase free space" built into disk utility

Open the finder then go to the finder preferences; click on the advanced button and check 'empty trash securely'.

Re:It's all about entropy

[xombo]

"Secure Empty Trash overwrites your data with digital gibberish"
From apple's site about Secure Empty Trash feature @ http://www.apple.com/pro/tips/empty_trash.html

Re:It's all about entropy

[Paracelcus]

Wait, wait...
What idiot carries potentially life-ending data? You remember "special administrative measures"? hide it in pornographic DVD ISO's using encrypted stenography and split it up among many rars/pars on different newsgroups.

Re:It's all about entropy

[kumanopuusan]

Deallocated blocks will have content that's far from random, but still high entropy.

In addition to encrypted data, any compressed data should also have high entropy. Pieces of pictures (PNG, JPEG), documents (MS Office, Open Office), audio files (MP3), and video files (MPEG, AVI) will almost all be compressed. Most file formats that are intended to store large amounts of data will employ compression and if that compression is near to optimal, random pieces of files in those formats will have high entropy.

Re:It's all about entropy

[moonbender]

I'm not so sure high entropy data is all that rare. While the container format makes them distinguishable from completely random data, compressed audio and video files do have very high entropy, I think. And much of the space of a drive will probably be used for movies and music.

Re:It's all about entropy

[melikamp]

I won't make a prediction about a proportion, but it seems to me that orphaned blocks of compressed files would seem pretty darn random, and almost everyone has those.

Also, in GNU/Linux at least, there is shred utility that does what it sounds like: overwrites files with patterns (optionally, with zeroes) before erasing them. May be it works on OS X too?

Re:It's all about entropy

[Courageous]

I think you mean that "the perfect encryption algorithm results in data indistinguishable from random". I don't think that you mean any encryption algorithm.

C//

Re:It's all about entropy

[fast+turtle]

most people don't carry tons of BMPs, WAVs and uncompressed AVIs..

Say's You. I routinely carry over 40GB of Porn on my system in AVI/WMV/MPG formats, so there's lots of room to hide stegographic data and since it's porn, if a few of the damn zits don't look quite right, who's gonna bitch? Maybe the damn encoding used was amatuer instead of Professional (cheap bastards).

Not only is it Porn but it's a damn good distraction from them looking into the system to hard.

Re:It's all about entropy

[v1]

Looks like it uses "srm". manning on srm, I would speculate that secure trash empty does a "medium grade" secure:

overwrite the file with 7 US DoD compliant passes (0xF6, 0x00, 0xFF, random, 0x00, 0xFF, random)

Over the course of a lot of hard drive use, that would create a lot of random information in the free space, probably eventually covering most of your free space. It'd still be a good idea to start with a completely randomized partition though.

Another poster just below says "Deallocated blocks will have content that's far from random, but still high entropy."

Not really. Files nowadays are generally stored unfragmented, due to large hard drive capacities. File headers make for easy pickings to sort out what's compressed and what's not. Many apps that store files in encrypted format have headers that can be easily verified as being created by the encryption program. (encrypted disk images for example) If you can identify the file as being compressed, you can handle it differently.

Re:It's all about entropy

[Jahava]

Interesting read, and I can see you've given the problem a lot of thought. Mind if I ask why simply using standard crypto (AES-256) is not adequate? AES with CBC should not be distinguishable from random data.

As for the password-to-AES-key problem, just generate a random 256-bit key and prepend it to the file. If it's random, it shouldn't be distinguishable from the rest of the AES output data. Perform a 256-bit SHA-2 hash of the password and XOR it in with the key (or use a 160-bit SHA-1 hash and repeat the first 96 bits). Use some combination of the file size and date as a salt. Someone who wants to recover the key cannot do it without recovering the password, so, just as you wanted, the fastest path to proof / validation / recovery is your exhaustive password search.

I dunno, you've probably already thought about this, but in the event that you haven't, and in the event that the scotch hasn't made me miss something obviously wrong with this idea, I hope that you find this useful.

Re:It's all about entropy

Nobody's trying to deny that the data looks suspicious. The question is, if someone tells you there's nothing but random numbers on the drive, can you prove that it's a lie? If I tell you that I wiped the disk with random data to delete my video diary for good, can you prove me wrong? This question has serious implications in countries where you have to disclose encryption keys. It's impossible to prove that random-looking data is actually random data, because there's always the possibility of it being the result of one-time-pad encryption. You'd have to prove the non-existence of something. It is therefore unreasonable (and therefore ultimately unlawful) to demand such proof from anyone. So here we are. I claim that it is random data and you can't ask me to prove it. What do you do? Arrest me for carrying random data on a hard disk?

Re:It's all about entropy

[melikamp]

AES looks neat, but I decided to spend some time on this problem because I like how in my case, a successful attack would involve solving an np-complete problem in sub-exponential time. I wonder if that is true for AES...

Re:It's all about entropy

[mlyle]

Still, that 6MB high entropy MP3 was not created by hand. You must be able to hide the data in such a way that not only is the file functionally intact for decompression, but also that the file could be created by an MP3 compressor (probably a known implementation even). The problem may be even further constrained if the input is known.

If there's 100,000 combinations of MP3 compressors and reasonable settings for them, and playing the audio back returns a certain song such that it appears the song was ripped from MP3 or is otherwise tied to original source material (as most all MP3s are)... for each song there's less than 100,000 likely values. If you can fingerprint based on output the likely compressor and settings (not too demanding of a task for at least the common approaches), you can then evaluate how that compressor would compress the entire song and compare for differences. You can also do things like fuzzy comparison against known circulating copies of songs, etc.

Functionally intact is not hard. Making the file have a plausible non-steganography-related history of how it was created against smart people carefully looking at it is hard.

Re:It's all about entropy

[reiisi]

So, the lesson here is that you don't want to have to carry around large amounts of contraband data.

Carry short messages that can be reconstructed from carefully chosen contents of multiple normal files.

An overly simplified implimentation is, for a ten word message, ten files. Ten offest numbers for the key.

(Hmm. One contraband image. 150,000 files. Ouch.)

Re:It's all about entropy

[tftp]

When they discover you aren't a scientist

The GP should record some LP, at 24 bits per sample, at 96 kSa/s, in stereo. It wouldn't be too unusual, especially if he picks a well known music. Classical music will be particularly good here. A typical opera, in .WAV, will be about 4 GB, and there will be at least 8 lower bits that are yours to play with (they are noise from the turntable.)

Re:It's all about entropy

[cpghost]

Thanks for the hint. Please mod parent up!

Re:It's all about entropy

[russ1337]

each person would want to be creating their random cd's themselves..... If someone was to distribute a CD image of 'random data', one could not know if it was truly random or whether it contains something illegal but with weak encryption that could be brute forced by any TLA (Three Letter Agency).

Re:It's all about entropy

[shadow_slicer]

Read parent again. Your AVI/WMV/MPGs are all compressed.

If the stenographic data is added after compression it can still be detected. It is likely the encoder that created them left a unique "fingerprint" in the way it encoded the files. Any deviation from this fingerprint between multiple parts of the same file will tell a determined adversary that there is stenographic data hidden in them.

If the stenographic data is added before compression, it must survive the lossy compression. Since these lossy compression algorithms are designed to keep only the subjectively relevant information, the stenographic data will be subjectively relevant (i.e. clearly visible).

Re:It's all about entropy

[Bill,+Shooter+of+Bul]

Yeah, but a large number of people will never do it. So anyone who does will probably get the mandatory cavity search.

Re:It's all about entropy

[PvtVoid]

Really, statistically speaking, if you wanted to look on a hard drive for encrypted data, your best bet would be to go looking for blocks of high entropy data.

...which is why my new encryption algorithm maps all input files to zeros. They'll never suspect.

Re:It's all about entropy

[gestalt_n_pepper]

You're telling me that encryption doesn't follow zipf's law? Sorry if this is a naive question, but I'm having a hard time figuring out how it wouldn't.

Re:It's all about entropy

[Rockoon]

You are not precisely correct.

The question is not if there is a pattern, but rather if the pattern is distinguishable from random without knowing precisely the pattern to expect (not just what algorithm was used, but also what key)

This is most certainly the case of all high quality encryption methods. If you don't know the key then the pattern just isnt distinguishable. There is no "Hello! I'm AES!" bits.

There is a simple set of tests to confirm this to within any degree of error you want. Begin by encrypting many sets of arbitrary data of whatever length concerns you and then verify that the probability of a given output bit being 0 (or 1) is 50% (within the margin of error you care about.) Then go on to confirm that the correlation between any of the bits is approximately 0 (again within the margin of error you care about.)

Specifically, there is no test to confirm that a given stream is AES encrypted, unless you succeed in decrypting it and can identify that you did in fact succeed.

Re:It's all about entropy

[chgros]

I suggest you read up on cryptography.
Encryption, in general, is attempting exactly what you're attempting: make plaintext look random.
What you're trying to defend against is known as a "known-plaintext attack".
You can use any standard cryptographic approach such as AES-CBC as suggested above.
For a password-based approach, there are also standard key generation algorithms such as PKCS #5.
Note that your claim that your approach gives "as random as it gets" data is not true; once you've fixed for all time a set of random numbers, they're no longer "random".
As for generating random-like numbers deterministically, that's what stream ciphers (e.g. RC4) do.

Re:It's all about entropy

[Captain+Segfault]

To be clear, I'm perfectly aware that there are issues with AES. I was just taking issue with the assertion that no such functions exist!

Re:It's all about entropy

Fix forever B random binary strings of length M each, call them N = {n_1, n_2, ... , n_M}.

1) Suppose that there is some n_[1-m] for which all but one of the B strings has the bit in that position as 0. The attacker can then determine whether that one string is in the one time pad based merely on whether the bit in that position is flipped between the plaintext and the ciphertext.
2) Gaussian elimination = game over. Your strings form a B by M matrix, the plaintext XOR the ciphertext forms a vector of length M, and the "key" is the vector of length B that Gaussian elimination would solve for.

Re:It's all about entropy

[plover]

If the stenographic data is added before compression, it must survive the lossy compression. Since these lossy compression algorithms are designed to keep only the subjectively relevant information, the stenographic data will be subjectively relevant (i.e. clearly visible).

The thing is, porn with random blocky looking artifacts and halos and funny colors is still porn. Most people would say "oh, another crappy internet porn video" and keep a copy of it anyway, because it's porn! During the heyday of analog scrambled Playboy channel, how many teenage boys watched the scrambled channels anyway? Exactly.

You could hide the entire contents of "Jihad for Dummies" in one of those movies and you'd still get a million downloads on youporn.

Re:It's all about entropy

[multipartmixed]

I tried that, but it keeps running out of disk space.

Re:It's all about entropy

As another poster pointed, what you're talking about is the entire point of encryption. And yes, with good cryptography, it's pretty much impossible to decrypt except by brute forcing with all possible key combinations.

Good cryptography is hard, though, which is why it's generally best to leave it up to the experts. Not saying you can't have fun thinking about it, but realize that you're probably not going to come up with anything really new in the field.

I'd suggest started with Applied Cryptography for a primer.

Re:It's all about entropy

[larsbars]

nautilus-actions + wipe or shred or whatever...

Re:It's all about entropy

[Archangel+Michael]

If you're being interrogated "you're a scientist and this is you recording Jupiter." is going to get you into trouble .. unless you're are 1) scientist, and 2) studying Jupiter Noise. IF you fail either of those two tests, you're in for a long stay.

Best advice, be quiet (don't say nuttin)! And if you have to say something, keep it absolutely truthful, but obscure it anyway you want.

"what is this file"

"mm mm"

"What is this file, or we'll beat the crap out of you"

"My stuff"

"What is in it"

"zero's and ones"

Re:It's all about entropy

[sgunhouse]

I recall an article where they proved an image had been altered by recompressing it and then comparing that to the previous version. (The example used was some Taliban-provided image, which had indeed been altered) ...

This ties in with your comment about watermarks or some such. If you use real steganography on a file that was originally compressed (as in, JPEG from your digital camera) the changes are easy enough to detect - so what you really need to do is make it look like something innocent - a real watermark.

Some cameras can provide original raw image data (maybe not in BMP format, but still uncompressed), you could make slight changes to that and get away with it. But modifying data from an originally compressed (using some lossy compression) file is not going to pass muster if they actually look for it.

Re:It's all about entropy

[novalogic]

You could of just said Truecrypt and made it alot shorter...

Re:It's all about entropy

[Menkhaf]

Better yet: Make it compressed headerless video. Claim you're recording Uranus.

Re:It's all about entropy

[ranulf]

Firstly, it's NOT a lot of effort to go to have a fully encrypted drive under linux. I've got one and it was just an installation option. I don't even have anything to hide, it's more about spiting someone if they ever stole my laptop so it'd make life harder for them to sell the laptop. My hard disk effectively is just full of random data.

However, back to the OP, in my opinion, yes it is possible to distinguish random from encrypted.

The mark of a good random generator is uniform distribution of all possible values. As soon as you start adding data to the mix, you're skewing the distribution and so there will be ever so slight distribution deviances. It still might not be possible to tell what's there, but the fact that the section of disk shows none uniform distribution is a good marker that something is there.

Re:It's all about entropy

[Chrisq]

If I hadn't already posted, I'd mod you insightful. While a small number of people doing it would look suspicious, a large number of people would make it really hard to deal with.

Plus as a side benefit eventually someone would find that they were carrying a lost work of Shakespeare.

Re:It's all about entropy

[roman_mir]

TSA goons in a future airport conversing:

-Hey Jimmy, so what's up with that guy, another scientist with a Jupiter recording?
-Yeah, that's 529 Jupiter scientists this week.
-I know, eh. Must be paying well to be a Jupiter scientist.
-Not sure about that, they all live in some place they call "mom's basement".

Re:It's all about entropy

[geggo98]

Encrypted files have maximum entropy, just like absolutely random files. [...]

Sorry, that is not correct. An encryptred file has the entropy of the unencrypted file plus the entropy of the encryption program plus the entropy of the encryption key.

Of course this is the theoretical entropy. In praxis you will not be able to measure it correctly without decrypting the file.

The definition of entropy: Entropy effectively bounds the performance of the strongest lossless (or nearly lossless) compression possible. In this case this theoretical compression would have to break the encryption. But this is a pure implementation detail.

Re:It's all about entropy

[cstacy]

However, absolute random noise on a disk isn't all that usual,

Actually, nowadays, it's extremely unusual. Blocks are all zero'd from the factory, and anything you save over them that's later marked free will almost certainly be far from random. (like pieces of pictures, documents, applications, etc)

How about using stenography on those fragments, marking them as not deleted, and keeping the indexing in some regular JPEGs. (In other words, a file system layered over the deleted files. When a file is deleted normally, the steno-fragment daemon picks it up and adds it to the stenographic free space.)

Re:It's all about entropy

[CarpetShark]

I stand corrected... and more informed. Thanks :)

Re:It's all about entropy

[buck-yar]

Question, does the system prompt you for normal and secret passwords, or just the normal password and you have to enter a command (like mount) to get the secret pw prompt?

The way I do it is to have cryptsetup/mount not automatically mount encrypted partitions. If it did, every bootup it would halt at a password prompt before the login screen. This would be a tell that a partition is encrypted.

If you look at the data on each drive I'm sure someone with knowledge could see data on the drive was encrypted. But to the casual attempt at simply mounting the drive with various filesystem formats, it would just fail (as if the partition was corrupted or the wrong filesystem type was specified).

Re:It's all about entropy

[Humble+Star]

Creating "absolute random noise on a disk" is not easy either since the entropy available on any given machine is probably minuscule compared to the disk space. Writing pseudorandom bits on a disk will not be sufficient to hide non-pseudorandom, encrypted data, especially if the data is big.

Re:It's all about entropy

[v1]

How about using stenography on those fragments

Yep that was the other option I was waiting for someone to bring up. There are two ways to hide something from discovery... out of sight (stenography) and in plain sight. (as discussed above)

You either have to make your data look normal, or make all the rest of the data look just as abnormal as yours. (make your data look unexceptional, one way or another)

Stenography has the advantage of not having to make everything look abnormal. But it has other drawbacks/tradeoffs, such as limited size and limited application. (usually involving hijacking of lowest order bits in things like images or padding slack space such as at the end of files - both of which run risks of being accidentally destroyed since they're using reserved space)

Re:It's all about entropy

[mlyle]

If you're saying to leave the files unaltered, what you're really doing is using the contents of the files as the key, and carrying the enciphered message in the form of offset numbers. Which is really cryptography (and weak cryptography at that), and not steganography.

