Subliminal channel

Last updated April 17, 2024

In cryptography, subliminal channels are covert channels that can be used to communicate secretly in normal looking communication over an insecure channel.^[1] Subliminal channels in digital signature crypto systems were found in 1984 by Gustavus Simmons.

Signature algorithms like ElGamal and DSA have parameters which must be set with random information. He shows how one can make use of these parameters to send a message subliminally. Because the algorithm's signature creation procedure is unchanged, the signature remains verifiable and indistinguishable from a normal signature. Therefore, it is hard to detect if the subliminal channel is used.

Subliminal channels can be classified into broadband and narrowband channel types.
Broadband and narrowband channels can exist in the same datastream.
The broadband channel uses almost all available bits that are available to use. This is commonly understood to mean {≥50% but ≤90%} channel utilization.
Every channel which uses fewer bits is called a narrow-band channel.
The additional used bits are needed for further protection, e.g., impersonation.

The broadband and the narrow-band channels can use different algorithm parameters. A narrow-band channel cannot transport maximal information, but it can be used to send the authentication key or datastream.

Research is ongoing : further developments can enhance the subliminal channel, e.g., allow for establishing a broadband channel without the need to agree on an authentication key in advance. Other developments try to avoid the entire subliminal channel.

Examples

An easy example of a narrowband subliminal channel for normal human-language text would be to define that an even word count in a sentence is associated with the bit "0" and an odd word count with the bit "1". The question "Hello, how do you do?" would therefore send the subliminal message "1".

The Digital Signature Algorithm has one subliminal broadband^[3] and three subliminal narrow-band channels^[4]

At signing the parameter $k$ has to be set random. For the broadband channel this parameter is instead set with a subliminal message $m'$ .

Key generation
1. choose prime $p=2347$
2. choose prime $q=23$
3. calculate generator $g=266$
4. choose authentication key $x=1468$ and send it securely to the receiver
5. calculate public key $y=g^{x}$ mod $p=2100$
Signing
1. choose message $m=1337$
2. (hash function $H(m)$ is here substituted with a modulo reduction by 107) calculate message hash value $h=m$ mod $q=1337$ mod $107=53$
3. instead of random value $k=?$ subliminal message $m'=17$ is chosen
4. calculate inverse of the subliminal message $m'^{-1}=19$ mod $23$
5. calculate signature value $r=(g^{k}$ mod $p)$ mod $q=(266^{17}$ mod $2347)$ mod $23=12$
6. calculate signature value $s=k^{-1}*(h+x*r)$ mod $q=19*(53+1468*12)$ mod $23=3$
7. sending message with signature triple $(1337;12,3)$
Verifying
1. receiver gets message triple $(m;r,s)=(1337;12,3)$
2. calculate message hash $h=H(m)$ mod $q=1337$ mod $107=53$
3. calculate inverse $w=s^{-1}$ mod $q=8$
4. calculate $u_{1}=(h*w)$ mod $q=53*8$ mod $23=10$
5. calculate $u_{2}=(r*w)$ mod $q=12*8$ mod $23=4$
6. calculate signature $v=(g^{u_{1}}*y^{u_{2}}$ mod $p)$ mod $q=(266^{10}*2100^{4}$ mod $2347)$ mod $23=12$
7. since $v=r$ , the signature is valid
Message extraction on receiver side
1. from triple (1337; 12, 3)
2. extract message $m'=8*(53+1468*12)$ mod $23=17$

The formula for message extraction is derived by transposing the signature value $s$ calculation formula.

$s=m'^{-1}*(h+xr)$ mod $q$
$s*m'=h+xr$ mod $q$
$m'=s^{-1}*(h+xr)$ mod $q$

Example: Using a Modulus n = pqr

In this example, an RSA modulus purporting to be of the form n = pq is actually of the form n = pqr, for primes p, q, and r. Calculation shows that exactly one extra bit can be hidden in the digitally signed message. The cure for this was found by cryptologists at the Centrum Wiskunde & Informatica in Amsterdam, who developed a Zero-knowledge proof that n is of the form n = pq.^{[ citation needed ]} This example was motivated in part by The Empty Silo Proposal.

