integrating GPG with deniable steganography

Bernd Jendrissek berndj at prism.co.za
Tue Mar 20 18:33:06 CET 2001 

On Tue, Mar 20, 2001 at 04:44:03PM -0000, Marlow, Andrew (London) wrote:
> Bernd Jendrissek wrote:
> > Some thoughts on steg, encryption and RIP (whatever that is)
> 	[Marlow, Andrew (London)]  RIP is now law in the UK. It gives the
> 	authorities power to force you to decrypt. Refuse and you go to jail
> for 2 years.
> 	Tell anyone and you go to jail for 5 years. See www.fipr.org for
> full details.
> 

> > If I were  strapped to a chair with a nice bright light  shining right
> > into
> > my eyes, and a friendly  voice said, "Please  decrypt this  message for
> > us"
> > I would still say, "Sorry, there's  nothing there.  It's random data."
> > 
> 	[Marlow, Andrew (London)]  The question is "how believable are
> you?".
> 	If the data looks like an encrypted msg then you will not get far.

I don't think so either.  This seems to be the crux of the problem with
RIP: even if there is no encrypted message, if it looks like there is,
you have a problem.

> > The  mentality  that  says "If you're  hiding  something you're  guilty
> > of
> > *something*, I don't  know what"  This  places the  burden of  proof on
> > the
> > accused, not on the prosecution, where it belongs.

What can be done to sensitise non-privacy-valuers to the idea that
encryption should be regarded as "normal"?

> 	[Marlow, Andrew (London)]  Among the chief complaints against RIP we
> have the reversal of the
> 	burden of proof (it is now a crime to forget your password) and we
> have users of public key
> 	cryptography are suspected of being criminals just because they use
> crypto.

This is so important I'll keep it here even if I don't reply.

> > I lean  toward  thinking that  steganography is
> > security-through-obscurity,
> > with the proviso that it must be *very* obscure.
> > 
> 	[Marlow, Andrew (London)]  Not obscure. Deniable. There is a
> difference.

Taking liberties,
	[Jendrissek, Bernd (Cape Town)]  The question is "how believable
	are you?".  If the data looks like an steganographically hidden
	msg then you will not get far.
If you are known to use steganography you won't be very believable.  And
if *you* know how to discover steg'ed messages, how do you prevent the
RIP Police from knowing?  If you don't tell them how, you go to jail, do
not pass begin, do not collect 200 rand.

Bernd Jendrissek

More information about the Gnupg-devel mailing list