The trouble with encryption

Lots of us encrypt files using the likes of AxCrypt and TrueCrypt. If there’s a risk of losing a device carrying sensitive information such as contacts, email, bank statements, invoices etc, then it is worth using such a tool. The ease with which a file, folder or even complete hard drive or USB device can be encrypted always beggars the question as to why more people, and particularly government and other official departments do not use it as a matter of course.

Encryption is the only sure way to keep prying eyes from reading your private data. Unfortunately, encryption comes at a price: an encrypted file is so obviously hiding something that law enforcement, thieves or anyone else for that matter can deduce almost immediately that a file that has been encrypted must be important in some way and so might focus cracking efforts on that file or drive because extracting the raw data could be so profitable.

Now, many experts will tell you that “security through obscurity” is not a sensible way to protect one’s data. However, the honey pot of encrypted files is too sweet for many with malicious intent that obscurity might be the only way to approach securing your data. Such an option might be the best choice in a totalitarian regime where the authorities might use torture or other brutal means to extract a password for an obviously encrypted file from an activist citizen during an uprising, for instance.

George Weir and Michael Morran of the Department of Computer and Information Sciences, at the University of Strathclyde, UK, explain that textual steganography is a means of concealing an encoded message within text. “The appeal in such a system is its potential for hiding the fact that encoding is taking place,” they explain. “The failure to hide the presence of encoding is a form of information leakage and an inherent risk since it suggests that there is important or valuable information in transit.” After all, if an uprising in a non-democratic regime fails and the secret police come knocking on your door because you were so vocal on Twitter, Facebook and out on the streets during the revolution, then a stack of encrypted files on your computer are obvious bait for their efforts.

“To an adversary, or even the authorities, the presence of encrypted traffic between two individuals may be enough to arouse suspicion. Although the information may be securely encrypted, a third party may be motivated to intercept the information and either tamper with the message or prevent it ever reaching its destination. This risk will remain as long as encryption is adopted as the sole solution to information security needs,” the researchers say.

There has been much work done in the development of steganography in the digital age in which a multimedia file, a photo or music track, for instance, is used as a vault into which hidden information might be embedded. However, activist sharing photos and music files are just as likely to arouse suspicion as their sharing obviously encrypted documents. The Strathclyde team is now developing and testing an approach to steganography that uses natural language to embed information in an innocuous text document that to all intents and purposes appears to be nothing more than an innocuous document.

Their approach is to utilize synonyms and deliberate errors to “encrypt” data within a block of text. By ensuring the changes are sparse enough within a given block of text the encryption becomes essentially invisible without it arousing suspicion. It’s almost akin to the kind of mock spy talk we hear in popular culture – Roberto will bring the blue flamingo to Moscow once the spare wheel is in the nest” – that kind of thing, but operating on a much more sophisticated and automated level.

“The main goals of the final system lay in the ability to hide information in text in such a way that hidden content is undetectable,” the team says. Their tests demonstrate that it is possible to recover complete messages from the textual steganography. However, the prototype while successful generates text that in 40-50% of the encrypted messages might appear odd to a human, as opposed to computer, reader. But, the system is manually configurable so that the person encrypting the information can tweak the substitutions and errors so that an entirely plausible text results within which the hidden message is invisibly embedded.

Research Blogging IconGeorge R.S. Weir, & Michael Morran (2010). Hiding the hidden message: approaches to textual steganography Int. J. Electronic Security and Digital Forensics, 3 (3), 223-233