Cryptographic Steganography CSM25 Secure Information Hiding Dr Hans - - PowerPoint PPT Presentation

Cryptographic Steganography

CSM25 Secure Information Hiding Dr Hans Georg Schaathun

University of Surrey

Spring 2007

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 1 / 27

Learning Outcomes

be able to apply cryptographic methodology to evaluate stego-systems. understand the Backes-Cachin Stego-system as an example of a Cryptographic Approach to Steganography be able to compare the above stego-systems to systems based on Data Hiding, in terms of security and practicality.

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 2 / 27

Reading

Core Reading Michael Backes and Christian Cachin: ‘Public-Key Steganography with Active Attacks’. in Theory of Cryptography, Springer Lecture Notes in Computer Science, volume 3378/2005.

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 3 / 27

The security model Overview and example

Outline

1

The security model Overview and example Key features Security definition

2

A cryptographic stego-system Overview Algorithm Potential issues

3

Exercises

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 4 / 27

The security model Overview and example

Chosen cover-text oracle model

1

Alice chooses a key pair (kP, kS)

2

Eve can choose any ciphertext c and get decryption dkS(c) from an oracle

3

Eve chooses a message m

4

Alice draws b ∈ {0, 1} at random, and creates c∗, where

if b = 1, c∗ is a random (innocent) covertext if b = 0, c∗ is a stegogramme containing m

5

Eve can choose ciphertexts c = c∗ and get decryption dkS(c) with some exceptions from an oracle

6

Eve makes a guess ˆ b ∈ {0, 1}, and wins if ˆ b = b.

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 5 / 27

The security model Overview and example

Security assessment in general

Hypothetical attacker (Eve)

Do some research Make a guess

A random guess (ˆ b is uniformly distributed) wins 50% of the time.

Note that b is uniformly distributed.

If Eve is unable to win significantly more than 50% of the time,

then the system is secure

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 6 / 27

The security model Overview and example

The oracle

The oracle is Eve’s research tool,

answers decryption queries Eve may chose cipher-/cover-texts the Oracle decrypts with the secret key

Eve does not have the secret key,

she can only use it via the Oracle.

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 7 / 27

The security model Overview and example

Chosen cipher-text oracle model

1

Alice chooses a key pair (kP, kS)

2

Eve can choose any ciphertext c and get decryption dkS(c) from an oracle

3

Eve chooses messages m0 and m1

4

Alice draws b ∈ {0, 1} at random,

• utputs ciphertext c∗ = EkP(mb)

5

Eve can choose ciphertexts c = c∗ and get decryption dkS(c) with some exceptions from an oracle

6

Eve makes a guess ˆ b ∈ {0, 1}, and wins if ˆ b = b.

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 8 / 27

The security model Overview and example

Probabilistic cipher

Observe that Ek(m) is non-deterministic

Same message and key gives different ciphertexts Ciphertext randomly chosen (according to probability distribution)

Suppose Eve

gets decryption m = Ds(c), pass m to Alice

Alice’s encryption c∗ = Ek(m) = c most of the time

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 9 / 27

The security model Overview and example

Overview

1

Alice chooses keys

2

Eve executes her first attack A1

3

Alice generates a cipher-/stego-text

from message(s) generated by A1

4

Eve executes her second attack A2

5

Eve makes a guess,

which message was encrypted? (cipher) has the message been embedded? (stego)

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 10 / 27

The security model Key features

Outline

1

The security model Overview and example Key features Security definition

2

A cryptographic stego-system Overview Algorithm Potential issues

3

Exercises

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 11 / 27

The security model Key features

Adaptive

Eve choses cipher-/cover-texts one by one

choses based on previous decryptions

Compared to non-adaptive,

Eve makes a list of ciphertexts first, then the Oracle decrypts all of them Eve cannot add further ciphertexts after decryptions are obtained

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 12 / 27

The security model Security definition

Outline

1

The security model Overview and example Key features Security definition

2

A cryptographic stego-system Overview Algorithm Potential issues

3

Exercises

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 13 / 27

The security model Security definition

The second attack

In the first attack, the oracle answers any request. In the second attack, restricted oracle For CCA-security,

returns not-allowed when asked to decrypt c∗

For RCCA-security,

returns not-allowed if c decrypts to m or ⊥ (m1 or m2)