If you're proposing editing the files on disk to hide the message in them, well.. that's potentially vulnerable to the types of attack I mentioned above. A small amount of modification is no more innocent than a lot of modification when this attack/detection practice applies.

Re:It's all about entropy

[bingoUV]

It is true for most encryption algorithms. But most encryption algorithms are broken - which means that there is a solution taking less time than the brute force method. E.g. Instead of 2^120, there is a clever solution that takes 2^115 attempts for the same sized key. Doesn't mean anything for the practical cracker.

I guess your algorithm might also turn out to be broken in this sense.

Re:It's all about entropy

[ImprovOmega]

To avoid the source being known, you ought to use pictures you've taken yourself. There's no meaningful way to compute PSNR without the source as a reference. MP3's are vulnerable to this kind of analysis because typically one can get the original CD to compare with, or an uncorrupted iTunes file.

As to hiding data in complex file formats, it's reasonably straightforward if you are very familiar with the file format and the mechanics is uses to compress the material. Stomping the ends of an MP3 packet would have less impact overall because headers would be intact and only low order bits would be corrupted leading to minor degradation in sound quality.

I personally wrote a steganography program that hid data in JPEG-2000 files by distributing data to the tail ends of low order packets. Even overwriting half of a high quality file (intelligently) only degraded the PSNR by 10 points or so. It wasn't immediately obvious to the human eye until you started to hit around 3/4 of the original file size.

Re:It's all about entropy

[Bengie]

Even worse with SSDs since TRIM now zeros sectors when not in use. Delete a file, sector gets Zero'd. If you have ANY data in there that isn't marked by the File System, it's probably encrypted stuff.

Re:It's all about entropy

[ImprovOmega]

If the stenographic data is added after compression it can still be detected. It is likely the encoder that created them left a unique "fingerprint" in the way it encoded the files. Any deviation from this fingerprint between multiple parts of the same file will tell a determined adversary that there is stenographic data hidden in them.

As someone who's written programs to do compression of video/audio/images I will say that any relevant "fingerprint" information is going to be in the headers of compressed media files. If you're overwriting headers trying to hide data then you're doing it wrong. Stomping the low order bits of a compressed stream is very much viable and has a similar effect on an image as it would overwriting the low-order bits of an uncompressed bitmap or AVI - negligible to the eye and practically indistinguishable from random noise.

If you do it right, it is imminently possible to hide files in lossy compressed video/audio/images, as long as you avoid headers and sections of the file defining the highest order bits. This requires knowledge of the format and an understanding of the impact of bits in the compressed stream (to avoid the most visually important ones), but it is very, very doable without leaving a meaningful trace.

Re:It's all about entropy

[StikyPad]

It looks like you read the sentence you quoted incorrectly; specifically that you read "usual" as "unusual".

Re:It's all about entropy

[v1]

I wonder what happens when you ask the system to zero a ssd then? the blocks that had already been zero'd would probably not be touched since they were already zeroed. (for performance reasons)

Reason being, for someone with the proper very expensive toys, it's probably not impossible to determine the last state of a flash block before it was last flashed to zero.

Re:It's all about entropy

[mlyle]

OK, but to say it one more time, adjusted this time for your example...

If you take a given JPEG2000 compressor, not all valid JPEG2000 files can be created by a given compression implementation, no matter what the input is. If the input is further constrained in some way -- whether it's constrained to be a particular input or say, just something that came from a Bayer-filtered sensor... the number of possible output files is decreased further.

A smart adversary may be able to prove that the beginning of the file (or other files you have around) was created by a given compressor, but that other portions could never be created by that implementation, thus detecting the steganography.

Re:It's all about entropy

[brm]

That's why I always use an encryption algorithm that makes the encrypted data indistinguishable from sectors full of 0 bytes.

I call it "one-way encryption."

Re:It's all about entropy

[meloneg]

Not an expert on cryptography and had never heard of Zipf's Law before googling it just now. However, my understanding is that one of the fundamental aims of modern cryptography is to not only eliminate Zipf's Law in the resulting cyphertext, but to end up with a cyphertext such that any frequency table you can derive from it is flat. All "words" have equal frequency.

According to my limited knowledge, all (most) ciphers used up through the beginning of the cold war were very vulnerable to statistical analysis attacks based on something akin to Zipf's Law. Bletchly Park rather famously exploited this fact in reference to the Enigma ciphers.

The whole field has been working on overcoming this issue since.

Experts: Feel free to tear this summary apart. I *think* it's roughly accurate. But, I'm no expert in the field.

Re:It's all about entropy

[reiisi]

Changing one byte per file is detectable?

Heh. Well, depending on just where that byte is, yeah, even one byte could be obvious, especially for long messages.

Choosing the files for the message could also be obvious.

Of course, as you point out, for long messages this mixes steganography with cryptography, and the question of how the list of offsets is stored and transferred becomes important and subject to attack. Also, the method of choosing and mapping the offsets could result in a rather weak code.

But I think that's true of all steganography, whether the method of recovering the message is physically stored somewhere or not. (I don't think that variable recovery methods are excluded from the field of steganography?)

Re:It's all about entropy

[gumpish]

You could of just said Truecrypt and made it alot shorter...

Two of the following are nonsensical:

I could have eaten breakfast this morning.

I have eaten breakfast this morning.

I could of eaten breakfast this morning.

I of eaten breakfast this morning.

No

[trigeek]

Properly encrypted data is indistinguishable from random data. However, just the presence of random files on the system could be incriminating. Perhaps it's better to hide the data in another type of file? Perhaps using the lsb of a bitmap file?

Re:No

[sjames]

It would be best to precondition the media by writing random data over the entire thing. For added fun, encrypt the text of various childrens books and write the result to the drive.

Re:No

[butlerm]

Properly encrypted data is indistinguishable from random data.

That is the ideal, but hardly the reality. It is strictly _impossible_ for an encrypted version of a non-random data file to have as much real randomness as as a random data file, unless the key is as long as the file. Sure it can look pseudo random, much more random than the output of a pseudo random number generator (depending on the source file), but distinguishing it from real random data is just a matter of having sophisticated enough statistical tests. The larger the file, the easier it is to tell the difference.

Re:No

[MBoffin]

However, just the presence of random files on the system could be incriminating. Perhaps it's better to hide the data in another type of file? Perhaps using the lsb of a bitmap file?

Or just name the file JavaRandomNumberSeedFile.txt or similar.

Re:No

[maxwell+demon]

What about naming it "OneTimePad"? And when asked, tell them you haven't used it yet, or you would have deleted it.

Re:No

[owski]

Or, actually use the encrypted data as a one time pad and then when pressed use it to decrypt some ordinary data.

Re:No

[TempeTerra]

You have a low slashdot id and a decisive tone; I expect you're right but I'd love to know why. Can you provide a link?

My layman's knowledge of cryptography tells me that compression and encryption algorithms both increase the apparent randomness of their output data relative to the input. I thought that with a decent encryption algorithm you shouldn't be able to get any statistical information about the plaintext as that leads to attack vectors, but maybe I misunderstand and you just can't get much information.

Re:No

[izomiac]

IMHO, a good target would be ReadyBoost on a flash drive. That data is already kinda random, then compressed and encrypted with AES128. It's common and not meant to be decryptable by really anyone. Just have the crypto product stealthily disable that feature while it's running without leaving a trace. As an added benefit, the data is probably destroyed if someone plugs it into a stock Windows computer (I'm not sure on the specifics).

Re:No

[sjames]

If you use a one time pad and get to select key B after encrypting the data it's a trivial exercise. Otherwise it's practically impossible.

Re:No

[kiwix]

Perhaps it's better to hide the data in another type of file? Perhaps using the lsb of a bitmap file?

The LSBs of a bitmap file do not usually have full entropy, so if you hide encrypted data in it, it's still possible to detect it.

Re:No

[epine]

but distinguishing it from real random data is just a matter of having sophisticated enough statistical tests

It's not just the test that matters, but also the sample size. Can't squeeze blood out of a stone. If the minimum sequence length that distinguishes random from pseudo-random is 2^256 elements, you're also going to need a sophisticated cryopreservation system and a wine cellar of the Long Now.

If your method doesn't involve sampling, it's not actually statistics, and what you're hiding under the word "just" might be a kissing cousin of Chaitin's omega. Good luck with that.

The nested container idea has been around for a long time. It occurred to me a long time ago. Somehow in the meantime the once-famous cryptanalysis rubber-hose has been replaced by a hefty phone book. I guess the phone book seems more medieval than it once did. Most people still have flexible hose in the back yard.

There is indeed a non-zero cost to interrogation. What goes on under the naked bulb is only a small portion of the total cost. Sending out the giant neuralizer vans to cover your agency's traces is a more significant part of the cost. A competent, stress-free Brazilian stenographer and receptionist will also set you back. Even the naked bulb will soon cost more than it used to. There's a fair amount of risk involved in playing this game that you'll have to learn how to type with elephant hands and soft fingertips, but then again, you might get lucky.

The level of risk depends on whether you model this on the asymptotic cost of commodity confession, or whether you model this as an intimidation game.

In the Western intimidation game, whoever moves first winds up with the biggest knuckles on the most thoroughly articulated limbs, before being returned to society as a poster-child for clever smiles.

In the Eastern European intimidation game, the role of the poster-child is socialized into a giant Siberian theme park. Thirty million people can't be wrong, but they can be mighty dead or unhappy.

Let me suggest that apt-get plausible-deniability does not improve your border-crossing credit rating. I doubt it improves your success rate with Swedish twins, either, but that has yet to settle out.

Re:No

[Anonymous+Cowpat]

It occured to me that anyone would have a hard time explaining WHY they have several gigabytes of random-looking data files.

The best idea I've come up with is to leave them in a folder with some (legitimate) random number generators with accurate source code which will generate files the same size as your 'random' ones and which don't use a set seed (so it can't be proved that those files weren't generated with that RNG) and the Marsaglia test suite, and if anyone asks; you're doing research into pseudo-random number generation. Bonus points if you have the results of running the Marsaglia tests on your encrypted files in a spreadsheet in there and the skeleton of a paper about it. Also, leave some genuine random files (trial-and-error to generate genuinely random files which give similar test results to the encrypted files). Even more bonus points if you leave source to a program that you're 'developing' which would require large quantities of random numbers (monte-carlo methods, or somesuch) in a nearby folder.

Now, of course, saying that you're doing RNG work when you're not is technically lying, which could get you in more hot water if it's figured out, so I can't recommend doing that. What you don't want is to be in the situation of being asked to explain in the first place; what you want is for whoever looks at it to figure out for themselves that it's benign and wave it through.

Re:No

[speculatrix]

just don't do this with SSDs as marking all blocks in use prevents the wear levelling working; if you use TRIM the SSD will wipe the unused blocks putting you back where you started

Re:No

[sjames]

Yes, it doesn't work so well on an SSD.

Re:No

[butlerm]

There is no question is is computationally difficult, just not computationally impossible. The reason for that lies in computational complexity theory. You can get a basic summary of the theory here.

In summary, if the data being encrypted is compressible by practically any algorithm whatsoever, it has computational complexity less than its bit length, i.e. a smaller bit string can be used to recover the larger one. Likewise, the computational complexity of any encryption key is at most the length of the key in bits.

Suppose you are encrypting a 256K bit string that can be compressed by a factor of two by an _ideal_ compressor. And then you have a maximally random 1K bit key. The maximum Kolmogorov complexity of any finite deterministic function of those two inputs that is known to the attacker is 129 Kbits. Where the maximum computational complexity of a truly random string of the same length as the input is 256 Kbits.

The difference between those figures opens the door to a statistical attack, because the data is not _really_ random. It just looks that way, sort of like the output of a pseudo random number generator, which isn't really random at all. If you encrypt a string of zeroes with a significantly shorter key, the output of a pseudo random number generator is exactly what you will get, a pattern that is maximally vulnerable to attack.

The lesson to be learned here is if you want to minimize the risk of attacks from folks with far more computer power than you have available, compress it using the best available compression algorithm first. Then the computational complexity of the input string will approach the theoretical maximum for a string of that length, depending on how good the compressor is. Throughout I mean complexity relative to what the attacker knows (such as the encryption algorithm) of course.

Re:No

[maxwell+demon]

More importantly, you'd get questions why you encrypted Alice in Wonderland, and would still be suspected to have some other data hidden in there. If you have a fake decryption, you should have a plausible explanation why you encrypted that data in the first place.

Re:No

[sjames]

The best answer is to claim no encryption at all. If they find anything, let them wonder if it is something you put there or if they are just chasing their own tails.

Re:No

[ResidentSourcerer]

But if you compress it with a well known compression program will it not produce a standard header? Knowing that it has a standard header gives you a crib which should speed up breaking it, yes?

You would want to modify the compression program to put the header info in a non-standard place.

Teach me.

Re:No

[butlerm]

Absolutely. You want to get rid of any gratuitous headers, unless they are applied after the encryption process takes place, for the very reason you describe.

The other thing is that you really want a compression algorithm (or pre-pass) that is tailored to the type of data you are compressing. If you are compressing data in a known format (a file system image for example) you might have necessary header information (like tables of offsets known to be within a certain range) that a run of the mill compression algorithm is not going to compress very well.

So if you are maximally paranoid, you might write a pre-pass tailored to the format you are compressing that eliminates predictable aspects of the data (like zero bytes in certain places, or even a high probability of zero bits in certain places) as much as possible.

Re:No

[TheRedWheelbarrow]

"the presence of random files on the system could be incriminating"

That's why I like Truecrypt's ( http://www.truecrypt.org/ ) approach:
"... there is practically no plausible explanation for the existence of a file containing solely random data. However, plausible deniability can still be achieved with a file-hosted TrueCrypt volume (container) by creating a hidden volume within it."

Basically, you create a hidden volume inside your encrypted data. If you are compelled to reveal the contents of the encrypted data, you so so. What is revealed are some possibly sensitive files but not the data that you are most concerned with. The really sensitive data is in a hidden volume which you can plausibly deny exists. After all, you gave up the password to the encrypted file - any residual random data in the file is just an artifact of the encryption process (you can plausibly assert) when, in fact, it actually contains another hidden volume with the real goods.

Re:No

[Chowderbags]

Then they've got you on copyright infringement. I don't know which is worse, copyright industry or shadowy government operatives. At least the shadowy government operatives give you vacations to exotic locales where you can explore local traditions and all the water you could ever want!

Re:No

[Mark+Hood]

The worst thing you can do is use a one-time-pad twice, hence the name... If you show them it decrypts one file (innocent.bin) then they're going to try it on every other file in the system.

OTP are unbreakable if used correctly - if used incorrectly they're worse than just marking the file as 'hidden' and hoping no-one knows where the 'show all' option is ;)

Mark

Re:Well

[Kjella]

As far as I know finding patterns in the output is tightly linked to reducing the number of possible keys, so good encryption algorithms should not create patterns. Of course if your encryption software writes some kind of header - which wouldn't affect the security of the encrypted contents - then it will be obvious to anyone looking that you have an encrypted container. So this is 99% about implementation and 1% about encryption algorithms.

Re:perhaps...

[NFN_NLN]

you're not the best one to write this kind of software if you don't know the answer. start here:

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099

I think this is the software version of the ADE 651 http://en.wikipedia.org/wiki/ADE_65.

Crunch, Crunch, beep, bop, boop.... yup, our software says that is encrypted data right there. Now give us the decryption key.
What, you can't? Looks like you're just trying to hide terrorist information from us.

It depends....

[TrumpetPower!]

If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?

Does the person to whom you give these two files have a rubber hose? Is he a member of the “extraordinary rendition” team?

The point of steganography is to not get caught in the first place. If you need plausible deniability, you’ve already lost.

Cheers,

b&

Re:It depends....

[zill]

If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?

Does the person to whom you give these two files have a rubber hose? Is he a member of the “extraordinary rendition” team?

