Stego file system (Was: Inaccurate study)
Richard Watts
Richard.Watts at cl.cam.ac.uk
Sun, 5 Apr 1998 17:48:55 +0100
On Sun 5 April 1998, Ross Anderson
<Ross.Anderson@cl.cam.ac.uk> wrote:
>Peter Sommer:
>
>> Interestingly enough, the "old" DTI TTP proposals specifically
>> excluded many of the devices / technologies that are used for
>> file and disk encryption. The alternative legal route here is
>> to allow / extend the ability of the court to issue orders for
>> decryption keys to be released (under certain conditions) or to
>> allow adverse comment to be made if someone refuses to do so.
[snip]
>imaginable from the point of view of a police forensic lab. Crooks
>could hide their drug deals, kiddieporn and so on on their laptops
>together with some `innocuous' secrets such as lists of sales
>prospects for their cover business. Given a decryption warrant,
>they hand over the password for the directories containing these
>cover secrets.
>
>Of course, the stego file system will be completely unaffected by
>the DTI's proposed legislation - whether the previous government's
>version or the new, spun, version.
>
>The paper's at http://www.cl.cam.ac.uk/users/rja14/#Tempest

Legally, you can probably get around this by reversing the burden of
proof (or even acting on the balance of probabilities). This still
leaves the problem that most crooks would rather go to jail for
refusing to supply evidence than for the crime the evidence would have
revealed. This could be taken as an argument for hardware escrow[1].

I haven't read the paper terribly thoroughly yet, but surely another
way of doing this is simply to hide one or more encrypted filesystems
in the free block list of a standard filesystem? (and another inside
that if you want another level).

Given some known plaintext, there's the standard attack of searching
through the space of possible filesystems until you get to one which
gives valid information, but I don't think that's likely to be
practical.

[snip]

Richard.

[1] The most logical of which would probably be a display adaptor
that has some AI to detect `illegal' text or images, and then leaks
them via TEMPEST to your friendly neighbourhood TV detector van for
the vice squad's computers to screen. For copyright protection
reasons, naturally. One might even speculate that certain PGP-keys
could, when displayed, modify the behaviour of TEMPEST-leaking
display adaptors.
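
The free-block idea in the message above can be modelled on a toy in-memory disk. This is an added example, not code from the post or from the paper it refers to; the block geometry, every function name, and the SHA-256 counter-mode keystream (a stand-in, not a vetted cipher) are assumptions made for illustration. It shows two properties an examiner or designer would check: a hidden block is only recognisable with the right key, and the host filesystem, which still considers the block free, overwrites it.

```python
import hashlib, hmac, os

BLOCK, NBLOCKS, TAG = 64, 32, 16   # toy geometry (assumed values)

def keystream(key, i, n):
    # Stand-in cipher: SHA-256 in counter mode, keyed per block index.
    return b"".join(hashlib.sha256(key + bytes([i, c])).digest()
                    for c in range(n // 32 + 1))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def slot_order(key):
    # Key-dependent order in which the hidden volume tries blocks.
    return sorted(range(NBLOCKS),
                  key=lambda i: hashlib.sha256(key + b"slot" + bytes([i])).digest())

def tag_for(key, i, body):
    return hmac.new(key, bytes([i]) + body, hashlib.sha256).digest()[:TAG]

class ToyDisk:
    def __init__(self):
        # Free space must already be noise, or ciphertext in it stands out.
        self.blocks = [os.urandom(BLOCK) for _ in range(NBLOCKS)]
        self.used = [False] * NBLOCKS          # host allocation bitmap

    def host_write(self, data):
        # The host filesystem takes the lowest free block; it knows nothing
        # about hidden data and will overwrite it.
        i = self.used.index(False)
        self.blocks[i] = data.ljust(BLOCK, b"\0")[:BLOCK]
        self.used[i] = True
        return i

def hidden_write(disk, key, payload):
    # payload must fit in BLOCK - TAG bytes; the bitmap is left untouched.
    i = next(i for i in slot_order(key) if not disk.used[i])
    body = xor(payload.ljust(BLOCK - TAG, b"\0"), keystream(key, i, BLOCK - TAG))
    disk.blocks[i] = body + tag_for(key, i, body)
    return i

def hidden_read(disk, key):
    # Try blocks in key order; only a block whose tag verifies is "valid information".
    for i in slot_order(key):
        body, tag = disk.blocks[i][:-TAG], disk.blocks[i][-TAG:]
        if hmac.compare_digest(tag, tag_for(key, i, body)):
            return xor(body, keystream(key, i, BLOCK - TAG)).rstrip(b"\0")
    return None
```

After the host has filled the disk with its own writes, `hidden_read` returns `None` even with the correct key, which is the data-loss cost of leaving the allocation bitmap untouched.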