Wednesday, May 5, 2010

Would you like to play a (security) game?

It looks like the Red Chinese* are making equipment manufacturers divulge security information, possibly including encryption keys:

Chinese government rules due to come into force on Saturday would oblige security vendors to disclose encryption information.

The regulations mean that suppliers of six categories of products - including smart cards, firewall and routers - will need to submit trade secrets to a government panel in order to receive a license to sell to government departments.

Details of the scheme are a little murky. It's unclear whether EU and US would be obliged to simply disclose encryption techniques, such as AES, which are publicly documented, or cryptographic keys, which must be kept secret.

Of course, giving up encryption keys is bad juju, 'cause then your secret messages aren't secret anymore. Or are they?

If you work at it, they still can be. One way is to encrypt before you send it through your router, but let's assume that the ChiCom.Gov is 100% effective in getting all the keys from all the devices. Now what?

Steganography is a way for you to hide your secret - text, picture, audio, whatever you like - in a picture. The picture will look the same as before your stuff was added, and only people who know your secret password will be able to get it.
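A minimal sketch of the idea in the paragraph above, added here as an illustration; it is not code from this post and not the algorithm Outguess uses. A password-seeded shuffle decides which bytes of a raw pixel buffer carry the message in their least significant bits. The function names, the 2-byte length header, and the sample cover, message and password are all assumptions made for the example.

```python
import hashlib
import random
from typing import List, Optional

def _order(password: str, n: int) -> List[int]:
    """Password-dependent visiting order over all n carrier bytes."""
    seed = hashlib.sha256(password.encode("utf-8")).digest()
    order = list(range(n))
    random.Random(seed).shuffle(order)  # same password -> same order
    return order

def _to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def _from_bits(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def embed(cover: bytes, message: bytes, password: str) -> bytes:
    """Write a 2-byte length header plus message into least significant bits."""
    bits = _to_bits(len(message).to_bytes(2, "big") + message)
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    stego = bytearray(cover)
    for pos, bit in zip(_order(password, len(cover)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # only the lowest bit changes
    return bytes(stego)

def extract(stego: bytes, password: str) -> Optional[bytes]:
    """Read the header, then the message; None if the length is impossible."""
    order = _order(password, len(stego))
    lsb = [stego[pos] & 1 for pos in order]
    length = int.from_bytes(_from_bits(lsb[:16]), "big")
    if 16 + 8 * length > len(stego):
        return None  # likely outcome of a wrong password
    return _from_bits(lsb[16:16 + 8 * length])

# Constructed sample data: 4096 stand-in "pixel" bytes and a short message.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
MESSAGE = b"constructed sample secret"
STEGO = embed(COVER, MESSAGE, "correct horse")
```

Each carrier byte changes by at most 1, which is why the picture looks the same afterwards; the password only decides which bytes carry the bits and in what order.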

The cool thing is that now you don't need to encrypt your transmission. You can put it in a public place, like this:

Crash the cat is keeping my secrets from you. But if you use your 31337 h4X0R skillz, you can find them out (don't tell the ChiCom.Gov)!

Here are some hints:

1. You might think that the stego work was done with the Linux Outguess utility. I couldn't possibly comment.

2. You'll need to guess the password. This shouldn't be hard.

3. Don't assume that there's only one secret message, or that all messages use the same password.

I know that some of you have some pretty serious tech cred. Anyone who leaves the secret phrase(s) in the comments gets eternal bragging rights. And a plush child's toy suitable for shooting at the next blogger get-together.

* I only say "Red Chinese" to annoy all Right Thinking People™.

UPDATE 5 May 2010 13:54: Added the name of the stego utility, Outguess. Blog post editing FAIL.


Lissa said...

Silly Borepatch. We're yellow, not red!

George said...

Hmmmm...stegdetect says it is jphide.

Can't get jpshow to run on the Mac...downloaded the Windows version...haven't hacked the password yet.

Borepatch said...

George, I used Outguess:

George said...

Well, stegdetect did only give jphide one star. :)

Anonymous said...

Rumor has it that our own .gov has tried going down that same path with the whole Clipper chip thing. I'm sure there's no shortage of .gov employees now who are chomping at the bit to have all our keys (encryption and otherwise).