The point of steganography is to not get caught in the first place. If you need plausible deniability, you’ve already lost.

Then why does the field of steganography exist at all? If your claims are true, then there is absolutely no point in studying and researching steganography. Yet dozens of paper are published on the subject matter every year.

Re:It depends....

[TrumpetPower!]

zill wrote:

Ben Goren wrote:

The point of steganography is to not get caught in the first place. If you need plausible deniability, you've already lost.

Then why does the field of steganography exist at all?

To keep from getting caught. Duh.

Cheers,

b&

Re:It depends....

[Joce640k]

Simple: Because there's a difference between "the card in this camera has some holiday snaps on it" and "the card in this camera has a file on it which is indistinguishable from random noise".

One will get you waved through, the other will get you tied up in the back room, drugged and being hit with a wrench.

Re:It depends....

[maxwell+demon]

Well, the point is: If you send someone pictures of your last holiday, someone noticing that will not suspect anything, and will not even think of applying tests to the pictures you sent. Therefore if you hide information in them, you will not need plausible deniability, because nobody will question you.

Re:It depends....

[John+Hasler]

The point of steganography is to not get caught in the first place. If you need plausible deniability, you've already lost.

No. You are not "lost" if the party examining the files is doing a routine search for encrypted files which usually comes up empty and/or has no access to your person anyway.

Re:It depends....

If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?

Does the person to whom you give these two files have a rubber hose? Is he a member of the “extraordinary rendition” team?

The point of steganography is to not get caught in the first place. If you need plausible deniability, you’ve already lost.

Cheers,

b&

Speaking of rubber hoses, the rubber hose file system, aka Maru Tukku hides data in the (potentially discontiguous) free space, and was done by Julian Assange (of wiki leaks fame I believe). The intent of this was to use plausible deniability, since there could be multiple hidden aspects (sort of like partitions), each with an encryption key. I think they were set up hierarchically, much like in onion routing, to increase resistance to losing a single key.

Re:It depends....

[Tarsir]

From TFS:

[Is] it possible to prove there is encrypted data where you claim there's not? If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?

TFS is asking precisely whether you can hide your data without getting caught (cf the sentence preceeding the one you quoted). What you quoted is just a hypothetical to highlight the fact that the actual question [Will someone know if I have hidden data?] turns on an adversary's ability to distinguish random data from (for example) AES encrypted data.

Furthermore, everyone here knows you can beat crypto keys out of someone once you suspect they're hiding something. That doesn't need to be said, and if you feel it does, you could at least refer to it as thermorectal cryptanalysis, which is funnier, and less well-known.

Re:Lifting the Lid on the Guilty Yid

[ian(at)union.io]

Let me guess... Random!.. No, wait, too obvious. Encrypted!

At the risk of doing someone's homework in a forum

[bytesex]

No. You cannot distinguish between the two. If you could, you would have an attack vector against the encryption. The trick, once you have a key, is to have authentication-strings in your data structure, so you can see whether the key you used is actually correct, and the decrypted data is actually useful. An attack based on this authentication string, is one of the many, many possible attack vectors against encryption. Also, 'random' is not always very 'random'. In the world of cryptography, we need serious random. C'mon dude, how far are you with this ?

Wrong question to ask?

[mclearn]

Perhaps the question is incorrect. If i have a volume with data and a volume with encrypted data, then the encrypted data can be discerned from the non-encrypted data by virtue that there will be patterns detectable in the non-encrypted volume. So technically if you have a drive and there is random data on it but no discernible patterns, then there is either encrypted data on it, or it is an empty drive. It is likely not even factory default since that it likely to have some structure imposed upon it as well. What is the point of carrying around an encrypted volume with the ability for plausible deniability if that plausible deniability requires you to have random data as a volume? The existence of random data will render your plausible deniability claim useless since, by definition, your claim is no longer plausible.

Re:Wrong question to ask?

[mysidia]

I'm guessing you have three partitions on your hard drive... a 20 gigabyte Windows partition, a 5 gigabyte Linux partition, and a third partition that appears to be random data, the descriptor in your partition table reads type 0 UNKNOWN, or some random type that other OSes won't treat as valid.

To mount this volume you boot another OS first, or boot the 'unknown' partition from external media.

Re:Wrong question to ask?

[Dare+nMc]

The existence of random data will render your plausible deniability claim useless

The other option is that someone had financial data/etc on that partition and used a secure erase program to erase the partition. This is the condition where since no good data is stored on the disk anymore, you can't produce a password. The other option is something like the dual true crypt volumes, where one volume is harmless data (tax return for example) stored with one password, and you have a second password with the data you want to hide. By passing the first password, you give a deny-ability to the second volume. Since true crypt first fills the entire partition with random data, then starts encrypting data for one volume from the beginning of the partition, and the other from the end of the partition, if the encrypted data is in-distinguishable from the random data, then it can't be shown otherwise. (you can also encrypted any number of partitions inside a partition with true crypt, so you could have dozens of passwords to get to some final data.)

It depends.

[Delta]

If everything is perfect? No.

If you have two plaintext blocks, and encrypt using ECB mode with the same IV though, then the two cipher blocks would turn out identical cipher blocks. Would make it trivial to see which was the encrypted one.

So basically the answer is; it depends.

If you need to ask the question, do more research before you continue your work. This is stuff you really should understand before you embark on such a project.

Simple: encrypt a bunch of stuff

[KPU]

LUKS has a header. When I run cryptsetup on an uninitialized volume
# cryptsetup luksOpen /dev/sdb1 foo
Device /dev/sdb1 is not a valid LUKS device.

That means it can tell if the header is valid without a password. So now every offset needs valid LUKS header. Once you've done that, just make a bunch of perfectly valid encrypted volumes. Put real data in them. Install a working operating system that looks used.

Re:Well

[zero.kalvin]

I was always baffled by this. If you run your encryption algorithm on the encrypted data again(n times). wouldn't produce something indistinguishable at then end from random data?

Does it matter?

[Burning1]

Do you think that 'I'm just sending random garbage' is going to offer any kind of plausible denyability in any situation where you could expose yourself to prosecution simply for using encryption?

Yes

[ceoyoyo]

Unless you're using a properly constructed one time pad, which the poster is not, encrypted data is distinguishable from random. The more of it you have, the more distinct it is. With a good encryption algorithm it's not easy, and investigators would probably use other techniques, but it is possible.

Re:Well

[bennomatic]

Weird. I guess I there's a bug in my ROT13 implementation. If I run my text through twice, I just get the original message.

Simple

[PPH]

The files on employees computers containing seemingly random data can be assumed to be just that unless they're driving brand new Porsches and have vacation condos in Whistler.

Shouldn't

[dachshund]

AES is designed to be a pseudo-random function (meaning it's evaluated against that criteria). What this means is that /when used properly/ AES encrypted data should be indistinguishable from random data, at least for a distinguisher running in bounded time. If anyone discovers an efficient algorithm that can distinguish this, it'll be a big nail in AES's coffin (and yes, at the very theoretical level I realize that there already are some known weaknesses in AES, but for the moment you're in good shape).

Re:Shouldn't

[dachshund]

Erp, I meant Pseudo-Random Permutation, which is indistinguishable from a PRF if the amount of data is realistic.

Re:Shouldn't

[butlerm]

AES encrypted data should be indistinguishable from random data, at least for a distinguisher running in bounded time

That is a mathematical impossibility. The computational complexity of any finite deterministic function of inputs of finite complexity is finite. That means that any necessary analysis can also be conducted in finite time. The only thing protecting AES is the lack of computational resources on the part of attackers. Does anyone really think that thirty years from now it won't be commonplace to break the encryption of data encrypted using the key lengths we use now?

Re:Shouldn't

[linuxrocks123]

Yes. People do.

We know you can brute-force AES. We also know that if you had a computer the size of the Earth where every piece of matter the size of a grain of sand was an ALU, you wouldn't be able to do it in thousands of years. The only hope attackers have is more sophisticated cryptanalysis techniques. This may or may not happen within 30 years.

---linuxrocks123

Re:Shouldn't

[AK+Marc]

Does anyone really think that thirty years from now it won't be commonplace to break the encryption of data encrypted using the key lengths we use now?

Me. Unless there are flaws in the algorithm, there are already people using keys which would result in the heat death of the known universe to solve.

Re:Shouldn't

[butlerm]

Brute force is called "brute" for a reason. Realistic attacks generally use much more sophisticated techniques. Counting on the incapacity of mathematicians is a sucker's bet. Your only sure hope is if the value / sensitivity of your data decreases faster than the ability of cryptographers to analyze it.

Re:Shouldn't

[linuxrocks123]

Say, how's cryptanalysis of that Blowfish algorithm from 1993 coming along?

---linuxrocks123

Re:Shouldn't

[butlerm]

Unless there are flaws in the algorithm...

All finite encryption algorithms are _intrinsically_ flawed by their very nature, in that it is impossible for a encryption algorithm to do the impossible. An encryption algorithm that produces an output string strictly indistinguishable from random data is not just a physical impossibility, it is a logical impossibility.

Re:Shouldn't

[butlerm]

With a key length significantly smaller than the source text, of course.

Re:Shouldn't

[dachshund]

The computational complexity of any finite deterministic function of inputs of finite complexity is finite. That means that any necessary analysis can also be conducted in finite time. The only thing protecting AES is the lack of computational resources on the part of attackers.

This is my fault for being imprecise in a Slashdot post. Of course the security of AES is based on attackers' limited resources. If attackers had unlimited resources, they could simply brute-force the keyspace. Of course, without quantum computers this might require the solar system and many nearby star systems to be processed into computing devices. 2^256 is an awfully large number.

When I said "distinguisher running in bounded time" I should have said "probabilistic Turing machine running in a number of time steps that can be expressed as a polynomial function of an adjustable key size".

Does anyone really think that thirty years from now it won't be commonplace to break the encryption of data encrypted using the key lengths we use now?

This is why many modern cryptosystems use adjustable key sizes. However, barring some dramatic new advance (quantum computers), or some as-yet-undiscovered flaw in AES (much more likely), ciphers with 128, 192 and 256 key sizes should be ok in 30 years.

Re:Shouldn't

[ras]

AES encrypted data should be indistinguishable from random data

Nope. This assertion has been made here over and over again, and it is out and out wrong . See: http://opensource.dyc.edu/random-vs-encrypted

In essence, encrypted data sticks out like dogs balls because of its high entropy, yet there are enough patterns in it to make it obvious to an expert it isn't just random data. Even if it did look like random data who in the hell is going to believe you are carrying around gig's of data you can trivially generate as needed from /dev/urandom? Nobody.

So, the problem you have to solve is how you are going to plausibly explain away gig's of what is clearly encrypted crap. Forget TrueCrypt, or any special tools that don't normally come with your Operating System. Their very presence screams "liar!". Forget large encrypted files that don't have any conceivable use, even if they aren't named "my-porn-collection.zip.gpg". After all, its your laptop so a program you use must have put them there, so some program should break if you move them out of the way.

And finally, once you come up with a way of hiding your encrypted crap, don't go blasting it over the internet. If it became common knowledge the men with rubber hoses may hear of it, rendering your lovely invention useless.

Some evidently don't agree with this last piece of advise because they have posted their solutions to the problem right here, on one the largest megaphones on the 'net. Fortunately for them, Slashdot has in typical Slashdot fashion come to their rescue. Unlike the piece of miss-information I am responding to which is rated "5, informative", these insightful and informative posts are rated 1. Probably because they necessarily involve long complex commands which are utterly beyond your average slashdotter, which probably means they will rarely be used, which probably means they are right - my last piece of advise is alarmist.

Re:Shouldn't

[hoytak]

What about http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.19.7206? Seems that fits your bill; in essence, there are certain statistical biases in many of the encryption schemes that can be calculated quite quickly.

Re:Shouldn't

[butlerm]

The NSA is probably more qualified to answer that question. My point is that _in principle_ it is impossible to know when and whether a mathematical discovery is going to make (or has already made) attacking a particular encryption algorithm a practical possibility.

The reason why that is the case is that it is mathematically impossible to transform non-random data into maximally random data and back in a lossless manner. So whether it is thirty years or thirty thousand years, at some point a mathematician is liable to discover a practical means of attacking the algorithm using all the non-random data that any information bearing signal necessarily contains.

Re:Shouldn't

[linuxrocks123]

I know what you're saying. Your argument boils down to, "because it's not provably perfect, someone in principle could discover some new cryptanalysis technique no one thought about and break the algorithm." You are right, in principle. Encryption is an eternal game between cryptologists and cryptanalysis.

My counterpoint is that, starting after World War 2, the cryptanalysts have been losing this game. And they've been losing really, really badly. I'm sure you're aware of the insecurity of DES. Well, the method that was used, in practice, to break DES-encoded data wasn't a fancy attack discovered by clever cryptanalysts: it was brute force. And key sizes are big enough now that brute force will never be effective again.

---linuxrocks123

Re:Shouldn't

[butlerm]

Well said. My only quibble is that in it is impossible (*) to make a "perfect" encryption algorithm, for the same reason that encrypted data in general isn't truly random. It is an information bearing signal, and that makes it vulnerable to some sort of attack. Theoretically speaking of course. Practically speaking, I think you are probably right.

(*)Excepting a random one time pad of course.

Re:Shouldn't

[dachshund]

What about http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.19.7206? Seems that fits your bill; in essence, there are certain statistical biases in many of the encryption schemes that can be calculated quite quickly.

See http://eprint.iacr.org/2002/149.pdf.

Re:Shouldn't

[dachshund]

In essence, encrypted data sticks out like dogs balls because of its high entropy, yet there are enough patterns in it to make it obvious to an expert it isn't just random data.

So, look, in fairness you're a little bit right and a little bit wrong. It is unusual to spot high-entropy data on a filesystem, and that's what encryption looks like. However, if you read the grandparent post, "encrypted data looks like random data" is precisely what I claimed. Nothing more, nothing less.

Most "rubber hose" steg filesystems address the entropy problem by putting lots of random cover data on your disk, whether or not you choose to store secrets. For example, the empty sectors on your drive can be formatted with pseudo-random noise. Reasonable people can disagree about whether this will work (if everyone does it, then perhaps; if only people with secrets do it, then probably not). It'll also be very time consuming.

Furthermore, the article you linked to doesn't say what you think it does. It simply points out that some encryption packages add recognizable headers. If you don't add headers ("hey, look, this is AES data!"), then the result should not have any recognizable patterns.

Some evidently don't agree with this last piece of advise because they have posted their solutions to the problem right here, on one the largest megaphones on the 'net. Fortunately for them, Slashdot has in typical Slashdot fashion come to their rescue. Unlike the piece of miss-information I am responding to which is rated "5, informative", these insightful and informative posts are rated 1. Probably because they necessarily involve long complex commands which are utterly beyond your average slashdotter, which probably means they will rarely be used, which probably means they are right - my last piece of advise is alarmist.

I don't really have anything to say in response to this, but I thought I'd quote it just the same.

Re:Shouldn't

[hoytak]

Ah, very interesting. Thanks for the link.

Re:Shouldn't

[ras]

Furthermore, the article you linked to doesn't say what you think it does.

Gezzz, you should at least take the time to read beyond the first few paragrahps before making such a comment, but then I guess this is slashdot.

He dismisses LUKS and TrueCrypt because they don't offer plausible deniability - because of the headers, as you say. He then moves onto Linux's loopback device in crypto mode. It doesn't write headers. He then comes up with a technique of comparing the raw encrypted data with random text. Turns out using his techniques it is easy to spot the difference. And that is the point of the paper: even without headers or any other tell tale signs, there is no way to hide the fact that you have encrypted data on your disk.

Ergo, there is no plausible deniability when you have great gobs of encrypted data on your disk - which is to say you won't be able to deny it is there. if you are going to avoid the rubber hose, you are going to have to use some social engineering trick to explain it away.

However, if you read the grandparent post, "encrypted data looks like random data" is precisely what I claimed. Nothing more, nothing less.

Here you are playing with words. "Encrypted data looks like random data" in this case means in this case "looks identical to the novice, but an expert will find it easy to distinguish the two". But no one would take that meaning from your post. It was poor communication at best.

I don't really have anything to say in response to this, but I thought I'd quote it just the same.

