
Post on 12-Jan-2016


The Steganographic File System

Ross Anderson, Roger Needham, Adi Shamir

Presented by: Pan Meng

Outline

Introduction

First construction

Second construction

Conclusion

Usually, how do we protect our files?

encryption

But the attacker knows there is a file,

if he forces you to disclose your password, can you say no?

Plausible deniability

Keep the attacker from even knowing that the file exists!

Basic idea

password

Construction 1: Simple one-file scheme

The system is divided into n equal-size files, called covers.

Every cover is initially a file of random data: C1, …, Ci, …, Cn.

When we want to insert a file F, we replace a cover Ci with it.

When we want to get F, we extract it from the n covers with our password.

How to select the Ci? Suppose the password is:

1 0 1 0 0 0 1 (set bits: P1, P3, P7)

Select C1, C3, C7 to XOR with F:

$F' = C_1 \oplus C_3 \oplus C_7 \oplus F$

Replace one of C1, C3, C7 with F' XORed with itself:

$C_3' = F' \oplus C_3$

The covers are now C1, C2, C3', C4, C5, C6, C7.

How to get file back?

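The covers are C1, C2, C3', C4, C5, C6, C7.

Same password: 1 0 1 0 0 0 1 (set bits: P1, P3, P7)

Now select C1, C3', C7:

$C_1 \oplus C_3' \oplus C_7 = C_1 \oplus (F' \oplus C_3) \oplus C_7 = C_1 \oplus (C_1 \oplus C_7 \oplus F) \oplus C_7 = F$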

More complicated case

If there is more than one file in the system, inserting a new file changes the old file's context (the covers it is extracted from).

So we must modify the context to make sure we can still extract the old file properly.

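Example

Covers: $C_1, C_2, C_3$

Files inserted: $F_1, F_2$

Passwords: 1110, 0111

Insert F1:

$C_1' = C_1 \oplus C_2 \oplus C_3 \oplus F_1 \oplus C_1 = C_2 \oplus C_3 \oplus F_1$

Covers: $C_1', C_2, C_3, C_4$

Insert F2:

$C_2' = C_2 \oplus C_3 \oplus C_4 \oplus F_2 \oplus C_2 = C_3 \oplus C_4 \oplus F_2$

Covers: $C_1', C_2', C_3, C_4$

Now we can't get F1 from: $C_1' \oplus C_2' \oplus C_3$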

So we need a system of linear equations to decide which combinations of the Cj to alter.

An important property of this system is that if we have a linear access hierarchy (that is, a user storing a file at a given security level knows the passwords of all the files stored at lower levels), then files can be added in a natural way without disturbing already hidden files.

Solution

Multiple files

Assume there are n covers in the system.

Every cover is m bits.

$C_{n \times m} = [c_1, \ldots, c_n]^T$ -- whole system

$K_{n \times n} = [k_1, \ldots, k_n]^T$ -- n passwords

($k_1, \ldots, k_n$ is orthonormal)

Extract file Fi

$F_i = K_i C$

Modify file Fi

Suppose we want to modify Fi by XORing it with the binary difference file D of length m.

We modify the whole context like:

$C = C \oplus K_i^T D \quad [1]$

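Extract file after [1]:

$F_j' = K_j (C \oplus K_i^T D) = (K_j C) \oplus (K_j K_i^T) D$

Only when i = j does D reach the extracted file j: the rows of K are orthonormal, so $K_j K_i^T$ is 1 when i = j and 0 otherwise.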

Insert file

1. Extract random file Ci
2. Calculate D = F - Ci
3. Modify context: $C = C \oplus K_i^T D$
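The extract, modify and insert operations above, next to the single-cover rewrite of Construction 1, as an added example that is not code from the slides or the paper. The 4x4 key matrix, the 16-byte cover size, the hash-derived stand-in covers and all function names are assumptions made for the demonstration.

```python
import hashlib

# Constructed 4x4 key matrix over GF(2). Each row has odd weight and any two
# rows overlap in an even number of positions, so the rows are orthonormal.
# Rows 0 and 1 are the passwords 1110 and 0111 from the slide example.
K = [(1, 1, 1, 0), (0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 0, 1)]
M = 16  # cover length in bytes (assumed)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def extract(covers, key):
    """F_i = K_i C: XOR together the covers selected by the key's 1-bits."""
    out = bytes(M)
    for bit, cover in zip(key, covers):
        if bit:
            out = xor(out, cover)
    return out

def modify(covers, key, diff):
    """C = C xor K_i^T D: XOR D into every cover the key selects."""
    return [xor(c, diff) if bit else c for bit, c in zip(key, covers)]

def insert(covers, key, data):
    """Extract the random file under the key, set D = F - C_i, apply modify."""
    return modify(covers, key, xor(data, extract(covers, key)))

def naive_insert(covers, key, data):
    """Single-file scheme: rewrite only the first cover the key selects."""
    j = key.index(1)
    out = list(covers)
    out[j] = xor(covers[j], xor(data, extract(covers, key)))
    return out

def demo():
    # Constructed stand-ins for random covers, fixed so the run is repeatable.
    covers = [hashlib.sha256(bytes([i])).digest()[:M] for i in range(len(K))]
    f1, f2 = b"level-1 secret..", b"level-2 secret.."
    naive = naive_insert(naive_insert(covers, K[0], f1), K[1], f2)
    linear = insert(insert(covers, K[0], f1), K[1], f2)
    return (extract(naive, K[0]) == f1,      # False: F1 was disturbed
            extract(linear, K[0]) == f1,     # True
            extract(linear, K[1]) == f2)     # True

if __name__ == "__main__":
    print(demo())
```

With the linear update both files survive because each key has odd weight (the difference reaches its own file once) and shares an even number of covers with every other key (the difference cancels there).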

Key management

How can a user be given only his part of the key matrix K without revealing other parts or asking him to remember lots of bits?

1. Map a random initial password p0 by iterating a one-way function h via:

$p_{i+1} = h(p_i)$

2. Then map each pi into a random binary vector with an odd number of 1's (odd parity).

3. Finally, we use the Gram-Schmidt method to orthonormalise all the vectors.
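The three key-derivation steps as an added example, not code from the slides or the paper. SHA-256 as h, the bit-vector-as-int encoding, the function names and the retry counter are assumptions: over GF(2), removing components can leave a vector whose product with itself is 0, so the example tries the next candidate when that happens.

```python
import hashlib

def h(p):
    """One-way function h (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(p).digest()

def dot(a, b):
    """Inner product over GF(2) of two bit vectors stored as ints."""
    return bin(a & b).count("1") & 1

def candidate(p, n, counter):
    """Map a password to an n-bit vector with an odd number of 1s."""
    digest = hashlib.sha256(p + bytes([counter])).digest()
    v = int.from_bytes(digest, "big") & ((1 << n) - 1)
    return v if dot(v, v) else v ^ 1   # flip the low bit to force odd parity

def derive_keys(p, levels, n):
    """Keys for the holder of p: this level and the `levels - 1` later ones."""
    chain = [p]
    for _ in range(levels - 1):
        chain.append(h(chain[-1]))          # p_{i+1} = h(p_i)
    keys = []
    for pw in reversed(chain):              # last level first
        for counter in range(256):
            v = candidate(pw, n, counter)
            for k in keys:                  # Gram-Schmidt: remove components
                if dot(v, k):
                    v ^= k
            if dot(v, v):                   # still norm 1, accept
                break
        else:
            raise ValueError("no usable vector for this password")
        keys.append(v)
    return keys[::-1]
```

A holder of p2 derives exactly the same later keys as the holder of p0, but cannot walk the hash chain backwards to the earlier ones.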

To extend this 'multiple secure' file system to provide the plausible deniability which we seek, the user must have a number of passwords pi rather than just one or two of them, and the user can manage them in any of the standard ways, such as:

A number of pi could be stored on the disc, encrypted under some passphrase.


Limitation: known-message attack

If the size of the password is k and the opponent knows more than k bits of plaintext, then after obtaining all the random files from the computer he can write k linear equations in the k unknown bits of the key.

Limitation: performance penalty

Every time we must modify the whole context, so the cost is big.

Improvement: reading or writing a file would involve reading or writing whole 'slices' of the k*n matrix C, even if we just want to modify one bit of the file.

For example, if D is nonzero in a single bit (say, the q-th), then the product $k_i^T D$ is nonzero.

Construction 2

Fill the whole hard disk with random bits, and then write each file block at an absolute disk address given by some pseudorandom process. On the assumption that we have a block cipher which the opponent cannot distinguish from a random permutation, the presence or absence of a block at any location should not be distinguishable.

Problem: collision

If we have N blocks, we will start to get collisions once we have written a little more than $\sqrt{N}$ blocks (birthday problem).

Solution

Write the block at more than one location.

But no analytic solution is known for deciding how many copies give the lowest probability of being overwritten.

Larson Table

Experiments by Larson and Kajla showed that with values of m (number of copies) in the range 10-25, the disk would not be full until 80-90% of its blocks were occupied.

Larson Table

Larson’s system was designed to allow any record in a database to be retrieved with only one disk access.

The basic idea is that a record is written at one of m locations on disc, which are specified pseudorandomly, and a table is kept in memory telling the user at which location to look.

StegFS based on Larson System

[Figure: writing a block i. Labels: H(pwd); block table entries btabi-1, …, btabi-2, …, btabi-m; normal FS block; hidden block; random; block table; normal bitmap.]

Block table entry: block number and checksum of the block, used to check whether this block has been overwritten.

Bitmap: only normal blocks are set.

Whether a block is used: CheckBitmap && CheckBlockTable(AllLowerLevel)

Copy complement: the chance of being overwritten still exists, so every time a block is read, check the number of copies; if it is below the threshold, add some.
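The replicated write, checksum check and copy top-up described above, as an added example that is not StegFS code. The in-memory disk, the hash-derived addresses, the four-byte checksum, the copy count and all names are assumptions, and the block cipher that makes hidden blocks indistinguishable from random bits is left out.

```python
import hashlib

N = 1024      # disk size in blocks (assumed)
COPIES = 4    # copies per hidden block (assumed; the slides cite 10-25)

def locations(password, index):
    """Pseudorandom absolute addresses for hidden block `index`."""
    addrs = []
    for copy in range(COPIES):
        d = hashlib.sha256(f"{password}|{index}|{copy}".encode()).digest()
        addrs.append(int.from_bytes(d[:8], "big") % N)
    return list(dict.fromkeys(addrs))   # drop self-collisions, keep order

def checksum(block):
    return hashlib.sha256(block).digest()[:4]

def write_block(disk, table, password, index, data):
    """Write every copy; the table entry keeps the checksum of the block."""
    for a in locations(password, index):
        disk[a] = data
    table[index] = checksum(data)

def read_block(disk, table, password, index, threshold=2):
    """Return a copy whose checksum matches; top copies up if too few remain."""
    addrs = locations(password, index)
    good = [a for a in addrs if checksum(disk[a]) == table[index]]
    if not good:
        return None                     # every copy was overwritten
    data = disk[good[0]]
    if len(good) < threshold:
        for a in addrs:
            disk[a] = data
    return data

def demo():
    # Constructed filler standing in for a disk of random bits.
    disk = [hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(N)]
    table, secret = {}, b"hidden block payload"
    write_block(disk, table, "pw-high", 0, secret)
    addrs = locations("pw-high", 0)
    for a in addrs[:-1]:                # a lower level overwrites all but one
        disk[a] = b"normal file data"
    survived = read_block(disk, table, "pw-high", 0)
    restored = sum(disk[a] == secret for a in addrs)
    for a in addrs:                     # now every copy is overwritten
        disk[a] = b"normal file data"
    return survived, restored, len(addrs), read_block(disk, table, "pw-high", 0)
```

One surviving copy is enough to recover the block and restore the others; once every copy is overwritten the checksum no longer matches anywhere and the block is gone.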

Plausible Deniability

The privacy protection here does not come from giving no indication of whether any hidden files are present. It is only impossible to find out how many different security levels of files are actually used.

Also, a low-level account can overwrite high-level blocks without knowing whether that block is used.

Limitation

Collisions still exist.

The plausible deniability is not the original meaning of a steganographic file system.

Conclusion

The steganographic file system is designed to give users a high degree of protection against coercion, in that they can plausibly deny the existence of whole directories of files on their hard disk, even against an opponent with complete access to the system and the resources.

Thanks
