A GPG version of the PGPstealth program?
Andrew Marlow
apm35@student.open.ac.uk
Sun Aug 19 21:50:01 2001
I have had some more thoughts about integrating
GPG with deniable steganography. I posted a msg
about this a while ago which provoked quite a bit
of discussion. The overall feeling at that time was
that it cannot be done. This was mainly because steg
is generally felt to be 'security through obscurity'
(STO) and we all know that STO doesn't work.
I think it can be done. Here's how. I establish a
convention with the people with whom I communicate
via email that my public GPG key is a symmetric
encryption key when I am using SNOW (which is
a steg program that carries the secret msg via
whitespace at the end of lines in ASCII files).
So far this is just STO. But the message extracted
is a GPG msg that has been 'stealthed', i.e it
has been altered so that it resembles noise.
Using a program such as GPGdump will not reveal
the deSNOW'd data to be anything readable. This is
the bit where I *deny* that there is a secret msg.
The recipient de-stealth's the deSNOW'd msg then
decrypts it as normal using GPG. These steps would
probably be combined via a script for convenience.
So when I want to send a msg I take the following
steps:
1) Encrypt my message using GPG.
2) Stealth it.
3) SNOW the stealth'd data onto an
innocent-looking ASCII file using my
public GPG key.
I can do this right now provided I use PGP 2.6
instead of GPG. That is why I raised this matter
again. I would much rather use GPG, especially
in view of the recent controversy over ADKs,
closed-source, Phil Zimmerman's annoucements,
and so on. Peer reviewed open source is surely
the better way.
The reason I have to use PGP is that there is a
stealth program for PGP but not for GPG. The
stealth program only supports version 2.6.n of
PGP. I have looked at the code to see how easy
it would be to adapt it for GPG and it is beyond
my skill, unfortunately. How do the other GPG
developers and users feel about adapting the
stealth program to conform to the open standard
for GPG/PGP ? I have talked to the author about
this but to no avail. I think he's just too busy
and has moved onto other things.
Regards,
Andrew Marlow.