Yes, it was pretty clear, wasn't it? I think your original post was too, by the way.

Re:Shouldn't

[dachshund]

He dismisses LUKS and TrueCrypt because they don't offer plausible deniability - because of the headers, as you say. He then moves onto Linux's loopback device in crypto mode. It doesn't write headers. He then comes up with a technique of comparing the raw encrypted data with random text. Turns out using his techniques it is easy to spot the difference. And that is the point of the paper: even without headers or any other tell tale signs, there is no way to hide the fact that you have encrypted data on your disk.

From what I can tell, the paper makes several points:

1. Implementations that write headers leak info on what's encrypted
2. Poor crypto implementations (i.e., not using modes of operation correctly) leak info on what's encrypted
3. Encrypted data stands out when compared with non-random background
4. If you can look at the way a filesystem changes over time, you'll spot people writing encrypted data

I think (1) and (2) are fairly obvious and irrelevant --- if you do things wrong, then of course you'll get caught. I think we've addressed (3) already in this thread. So it remains for us both to agree that you can learn things by observing the way a filesystem changes over time. That doesn't exactly correspond to "using his techniques it is easy to spot the difference [between encrypted data and random text]". In fact, it sounds to me like a whole different flavor of attack, though certainly a powerful one that people should be careful of.

Here you are playing with words. "Encrypted data looks like random data" in this case means in this case "looks identical to the novice, but an expert will find it easy to distinguish the two". But no one would take that meaning from your post. It was poor communication at best.

I would argue that the attacker's expertise is irrelevant to this discussion. If an attacker can obtain periodic snapshots of a user's system, they don't have to be an expert --- they're just blessed with an unusually rich amount of data. No cryptographic technique (short of completely re-randomizing the noisy portions of the disk) is going to hide the fact that you're making suspicious changes to the data. I would further claim that, absent such a history, encrypted data does look like random data. But you are welcome to disagree.

It's been a good long time since I took part in a nice, angry Slashdot flame war, particularly in my PhD subject area. It's been fun.

Re:Shouldn't

[ras]

Gawd, I hate this part.

I went and re-read that paper, and you are right. Done correctly, CBC does generate random looking data. My only excuse is I read it years ago, missed the rather plain statement in the very paper I quoted that it did, and have been relying on memory since. Somehow the pretty ECB pictures stuck in my mind.

Anyway I guess on the positive side this discussion has fixed a misapprehension I have been labouring under for years. Thanks for taking the time to point it out.

Re:Well

[bytesex]

It depends what you call an 'encryption algorithm'. If you mean 'DES', then no - DES is nowadays considered a weaker algorithm. If you mean 'AES-256', then still no - you need to *apply* AES-256 before it's any good, because AES is a block-cipher and will re-encrypt identical blocks of plain-text with the same key to identical blocks of ciphertext. If you mean 'AES-256 in CBC mode with random IV and SHA-256 HMAC authentication', then that's an algorithm that can be safely used. Under certain real-world circumstances.

Re:At the risk of doing someone's homework in a fo

[mysidia]

Perhaps. But if you use cryptsetup with LUKS, there is a readable header for the encrypted file, you don't need the key to determine encryption has been used. In fact, you can set multiple passphrases that have the authority to decrypt the partition.

GPG Encrypted data is also distinguishable, regardless of whether you use ASCII armoring or binary .GPG files. There are headers in the encrypted output that can be recognized without having the key to decrypt anything.

Now if you run 'openssl' from the command line, and choose 'aes-256-cbc', supply a true random key, and enter data bits interspersed with random 'padding bits'. It will be probably impossible for anyone to determine from the output whether there are any data bits or not, without knowing the key.

Re:At the risk of doing someone's homework in a fo

[Joce640k]

Maybe you should design it so the encrypted data has some patterns in it (ie. interleaved with the ciphertext)

Re:Ideally, Yes, but No

[maxwell+demon]

Data encrypted with a one-time pad looks completely random. Provably. Indeed, if you were given the pad and the encrypted data, you'd not be able to say which is which.

crypto is hard

[Tom]

Hard to say from your question, but if you haven't done already, get yourself some crypto knowledge. Crypto is hard, there is a reason that you are laughed out of the room if you say you've invented a new crypto algorithm and you don't already have strong credentials.

Randomness is one of the harder computer problems. Especially in steganography, many implementations have been defeated by creating not enough or too much randomness. If you want to hide your message in something, it doesn't matter if your output is distinguishable from randomness, it matters if it is distinguishable from what should be there. Simple approaches like LSB tricks have often fallen because those happen to be not random in many input data.

Re:crypto is hard

[Spykk]

Randomness is one of the harder computer problems.

Random isn't so hard...

Re:crypto is hard

[mrmeval]

/dev/random does something like this by using environmental noise

Re:crypto is hard

[bill_mcgonigle]

Hard to say from your question

You're too kind - it's of course pretty obvious that the submitter is trying to write a cryptosystem and hasn't even gotten around to reading (and comprehending) Applied Cryptography. That's the link to the used page with $11 options, submitter. Curl up with it for a couple months' of night reading.

Re:crypto is hard

[rippeltippel]

Randomness is one of the harder computer problems.

Random isn't so hard...

Just add the .RND extension to your encrypted file: I bet that a certain famous OS wouldn't spot the difference... (it might also display "Random data" in the file description). This technique is not portable though.

Re:crypto is hard

[Tom]

I'm far from an expert, but having looked into this a few years ago for a personal project, I determined stego. was (at that time) not useful for anything beyond novelty encryption.

There is good and bad stego just like there is good and bad encryption.

For one, yes if you give someone the original and the copy with the steganographically hidden information in it, there will be a difference, easily found.

Good stego means, among other things, that you can't tell which one is the original and which one has hidden data.

Years ago, several crucial flaws were identified in practically all available steganographic software. The one you mention is one of them, unequal distribution over the destination data means that it has different entropy in different places, which is a surefire sign that something strange is going on.
Those flaws have since been fixed in any halfway good stego software. It's not that easy anymore. But this is exactly why you need to know a little about it - otherwise how do you even identify a good stego program?

Re:Well

[SeanTobin]

Weird. I guess I there's a bug in my ROT13 implementation. If I run my text through twice, I just get the original message.

Just do what they did with DES... use 3rot13 and you're much more secure than the original implementation.

chaining is essential

[pedantic+bore]

If you use AES in ECB mode, then the answer is that it's usually painfully obvious that the original data was structured.

If you do use chaining (CBC, or something similar), then it will look quite random.

Excellent example here: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29

Sure, you have to use...

Math.

Be sure to use some math and it'll all be good

Re:Random bytes are incriminating themselves

[maxwell+demon]

(Yes, your giant porn collection is a great place to hide the evidence from your secret conspiracy investigation.

But what if my giant porn collection is exactly the information I'm trying to hide? ;-)

Plausible Deniability - TrueCrypt

[thetinytoon]

what you want is plausible deniability and that is not easy to achieve, as some states have started to have laws allowing to hold you hostage if you do not provide an decryption key to an encrypted container (which, with your method, would be corrupted). Have a look as TrueCrypts technical details behind their plausible deniability feature: http://www.truecrypt.org/docs/?s=plausible-deniability

Re:Plausible Deniability - TrueCrypt

[Black+Parrot]

some states have started to have laws allowing to hold you hostage if you do not provide an decryption key to an encrypted container

Which could be a problem, if someone else has put an encrypted file on your computer.

Re:Plausible Deniability - TrueCrypt

[thetinytoon]

Sure thing, but the "okay, I give you the password, but don't tell my gf about all the porn on there"-story is way more believable than the "some guy put an encrypted 200gb file on my laptop without me noticing".

Well...

[symes]

Arthur Conan Doyle wrote that the best place to hide something was right under the nose of the person looking for it - if someone spots an encrypted file, no matter how well hidden, it says you have something to hide. Instead you could simply print out your secret file in the form of a glossy magazine, something no one in the security world would really be interested in flicking through. Gardeners World or Philosophy Today. And then just leave it lying around, literally. It will be the last place they look. And the last thing they will confiscate.

Re:Well...

[pedantic+bore]

Edgar Allan Poe made a similar point in The Purloined Letter. It's probably been around even longer than that.

Re:At the risk of doing someone's homework in a fo

[butlerm]

You cannot distinguish between the two.

This is categorically not true, unless the key is as long or longer than the data file (and never used again). There is indeed an attack vector against any encrypted data file if the key length is small by comparison. Statistical analysis plus the slightest idea of what type of data is being encrypted is more than adequate to mount a successful attack (given sufficient computational resources) unless the key is _much_ longer than what is typical today. The lack of computational resources is the only thing that keeps typical encrypted data secure.

metadata...

[Chris+Snook]

While the data within the encrypted volume should be indistinguishable from randomness, the metadata headers are quite distinguishable. It's pretty obvious if something is a LUKS volume, but within that you shouldn't be able to tell.

Unfoilable Steganography in LSB Plane of Imagery

[mirkurius]

Steganographic attempts are considered foiled if someone can detect that there is a secret message, they don't need to be able to retrieve the message in order for the attempt to be considered a failure. I did my Master's project on hiding data in the least significant bitplane of imagery. The trick is to "randomly" scatter your secret message throughout this plane. I showed methods that would allow you to do this so that the data was indistinguishable. You should always encrypt your secret message first so that it looks random, or better yet, shape the statistics of your encoded message to match the noise characteristics that were in the original LSB plane. If you use an image created from a very noisy source, such as a digital camera, and you encrypt the embedded message and scatter it using a reversible algorithm, and iteratively ensure that the statistics of the altered LSB plane look the same as the original LSB plane, I proved that it is not possible for someone to tell that there is a secret message hidden there. However, you need to be careful to use an original image you created yourself, and to destroy the original, because if someone ever compared the original to the one with the embedded message, they could definitely tell there was something altered by comparing the LSB planes.

Both usable

[SuperKendall]

I thought the point was there is one encrypted file and one random file.

With stenography, one is encrypted and the other normal data. But both are usable - say a JPG image, where both load. So who is to say one has encrypted data, and they weren't just compressed using different settings? The question is, could anyone tell that (though with any given file format it seems like sophisticated enough analysis might be able to tell you that).

Re:Both usable

[Korin43]

Or a more related example, trying to tell the difference between a hard drive with nothing on it ("random data"), and a hard drive with something encrypted. I'm not sure what the point would be with a normal file, since most people don't have large files containing random data, but empty partitions are somewhat believable.

Re:Both usable

[Altrag]

My thought is that the encrypted one will be the one that asks for a password when you try to open it.

I suppose the big question is.. "who are you trying to hide this from?" If you're just trying to hide from basic security screenings at the airport and whatnot well, just make sure your encrypted data is on a USB drive or some such, hide the files/partitions and make sure you don't have your decrypting tools with you. Your average security screener isn't going to have the time or technical skills to delve in too deeply, even if you get flagged for additional screening. Short of being on the terrorist watch list, you're probably pretty safe here as long as you don't make it too obvious that you have hidden data.

On the other hand, if you're under investigation for one reason or another and your equipment gets confiscated, you've got a much bigger problem. Even if your data is 100% undetectable from a pure bits-and-bytes perspective, there's a simple fact that you (presumably) need to be able to access the data yourself somehow. And that means you'll need some form of tool.. software programs or hardware dongles or whatever. If you're using any sort of common tools, the investigators will simply note that those tools exist and assume you're hiding something.

Your only real hope is to roll your own encryption software AND mask it as something innocuous (say an IM clone where if you type in a different "hidden" password it unlocks your hidden partition). Of course, I doubt there's more than a few thousand people in the world (if even that many) who would have the knowledge and abilities to write such a program (and again, you can't just use something common or it would be a dead giveaway).

Re:Both usable

[Jessified]

One idea that has occurred to me for airports, is to come up with a random key by smashing the keyboard, save it on the web (or at home on a networked drive), and you don't know memorize it. If border security is allowed to search anything you bring over the border, AND they are allowed to legally compel you to hand over a key in your head (I believe this point is still under debate), hopefully this would be enough to keep the info from them (legally speaking).

I guess the question is are border agents legally allowed to search things you aren't physically taking over the border (your online email accounts, or drives at home you can access remotely etc.)?

Also, is encrypting your data in and of itself reasonable grounds for more thorough searches? Of course, this question is moot at the border, but generally speaking?

Re:Both usable

[Korin43]

My thought is that the encrypted one will be the one that asks for a password when you try to open it.

That would be neither. I've never written encryption software, but here's a trivial example: My theoretical encryption program creates a file with random data in it. It creates a header at the beginning of the data to identify it ("This is data encrypted with x program"). You add whatever you want in the remaining space. When it's time to encrypt, we encrypt the whole thing (including the header). When you want to decrypt the data, you enter a password and my program decrypts the data (whether the password is right or not). Then we check to make sure the header matches. If it doesn't, then the password was wrong. The interesting thing is that you can't prove that the data is encrypted without successfully decrypting it (well that's the goal at least).

Of course, there are a bunch of potential problems like:
* A big "random" file on your hard drive is really obvious
* Maybe it's not as random as you hope it is (there's some pattern that occurs in your encrypted data)
* A big "random" partition is less obvious than a "random" file, but my guess is that real empty partitions don't usually look very random

Re:Both usable

[tftp]

* A big "random" file on your hard drive is really obvious

Have software on the laptop that routinely generates large, random files. For example, MSVC produces .pdb files, but you don't need them to run the code.

Maybe it's not as random as you hope it is (there's some pattern that occurs in your encrypted data)

Yes, block ciphers can do this to you. Just XOR the AES output with a PRNG output.

* A big "random" partition is less obvious than a "random" file

But it's a dead giveaway because unused partitions are very uncommon, you have to create them intentionally. Uncommon things are bad for deniability.

If you really want to transport some material across the checkpoint, store your encrypted data in free blocks of your C: drive as a bunch of PAR2 volumes. Nobody will ever question you about the contents of the free space.

Re:Both usable

[tombeard]

If all you are hiding from is grunt level TSA then just rename your encrypted data as graduation2008.mpg . Who would be suspicious if wma reported the file unplayable, it does that 20% of the time anyway? Just be sure VLC isn't installed, that failure might create suspicion.

Re:Both usable

[IndustrialComplex]

Also, is encrypting your data in and of itself reasonable grounds for more thorough searches? Of course, this question is moot at the border, but generally speaking?

A search for an item is either justified, or it is not. It is fairly boolean when you get down to it. I'll explain. The car analogy works well in this case, as there are multiple levels of 'encryption' that can be placed on a car. Obviously we will assume that a search was not authorized.

Let's say you are in a traffic stop and the police officer wants to search you. He will require some justification for that search, and will have to state just what he thought he was going to find, and why he thought he was going to find it. At this point, let's say he had some reasonable justification for a search. He searches your vehicle, and then asks you to open your trunk as it is locked. (This requires a greater level of justification to search)

Now, all that aside:

Your trunk is EXPECTED to be locked. It's how they work. The same thing can be said of encryption on a computer. A locked container is NOT suspicious and therefore can not be used as justification for a search. It can however, cause them to try and find evidence that whatever they are looking for is IN your trunk.

ie: It isn't suspicious in itself, but they will try to find out what is in it if they can't find it elsewhere.

Re:Both usable

[TheCRAIGGERS]

I think there is a fallacy in your argument. Nearly all cars have trunks, and as you said, all of them are locked by default.

No computers to my knowledge come pre-installed with encryption software, and even if they did it takes intent to use it. Basically, a locked trunk is not rare, but an encrypted file is.

A more apt analogy would be a hardened safe in the back seat or trunk of your car. If it's seen, it will probably arise some suspicion- at least enough for the cop in a traffic stop to ask you what's in it.

For better or worse, suspicion is earned when you do something out of the ordinary. A safe in the car, an encrypted HD, being more nervous around a cop than expected, etc. All of those have fairly legal and/or mundane possible explanations, but will still likely get you detained.

IANAL, so I don't know those various reasons would stand up in court. But I do know there seem to be plenty of loopholes and other reasons they could give the judge after having plenty of time to think about it after the search has been conducted.

