blog-contributions/opsec/steganography/index.html

142 lines
7.8 KiB
HTML
Raw Normal View History

2024-09-26 23:58:07 +02:00
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Other sources of Plausible Deniability: Steganography</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
2024-10-06 21:59:43 +02:00
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
2024-09-26 23:58:07 +02:00
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/Zesc.jpg" width="50px" height="50px"> <ba>Zesc - 2024-08-30</ba></p>
<h1>Other sources of Plausible Deniability: Steganography</h1>
<p>Steganography is the craft of hiding messages. It is a close relative of cryptography, but where cryptography strives to conceal the contents of a messages, steganography attempts to conceal its <i>presence</i>. Therefore <b>steganography helps avoiding suspicion and providing deniability</b>.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<p>The important difference between the two fields is adherence to <i><a href="https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle">Kerckhoffs's principle</a></i>: the assumption that an algorithm must be publicly known to guarantee that it has no flaws or backdoors. (This is the reason why you should only use open source crypto software and never roll your own crypto.)<br/>Steganography does the opposite by relying on <i>security by obscurity</i>: the method by which you hid your data must be kept secret.</p>
<p>That means that whilst complementary to cryptography, steganography on itself is less secure than the mathematically provable security provided by cryptography. Think of it as tucking away your valuables in secret location versus putting them into a sturdy safe. The safe may draw immediate attention by burglars, but provides reliable resistance to attacks, whilst it is up to chance whether they find your hidden stash.</p>
<h3>Then why use steganography at all?</h3>
<p>In military science, there is the concept of the <i>Integrated Survivability Onion</i> &mdash; in short, the idea that they can't kill you if they don't hit you, that they can't hit you if they don't shoot at you and that they can't shoot at you if they don't see you. The same thing applies to every good digital defense-in-depth approach. Using steganography can't harm you, but <b>it shouldn't be all your rely on</b>. In our example, a hidden safe is better than either option on its own.</p>
<p>Here a quick overview of using steganography alone, cryptography alone and combining the two:</p>
<div style="text-align: center; margin: 1px;"><img src="comparison.jpg" style="width:90%"></div>
<p>The main strength of steganography is that <b>steganography can conceal metadata</b> to some extent. Metadata (i.e. data about data and communications) is the primary way that state actors identify targets for closer scrutiny. When you can become guilty by association, <b>your primary concern may be communicating in public without anyone noticing</b> and not the confidentiality of your communications. (In fact, many cryptographic schemes attest the identity of the sender via signatures, which you should avoid when looking for <u>plausible</u> deniability in case of compromise.)</p>
<p>However, <b>some form of communication event must always occur</b>, so steganography exploits various side-channels in order to embed additional concealed data. <b>In order to thwart analysis of metadata, communicate through one or multiple uninvolved third party dead-drops</b>, preferably such with broad distribution (i.e. popular websites, like social media or message/image boards).</p>
<p>When relying on such third parties, <b>steganography can help circumventing censors</b>. If an adversary controls a critical link in the network and blocks all communications they can't inspect, you need to conceal your encrypted communications inside of superficially innocuous traffic. An example of this would be a corporate email server which denies all attachments it can not scan for malware.</p>
<div style="text-align: center; margin: 1px;"><img src="circumvention.jpg" style="width:86%"></div>
<p>The major downside of steganography however is the need to tell your target audience how to find your hidden messages. Where cryptography allows for secure key negotiation even in plain sight of adversaries, informing a party you don't already have a secure communication channel with might be impossible.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
2024-11-16 15:54:12 +01:00
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
2024-09-26 23:58:07 +02:00
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
2024-10-03 21:57:20 +02:00
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
2024-09-26 23:58:07 +02:00
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About Zesc</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 46BYryUrGcrcRbXFFgTZMYKg8UVY1FpwVfNfHc4GxCXMFwvVtg2YDuf8x8pF36yh4XFWpC3V2WrDgZh7w46MYZEQ3zJQhhR</p></br><p><u>Contact (Matrix):</u> @zesc:matrix.org </p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>