Key safety vs Backup : History of a bad day (key-restoration problem)

Robert J. Hansen rjh at
Sun Oct 28 12:08:18 CET 2007

Atom Smasher wrote:
> but this has me thinking... why not combine the "hidden in plain sight" 
> part with the encrypted part using steganography... use a reasonably 
> strong passphrase ("reasonable" depends on the needs of the end user) for 
> your secret key, then hide it in a JPG and post it in a public place.

A couple of years ago there was some smoke from reliable sources that
the USG was concerned about the possibility of terror cells
communicating steganographically, and for that reason funding would be
available to researchers tackling the problem.  I don't know if the
funding ever took off, but I did see a handful of papers published on
the subject.  Clearly, steganography is on academia's radar.  It's
probably on the NSA's radar, too.

If you are comfortable with the NSA and/or GCHQ wondering why you've got
AES-encrypted data hidden in a JPEG that's floating around the internet,
then go ahead with this.

> i know... to many people on this list steganography, like one time pads, 
> is more of a toy than a real crypto solution

It's a dangerous toy.

There is a paper I enthusiastically recommend every time this subject
comes up.  To my knowledge, this is the first paper that establishes
formal mathematical limits for steganography--what it can do, what it
can't, what tradeoffs there are, how optimizing a system for one part of
the steganography problem cripples it for another.

As you can imagine, it is a really, really important paper for anyone
who wants to take steganography seriously.  And without exception, I
have yet to meet any designer of a steganographic system who has read
it.  This does not fill me with much confidence for the steganographic
systems out there.

Moulin, P., and O'Sullivan, J.  _Information-Theoretic Analysis of
Information Hiding_.  IEEE Transactions on Information Theory, Vol. 49,
No. 3., pp. 563-593 incl.

Available online at:

> even with a reasonably strong pass-phrase i wouldn't want to walk around 
> with my secret key on a flash-drive with my physical keys, but hidden in a 
> JPG of family/friends/pets it would be easily overlooked if i lost 
> possession of the flash-drive.

Why not?

I do not understand this irrational belief that people have in the
inadequacy of AES to protect their private keys.  Will it make people
feel better if I post my own private key to the list?  (I'm perfectly
willing to, if that's what's necessary to prove a point.)

More information about the Gnupg-users mailing list