Subscribe to external random data

[equex]

What about some sort of web service where you can download tidbits of random data to overwrite unused blocks on your drive ? Doesn't even have to be random all the time; it could be pieces of non copyrighted material for instance. So if anyone ask why you have random data, then you can say 'oh, thats just some stuff from the internet i downloaded'. That would be better than leaving your current unused blocks with pieces of your old deleted data too. If this became common, completely random data wold be unsuspicious. And on top of that it could be used as part of a disk-checking software to test your disk much like memcheck. /2cent

One time pad test

[Fractal+Dice]

It is my understanding that if you start with a random one-time pad of 1s and 0s, it should be impossible to determine whether or not you have XORed a file of any entropy against it. If any background communication has surplus bits that are random 1s and 0s, that is your ideal stenography sub-channel. So any a test for encrypted data is really a test for a channel of random bits being transmitted.

The other half of the question is whether a test for random data is sufficient to detect a stenography channel? The smallest encrypted message that can be sent is a single bit - basically just a flare going up. And from a single bit, you can grow over time that channel to any arbitrary length. So that means your algorithm would be required to detect the existence of any pattern of random (unexplained) bits in a file or communication channel that the receiver could be flagging to read as a string of bits.

That's as far as I get ... I think that it probably reduces to being able to put a statistical upper bound on the size of a file that could be hidden given the number of random/unexplained bits in a data stream, but I don't think you could "prove" stenography wasn't happening.

( standard disclaimer: I am not a $profession )

Re:One time pad test

[maxwell+demon]

What about hiding data in ping packets? This would probably not be practical for large amounts of data (and would need a reliable Internet connection, although some of the reliability could be built in a higher-level protocol built on it), but I guess not many people monitor ICMP traffic, therefore this should have a good chance to go unnoticed.

Re:One time pad test

[Fractal+Dice]

The problem with clever tricks like pings that is that the mere fact that 1s and 0s are moving between computer A and computer B creates a link. I would assume that the first pass at stenography detection is just create a big facebook-friends style map of who's communicating bits. All the talk of randomness and entropy really only applies if you first assume that some meandering channel of communication exists from A to B that isn't, in itself, unusual or unexpected.

Don't do it yourself

[Mashiara]

Unless you're Bruce (Schneier).

It seems rubberhose is dead, but look at it and especially the fundamental ideas in it if you really wish to pursue this (I like the idea of having N encrypted volumes and the fact that you cannot prove that you have fully co-operated [and they cannot prove that you're not], of course you need some interesting data on the "bait" volumes as well).

The problem with properly used encryption being indistinguishable from random data is that you need a lot of good quality random data to hide your encrypted data in, because it will be distinguishable from the not-so-random data that you get out of /dev/urandom.

If you are in a situation where you will actually need encryption (especially deniable the sort) then don't trust your own code. As they say: A lawyer who represents himself has a fool for a client. (Don't trust someone elses code either unless it has been actually reviewed by more than two people who actually know how to do cryptoanalysis)

Re:Don't do it yourself

[Mashiara]

Replying to myself, seems like PhonebookFS has many of the same ideas as Rubberhose, but is probably easier to get into (it's not been pronounced officially dead yet but things are not looking good for it either)

How about simple answers to his questions?

[Jane+Q.+Public]

A lot of people have been beating about the bush. Put simply:

(1) Well-encrypted data, by itself (i.e., without any other container or header) is pretty much indistinguishable from random data or "noise".

(2) If you are actually planning to use steganography (hiding the resulting data by modifying another file, like say a photo image), you should be aware that sloppy steganography can often be detected, even if the "hidden" data is random. It depends a lot on the type of file in which you are hiding the data, and the method of encoding.

You should also be aware that effective steganography requires files that are very much larger than the actual data you are trying to hide.

The real advantage of steganography is misdirection: the resulting file appears innocuous. Don't count on it hiding your data well, all by itself.

Actually, you've spotted the problem

[bagofbeans]

All the investigators need to do is run some fake but seemingly complex program that looks at the file under inspection and says "yes, stenography in use". Then the full weight of the law comes down, because now the suspect has to prove the negative - impossible of course.

So actually what is needed is a suspect's right that investigators prove any assertion that files have been hidden if that assertion/analysis is used as evidence in court.

Re:Actually, you've spotted the problem

[rdnetto]

If that were used as evidence, then the defense would be able to simply turn around and ask for the details of the program, or have it analysed/reviewed by an expert witness.
Anyone who did that would be up for perjury (and maybe distorting the course of justice, if they have that in your jurisdiction) and get hit pretty hard.

Statistics

[Spazmania]

If you find a file on my hard drive with data you can't readily decode, is it:

A) Compressed with an unknown compressor
B) Encrypted with an unknown encryptor
C) Random bytes used for an encryption process
D) Random bytes used for something else

I can't prove that answer D is wrong... but I don't have to because I know that 99% of the time, it's one of the other answers.

If you want to hide your data, the file must ostensibly have some other purpose... something that isn't obviously a lie. That's what steganography is about. For example, you might download as much of the 1 meter-resolution Google Maps satellite image as fits on your hard disk, save it uncompressed and then store encrypted data in the low-order bit of each byte (3 bytes to a pixel). Coupled with a map application that can display the imagery, it would appear to be one thing (a map) while really being another (a container for encrypted information).

At that point, unless you capture the encryption software it becomes hard to suspect that there is encrypted data, let alone prove it.

Re:Statistics

[evilWurst]

> If you want to hide your data, the file must ostensibly have some other purpose... something that isn't obviously a lie

Hmm. I bet you could hide a lot in the form of actual executable machine code. Part of it would, of course, be dummy code that doesn't accomplish anything if run (but doesn't do any damage either). Considering "Hello World" C++ compiles to a 450+ KB executable, who's going to notice a few extra functions in a program that has a big executable and a bunch of libraries? Your data hider/"compiler" could be arbitrarily complex at making the hidden data look like real code. Possibly to the level of the data retrieval process involving running parts of it in a VM to pluck out a few bytes here and there that would be left on the stack.

Further, if the legit runnable program with data hidden in it is something really big like a game, you could probably have extra things stuffed into the non-executable resources of the game. If your big compressed glob of textures *works*, containing all the structure you'd expected out of it, who's going to notice the few MB of textures that the game loads but never uses? Maybe you use an indie game with lots of mods available, and you say some of the mods you downloaded were a bit sloppily put together. It's just that if you jump at the right spot in the right map, you fall out of the world and into the real application.

For extra kicks, it doesn't have to be code for the actual hardware you're running - it could be java or .net bytecode. Hell, the java bytecode could be sitting in your browser's cache.

One more level...

[bagofbeans]

Imagine if investigators simply state that their analysis, not disclosable under state secrets privilege, shows hidden text saying "We'll bomb the Eiffel Tower on Thursday". The suspect is now stuffed with no defense.

Re:One more level...

[netsharc]

Presumably a simple XOR would make them be able to come up with that sentence... hell, any sentence thinkable in the world! "Look, if we apply these bytes, the secret message says [...]!"

Re:One more level...

[lgw]

But a good defense attorney would apply the same principle to show that the prosecution's legal submissions were really steganography hiding insults to the judge's mother.

Re:One more level...

[Mitchell314]

It's super easy to make up a key. XOR = key.

NSA? Bah.

[denzacar]

I don't work for any 3-letter agency and even I could easily get the information needed.
With the right tools.

Re:NSA? Bah.

[Eskarel]

Actually this question is rather relevant to that example.

If said three letter agency doesn't know you have encrypted information they probably won't bother to hit you with the wrench until you tell them.

Re:NSA? Bah.

[WrongSizeGlass]

Clearly you're not watching enough TV ...

Re:NSA? Bah.

[Shakrai]

See, the "drug him" part I have an issue with. I have personal experience with both mind altering drugs and truecrypt. Let me assure you that drugs do not help you to remember a complex pass phrase.... ;)

Re:NSA? Bah.

[denzacar]

Not that kind of drug.

Also, drugs are to be used in sequence with the beatings - not simultaneously.
No point in beating up someone who can't feel anything just for the sake of beating him up.
Leave the personal enjoyment for later.

Re:NSA? Bah.

[ePhil_One]

I suspect his point is he wants to be able to bury multiple "encrypted needles" in a "random haystack" file. When they ask for the password, you give them password to needle A, which decrypts. Hopefully they say great and stop hitting you with the wrench, never realizing the super secret plans are in needle B or needle C.

Then the question becomes, could they scan the haystack and count the number of needles?

Re:NSA? Bah.

[Teancum]

It is one of the tools found in Hollywood OS, isn't it? This is the same operating system that has tools to take a 50x50 pixel J-peg image of a parking lot and enlarge the photo to the point you can read not just the license plates but the serial numbers on the plate renewal stickers. It also has these cool animated graphics for e-mail, has advanced AI, and can hack into any computer undetected even if it isn't connected to any physical network by instead hacking through the power lines to extract information... except for those evil government computers that are on your tail the whole time you are doing the hacking, but of course you have a tracking bar for those government computers that can keep track of how close they may have been to discovering your hack attempt where you are able to stop your attempt just moment before they discover who you really are.

So yeah, I'm sure there must be some tool that will be able to determine if a data stream is encrypted.... unless there is a reason in the plot for the software to conveniently fail so the protagonist will be frustrated and be able to swear while on camera and increase the dramatic tension.

The proper way to encrypt an entire disk.

[mliesenf]

LUKS can be easily detected.
The specifications for the on-disk format are published online.
http://code.google.com/p/cryptsetup/wiki/Specification.

What I would recommend and personally employ... First, fill the disk with a random background:
# cryptsetup --cipher=aes-xts-essiv:sha256 -s 256 --key-file=/dev/random create mapper1 /dev/sdz
# cryptsetup --cipher=twofish-xts-essiv:sha256 -s 256 --key-file=/dev/random create mapper2 /dev/mapper/mapper1
# dd if=/dev/zero of=/dev/mapper/mapper2 bs=512

Don't bother creating a partition table or anything else. Leave the entire disk full of this background data.
Then create an encrypted volume using a hash for key material and offset and skip sector counts from the hash string:
# echo "secret_password@drive_serial_number" | sha512sum
4839 eeac 06 a 2045 d 60 6dbf519ba5e9[...]e312009896441a5
# cryptsetup --cipher=twofish-xts-essiv:sha256 -s 256 -o 483906 -p 204560 create encrypted /dev/sdz
Password:
# pvcreate /dev/mapper/encrypted
# vgcreate
# lvcreate

If questioned I would respond with nothing, no words, and just chill there.

Rebuttal

[multimediavt]

Ok, I think this guy's question has been answered (almost before he asked it, honestly). Uhhh, no, the random data and encrypted data will be indistinguishable, however, random data does not occur without human intervention (intent). Meaning, if your rouse of carrying random data to confuse and supply deniability is your plan, think of another plan.

My question is, what are you trying to hide? You don't have to be overly specific, but it helps to hide similar data within a similar structure. Steganography works well for hiding pictures within other pictures, sound within other sound, etc. Why? Because even the encrypted data looks like errors in the image file that might just be due to a corrupted file. If you're thinking of hiding entire filesystem contents within a single image then you're about as dumb as a post and will be hiding nothing from anyone who knows what they are doing, let alone what they are looking for.

So, think about what you're hiding and why. If you're hiding financial or other personal information and the like, why steganography? Just use TrueCrypt to lock it down. If you're transmitting the data, encrypt it as a file, encrypt the connection, and physically send the key with a carrier that uses a tracking number. If you're doing something legally questionable, think again. You just outed your intentions on a global public forum and no amount of random data will save you from prosecution.

Re:perhaps...

[Goaway]

Exactly. If you do not already know the answer to this question, there is no way on earth you will write a program that is at all secure.

Back to the books and study.

Encrypted frequency

[munky99999]

If you're smart the feds or whoever can only look at the in between. So if your entire com between safehouse -> hq is say ipsec tunnel. The feds are left with simply a frequency factor. That is to say... they cant decrypt coms between alleged talban safehouse and hq... but typically they have only 1-2 connections a day... but suddenly there's 10 on a day. Something's going to happen soon! However if you randomly pipe /dev/urandom for no reason at all. Then they dont even have that. How do you tell the difference between encrypted random data and encrypted data? pretty unlikely.

Re:Well

[Kjella]

Actually for something emulating a block device you would not use a CBC mode since you need to decrypt the entire chain from the beginning to get to a piece of data. Usually you use some kind of block offset mixed into the IV so the same data stored in block 12543 and block 46424 look different. But yes I agree that post was inaccurate, if you use ECB mode then there's plenty patterns.

Re:Unfoilable Steganography in LSB Plane of Imager

[maxwell+demon]

However, no matter how well your secret files are hidden, there's one thing which may still reveal you: The very existence of the steganography program on your hard disk. Therefore your steganography executable should be hidden, too. One possible way to hide it in would be to have the same executable do something completely different, unless you give a special, secret option to turn it into the steganography program.

Re:Random bytes are incriminating themselves

[Zsub]

's obvious. Start a conspiracy investigation to hide your porn in.

Have a look at Rubberhose

[PhunkySchtuff]

Rubberhose (Pronounced Marutukku) is transparently deniable encryption, developed by (among others) Julian Assange.
This seems to do exactly what you're trying to do, so even if you want to go ahead and implement it yourself from scratch, it's worth reading up on what they've done to get some ideas and avoid some potential pitfalls.

Rubberhose is a computer program which both transparently encrypts data on a storage device, such as a hard drive, and allows you to hide that encrypted data. Unlike conventional disk encryption systems, Rubberhose is the first successful, freely available, practical program of deniable cryptography in the world. It was released in an earlier form in 1997, but has undergone significant changes since that time. The design goal has been to make Rubberhose the most efficient conventional disk encryption system, while also offering the new feature of information hiding.

Rubberhose is a type of deniable cryptography package. Deniable cryptography gives a person not wanting to disclose the plaintext data corresponding to their encrypted material the ability to show that there is more than one interpretation of the encrypted data. What deniable crypto means in the Rubberhose context is this: if someone grabs your Rubberhose-encrypted hard drive, he or she will know there is encrypted material on it, but not how much -- thus allowing you to hide the existence of some of your data.

Re:Have a look at Rubberhose

[multipartmixed]

> Rubberhose (Pronounced Marutukku)

How did I know this was going to be a link to open-source software?!!

No, you ALL miss the point.

[Doctor+O]

No, you ALL miss the point. How are you going to explain having a HDD or partition full of "garbage"? Nobody with half a brain will believe you there's nothing encrypted in the noise.

(Yeah, an entropy file would be easy to explain, but entropy files usually don't come in sizes big enough to hide data in, PLUS, who apart from us here understands what an entropy file is? A judge sure doesn't.)

Steganography, OTOH, would be very useful. I have around 50 GB of family photos on my machine, that would make for a nice data storage.

Re:No, you ALL miss the point.

[HeronBlademaster]

No, you ALL miss the point. How are you going to explain having a HDD or partition full of "garbage"? Nobody with half a brain will believe you there's nothing encrypted in the noise.

You tell them you just visited your cousin Jim, who had an old hard drive he didn't want anymore, and you needed a spare so he gave it to you, but not before he ran "dd if=/dev/urandom of=/dev/sda1" because he didn't want you having his old tax documents. All you've done with it since is install the OS...

Re:No, you ALL miss the point.

[cetialphav]

You tell them you just visited your cousin Jim, who had an old hard drive he didn't want anymore, and you needed a spare so he gave it to you, but not before he ran "dd if=/dev/urandom of=/dev/sda1" because he didn't want you having his old tax documents.

And now you have just fallen victim to a classic interrogation technique. They have just gotten you to tell a story that then can investigate and determine its credibility. They will talk to your cousin Jim; they will look for signs of an OS installation at the date and time you said. They then ask more follow up questions (for which they already know the true answer) to get you to dig a bigger grave for yourself. Then they show you that they know you are lying and inform you of the penalty for that crime and offer you a "deal" to tell the truth.

The fact is that when you are dealing with good interrogators, you cannot lie your way out of it. If you have a huge file full of random data, that is suspicious and there is nothing you can say to change that. The whole point of steganography is to hide the data in something innocent so that no one ever asks you anything. The goal is to blend in and give them no reason to give you a second though.

Re:No, you ALL miss the point.