Example - RSA Case study

Here is a (real, working) PGP public key (using the RSA algorithm), which was generated to include two subliminal channels - the first is the "key ID", which should normally be random hex, but below is "covertly" modified to read "C0DED00D". The second is the base64 representation of the public key - again, supposed to be all random gibberish, but the English-readable message "//This+is+Christopher+Drakes+PGP+public+key//Who/What+is+watcHIng+you//" has been inserted. Adding both these subliminal messages was accomplished by tampering with the random number generation during the RSA key generation phase.

 PGP Key. RSA 2020/C0DED00D   Fprint: 250A 7E38 9A1F 8A86  0811 C704 AF21 222C    -----BEGIN PGP PUBLIC KEY BLOCK-----  Version: Private    mQESAgAAAAAAAAEH5Ar//This+is+Christopher+Drakes+PGP+public+key//  Who/What+is+watcHIng+you//Di0nAraP+Ebz+iq83gCa06rGL4+hc9Gdsq667x  8FrpohTQzOlMF1Mj6aHeH2iy7+OcN7lL0tCJuvVGZ5lQxVAjhX8Lc98XjLm3vr1w  ZBa9slDAvv98rJ8+8YGQQPJsQKq3L3rN9kabusMs0ZMuJQdOX3eBRdmurtGlQ6AQ  AfjzUm8z5/2w0sYLc2g+aIlRkedDJWAFeJwAVENaY0LfkD3qpPFIhALN5MEWzdHt  Apc0WrnjJDby5oPz1DXxg6jaHD/WD8De0A0ARRAAAAAAAAAAAbQvQ2hyaXN0b3Bo  ZXIgRHJha2UgPENocmlzdG9waGVyLkRyYWtlQFBvQm94LmNvbT60SE5ldFNhZmUg  c2VjdXJpdHkgc29mdHdhcmUgZGlyZWN0b3IgQ2hyaXN0b3BoZXIgRHJha2UgPE5l  dFNhZmVAUG9Cb3guY29tPokBEgMFEDPXgvkcP9YPwN7QDQEB25oH4wWEhg9cBshB  i6l17fJRqIJpXKAz4Zt0CfAfXphRGXC7wC9bCYzpHZSerOi1pd3TpHWyGX3HjGEP  6hyPfMldN/sm5MzOqgFc2pO5Ke5ukfgxI05NI0+OKrfc5NQnDOBHcm47EkK9TsnM  c3Gz7HlWcHL6llRFwk75TWwSTVbfURbXKx4sC+nNExW7oJRKqpuN0JZxQxZaELdg  9wtdArqW/SY7jXQn//YJV/kftKvFrA24UYLxvGOXfZXpP7Gl2CGkDI6fzism75ya  xSAgn9B7BqQ4BLY5Vn+viS++6Rdavykyd8j9sDAK+oPz/qRtYJrMvTqBErN4C5uA  IV88P1U=  =/BRt  -----END PGP PUBLIC KEY BLOCK-----

Improvements

A modification to the Brickell and DeLaurentis signature scheme provides a broadband channel without the necessity to share the authentication key.^[5] The Newton channel is not a subliminal channel, but it can be viewed as an enhancement.^[6]

Countermeasures

With the help of the zero-knowledge proof and the commitment scheme it is possible to prevent the usage of the subliminal channel.^[7]^[8]

It should be mentioned that this countermeasure has a 1-bit subliminal channel. The reason for that is the problem that a proof can succeed or purposely fail.^[9]

Another countermeasure can detect, but not prevent, the subliminal usage of the randomness.^[10]

Notes

↑ Simmons' Prisoners' Problem is not the same as the Prisoner's Dilemma.^[1]

Related Research Articles

<span class="mw-page-title-main">Diffie–Hellman key exchange</span> Method of exchanging cryptographic keys

Diffie–Hellman key exchange is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security.