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 14 / 27

The security model Security definition

Replayability

With the CCA-oracle,

Eve can get decryption of c = c∗||z, where z is rubbish which will be ignored by the decoder, so that c and c∗ has the same decoding.

thus CCA-security may be insufficient. RCCA-security is designed to prevent this

The RCCA-oracle will refuse to decrypt c = c∗||z. because Ds(c) = Ds(c∗)

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 15 / 27

The security model Security definition

(R)CCA-security

Cryptosystem Indistinguishability of encryptions against an adaptive chosen-ciphertext attack (CCA-security) replayable CCA-security (RCCA-security) Steganography steganographically secure against adaptive chosen-covertext attacks (SS-CCA) steganographically secure against replayable adaptive chosen-covertext attacks (SS-RCCA)

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 16 / 27

A cryptographic stego-system Overview

Outline

1

The security model Overview and example Key features Security definition

2

A cryptographic stego-system Overview Algorithm Potential issues

3

Exercises

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 17 / 27

A cryptographic stego-system Overview

Cipher and Stego-system

Similarities

(R)CCA-security is analogously defined for

Steganography Crypto-graphy

Theorem An SS-(R)CCA stego-systems can be constructed from an (R)CCA-secure cryptosystem with pseudo-random ciphertexts.

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 18 / 27

A cryptographic stego-system Overview

Pseudo-random ciphertexts

Definition A cryptosystem has pseudo-random ciphertexts if the encryption of a known message m is indistinguishable from a random text. For any message m, Alice draws random b, and gives Eve

if b = 0, c = Ek(m) if b = 1, c is drawn uniformly at random

Eve knows m, k, and c, and

tries to guess b

If she cannot do better than a random guess,

then ciphertexts are pseudo-random.

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 19 / 27

A cryptographic stego-system Algorithm

Outline

1

The security model Overview and example Key features Security definition

2

A cryptographic stego-system Overview Algorithm Potential issues

3

Exercises

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 20 / 27

A cryptographic stego-system Algorithm

Encoding Algorithm

Backes and Cachin

Input: Security parameter k Public Key (p, g) Message m Output: Cover-text c y = Ep(m) write y = y1||y2|| . . . ||yt for i = 1, 2, ldots, t ci := Sample(k, g, yi) end for return (c1, . . . , ct)

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 21 / 27

A cryptographic stego-system Algorithm

The Sample Algorithm

Backes and Cachin

Input: Security parameter k Function g : C → {0, 1}f Message {0, 1}f Output: Cover-text c j := 0 repeat x

R

← C j := j + 1 until g(x) = b or j = k return x

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 22 / 27

A cryptographic stego-system Algorithm

Decoding Algorithm

Backes and Cachin

Input: Security parameter k Secret Key (s, g) Covertext c = (c1, . . . , ct) Output: Message m for i = 1, 2, ldots, t yi := g(ci) y := y1||y2|| . . . ||yt return Ds(y)

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 23 / 27

A cryptographic stego-system Potential issues

Outline

1

The security model Overview and example Key features Security definition

2

A cryptographic stego-system Overview Algorithm Potential issues

3

Exercises

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 24 / 27

A cryptographic stego-system Potential issues

Do pseudo-random ciphertexts exist?

Pseudo-random ciphertexts possible against chosen plaintext attacks (CPA) But CCA is harder However, we can encrypt twice

Encrypt using a CCA-secure system first; and then Encrypt using a CPA-secure system with pseudo-random ciphertexts

Refer to cryptography for complete details

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 25 / 27

Exercises

Pros and cons

Exercise

List the advantages and the flaws of this cryptographic approach

compared to data hiding techniques seen earlier

Can this system be practically implemented? Can this system be broken? Are data hiding techniques sufficiently secure? Is the Backes-Cachin system Kerckhoffs-compliant?

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 26 / 27

Exercises

This house believes...

Discussion exercise

This house believes that that stego-systems based on data hiding techniques are insufficiently secure for practical use, and that any real stego-system will have to be based on cryptographically acknowledged techniques. Class divided into two groups (houses)

One defends the statement above The other argues against it

Dr Hans Georg Schaathun Cryptographic Steganography Spring 2007 27 / 27