[pipedwho]

You tell them you just visited your cousin Jim, who had an old hard drive he didn't want anymore, and you needed a spare so he gave it to you, but not before he ran "dd if=/dev/urandom of=/dev/sda1" because he didn't want you having his old tax documents. All you've done with it since is install the OS...

...and a copy of Truecrypt into Program Files.

Re:No, you ALL miss the point.

[HeronBlademaster]

Well of course you would want to *have* a cousin Jim who is willing to say he had given you a spare hard drive. Or replace "cousin Jim" with "friend Steve" or whoever. It's not *that* hard. Heck you could even *get* your cousin/friend to give you an old hard drive, so that what he tells the police is true!

As for the "signs of an OS installation", that's easy... say you haven't gotten home yet so it's still just /dev/urandom output, as you didn't have your OS installation media with you.

Re:No, you ALL miss the point.

[Whiternoise]

No, you ALL miss the point. How are you going to explain having a HDD or partition full of "garbage"? Nobody with half a brain will believe you there's nothing encrypted in the noise.

Both Mac and I presume Linux both have options within the operating system to overwrite free space with random data. I have my Empty Trash settings in OS X set to secure erase things when I delete them. One would presume this is filling up the empty space on my drive with random data. Windows as far as I'm aware does not have this facility (at least it's not as well publicised) although there are plenty of free applications that will clean up your free space with Gutmann passes, etc.

Were I to be questioned about it, I could provide a believable and - for now - truthful alibi. I don't do it because I have anything to hide, but every now and again I blam the free space on my disk just to make sure there's no personal information (I've needed to make scans of my passport and other ID documents which I no longer require, for instance) that can be recovered in the event that I sell the laptop or it gets stolen.

To sum up, it's plausible to have random data on your hard drive and it's perfectly deniable. What would be suspicious is a file on its own that appears to contain only random data.

I was under the impression that plausible deniability involved encrypting something twice, providing the password to unlock the first layer and having a hidden layer underneath that you could keep secret, assuming that your interrogators would not think that you'd hidden more. Naturally the problem with this is that you'd need to have something pretty damn good in the first layer to provide the illusion that there was nothing else.

As for steganography, the key is storing the data in plain sight, is it not? So you would need to store the data in such a way that even if your attacker can open your JPEG and analyse its binary "code" form, it is not possible to determine that there is hidden data there.

The trouble with storing random data is that it needs to be statistically random. Consider the most basic, a substitution cipher. It is easy to attack since the frequency of letters such as E or S occur often within the English language and you can perform a frequency attack on it to try to break it. More advanced encryption methods try to mask this and also to attempt to mask any patterns that may occur during the encryption process. The last thing you want is for someone to be able to run your file through some code that has been trained (say using a neural net or another machine learning method) to identify patterns present in data encrypted using your encryption algorithm. Programs like TrueCrypt have been designed specifically to address this problem and attempt to minimise traces of the encryption algorithm itself (like not leaving behind headers, for instance).

If I had to hide anything, I would just encrypt it and stash it inside some program's DLL directory (install the program at the same time you encrypt the data to avoid obvious time differences). If it's an obscure application like an old game, who's to argue that that file shouldn't be there? Hell, use your steganography technique and hide your data inside a game save file - at worst you'll try to open it and it'll appear corrupt in the game - at best you could be sneaky and store your secret data within the game's world somehow.

Re:No, you ALL miss the point.

[wvmarle]

who apart from us here understands what an entropy file is? A judge sure doesn't.)

That's where expert witnesses are for. To explain this and the many many many other things a judge doesn't understand. There is way too much going on in this world for a single person to understand.

And I think many judges will accept an expert witness' statement without personal understanding of the tech/science behind it: 'expert witness says "it could be an entropy file" so it could be an entropy file instead of encrypted data'.

Re:No, you ALL miss the point.

[Eivind]

That's why you use two internal containers. The question is, why reimplement this ? It's been donw (well!) again and again, and frankly, if the original poster does not know the answer to these kinds of questions, he's not the right guy to do it.

What you do is, you have a partition full of what seems like random noise. If someone gets access to it, no problem, since the data there is encrypted, they get nothing.

If they get access *and* are in a position to force your compliance, you fret some, and then reluctantly say; "Yeah well, actually it's encrypted, you can read it by using this passphrase: 'superS333kr1t'.

When they do, they found you told the truth. The 100GB random-noise partition, contains an encrypted filesystem which has 60 GB of private files, some modestly embarassing (say some porn, or nudiepics of the girlfriend), but nothing of serious consequence.

Now, there's 40GB worth of free space on this device, free space that's filled with seemingly-random noise. Except, it's possible that a second secret password, if used to decrypt the free space, would yield a second encrypted filesystem, with much more sensitive data, data you could get in real trouble for.

"plausible deniability" is maintained, if there is absolutely no way for the attackers to know if there's just -one- encrypted filesystem, with some free space -- or if there's really 2, one on top, and anothe hidden in the free unused space of number 1.

It's the same idea as carrying a bit of cash in your wallet, if you're having a larger sum of cash hidden on you. The hope is that -if- you're robbed, the assaulter will let you be after you reluctantly hand over the wallet, with the $170 in it.

No, it's not 100% foolproof, it's possible they'll continue to beat you until you hand over password 2, on the off chance that password 2 even exists. The existence of encrypted-container 1, also serves to explain why there's decryption-software on the machine, which would be a lot harder to do if you claimed "that's just random noise".

TrueCrypt and other data-protection-software has been doing this for decades.

Re:No, you ALL miss the point.

[ArsenneLupin]

Solution:

If you plan to set up an encrypted "random" area, buy a used hard drive at a flea market. When interrogated answer truthfully that you bought the drive at a flea market, but you didn't ask the seller's name, don't remember the specifics. Done.

Re:No, you ALL miss the point.

[TheVelvetFlamebait]

The goal is to blend in and give them no reason to give you a second though.

Your typo almost pulled the same trick on me. ;)

Re:No, you ALL miss the point.

[sco08y]

Well of course you would want to *have* a cousin Jim who is willing to say he had given you a spare hard drive. Or replace "cousin Jim" with "friend Steve" or whoever. It's not *that* hard.

And you're going to rehearse the stories together? Now you're conspiring, so you've added another charge. And there are more points of failure, as all your stories have to match, which they won't.

Re:No, you ALL miss the point.

Agree
If you have something suspicious, it will not be easy to hide.
If you have a HD with 80Gs of random data, that would obviously raise concerns.
If you want to have an encrypted volume it should be a sparse one, that takes the unclaimed space from other files. I.e. the unused bytes from innocent looking files that do not match the HD format cluster size.

I dare you to write a hidden FS, thus plausible deniability, from the waste space of host FS, and keep it protected.

Re:No, you ALL miss the point.

[meloneg]

There is way too much going on in this world for a single person to understand.

I'm working on it though. Or at least the interesting parts. And with my rampant ADD, that's a pretty broad brush.

You presume everyone can or will go that far

[Sycraft-fu]

Please remember that encrypting data isn't only to protect it from authoritarian governments. It isn't even to protect it from governments at all. There are plenty of other reasons to encrypt your data. We encrypt things to work to keep it safe and private, but not from the government. If they show up with a subpoena, I'll decrypt whatever they need. However they aren't the ones we are worried about. We are worried about hackers and the like. I'm not very worried about a hacker, even a determined one, trying to come and hit me on the head. Crossing in to the physical exposes you to a lot of risks. While I personally might not be a threat to them, the campus police and city SWAT would be, and they'd come when called for that.

In regards to that, there are plenty of legit questions, like can they identify encrypted data, or an encrypted stream or not? Lets say we toss some HDDs. Some are DBAN'd. Others got missed, but are encrypted. Can they tell which is which? If so they can focus their efforts. If not, they will waste a lot of time on dead ends.

It is a legit question, even ignoring governments.

Sometimes.

[jd]

In principle, it should be impossible to tell the difference between encrypted data and a random oracle. In practice, many encryption algorithms leave tell-tale signs. (Suggest taking a look at the 2DEM encryption mode paper on the NIST website for an example.) One-Time Pads, if the encryption key is truly random, are guaranteed to yield data that is indistinguishable from random, but that is the only time you have a guarantee of that.

Modern cryptography is divided over the issue, but my understanding is that if you heavily compress data first and then encrypt it, you will get something much closer to the "ideal" of appearing random.

In steganography, the problem is slightly different. Image data isn't truly random. You can analyze the level of randomness and see if that level is within the bounds you would expect to find in an image. Your problem, then, is not to produce something that looks like a random oracle, but rather to produce something that looks like a natural oracle. I would imagine you could space the encrypted data out a bit and inject garbage that artificially kept the level of randomness within the bounds you would expect to find in an image. Do a bit of interpolation, come up with something that would make some sort of sense if it were all natural image data. Remember, the analysis will be done by computers and computers won't look at the aesthetics or the plausibility of the image, they'll only be looking for whether some algorithmically-defined metric falls inside or outside some given bounds. Algorithms are great for "what" questions, not so good for "why" questions.

Stop right there!

[jlebar]

If you need to ask this question, you shouldn't be developing a crypto tool. Seriously, don't.

There are a million ways to get something like this wrong. Doing it right requires deep domain knowledge, which it seems you don't have.

(To answer the question, the definition of a secure encryption function E(k, m) is that, when k is random, E(k, m) is indistinguishable from random. If you believe that AES CBC mode is secure, then you believe that an attacker can't distinguish AES-encrypted text from random text.)

here is a super simple solution and answer

[soybean]

It's very possible that either or both of your random number generator or AES has some artifacts that make them stand out. Even if you can't find anyone with such knowledge, you shouldn't be too sure that they don't exist. So, just do this:

Run your random number generator numbers through your AES encryption to create your "random" blocks. The encrypted real data and the encrypted random data will be absolutely indistinguishable.

Re:Well

[swillden]

DES is nowadays considered a weaker algorithm

DES is considered too weak for many uses due to its small key size.

Nonetheless, if you can find a way to reliably distinguish DES output from random bits, without knowledge of the key and with remotely-practical efficiency, you can publish a paper that will gain you substantial name recognition among the world's cryptographic elite.

Assume encrypted until proven otherwise

[petes_PoV]

Such is the level of paranoia (and unrestrained power) that our wonderful security services have, I think they would assume any large block of "garbage" would be encrypted data - no matter what you claim or deny. So, once you're bangind up in "holding" on the basis that your PC contains encrypted data, but you're being uncooperative by not supplying the password - what would be your approach?

Merely saying "it's not an encrypted dataset, it's just random numbers" cuts no ice, simply because Occam's razor kicks in. Which is more likely- some *suspicious" guy has a 100MB encrypted file or he's just created a 100MB of randon noise just for the hell of it?

You will rapidly discover that all this "innocent until proven guilty" nonsense is merely the stuff of TV drama and that in the real world the burden of proof will be in your lap. The reason is that the security people (and any jury, if it came to that) would all assume that the data is encrypted. So you're left with the philosophical knot of proving that your data is not encrypted and the only way to do that is to exhaustively demonstrate that no key will decrypt it.

Good luck with that!

The answer is no

[luis_a_espinal]

If I give someone one file containing random data and another containing data encrypted with AES, will he be able to tell which is which?"

The answer is no, sort of. With a properly chosen key, and a sufficiently strong (read "good") encryption algorithm, it should not be possible to distinguish random data from encrypted data. Obviously, there are caveats to this, but in general, it should not be case.

The reason for this is that in a true random (or near random) stream (or block) of data, the following two conditions hold (or should hold):

1. the symbols in the datum have uniform distribution, meaning, they are equally likely to occur at any position in the stream. 2. the probability of a symbol appearing at a position X in the stream is an event independent of all symbol have have occurred prior to X. That is, a random stream has maximal information capacity (or entropy), according to Shannon's theory of information. It is impossible to predict what value will occur at a given location in the stream by analyzing the values that have occurred before (which is how you search for patterns.)

A properly secured encryption algorithm (with a suitable key and conditions) attempts - via substitution and permutation - reduce the statistics of a plain text down to symbols exhibiting uniform or near uniform distribution. Once you do that, then the statistics characteristics of the plain text (which is what you use for pattern searching) are no longer there. The information is unrecoverable, maximum entropy, maximum information potential.

You would need the original key (and original conditions) to reverse the uniform distribution of the ciphertext symbols

Without the key, then it is impossible to find patterns on the ciphertext without knowing something about the plain text, or a sample ciphertext other than the ciphertext you are trying to attack. There are attack vectors than can be used, but then this is no longer about trying to distinguish patterns in the ciphertext, but reversing (usually by brute force) the encryption process.

The reliability of an encryption algorithm is inversely proportional to the number of potentially recognizable patterns that remain in the ciphertext. With AES, the answer to your question should be no.

Having said that, experiment, play with it. Just don't use it in real-world products, though :)

Use the right primitive

[pehrs]

Technically it's possible to do what you want to do, but to avoid leaking information and get good performance you have to use non-trivial cipher modes. I suggest you have a look at the documentation for TrueCrypt, which covers most of the mathematics:

http://www.truecrypt.org/docs/

The problems you are likely to run into are related to the handling of identical data in several files. A naive implementation will leak a lot of information.

Protecting it will give it away

[Jaime2]

The steganographic payload has to be protected from damage. If it's randomly scattered on a partition, it has to be marked as used blocks, or it will get overwritten by the OS. If it's not part of a partition at all, then it's immediately suspect. So, it has to be embedded in a file. Same issue here -- the data has to make sense in terms of the file format. Some image formats like TIFF have internal pointers that allow you to make unused areas, but it's painfully easy to read the header and find that you did this.

The only time it really works is when you have a single, unchanging payload. Stick it in a carefully crafted payload and go on you way. But data that regularly gets used can't easily be hidden.

Re:Obvious solution

[CarpetShark]

Result: It shouldn't be possible to tell...

Unless someone looks at his plaintext shell history that is.

Re:Well

[nospam007]

There is no file with random data.
Why would one want to create a file with random data?
The point of creating a file is that it ain't random data what you are saving, otherwise you wouldn't save it.

Re:Well

[icebike]

If you are talking about an encrypted block of storage in an otherwise intelligible file it will be patently obvious that there is something there that is not like the rest of the file.

However if you had an encrypted block of storage in an file that was itself stored encrypted you might be able to plausibly deny the existence of the secret block.

Lets assume you had an encrypted item, movie, book, etc. Call this the innocuous payload.

Embedded in that you add a secret payload encrypted with a totally different key.

You might be able to develop an encryption system that simply ignored these blocks, and decrypted the innocuous payload when the provided the key. Pass it off as your DRM mechanism. Provide the key to the innocuous payload when pressed to do so.

If the secret payload was small relative to the innocuous payload, and perhaps scattered, most investigators would simply assume its encryption padding and ignore it once they decrypted the innocuous payload.

The secret portion would look largely similar to the innocuous portion in its encrypted form.

Two words

[almightyons]

Information entropy. In other words, yes.

Re:perhaps...

[icebike]

I think this is the software version of the ADE 651 http://en.wikipedia.org/wiki/ADE_65.

Your link seems only weakly encrypted to me.

Did you mean: http://en.wikipedia.org/wiki/ADE_651 ??

Re:Unfoilable Steganography in LSB Plane of Imager

[John_Sauter]

Steganographic attempts are considered foiled if someone can detect that there is a secret message, they don't need to be able to retrieve the message in order for the attempt to be considered a failure. I did my Master's project on hiding data in the least significant bitplane of imagery. The trick is to "randomly" scatter your secret message throughout this plane. I showed methods that would allow you to do this so that the data was indistinguishable. You should always encrypt your secret message first so that it looks random, or better yet, shape the statistics of your encoded message to match the noise characteristics that were in the original LSB plane. If you use an image created from a very noisy source, such as a digital camera, and you encrypt the embedded message and scatter it using a reversible algorithm, and iteratively ensure that the statistics of the altered LSB plane look the same as the original LSB plane, I proved that it is not possible for someone to tell that there is a secret message hidden there. However, you need to be careful to use an original image you created yourself, and to destroy the original, because if someone ever compared the original to the one with the embedded message, they could definitely tell there was something altered by comparing the LSB planes.