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant of the Schnorr and ElGamal signature schemes.

The Merkle–Hellman knapsack cryptosystem was one of the earliest public key cryptosystems. It was published by Ralph Merkle and Martin Hellman in 1978. A polynomial time attack was published by Adi Shamir in 1984. As a result, the cryptosystem is now considered insecure.

<span class="mw-page-title-main">Blind signature</span> Form of digital signature

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm that was described by Claus Schnorr. It is a digital signature scheme known for its simplicity, among the first whose security is based on the intractability of certain discrete logarithm problems. It is efficient and generates short signatures. It was covered by U.S. patent 4,995,082 which expired in February 2010.

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

KCDSA is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over $, but an elliptic curve variant (EC-KCDSA) is also specified.$

Kleptography is the study of stealing information securely and subliminally. The term was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology – Crypto '96. Kleptography is a subfield of cryptovirology and is a natural extension of the theory of subliminal channels that was pioneered by Gus Simmons while at Sandia National Laboratory. A kleptographic backdoor is synonymously referred to as an asymmetric backdoor. Kleptography encompasses secure and covert communications through cryptosystems and cryptographic protocols. This is reminiscent of, but not the same as steganography that studies covert communications through graphics, video, digital audio data, and so forth.

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

In cryptography, a ring signature is a type of digital signature that can be performed by any member of a set of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set's members' keys was used to produce the signature. Ring signatures are similar to group signatures but differ in two key ways: first, there is no way to revoke the anonymity of an individual signature; and second, any set of users can be used as a signing set without additional setup.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

In cryptography, a three-pass protocol for sending messages is a framework which allows one party to securely send a message to a second party without the need to exchange or distribute encryption keys. Such message protocols should not be confused with various other algorithms which use 3 passes for authentication.

Post-quantum cryptography (PQC), sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer. The problem with popular algorithms currently used in the market is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm or even faster and less demanding alternatives.

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public-domain software.

Digital signatures are a means to protect digital information from intentional modification and to authenticate the source of digital information. Public key cryptography provides a rich set of different cryptographic algorithms the create digital signatures. However, the primary public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized quantum computer. Post quantum cryptography is a class of cryptographic algorithms designed to be resistant to attack by a quantum cryptography. Several post quantum digital signature algorithms based on hard problems in lattices are being created replace the commonly used RSA and elliptic curve signatures. A subset of these lattice based scheme are based on a problem known as Ring learning with errors. Ring learning with errors based digital signatures are among the post quantum signatures with the smallest public key and signature sizes

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

References

1 2 Gustavus J. Simmons. The Prisoners Problem and the Subliminal Channel . In Advances in Cryptology – CRYPTO ’83, pages 51–67, New York, 1984. Lecture Notes in Computer Science, ed. D. Chaum.
↑ Gustavus J. Simmons. The subliminal channel and digital signatures . In Proc. of the EUROCRYPT 84 workshop on Advances in Cryptology – theory and application of cryptographic techniques, pages 364–378, New York, NY, USA, 1985. Springer-Verlag New York, Inc. doi : 10.1007/3-540-39757-4_25
↑ Gustavus J. Simmons. Subliminal communication is easy using the DSA . In EUROCRYPT ’93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 218–232, Secaucus, NJ, USA, 1994. Springer-Verlag New York, Inc.
↑ Gustavus J. Simmons. The subliminal channel in the U.S. Digital Signature Algorithm (DSA), in Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography (SPRC '93), Rome, Italy, February 15–16, 1993.
↑ Gustavus J. Simmons. A Secure Subliminal Channel (?) . In CRYPTO ’85: Advances in Cryptology, pages 33–41, London, UK, 1986. Springer-Verlag.
↑ Ross J. Anderson, Serge Vaudenay, Bart Preneel, and Kaisa Nyberg. The Newton Channel . In Proceedings of the First International Workshop on Information Hiding, pages 151–156, London, UK, 1996. Springer-Verlag.
↑ Yvo Desmedt. Abuses in Cryptography and How to Fight Them . In CRYPTO ’88: Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, pages 375–389, London, UK, 1990. Springer-Verlag.
↑ Yvo Desmedt. "Subliminal-free authentication and signature". p. 24 of Christoph G. Günther, editor. "Advances in Cryptology - EUROCRYPT '88". 1988.
↑ Desmedt, Yvo (1996). "Simmons' Protocol is Not Free of Subliminal Channels". Proc. of 9th IEEE Computer Security Foundations Workshop. pp. 170–175. CiteSeerX 10.1.1.56.4816 .
↑ Choi, Jong Youl; Golle, Philippe; Jakobsson, Markus (2006). "Tamper Evident Digital Signatures: Protecting Certification Authorities Against Malware". Proceedings of the 2nd IEEE International Symposium on Dependable Autonomic and Secure Computing. CiteSeerX 10.1.1.61.9340 .

