integrating GPG with deniable steganography

Stefan Fendt stefan at
Wed Mar 21 06:41:06 CET 2001

> Of course, the attacker will never obtain a complete proof that a
> secret message was hidden, but he will be able to obtain enough
> evidence to get you into trouble.

I can't agree here... This is just why I used crypto *and* stegano in
my example. The used Vegeniere-Algo is the only one which (AFAIK) ever
was (under certain well defined conditions) was mathematicaly prooven
to be absolutely secure (and BTW under this conditions is known to be
near absolute unusablility...). These conditions were:

1) key is of same length as the cyphertext...
2) key is only known to sender and receiver of the message...

With these conditions any attempt to break the cipher will fail as it
can produce *any* output depending on the used key. One key will produce
an excerpt of Goethes "Faust I" another an excerpt of "Faust II" and just
another key an exerpt out of the bible. Millions by millions of keys
will just give nonsense or any known text --- and only one key will
give the correct result. The ciphertext or the key -- you can't
distinguish any more which one is containing more bits of the message...

Combine this with steg and you're out of bounds. It's very very unlikely
that they can *find* the message (even if they know how it could have
been hidden) and even if -- *IF* they find the message in the noise
they can just do nothing with it. Not even if they had a
super-computer which were able to try all keys at once...

just a few more words to the stegano-algo I used...

In a first step it takes the signal and analyses the noise within. In
a second step it adopts the message to meet exactly this noise
conditions which were in that file. The resulting signal is as smooth
as the "original" was. In the last step the "original" should have
been destroyed and only the signal with the hidden message should have
been left as the new "original". (This was not done in this special
It only will work if there is no possibility to bit-compare both
"originals". That is: You have to create the data to hide the message
within by yourself... Every other attempt will fail. The file you send
*has* to *be* the original it must not try to be close to it...


PS: Cryptography tries to make things secure even if the *message* was
listened to by a third party. Steganography is the art of hiding
*messages*. See the difference? Steganography only can be secure if the
third party can not *find* the message. You only can *try* to hide
your message that good that they cannot find it. There is no absolute
security that they wont... So IMHO steg only makes sense in
conjunction with crypto. The other way round crypto makes sense even
without stegano... It's a totally different approach.

More information about the Gnupg-devel mailing list