Would you be kind enough to provide Slashdot readers with a pointer to your master's thesis? I would like to experiment with this.

group effort can provide plausible deniability

[John_Sauter]

If you find a file on my hard drive with data you can't readily decode, is it:

A) Compressed with an unknown compressor
B) Encrypted with an unknown encryptor
C) Random bytes used for an encryption process
D) Random bytes used for something else

I can't prove that answer D is wrong... but I don't have to because I know that 99% of the time, it's one of the other answers.....

OK, let's, as a community, add an (E). Everyone create a file on your laptop, in your home directory, named random.bin, as follows:

dd if=/dev/urandom of=random.bin bs=4096 count=10000

The actual value of the count isn't important, as long as it is large enough to create lots of random bits. If lots of people do this, we have “(E) Random bytes because Slashdot told me to”, providing plausible deniability for anyone who needs to use that file to encrypt something important.

Beware of watermarking attacks.

[DamnStupidElf]

With cryptsetup, make sure you use essiv:sha256 or AES LRW. There are watermarking attacks against the earlier versions of AES-CBC with unprotected block-based IVs used by cryptsetup and truecrypt.

Re:Well

[Omnifarious]

Nonetheless, if you can find a way to reliably distinguish DES output from random bits, without knowledge of the key and with remotely-practical efficiency, you can publish a paper that will gain you substantial name recognition among the world's cryptographic elite.

If you have enough DES output you can do this. Someone already mentioned that if you use a strong cipher, even AES-256 in ECB (electronic codebook mode) then the output is nearly trivially distinguishable because repeated plaintext patterns of the size of the block the block cipher algorithm uses will encrypt to identical ciphertexts.

Even if you use CTR mode or CBC mode, patterns in the plaintext show up in the output if you encrypt enough data.

For example, if you by chance end up with the same ciphertext output block in CBC mode you can obtain the XOR of the corresponding plaintext blocks by XORing the two immediately preceeding ciphertext blocks. If you encrypt enough blocks, the laws of statistics favor two blocks ending up being identical by chance. And this XOR equality allows you to determine if the data is encrypted because it's generally relatively easy to tell if the XOR is the result of XORing two pieces of unecrypted data.

CTR mode has a different sort of relationship that can be exploited. You know that the XOR of any two ciphertext blocks is not equal to the XOR of the corresponding two plaintext blocks. This can eventually leak information about the plaintext with enough blocks to work with. But using the inequality to determine if the bunch of data is truly random or encrypted data takes a lot fewer blocks.

And, of course, if your blocks are larger you need many more of them for the statistics to work out in your favor for attacking the cipher. This is why block ciphers should be re-keyed periodically when encrypting a lot of data. It's also why it's much easier to write a distinguisher for DES (64-bit blocks) than AES (128-bit blocks) that distinguishes between encrypted and random data.

A tool claims to be able to but the claim is bogus

[Kayret]

In Q2 2009, a company called Forensic Innovations, Inc. claimed to be able to distinguish random data from TrueCrypt containers. See http://www.forensicinnovations.com/blog/?p=7 However, I downloaded their tool (Version 2.23 of File Investigator TOOLS) and it identified truly random data as a truecrypt container... In fact it identified any container of truly random data bigger than a certain size as encrypted data. Therefore, their $249 tool (or this particular version at least), which claims to "Detects Encrypted Files, including TrueCrypt" is not performing as advertized. Try it for yourself.

State of the art: Impossible without the key

[gweihir]

This is in fact a major design principle for modern ciphers, so forget it.

Re:Well

[Jahava]

DES is nowadays considered a weaker algorithm

DES is considered too weak for many uses due to its small key size.

Nonetheless, if you can find a way to reliably distinguish DES output from random bits, without knowledge of the key and with remotely-practical efficiency, you can publish a paper that will gain you substantial name recognition among the world's cryptographic elite.

Agreed, but his point is well-taken regarding the identical encryption of duplicate blocks and the need for a rotating key schedule.

Re:Random bytes are incriminating themselves

[Courageous]

One could buy a random wiping program and use it regularly; perhaps by a scheduled task.

Later, when asked what all the random data is, one points to the random wiper.

C//

Re:Well

[selven]

What if the encryption algorithm, or at least an implementation, inserts some kind of headers or other marking so that anyone can tell that it's not random data? Can any actual security experts chime in, does anything like this ever happen or is an encrypted file just pure encrypted bits start to finish?

Re:Random bytes are incriminating themselves

[selven]

Then hide it in secret conspiracy information.

Encypted = random

[emt377]

A cipher is basically just a random sequence generator seeded with the key and an initialization vector (so the same key can generate different sequences), so the answer is no; you can't differentiate a data stream that has been XORed with a random sequence, from a random sequence. In practice though, if you see a random sequence it's a safe bet that it's either encrypted or a decoy. In some cases you can detect handshakes and key/iv exchanges (like diffie-hellman).

Re:Well

[lgw]

As far as I know finding patterns in the output is tightly linked to reducing the number of possible keys, so good encryption algorithms should not create patterns.

And that's the fundamental problem. It's hard to have a convincing explantion for random data on your hard drive. Steganography tneds to work with the "noise bits" in images or music, but those bits normally create patterns, so you can distinguish cryptography. It's possible to produce crypto tuned specifically to the bit distributions in whatever you're using to mask your payload, but it's a hard problem by crypto standards (which is saying something).

I'm sure the NSA can do it. I'm sure I don't trust anyone else to. I'm also sure I'm going to get in trouble one of these days, because I wipe drives with TrueCrypt before I use them (even unencrypted), as a handy way of seeing if the drive is going to fail early on me, and there's no way I could ever convince someone that my unencrypted drive really isn't hiding anything in those unused areas filled with "random" bits.

Re:It's all about entropy -- but you can fix that!

[louarnkoz]

Encrypted files have maximum entropy, just like absolutely random files. Basically, you can't tell which one is which. However, absolute random noise on a disk isn't all that usual, so any encrypted file (or pure random file) will stand like a sore thumb: it will be highly visible. But, again, you can't tell the difference.

Absolutely correct. Any "investigator" who finds a pure random file will immediately suppose that it contains encrypted data. I mean, what else? Compressed files are not random, and there is no real good reason to store gobs of random data on a disk. OK, maybe you can come with a good reason, such as doing research on random numbers, but that will be highly suspicious.

On the other hand, it is possible to systematically add entropy to a file. One very simple way may be to consider the random bits as codes in a variable length alphabet, much like a Huffman code. You can then "decompress" the random file using the variable length code. Voila, a larger file with the desired entropy/redundancy. It will look like binary data, not encrypted data.

Use a random number testing suite

We've discussed this on MetaOptimize.

Short answer: Download an empirical testing script like dieharder, and see if the encrypted output looks "random" under this battery of tests.

On The Practical Side

[BoRegardless]

What happens if you use the old "torn sheet of paper" routine?

Each drive or device moving from A to B goes with a different courier/ISP/method and no "piece" contains enough information to be identifiable or usable.

All the pieces need to arrive at the destination to be able to be re-constructed back into usable form.

Any time you send a complete message in one burp, one hard drive or one CD or one image, there is a chance for decryption by any number of accidents or threat of death to all your family members one person at a time while you watch.

No encryption was used in the creation of this message...thus I have deniability.

Re:On The Practical Side

[wvmarle]

Shouldn't be too hard. Two pieces is probably enough.

Take your data, compress it in a single file, then break it in two: the odd bytes in file1, the even bytes in file2.

I don't think it's practically possible to decompress any information from file1 without access to file2.

Re:On The Practical Side

[mikeee]

No, no, no. For this, use a one-time pad.

What you do is this:

Take your file (A). Generate a block of high-entropy random data (B).

Now generate (A xor B), and throw away A. You now have two random files, B and (A xor B), and B xor (A xor B) will give you A again.

A cute variant: instead of generating a really random B, use pseudo-random data generated from a known key (mp3 rip of some song of a particular version of a CD, gzip of linux kernel source), and don't even keep B with you; regenerate it on the other side. There are lots of ways to screw this trick up, though, so consult a cryptographer.

You could use more than 2 files if you want, the idea is basically the same.

calculate randomness

[Fuzzums]

as far as I know you can calculate the randomness of a sequence of 0's and 1's.
it has to do with the distribution of the length of strings with the same value.

taking the true crypt model as example (hidden partition in encrypted partition) the hidden encrypted part hidden, it should at least be indistinguishable from the not hidden encrypted part, so they should be equally random. also unused space in both partitions should have the same amount of randomness as the used space.

Re:Well

[LambdaWolf]

Of course if your encryption software writes some kind of header - which wouldn't affect the security of the encrypted contents - then it will be obvious to anyone looking that you have an encrypted container. So this is 99% about implementation and 1% about encryption algorithms.

TrueCrypt implements a headerless encryption protocol for just this reason. Its ciphertext files should be indistinguishable from a sequence of random bytes. So all you have to do is hide those bytes steganographically, or have a plausible excuse for sending/storing a bunch of random bytes.

you're famous!

[Lord+Ender]

If you can distinguish encrypted data from random noise without knowing the encryption key, you've found a weakness in the encryption algorithm! That doesn't happen too often these days. I'm sure the job offers will be lining up once you publish.

Re:you're famous!

[hoytak]

As in http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.19.7206?

Advanced steganography

[reiisi]

Advanced steganography is indistinguishable from propoganda.

try it and see.

[reiisi]

nt;

Yes and Probably

[DynaSoar]

I've used recurrence plot analysis and surrogate data testing for this. Both are more suited to time series analysis, but can be used with any data. In principle these examine compressibility, and any form of compression could be adapted and give you a yes/no), but these give you meaningful statistical analyses (if yes, then how much). Be aware that your random isn't rally, and so will give you a non-zero result. But you'll get very close to the same very small result, whereas with surrogate it'll be different and some data set will acutually improve with scrambling. But you should bw ablew to trell yes/no ns how diferent dfrom random

Don't reinvent the wheel (it won't work if you do)

In cryptography, reinventing the wheel is very bad - you usually end up with something that's broken in a way that isn't at all obvious. It's better to go with something that's been peer reviewed. In this case, the product you're looking for is TrueCrypt. TrueCrypt volumes look like random data, and you can have multiple encrypted volumes inside the same container. Each volume has either random data in its free space, or another volume that looks like random data in there. So you make one or more decoy volumes with your tax/banking information, non-incriminating diary, etc, and then put the thing you're really trying to hide in another volume. Since resizing TrueCrypt volumes is very inconvenient, you have a plausible reason for making it too big.

Also note that regardless of how well hidden your steganographic data is, the fact that you have steganography software installed (which you can't effectively hide if you want to use it) is enough to damn you if you're trying to make it look like you don't have any encrypted data.

Re:Unfoilable Steganography in LSB Plane of Imager

[sugarmotor]

Sounds good!

What's the ratio of jpeg file size to how many encrypted payload?

Or, the other way around, to encrypt+hide 1 MB how many
MB of jpegs would be needed?

(I am guessing that you are saying the ratio is less than 1 to 8)

Also did you look at audio files?

Stephan

YOU miss the point...

[RichiH]

Why does OP talk of offsets? Because he wants to hide more than one partition! Give up two to police in a pinch. Is there a third? They can't know...

Re:YOU miss the point...

[Doctor+O]

Oh, come on. There's 80 GB of garbage, you give them the key to one partition, they look at the file sizes of stuff in there and go "And how about the rest? You could store about 80 GB in there and we've only got the key to 20 of them."

Don't assume people are stupid. If the suspected crime is bad enough, they will look closely.

Re:YOU miss the point...

[RichiH]

Can they prove it? No.

The point of plusible deniability ( http://en.wikipedia.org/wiki/Plausible_deniability ) is that you can plusibly deny havingmore data on it.

Obviously, they will try real hard to get at whatever is in there. And obviously, if you decide that you will give up all keys and offsets because they will kill your family if they don't and they _still_ think you are hiding stuff.... Tough luck. But that is what OP wants, downsides and all.

Re:YOU miss the point...

[RichiH]

Can they prove it? No.

The point of plausible deniability is that you can plausibly deny having more data on that disk.

Obviously, they will try real hard to get at whatever might be in there. And obviously, if you decide that it's in your best interest to give up all keys and offsets because they will kill your family if you don't and they _still_ think you are hiding stuff.... Tough luck. But that is what OP wants, downsides and all.

Re:YOU miss the point...

[AigariusDebian]

You fill the whole hard drive with garbage - all 1 Tb of the drive is completely random. No you create 20 encrypted partitions on that drive: with no headers, no partition table, random offsets, semirandom size, the random partitions take up barely 700 Gb all together. 2-3 partitions are designated decoys - they are large and contain ebarassing and private data, but nothing criminally incriminating or trully secret. If you are ever questioned you (after much negotiation) give the offsets, algorythms and passwords to the decoy partitions and say that the rest of the drive is just random noise you made to hide these 3 partitions. Disk space is cheap you did not need so much yet and you planned to use more of it later as needed.

The question is if NSA can tell or prove that there is more decryptable information on that drive besides the parts that you already told them about?

For the laptop at the border scenario

wouldn't it be more useful to mod your laptop so it's got two drives, the goodies being on the drive that only becomes accessible when you put the little magnet in the right place to energize the reed relay that powers up the dark drive? No seeum drive in directory, no drive there, Kemo Sabe.

Re:For the laptop at the border scenario

[Kaenneth]

I was thinking of modifying drive firmware to ignore a platter or two.

Plausability

[shish]

is it possible to prove there is encrypted data where you claim there's not?

prove 100%, no; prove beyond reasonable doubt, sure -- unless you happen to be really good at convincing juries that carrying around a hard drive full of noise is common practice

Would you recommend counter mode?

[tepples]

If you use AES in ECB mode, then the answer is that it's usually painfully obvious that the original data was structured.

If you do use chaining (CBC, or something similar), then it will look quite random.

Is there painfully obvious structure in data encrypted with AES in a counter mode, where the key is some function of the IV and the offset? Counter mode is easier to parallelize across multiple cores than chaining modes.

Re:Would you recommend counter mode?

[butlerm]

Counter mode is clearly far superior to ECB mode. But if you are really worried, and want multi-core scalability you might break up the input into parallel streams and then run a something like AES in chaining mode on each one independently...

You are not qualified if you need to ask here

[khchung]

Cryptography is hard, very hard, to get right. If you don't know if you can distinguish random data vs encrypted data, then either (1) you are an crypto expert and this is an unsolved question like P=NP, or (2) you know very little about crypto.

Well, since you are asking HERE, my bet is (2) is the actual situation.

So my answer to you would be: STOP, don't write this program. You are not qualified, and anyone using your program (including yourself) will be given a false sense of security which may end up worse than knowing your data is not hidden.

If you insist on proceeding, then first plan a couple years of self education before you start. And /. is NOT the place to begin.

You're missing the point

[nhtshot]

The op wants to know if the output is distinguishable from random garbage. He doesn't ask about the difficulty of decrypting.

One of the goals of most crypto systems is to generate output that approaches random garbage.

The question isn't whether the file with the AES'd data can be decoded, it's whether a third party can detect which file is which. To that end, I would say the odds are fairly low. Especially if the OP is embedding the encrypted data inside a block of noise.

The GP is dead on, AES was designed with exactly this in mind.

Re:It's all about entropy -- but you can fix that!

[Rockoon]

Your arguments about compression arent precisely true. Its true for archives but not true for a wide array of todays general purpose compression algorithms that use high order arithmetic encoding, and are bijective.

The bijective class of compressors are ones where any arbitrary stream is a valid input for the decompressor.

If you think that you can find entropy that isnt squeezed out of text with algorithms like PAQ, then you can also eliminate it and improve PAQ and win some cash offered by the Hutter prize. We are talking about algorithms that compress English text to about 1 bit per character for large inputs.

Re:Well

[shrtcircuit]

Also consider the entropy of your "random" data. The encrypted data could be distinguishable by being *too* random compared to other samples which maintain some sort of detectable pattern or base. Random usually isn't with respect to computers (hard to guess or predict != random), and folks go to great length to make it as unpredictable as possible when it counts the most. If an encryption algorithm, which is by design patternless, is compared to a bunch of randomly inserted data, it's possible that it could be detected by as much of what it isn't as what it is.

I think you'd be better off inserting random data which has been encrypted by the same routine and key size. If it's a good, patternless method, you will end up with many samples of data only one of which is useful. Anyone not knowing the offset of the target data could waste a bunch of time trying to get into the other pieces.

