the steganographic file system ross anderson, roger needlham, adi shamir presented by: pan meng...
TRANSCRIPT
The Steganographic File System
Ross Anderson, Roger Needlham, Adi ShamirRoss Anderson, Roger Needlham, Adi Shamir
Presented by: Presented by: Pan MengPan Meng
Outline
IntroductionFirst constructionSecond constructionconclusion
Usually, how do we protect our files?
encryption
But the attacker knows there is a file,
if he forces you to disclose your password, can you say no?
Plausible deniability
Let the attacker even doesn’t know theexistence of the file!
Basic idea
password
Construction 1Simple one file scheme
System is divided into n equal size files—cover
Every cover is initially random data file. C1,…Ci,…Cn When we want to insert a file F, we replace
it with a cover Ci. When we want to get F, we extract it from
the n covers with our password.
How to select the Ci? Suppose password is:
1 0 1 0 0 0 1 P1 P3 P7Select C1, C3, C7 to XOR with F F’ = C1C3 C7 FReplace one of C1, C3,C7 with F’ and XOR
itself. C3’ = F’ C3 C1,C2,C3’,C4,C5,C6,C7
How to get file back?
C1,C2,F’,C4,C5,C6,C7Same password: 1 0 1 0 0 0 1 P1 P3 P7Now select C1, C3’,C7 C1 C3’ C7=C1 (F’ C3) C7=C1 (C1 C7 F) C7=F
More complicated case
If there are more than one file in the system, after inserting a new file , the old file’s context is changed.
So we must modify the context to make sure we can extract the old file properly.
Example Cover: File inserted: Password: 1110,
0111
1 2 3, ,C C C
1 2,F F
'1 1 2 3 1 1 2 3 1
'1 2 3 4, , ,
C C C C F C C C F
C C C C C
Insert F1:
Insert F2:'2 2 3 4 2 2 3 4 2
' '1 2 3 4, , ,
C C C C F C C C F
C C C C C
Now we can’t get F1 from : ' '1 2 3C C C
So we need a linear equations to decide which combinations of the Cj to alter
An important property of this sysetm is that we have a linear access hierarchy-that is, a user storing a file at a given security level knows the passwords of all the files stored at lower levels-then files can be added in a natural way without disturbing already hidden files.
Solution
Multiple files
Assume there are n covers in the systemEvery cover is m bits.
--whole system
--n passwords
( is orthonormal)
Tmn nccC ],...,[ 1*
Tnnn kkK ],...,[ 1*
nkk ,...,1
Extract file Fi
Fi = Ki C
Modify file Fi
Suppose we want to modify Fi by XORing it with the Binary Difference file D of length m
We modify the whole context like:
CC D [1]
T
iK
extract file after [1]
' ( )
( ) ( )
tj j i
tj j i
F K C K D
K C K K D
Only when i==j, file j is extracted.
Insert file
1. Extract random file Ci2. Calculate D = F – Ci3. Modify context:
CC DtiK
Key management
How a user can be given only his part of the key matrix K without revealing other parts or asking him to remember lots of bits?
1 ( )i ip h p
2. Then map each pi into a random binary vector with an odd number of
1’s-odd parity
3. Finally we use Gram-schmidt method to orthonormalise all the vectors.
1. Map a random initial password p0 by iterating a one way fuction h via :
To extend this ‘multiple secure ’ file system to provide the plausible deniability which we seek, the user must have a number of passwords pi rather than just one or two of them, and user can manage them in any of the standard ways, such as:
A number of pi could be stored on the disc, encrypted under some passphrase
Key management
Limitation known –message attack
If the size of the password is k and the opponent knows more than k bits of plaintext, then after obtaining all the random files from the computer he can write k linear equations in the k unknown bits of the key.
Limitationperformance penalty
Every time we must modify the whole context, so the cost is big. Improvement: Reading or writing a file would involve reading or writing the
whole ‘slices’ of the k*n matrix C, even we just want to modify a bit of this file.
For example, if D is nonzero in a single bit(say, the q-th), then the product :
tik D
Is nonzero.
Construction 2
Fill the whole hard disk with random bits, and then write each file block at an absolute disk address given by some pseudorandom process, and so-on the assumption that we have a block cipher which the opponent cannot distinguish from a random permutation- the presence or absence of a block at any location should not be distinguishable.
Problem: collision If we have N blocks, we will start to get
collisions once we had written a little more than blocks (birthday problem).
N
solution
Write the block at more than one location. But no analytic solutions are known for
deciding how many copies be used can make the overwritten probability the lowest.
Larson TableExperiments by Larson and Kajla showed that with values of m(copy number) in the range 10-25, the disks would not be full until 80-90% of its blocks were occupied.
Larson Table
Larson’s system was designed to allow any record in a database to be retrieved with only one disk access.
The basic idea is that’s a record is written at one of m locations on disc, which are specified pseudorandomly , and a table is kept in memory telling the user at which location to look.
StegFS based on Larson System
btabi-1
……
btabi-2
……
btabi-m
H(pwd)
Write a block i
Normal FS block
Hidden block
Block table
random Normal bitmap
Block table entryBlock number and checksum of the block. To check whether this block has been overwritten.
BitmapJust normal blocks are set .
Whether a blocks is usedCheckBitmap && CheckBlockTable(AllLowerLevel)
Copy complimentChance of overwritten also exists, so every time
read a block,check the copy number, if less than threshold, add
some.
Plausible Deniability
The privacy protection of this is not provided by giving no indication of whether any hidden files are present or not. It is only impossible to find out how many different security levels of files are actually used.
And also low level account can overwrite high level blocks without knowing whether that block is used.
Limitation
Collision also exists.The plausible deniability is not the originals
meaning of steganographic file system.
Conclusion
The Steganographic file system is designed to give users a high degree of protection against coercion, in that they can plausibly deny the existence of whole directories of files on their hard disk, even against an opponent with complete access to the system and the resources .
Thanks