Steganographic file systems
I’ve had mixed feelings about steganography over the years. Sometimes I think it completely sucks as a security model and sometimes I think it’s just as valid a security model as memorized pass codes. A number of years ago (coming up on ten now) I had a conversation with Matthew Kwan about his tool called SNOW (Steganographic Nature Of Whitespace). His idea was that you can embed information at the ends of lines as runs of spaces and tabs standing in for zeros and ones. With a little encryption added for good measure and compression to increase the payload size, it’s a fairly interesting tool for hiding text in text.
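To make the whitespace trick concrete, here is an added example (not Matthew Kwan’s SNOW; it reproduces none of SNOW’s framing, compression or encryption). It assumes one bit per trailing character, space for 0 and tab for 1, and eight bits per line; both are assumptions made for illustration. The encoder only serves to construct a sample, and the detector is what a reviewer would actually run over a suspicious text file.

```python
"""Trailing-whitespace steganography, encode and detect.

Added example for this post; it is not Matthew Kwan's SNOW and does not
reproduce SNOW's framing, compression or encryption. The mapping of one
bit per trailing character (space = 0, tab = 1) and the eight-bits-per-line
budget are assumptions made for illustration. The encoder exists only to
construct a sample; the detector is what a reviewer would run over text.
"""
from typing import List, Tuple

SPACE, TAB = " ", "\t"


def encode_message(cover: str, secret: bytes, bits_per_line: int = 8) -> str:
    """Append the secret's bits to successive cover lines as trailing spaces/tabs."""
    bits = "".join(f"{byte:08b}" for byte in secret)
    chunks = [bits[i:i + bits_per_line] for i in range(0, len(bits), bits_per_line)]
    lines = [line.rstrip(" \t") for line in cover.split("\n")]  # normalise first
    if len(chunks) > len(lines):
        raise ValueError("cover text has too few lines for the secret")
    for i, chunk in enumerate(chunks):
        lines[i] += chunk.replace("0", SPACE).replace("1", TAB)
    return "\n".join(lines)


def trailing_whitespace(line: str) -> str:
    """The run of spaces/tabs at the end of a line (empty if none)."""
    return line[len(line.rstrip(" \t")):]


def decode_message(text: str) -> bytes:
    """Read trailing spaces/tabs back as bits; an incomplete final byte is dropped."""
    bits = "".join(
        "1" if ch == TAB else "0"
        for line in text.split("\n")
        for ch in trailing_whitespace(line)
    )
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def scan_for_trailing_tabs(text: str) -> Tuple[int, List[int]]:
    """Flag lines whose trailing whitespace contains a tab.

    Editors commonly leave trailing spaces, but a tab at the very end of a
    line, especially mixed with spaces, is rare in ordinary text and is the
    signal a reviewer would look for. Returns (lines_scanned, suspect_lines).
    """
    suspects = []
    lines = text.split("\n")
    for number, line in enumerate(lines, start=1):
        if TAB in trailing_whitespace(line):
            suspects.append(number)
    return len(lines), suspects


if __name__ == "__main__":
    # Constructed sample cover text; the secret is just two ASCII bytes.
    cover = "The quick brown fox\njumps over\nthe lazy dog\nand runs away\n"
    stego = encode_message(cover, b"hi")
    print(decode_message(stego))
    print(scan_for_trailing_tabs(stego))
```

The detector keys on trailing tabs because a payload byte that is all zeros encodes as eight plain spaces and would be invisible to it; a stricter scanner would also flag any line whose trailing whitespace is longer than a couple of characters, or simply strip trailing whitespace on ingest, which destroys the channel entirely.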
Then I went to DefCon last year and heard a talk by Bennett Haselton on using a steganographic language translation service to transmit information across national boundaries in a way that defeats censorship filters. In that scenario there are far easier ways to defeat censorship filters, if you ask me, and besides, why would you tell anyone that was your plan? Once it’s public, the government in question knows that anyone using that service is hiding data. Seems dumb to me.
The main point of a steganographic file system is that someone looking directly at it can’t tell whether anything is there. If a system designed for the sole purpose of hiding information gives away that something is hidden, it’s not particularly good at hiding it, now is it? Well, maybe it is…
I went to a Cypherpunks meeting in San Francisco a few years back where I heard a talk by a lawyer of all things who went by Black Unicorn. Black Unicorn explained that steganographic file systems actually have a valid use for legal issues. With steganographic file systems you can actually have multiple layers of hidden data, each wrapping another layer, like an onion, and only with the correct password can you unlock the next layer, but there’s no way to know if there is another layer beneath the one you are on.
So his idea was to use the first layer to hide things like your passwords, or credit card numbers. The second layer maybe emails from your mistress or something that it’s clear you wouldn’t want someone close to you to know about. Then you get caught for something (like hacking, etc…) and they haul you into the confession room. They know that you have more on that drive, because they know you are using a steganographic file system. They also know you are a hacker type because that’s why you are in the room in the first place.
So let them beat you up for a while or threaten whatever they want. The trick here is to really make them believe you don’t want to give them the next layer. When they finally give you enough hell, give them the next layer. But instead of having that layer be something good, like the secret files you stole, have it be something completely unrelated but ALSO good. His suggestion was dog porn. It’s something that you could reasonably assume the police would want to find, but it’s not at all why they brought you in. Chances are they will let you go at this point. Interesting theory. It’s less applicable to web applications and more applicable to home security, I suppose, but steganographic tools in general, I believe, do have a place. It is assumed that terrorists are using it, for instance.
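The property Black Unicorn relies on, that holding one password reveals one layer and nothing about whether others exist, can be shown in a few dozen lines. The following is an added example for this post, not any real steganographic file system and not Black Unicorn’s design. It assumes a fixed-size container that starts as random bytes, split into a fixed number of equal slots, with each layer encrypted into one slot under its own password; layers sit side by side rather than nesting, which is enough to demonstrate the deniability. The cipher (an HMAC-SHA256 keystream XORed over the payload, with an encrypted marker so the opener can tell a right password from a wrong one) is illustrative only.

```python
"""A toy deniable container with independently keyed layers.

Added example for this post, not any real steganographic file system and
not Black Unicorn's design. Assumptions: a fixed-size container that starts
as random bytes, split into a fixed number of equal slots; each layer is
encrypted into one slot under its own password. An occupied slot and an
empty slot are both uniform random bytes, so an observer can't tell how
many layers exist or which slots hold one; only a password that decrypts
a slot reveals a layer, and nothing about the others. The cipher (HMAC-
SHA256 keystream XORed over the payload) is for illustration only.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

SLOT_SIZE = 256         # bytes per slot, nonce included
SLOT_COUNT = 8
NONCE_SIZE = 16
MARKER = b"LAYER-OK"    # constructed: encrypted with the data so a correct key is recognisable
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudorandom keystream."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_container() -> bytearray:
    """Every slot starts as random bytes, indistinguishable from an encrypted layer."""
    return bytearray(os.urandom(SLOT_SIZE * SLOT_COUNT))


def write_layer(container: bytearray, slot: int, password: str, data: bytes) -> None:
    body_size = SLOT_SIZE - NONCE_SIZE
    payload = MARKER + len(data).to_bytes(2, "big") + data
    if len(payload) > body_size:
        raise ValueError("layer too large for one slot")
    payload += os.urandom(body_size - len(payload))   # random padding, never zeros
    nonce = os.urandom(NONCE_SIZE)                    # doubles as the KDF salt
    key = derive_key(password, nonce)
    start = slot * SLOT_SIZE
    container[start:start + SLOT_SIZE] = nonce + xor(payload, keystream(key, nonce, body_size))


def read_layer(container: bytearray, slot: int, password: str) -> Optional[bytes]:
    """Return the layer in this slot, or None if the password doesn't open it."""
    start = slot * SLOT_SIZE
    nonce = bytes(container[start:start + NONCE_SIZE])
    body = bytes(container[start + NONCE_SIZE:start + SLOT_SIZE])
    plain = xor(body, keystream(derive_key(password, nonce), nonce, len(body)))
    if not hmac.compare_digest(plain[:len(MARKER)], MARKER):
        return None   # wrong password or empty slot: both are just noise
    length = int.from_bytes(plain[len(MARKER):len(MARKER) + 2], "big")
    return plain[len(MARKER) + 2:len(MARKER) + 2 + length]


def open_all(container: bytearray, password: str) -> Dict[int, bytes]:
    """Everything one password reveals: the slots it opens and nothing about the rest."""
    found = {}
    for slot in range(SLOT_COUNT):
        data = read_layer(container, slot, password)
        if data is not None:
            found[slot] = data
    return found


if __name__ == "__main__":
    box = new_container()
    write_layer(box, 0, "first-pass", b"passwords and card numbers")
    write_layer(box, 3, "second-pass", b"mail from the mistress")
    print(open_all(box, "first-pass"))    # only slot 0
    print(open_all(box, "second-pass"))   # only slot 3
    print(open_all(box, "wrong-pass"))    # {}
```

Because an empty slot and an encrypted slot are both uniform random bytes, the container’s size and contents are the same whether it holds zero, one or eight layers, which is exactly what lets the owner hand over one password and plausibly claim there is nothing more. A real system would derive each layer’s location from its key instead of a caller-chosen slot and would need to handle collisions between layers; fixed slots keep the example short.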
Obscurity, or obfuscation, is a valid security model if 100% of users don’t know about it, or if the only people who do know about it have a vested interest in keeping it secret. It’s not a valid security model during an audit, when outside people are exposed to the secret (hence my problem with Bennett’s talk), or when used in place of a real crypto system, but I do believe it has a place in modern application security.
June 22nd, 2006 at 1:45 pm
IMHO, security by obscurity has always been a valid security-enhancing strategy. It’s not security alone; but it really all depends.
The idea that it is not helpful is some horrible textbook invention. Yes, it’s not textbook security. But it’s a deterrent, and it may prevent someone from even finding what they’re looking for, and hence spread his or her time thinner. People don’t get this. My favorite example was the guy that told me “security by obscurity isn’t security,” but then I noted he set his SSH port to 65000. Stupidity. Of course security by obscurity works — just don’t depend on it.
June 23rd, 2006 at 9:43 am
The major advantage of STO is that directed attacks can be more easily identified, but of course that only works when your obfuscation method isn’t being used by a large enough percentage of people that it makes it obsolete.
If that guy started seeing SSH brute force attacks on his server, it would probably be a real attack directed at him. On the other hand if everyone started using port 65000 for SSH, the authors of automated brute-force SSH attacks would include the port.