Re:Well

[user32.ExitWindowsEx]

Why not do a couple passes of pure 0s after the random wiping? Clears out the random bits and gives you an additional load test.

Re:Unfoilable Steganography in LSB Plane of Imager

[electrosoccertux]

Steganographic attempts are considered foiled if someone can detect that there is a secret message, they don't need to be able to retrieve the message in order for the attempt to be considered a failure. I did my Master's project on hiding data in the least significant bitplane of imagery. The trick is to "randomly" scatter your secret message throughout this plane. I showed methods that would allow you to do this so that the data was indistinguishable. You should always encrypt your secret message first so that it looks random, or better yet, shape the statistics of your encoded message to match the noise characteristics that were in the original LSB plane. If you use an image created from a very noisy source, such as a digital camera, and you encrypt the embedded message and scatter it using a reversible algorithm, and iteratively ensure that the statistics of the altered LSB plane look the same as the original LSB plane, I proved that it is not possible for someone to tell that there is a secret message hidden there. However, you need to be careful to use an original image you created yourself, and to destroy the original, because if someone ever compared the original to the one with the embedded message, they could definitely tell there was something altered by comparing the LSB planes.

That's a fascinating idea.

Lots of 1600 ISO images from your camera. Feed them into the software so it can analyze the noise characteristics for imitation later, then it loads the image into RAM, modifies them, and overwrites the old image on the harddrive.
Gotta love slashdot for posts like yours.

Re:Unfoilable Steganography in LSB Plane of Imager

[multipartmixed]

> Gotta love slashdot for posts like yours.

Yeah, uh, me too. Thanks masters dude.

Re:Well

[GrumblyStuff]

Red herrings. Don't make them on your computer. Spreading them via automated means would be another topic though.

Re:Well

[fluffy99]

You mean like http://www.truecrypt.org/ already does?

Classical music

[Jaxoreth]

The GP should record some LP, at 24 bits per sample, at 96 kSa/s, in stereo. It wouldn't be too unusual, especially if he picks a well known music. Classical music will be particularly good here.

How about this one? http://www.youtube.com/watch?v=Nz0b4STz1lo

Re:Classical music

[tftp]

How about this one?

You never want to be a smartass with border guards. Especially if you have something to hide.

You're answering the wrong question

[JoeBuck]

Useful data are not random. If it looks random, and you're devoting disk space to it, the investigator will assume that it is encrypted, or is key material for encryption (e.g. a one-time pad). Why else would you have lots of random data around?

Re:You're answering the wrong question

[melikamp]

But if it's a one time pad, then it doesn't make any sense to ask for decryption key, right? The pad is the decryption key. To nab you, a court would have to assume that not giving a key to a one time pad is illegal somehow. Then everyone in possession of a one time pad would be a criminal. Do you think that would fly in USA, for one?

Re:You're answering the wrong question

[Chrisq]

But if it's a one time pad, then it doesn't make any sense to ask for decryption key, right? The pad is the decryption key. To nab you, a court would have to assume that not giving a key to a one time pad is illegal somehow. Then everyone in possession of a one time pad would be a criminal. Do you think that would fly in USA, for one?

Of course you should probably have the false "one time pad" on some separate storage like a USB key, and have a "semi interesting" file on your computer actually xor encrypted with it. Then you can say "these are company confidential sales figures, and this is the key".

Slightly Off-Topic

[jshackney]

I ran across a website years ago where you could type in your plain text, e.g. "I mow the lawn every Thursday." and it would encrypt it to some other plain-language sentence or paragraph, e.g. "The merry-go-round is painted yellow with red stripes. Neighborhood children rake cans from the park."

Anybody know what this is called or where that website can be found?

Re:Encrypt the random data?

[md65536]

Or randomize the encrypted data...

Better cover story

[Thomas+Shaddack]

The hard drive may have been freshly bought off ebay (leave a record!) or a garage sale or a gift (make sure the person that provides you cover is willing to back your story and is beyond the legal reach of the goons from the country you are dealing with). A disk whose earlier life was being a part of encrypted RAID is fairly likely to look like random garbage. Alternatively, you can claim it is YOUR disk, which contained sensitive data and you did a complete DoD-grade wipe with /dev/random last pass before shipping. (Or, better, used a software that does it for you.) The best alternative would be modding the hard drive firmware to look like empty or so. If you have a clean room, you can disconnect the heads or simulate other kind of a failure, and claim the disk is faulty and goes for data recovery. Without a clean room, remove the circuitboard from the disk, cover the right contacts with insulating tape, and mount the board back; the disk will behave like not spinning up or having broken heads. A technician carrying a broken disk is a good "legend".

How about hiding it using the file metadata?

[hamster_nz]

In my iTunes collection I have many GB of audio and podcasts, and I assume that the first bytes of all the blocks would be different. If only I could just get the files to fragment in such a away that when reading the raw device the first character of each sector was the values I wanted... I could even use RC4 or some other stream cypher to generate block offsets, giving a password and further defying analysis. As long as I don't defrag the disk, my data is safely hidden in files that just look like files.

Just hope I don't need to update the data often, as read and write time would be rather shabby...

Different approach

[T+Murphy]

What if you had an encrypted partition with multiple passwords- each password decrypts different files from that partition. You could go even further and set it up to generate random files and passwords, along with some parts that are just random data that do not correspond to a password. If someone asks about the encrypted partition, you type in a password and the corresponding files come up with no indication there were more passwords. If the size of the files you showed them compared to the partition makes them suspicious enough (or some other indicator), you can use more passwords, but they would have no way to know whether you've used all your passwords. Of course they would realize your security is at paranoia-level, so if you explained the random passwords, you understandably would have no way to actually show them everything on the partition.

On the up-side, instead of trying to convince someone that encrypted partition is just random data, you actually decrypt stuff for them- plus with the random passwords they can't prove if you're lying. On the downside, you can never show them everything (unlike a 1-password system), so there is no "cut your losses" route. This leads to two questions: could this plausibly work, and how bad could it be for you should law enforcement ask to see what's on your computer?

Other encryption methods leave you dead in the water should someone figure out you've got encryption- by being out in the open it may be more dangerous (it always raises suspicion), but it possibly mitigates the damage that suspicion can do.

Give yourself a cookie

[Chrisq]

Give yourself a cookie. You've just invented steganography.

movie quote Contact: 18 hours of static

[Gunstick]

"What interests me is that it recorded approximately eighteen hours of static."
http://www.imdb.com/title/tt0118884/quotes?qt0379375

Truecrypt FTW

[grking]

Hasn't this whole subject already been addressed by Truecrypt?

Hey, it can't hurt to try.

[denzacar]

they probably won't bother to hit you with the wrench until you tell them.

That is - it won't hurt THEM.

And besides, a little preemptive beating with a wrench never did kill anyone.
Anyone doing the beating that is.

Re:Hey, it can't hurt to try.

[Eskarel]

That's true, but you really need to disappear someone either literally or metaphorically(by turning them into a terrorist or kiddy fiddler) so that the fact that you beat them with a wrench doesn't lose you votes.

It's not that you can't do that to an innocent person, but they can't do it to everyone or else there wouldn't be anyone left to pay taxes and the security officers would have to go do a real job for a living instead of beating up innocent people(not that this is all that security people do, but they wouldn't have much time for anything else in this theoretical world).

Now randomly pulling someone out of the crowd and making them into a terrorist/kiddy fiddler your brave officers arrested is good for morale, but they hardly need to decrypt your content to do that to you, so logically the only reason they would bother trying to beat your crypto password out of you is if there might be some actual value in it for them to do so.

Finding patterns in random data

[mhkohne]

OK, I wanted to try to find out if there were encrypted data at some offset in a chunk of random data, I'd start with Knuth's tests for randomness. I'd break the thing up into decent sized chunks (1 meg or so) and run a bunch of different randomness tests on each chunk and on the whole data set and see if any patterns emerge.

The thing is, even if the encrypted data looks pretty random, it's likely to look DIFFERENT than the surrounding random data.

The worse problem is that if you have someone who's asking you if there is encrypted data, and they find some bogus pattern in the random noise, then you've got a problem because you can't prove that there ISN'T any data there. If you are being prosecuted in a normal US court, you might get away with this (if they can't prove that you've got anything encrypted, it may be hard to hold you in contempt trying to get you to give up the keys), but if you fall under the sway of some intelligence agency that doesn't like the look of you, it's not likely that they'll just let you go because you claim there isn't any data.

Good encryption

[Revvv]

When you use full disk encryption only the crypt header reveals your using it. Using: cryptsetup luksDump /dev/device You can get the length of the header to make a backup: dd if=/dev/device of=./backupfile count=length Then you can overwrite it with: dd if=/dev/urandom of=/dev/device Now your disk cannot be recognized as encrypted, storing the cryptheader on a micro-SD card allows you to quickly eat it when necessary. You can also carry a very strong magnet Neodymium magnet, this allows you to wipe your harddrive in a second.

Can we make random data a standard feature?

[sco08y]

What if a few popular distros simply had, turned on by default, a low priority process that wrote random data to free blocks?

Then you've got a perfectly legitimate excuse for a drive full of random data. You really can't beat, "it's a security measure enabled by default on Debian," as excuses go.

if you're worried about borders

[alizard]

why bother with crypto on HDs? Simply do as many businesses do. Move your drive image to a server, wipe the drive, reinstall the base OS, and once you're at your destination, open an ssh channel to the server and rsync your data back to the drive. Of course, you might have to rent a colo for a day to get access to a pipe big enough to move that data in a reasonable length of time.

If ctypto use is illegal at your destination, what are you doing there?

Re:Well

[CarpetShark]

Did you save these in binary, no ascii formatting or line numbers? Negative numbers as well as positive, covering the entire range of bits in the integer (or other) length? I'm assuming they were integers, since floats have a specific format. Any sort of formatting would have constituted a non-random pattern.

Beat the Beatings: Have a fake parition...

[jlcooke]

Just as with your laptop. Create a fake login.

So when someone beats you with a phone book or a tirewrench, you can say "the login is jdoe, password 123!" and they'll login and see your not so important files. When actually your login is janedoe password abc.

Same applies with encrypted partitions in your setup. Have a partition A at index N and a partition B at index M. A,N is the fake one, complete with files recently modified (.bashrc and cron will help with that). And B,M is your normal secure parition.

Not so well

[thethibs]

In a moderately large file, it would be very suspicious if no two blocks were the same.

Remove the road signs....

[ibsteve2u]

You might encrypt and steg away, and then use a bit of software to remove the record of said file(s) from the fat/mft and mark those sectors as "bad". Email yourself the backup fat/mft, travel, and reverse the process at your destination.

Or you might (in a rush) encrypt and steg away on a partition, then mark the partition as unallocated while you go through security. Won't fool a reasonably competent computer tech, which is not going to be a problem in most countries but might be a risk in America, seeing as how we've offshored enough IT that your airport security grunts might just be very "technical", indeed.

Re:Unfoilable Steganography in LSB Plane of Imager

[batquux]

Couldn't you just establish a code using the content of the images? Something using the names or hair colors or whatnot of the subjects. Then just make a slideshow of family photos in a specific order and name it TOP SECRET MESSAGE.

You're solving the wrong problem

Don't worry about hiding the data - there are many ways of doing that. Worry about hiding the software that accesses it. The thing that gets most folks using steganography caught is the `investigator' finding steg. software on their machine. After that it's just a question of searching through each of the formats it does or threatening them with obstruction of justice / other crimes until they tell you what they used it for. Or, at least, that's what I learnt from the high tech crime squad...

Random is good!

[ResidentSourcerer]

By stuffing files with encrypted random data (indistinguishable from encrypted compromising data until decrypted) you dilute the the attempts of the Other Side.

Even with weak systems such as DES decryption without the key is enormously more time consuming than encryption.

If the Other Side requries a 10,000 core server farm to break 1 message a minute, and you can keep them busy by generating 1 false message a minute with a single core, and still have cpu cycles to spare, you are ahead of the game.

A second reason for encrypting random data: Thwart operational traffic analysis. A darknet that spends free cycles moving encrypted random chunks around makes it more difficult (impossble?) to figure out who is talking to who.

Hide it in plain sight

[jbeaupre]

How about killing two birds with one stone: Create a new picture file type. Call it jpeg-V (for verify). It would have to have a major feature making it worth widely adopting. As part of the spec, it would contain a 1024 byte random string. Heck, call it a unique identifier string to facilitate indexing.

But ...

There's nothing to prevent encrypted date from being buried in there. Maybe file pointers so pieces can be appended and also so you'd need both the password and the starting file.

Now just populate the web with billions of pictures, most perfectly innocent. A thousand photos, taking up around a GB or two or three, might hold a meg of encrypted data.

Now you're faced with just what the original question asks: can random and encrypted strings be indistiguishable.

probably

[grikdog]

From your description of what you think you're doing, the odds are fairly high that you're not implementing correctly. As a recursive proof, your question suggests doubt (a newbie would be done with the hack by now), your doubt suggests fear, your fear suggests potential wisdom, your potential suggests its own answer, your answer suggests you should listen to yourself.

Re:Well

[swillden]

Valid points, given very large volumes of ciphertext. VERY large volumes for ciphers with 128-bit block sizes. Large enough that the attacks are impractical, though theoretically possible.

Re:Unfoilable Steganography in LSB Plane of Imager

[ImprovOmega]

If he was stashing it in the LSB's then he was using uncompressed BMP most likely. The first thing JPEG throws out is the LSB's for lossy compression.

They don't follow laws.

[elucido]

If you have information that they want and it's encrypted, the laws no longer apply in situations like these. They'll covertly torture and drug you until you tell them some lies or tell them the truth.

Only governments can use encryption in real world

[elucido]

Only governments have the resources to protect Alice and Bob from Gordon. Basically only governments can use encryption, you can experiment with it to see how it works but you wont be able to practically use it and it doesn't matter what algorithm you choose because all algorithms are only as strong as Alice and Bob, and usually Alice and Bob are physically defenseless.

That depends, but even if they don't find out

[elucido]

They can torture you for the rest of your life whether they find out or not.

CTR mode

[pimproot]

Yes, XORing each plaintext block with an encrypted block index/counter would be enough to render the output theoretically indistinguishable from random data. This is "CTR" mode, and I'd be surprised if most hard drive encryption systems aren't using it.

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29

Use bijective compression

[advid.net]

Use a bijective compression program: output has no headers.

Use it several times, 4 pass.

Some include encryption.

See http://webcache.googleusercontent.com/search?q=cache:mw0S9v_ew1UJ:www3.sympatico.ca/mt0000/bicom/

I have a question?

[MooseTick]

Does anyone here actually use stenography for more than fun or school or some side project? Other than spy vs spy stuff I can't imagine using it on a regular basis.

To use it properly you would need to have your decryption software installed on a totally different computer, otherwise when they look for the secret encrypted stuff they will see your stego encryption/decryption software and be tipped off. Also, since you can't hide much data using stenography without tipping someone off it seems to be of limited use for nearly all real world applications. I particularly can't see a business or even a government using this to protect their data.

Don't get me wrong. It seems like a cool thing to do. So, if you are using it regularly for a reasonable purpose, what exactly is that?

Re:Well

[TheTrueScotsman]

If it's correctly written, it will be random. Any header required by the implementation should just be encrypted with the plaintext. There may be an initialization vector at the beginning (16 bytes with AES), but this will also be a pure random number.

Re:It's all about entropy - not quite

[plover]

No, they don't. That's the one flaw.

Hint. Take one of the unencrypted image formats - with a relatively simple image, encrypt everything but the image header - display.
You'll probably be able to tell what the image was.

Compressed encrypted files on the other hand are pretty close to maximum entropy.

My favorite demonstration of why ECB is almost always the wrong choice for block modes of operation, regardless of the algorithm, can be seen in the Tux series of pictures on this page. http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation It's a great picture to show people when they don't understand why "just encrypt the data" isn't secure enough, and why they need a competent cryptographer.

But for this discussion, notice that your eyes can not detect a pattern in the encrypted data, even though the source is an uncompressed BMP file.

Cool

[e838shopping]

I may agree with you,that really very important.