

Chaffing and Winnowing: Confidentiality without Encryption (1998) - ronancremin
http://people.csail.mit.edu/rivest/Chaffing.txt

======
zepolud
It's cool but basically solves a problem that no longer exists. Once you've
caused enough suspicion, they can simply dig up the records of all the data
you've sent, both chaff and wheat, and serve you with an order to disclose
your authentication key/lawfully hack your computer and obtain it without
asking/apply some lead pipe cryptanalysis and get it anyway. In the end, it's
no better than regular encryption, at the cost of being at least twice more
inefficient.

Still, for all the crypto export nonsense, 1998 appears to have been a more
innocent time:

> "But access to authentication keys is one thing that government has long
> agreed that they don't want to have."

~~~
Lexarius
Near the bottom they mention using more than one wheat stream to achieve
something like deniable encryption. If they ask you for the key, give them the
one that produces innocent-looking messages.

~~~
ionforce
I'm sure if law enforcement doesn't like your innocent looking messages they
can just keep demanding that you give them the real key.

How easy is it to produce a stream of messages that is fake but looks real?

~~~
Lexarius
Depends, how good are you at creative writing? I can think of a lot of
messages you might send to someone that you'd want to be private that aren't
nefarious plots. Weird fan fiction. Deviant porn. Messages exchanged with a
secret mistress. Depending on the situation, you might even want to give them
a fake copy of your nefarious plot. Include more than one extra set of
messages if you like and give them whatever keys you like in whatever order is
appropriate.

------
DanBC
See also "Chaffinch: Confidentiality in the Face of Legal Threats" by Richard
Clayton and George Danezis from University of Cambridge, which has some more
plausible deniability.

([http://www.cl.cam.ac.uk/~rnc1/Chaffinch.html](http://www.cl.cam.ac.uk/~rnc1/Chaffinch.html))

------
crb002
I've thought about writing a Chrome plugin to do something similar. While on,
it would randomly chaff the low order bits of any image you upload, and would
automatically add a chaff postscript to every Gmail. An adversary would have
no clue which images/messages contain ciphertext, and which contain nothing
but random chaff.

------
Cyranix
Was unreachable for me, here's the cached version:
[http://webcache.googleusercontent.com/search?q=cache:zgl1Lf2...](http://webcache.googleusercontent.com/search?q=cache:zgl1Lf25QRIJ:people.csail.mit.edu/rivest/Chaffing.txt)

------
sirmarksalot
I'm probably misunderstanding this. The way I'm envisioning this is basically
a half-dozen parallel conversations, with only one of them being the actual
conversation.

Couldn't it be easily defeated with contextual analysis? I mean, if it were
English sentences, the attacker could just choose a set of packets that make
grammatical sense. Or in more real-world examples, you'd just choose the
packets that form a valid HTTP session.

To work around this, you'd have to choose your chaff packets to flow
seamlessly from one to the other, which would make chaffing a really hard
problem.

~~~
ronaldx
Keep reading: the first example is a bit misleading (for the reason you state)
and the article gets more interesting.

They deal with this problem by coding the message with single-bit packets,
always contrasting 0s with 1s.

~~~
sirmarksalot
Yup, that was the critical piece I was missing. Thanks!
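
The single-bit packet scheme mentioned in this sub-thread, sketched as an added example (not code from the thread or from the linked article): every serial number carries both a 0 and a 1, and only the MAC tells the receiver which one is wheat. The packet layout `(serial, bit, tag)`, the use of HMAC-SHA256, the helper names, and the duplicate-serial check in `winnow` are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, serial: int, bit: int) -> bytes:
    # The tag covers serial and bit together, so it cannot be moved to another packet.
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def chaff(key: bytes, bits: list) -> list:
    """Sender: per serial, emit the wheat packet and a chaff packet with the opposite bit."""
    packets = []
    for serial, bit in enumerate(bits):
        pair = [(serial, bit, mac(key, serial, bit)),            # wheat: valid tag
                (serial, 1 - bit, secrets.token_bytes(32))]      # chaff: random tag
        if secrets.randbelow(2):                                 # hide which comes first
            pair.reverse()
        packets.extend(pair)
    return packets

def winnow(key: bytes, packets: list) -> list:
    """Receiver: keep packets whose tag verifies; ignore a serial already accepted."""
    accepted = {}
    for serial, bit, tag in packets:
        if not hmac.compare_digest(tag, mac(key, serial, bit)):
            continue                      # chaff, or tampered in transit
        if serial in accepted:
            continue                      # repeated serial within this stream
        accepted[serial] = bit
    return [accepted[s] for s in sorted(accepted)]

def observer_view(packets: list) -> dict:
    """What a party without the key learns: the set of bits seen per serial."""
    seen = {}
    for serial, bit, _tag in packets:
        seen.setdefault(serial, set()).add(bit)
    return seen

def text_to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def bits_to_text(bits: list) -> bytes:
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[n:n + 8]))
                 for n in range(0, len(bits), 8))

if __name__ == "__main__":
    key = secrets.token_bytes(32)                  # constructed sample key
    stream = chaff(key, text_to_bits(b"Hi"))       # constructed sample message
    print(bits_to_text(winnow(key, stream)))
    print(all(v == {0, 1} for v in observer_view(stream).values()))
```

Because both bit values appear under every serial, picking the packets that "make sense" gives an observer nothing to select on; only a holder of the MAC key can winnow.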

------
theboss
Kind of interesting scheme that doesn't really work in 2013.

Wouldn't this be vulnerable to replay attacks, or am I missing something?

~~~
hellcow
If Alice's messages could all be intercepted and manipulated prior to Bob's
receiving them, then yes, they could be changed without either party knowing.

Combined with asymmetric encryption of the messages, you should be able to
prevent that from happening.

~~~
theboss
Without any manipulation why wouldn't this be vulnerable to a replay attack?

------
lucb1e
Might be just me, but I'm thinking encryption is way easier than this.

~~~
Cyranix
But that's rather missing the point, isn't it? The premise is "Under
circumstances where encryption is not a viable option, what secure
communication methods might be possible?" so responses that ignore the
premise, like "just use encryption" or "just don't get into such
circumstances", aren't the most salient critiques.

------
knowaveragejoe
Isn't this still, in essence at least, Steganography?

~~~
zepolud
Nope. You would be painting a huge red target on yourself if you tried
something like this.

The purpose of steganography is not to get noticed in the first place. It's
orthogonal to regular cryptography.

~~~
ozi
Unfortunately, common steganography algos used on images are easy to detect
with statistical analysis.

~~~
akkartik
Can you elaborate?

~~~
DanBC
People read a book, they see a simple description of steganography, they whip
up an implementation as a proof of concept, they share that code, other people
think it's secure when it's not meant to be.

([http://www.ifp.illinois.edu/~ywang11/paper/CISS04_204.pdf](http://www.ifp.illinois.edu/~ywang11/paper/CISS04_204.pdf))

([http://eprint.iacr.org/2005/305](http://eprint.iacr.org/2005/305))

([http://vision.ece.ucsb.edu/publications/sullivan_ICIP06.pdf](http://vision.ece.ucsb.edu/publications/sullivan_ICIP06.pdf))

