The Steganographic File System Ross Anderson, Roger Needlham, Adi Shamir Presented by: Pan Meng Presented by: Pan Meng
Outline Introduction First construction Second construction conclusion
Usually, how do we protect our files? encryption
But the attacker knows there is a file, if he forces you to disclose your password, can you say no?
Plausible deniability Let the attacker even doesn’t know the existence of the file!
Basic idea password
Construction 1 Simple one file scheme System is divided into n equal size files—cover Every cover is initially random data file. C1,…Ci,…Cn When we want to insert a file F, we replace it with a cover Ci. When we want to get F, we extract it from the n covers with our password.
How to select the Ci? Suppose password is: P1 P3 P7 Select C1, C3, C7 to XOR with F F’ = C1 C3 C7 F Replace one of C1, C3,C7 with F’ and XOR itself. C3’ = F’ C3 C1,C2,C3’,C4,C5,C6,C7
How to get file back? C1,C2,F’,C4,C5,C6,C7 Same password: P1 P3 P7 Now select C1, C3’,C7 C1 C3’ C7=C1 (F’ C3) C7 =C1 (C1 C7 F) C7 =F
More complicated case If there are more than one file in the system, after inserting a new file , the old file’s context is changed. So we must modify the context to make sure we can extract the old file properly.
Example Cover: File inserted: Password: 1110, 0111 Insert F1: Insert F2: Now we can’t get F1 from :
So we need a linear equations to decide which combinations of the Cj to alter An important property of this sysetm is that we have a linear access hierarchy-that is, a user storing a file at a given security level knows the passwords of all the files stored at lower levels- then files can be added in a natural way without disturbing already hidden files. Solution
Multiple files Assume there are n covers in the system Every cover is m bits. --whole system --n passwords ( is orthonormal)
Extract file Fi Fi = Ki C
Modify file Fi Suppose we want to modify Fi by XORing it with the Binary Difference file D of length m We modify the whole context like: C C D [1]
extract file after [1] Only when i==j, file j is extracted.
Insert file 1. Extract random file Ci 2. Calculate D = F – Ci 3. Modify context: C C D
Key management How a user can be given only his part of the key matrix K without revealing other parts or asking him to remember lots of bits? 2. Then map each pi into a random binary vector with an odd number of 1’s-odd parity 3. Finally we use Gram-schmidt method to orthonormalise all the vectors. 1. Map a random initial password p0 by iterating a one way fuction h via :
To extend this ‘multiple secure ’ file system to provide the plausible deniability which we seek, the user must have a number of passwords pi rather than just one or two of them, and user can manage them in any of the standard ways, such as: A number of pi could be stored on the disc, encrypted under some passphrase Key management
Limitation known –message attack If the size of the password is k and the opponent knows more than k bits of plaintext, then after obtaining all the random files from the computer he can write k linear equations in the k unknown bits of the key.
Limitation performance penalty Every time we must modify the whole context, so the cost is big. Improvement: Reading or writing a file would involve reading or writing the whole ‘slices’ of the k*n matrix C, even we just want to modify a bit of this file. For example, if D is nonzero in a single bit(say, the q-th), then the product : Is nonzero.
Construction 2 Fill the whole hard disk with random bits, and then write each file block at an absolute disk address given by some pseudorandom process, and so-on the assumption that we have a block cipher which the opponent cannot distinguish from a random permutation- the presence or absence of a block at any location should not be distinguishable.
Problem: collision If we have N blocks, we will start to get collisions once we had written a little more than blocks (birthday problem).
solution Write the block at more than one location. But no analytic solutions are known for deciding how many copies be used can make the overwritten probability the lowest. Larson Table Experiments by Larson and Kajla showed that with values of m(copy number) in the range 10-25, the disks would not be full until 80-90% of its blocks were occupied.
Larson Table Larson’s system was designed to allow any record in a database to be retrieved with only one disk access. The basic idea is that’s a record is written at one of m locations on disc, which are specified pseudorandomly, and a table is kept in memory telling the user at which location to look.
StegFS based on Larson System btabi-1 …… btabi-2 …… btabi-m H(pwd) Write a block i Normal FS block Hidden block Block table random Normal bitmap
Block table entry Block number and checksum of the block. To check whether this block has been overwritten. Bitmap Just normal blocks are set. Whether a blocks is used CheckBitmap && CheckBlockTable(AllLowerLevel) Copy compliment Chance of overwritten also exists, so every time read a block, check the copy number, if less than threshold, add some.
Plausible Deniability The privacy protection of this is not provided by giving no indication of whether any hidden files are present or not. It is only impossible to find out how many different security levels of files are actually used. And also low level account can overwrite high level blocks without knowing whether that block is used.
Limitation Collision also exists. The plausible deniability is not the originals meaning of steganographic file system.
Conclusion The Steganographic file system is designed to give users a high degree of protection against coercion, in that they can plausibly deny the existence of whole directories of files on their hard disk, even against an opponent with complete access to the system and the resources.
Thanks