Cryptography Reference
In-Depth Information
fraudulent maneuvers', as Mallory hypocritically says [DobMD4]. Now you
understand why we required Property 4, no collision in hash functions, in
Section 6.3.1.
Subliminal Channels
For signatures,
subliminal channels
can be thought of as 'true steganography':
together with her signature, Alice sends additional information, the existence
of which can be proven only if one knows a certain secret key. This secret key
can be Alice's private key, but not for all signature methods.
Notice the difference to steganography: steganography does not use a key, and
it hides information in a way similar to a picture puzzle. Those who know
the trick can easily recover the hidden information (unless it is encrypted). In
contrast, subliminal channels in signatures hide information cryptographically
well. A signature with additional information is still innocuous, even after
most thorough analysis. Only the use of a secret key opens up the treasure box,
showing its inner life.
Subliminal channels were first designed by Simmons in 1983 [Simmsubl]. They
are used in several signature methods. Simmons even showed that such channels
can be constructed in every signature method. The DSA signature algorithm
designed by the NSA, of all methods, offers channels that can be read without
knowing the private key. Allegedly nobody knew about it. 'Is that so bad?',
you will ask.
Yes, it is. If you buy a program for digital signatures and the signature algorithm
has such subliminal channels, then the program vendor can feed a few bits
of your secret key into the subliminal channel together with each of your
signatures. You can look at the program's output — nothing provable there.
However, the program vendor or their allies record your signatures regularly.
Only they know the secret additional key for the subliminal channel. After
a sufficiently large number of signatures, they will have your private key on
their desk. Now they can perfectly forge your electronic signature, compute
all your session keys, read all your secret messages
...
that's a fine prospect!
Section 6.7 deals with such fraudulent maneuvers.
DSA allows you to 'plug up' the channel using a suitable cryptographic protocol
between Alice and Bob. However, Bob can then set up his channel in a manner
that's named
cuckoo channel
. Luckily, there are ways to prevent this, too.
To protect yourself from this kind of espionage, use the freely available PGP
program. You can then be sure that it has been studied and analyzed as to
