January 23, 2021

Zen and the Art of Breaking Security - Part II

  • By Razvan Peteanu
ven NP-complete, by means of molecular biology.

The idea is to map all nodes to DNA sequences, allow a chemo-biological reaction to happen so that more complex structures are formed, then extract the "winning" combination, of known length/weight, via magnetic separation, and analyze it so that the actual sequence is obtained. The key here is the massive parallelization of the combinatorial work that takes place when all DNA sequences are mixed up and shaken.

In fact, as noted in [3], this is a rare case in which the attacker and not the cryptographer is helped by the parallelization. The entire technique is useless to the creators of the message, who would encrypt the data much faster with existing software or DES chips. Molecular cryptanalysis is still an emerging field.

The techniques are still prone to errors, but here is yet another example in which security can be broken by taking a totally different approach from those considered by the designers of a mechanism. The strength of DES lies in being attackable only through brute force and, with classic computing, this takes a lot of time. Not necessarily so if we look at it with a "beginner's mind."

Traffic Analysis

Let us go back to the digital world now. In many of the examples above, we wrote about breaking an encrypted message or a system. Yet knowing that "something is going on" is already a significant step for an attacker and, in fact, perhaps one of the most devastating. The best spy is one that the counter-intelligence service does not know of. Once someone is suspected, his covert activity is already endangered and, as the Real World shows us, breaking PGP is not necessarily the only way to get to the cleartext message (it would perhaps be the most difficult; it is far easier to plant a keystroke logger, as the FBI recently did against Nicodemo Scarfo, or to use TEMPEST or plain old espionage).

Except for relying on sheer good luck, people have turned to steganographic techniques to hide the presence of a message, without necessarily protecting it further. In the past, steganography relied on cleverness or technology (invisible ink, microdot photography). In the Internet age, software allows us to hide messages in images, sounds or text. It is even used for copyright watermarking of multimedia artworks, which are so easily stolen and reproduced. It is a wonderfully covert channel to send information: who would even suspect the JPEG I sent to my friend had hidden data? Or is it that simple?

Steganography has its disadvantages. It relies on a well-chosen container that does not reveal the hidden information. For instance, synthesized images with large areas of the same color information show the "noise." The data-hiding algorithm itself, if naïve, can lead to the compromise of the message and all subsequent ones. Public packages use known algorithms, and interested agencies may already have developed detection techniques. See [5] and [6] for attacks against watermarking techniques.
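The flat-container weakness described above, as an added example that is not part of the original article: a naive least-significant-bit scheme (an assumed stand-in for the data-hiding algorithm) is applied to two constructed containers, and a simple statistic exposes the change in the flat image while the noisy one looks the same before and after. All function names, images and the payload are constructed for illustration.

```python
import random

def flat_image(w, h, value=200):
    # Constructed container: synthesized image, one uniform grey level.
    return [[value] * w for _ in range(h)]

def noisy_image(w, h, seed=1):
    # Constructed container: every pixel random, standing in for a noisy photo.
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(w)] for _ in range(h)]

def embed_lsb(image, payload):
    # Naive hiding scheme: overwrite the lowest bit of successive pixels.
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    w = len(image[0])
    if len(bits) > w * len(image):
        raise ValueError("payload does not fit in this container")
    out = [row[:] for row in image]
    for n, bit in enumerate(bits):
        y, x = divmod(n, w)
        out[y][x] = (out[y][x] & ~1) | bit
    return out

def lsb_transition_rate(image):
    # Fraction of horizontally adjacent pixel pairs whose lowest bits differ.
    pairs = [(a ^ b) & 1 for row in image for a, b in zip(row, row[1:])]
    return sum(pairs) / len(pairs)

def demo(w=64, h=64):
    # Random bytes stand in for an encrypted message filling half the pixels.
    rng = random.Random(7)
    payload = bytes(rng.randrange(256) for _ in range(w * h // 16))
    result = {}
    for name, cover in (("flat", flat_image(w, h)), ("noisy", noisy_image(w, h))):
        result[name] = (lsb_transition_rate(cover),
                        lsb_transition_rate(embed_lsb(cover, payload)))
    return result  # {container: (rate before embedding, rate after)}

if __name__ == "__main__":
    for name, (clean, stego) in demo().items():
        print(f"{name:5s} clean={clean:.3f} stego={stego:.3f}")
```

In the flat image the statistic jumps from zero once data is embedded; in the noisy image it sits near one half in both cases, which is why the choice of container matters.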

It matters a lot whom you are up against. However, we will not delve into the pros and cons of steganography itself. After all, the attacker does not yet know that there is a hidden message.

Yet, there is something in the big picture that can lead to suspicions: the traffic itself. Out of nowhere, there is a flurry of multimedia attachments between two people. Especially for large quantities of hidden data, you might need many containers. For a party that has access to the larger data pipes, it is possible to compile statistical information on the email patterns and signal any significant change. If I s


This article was originally published on April 16, 2001