Bruce Schneier. Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C, 2. Ed. Wiley Computer Publishing, John Wiley & Sons, Inc., 1995.

External links

Seminar: "Covert Channels and Embedded Forensics"

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[3] Simmons' Prisoners' Problem is not the same as the Prisoner's Dilemma.^[1]

[Simmons:PrisonersProblem-1] 1 2 Gustavus J. Simmons. The Prisoners Problem and the Subliminal Channel . In Advances in Cryptology – CRYPTO ’83, pages 51–67, New York, 1984. Lecture Notes in Computer Science, ed. D. Chaum.

[Simmons:SubliminalChannelAndDigitalSignatures-2] Gustavus J. Simmons. The subliminal channel and digital signatures . In Proc. of the EUROCRYPT 84 workshop on Advances in Cryptology – theory and application of cryptographic techniques, pages 364–378, New York, NY, USA, 1985. Springer-Verlag New York, Inc. doi : 10.1007/3-540-39757-4_25

[Simmons:EasyDSACom-4] Gustavus J. Simmons. Subliminal communication is easy using the DSA . In EUROCRYPT ’93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 218–232, Secaucus, NJ, USA, 1994. Springer-Verlag New York, Inc.

[5] Gustavus J. Simmons. The subliminal channel in the U.S. Digital Signature Algorithm (DSA), in Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography (SPRC '93), Rome, Italy, February 15–16, 1993.

[Simmons:ASecureChannel-6] Gustavus J. Simmons. A Secure Subliminal Channel (?) . In CRYPTO ’85: Advances in Cryptology, pages 33–41, London, UK, 1986. Springer-Verlag.

[NewtonChannel-7] Ross J. Anderson, Serge Vaudenay, Bart Preneel, and Kaisa Nyberg. The Newton Channel . In Proceedings of the First International Workshop on Information Hiding, pages 151–156, London, UK, 1996. Springer-Verlag.

[Desmedt:AbusesFight-8] Yvo Desmedt. Abuses in Cryptography and How to Fight Them . In CRYPTO ’88: Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, pages 375–389, London, UK, 1990. Springer-Verlag.

[9] Yvo Desmedt. "Subliminal-free authentication and signature". p. 24 of Christoph G. Günther, editor. "Advances in Cryptology - EUROCRYPT '88". 1988.

[Desmedt:SimmonsNotFree-10] Desmedt, Yvo (1996). "Simmons' Protocol is Not Free of Subliminal Channels". Proc. of 9th IEEE Computer Security Foundations Workshop. pp. 170–175. CiteSeerX 10.1.1.56.4816 .

[TamperEvident-11] Choi, Jong Youl; Golle, Philippe; Jakobsson, Markus (2006). "Tamper Evident Digital Signatures: Protecting Certification Authorities Against Malware". Proceedings of the 2nd IEEE International Symposium on Dependable Autonomic and Secure Computing. CiteSeerX 10.1.1.61.9340 .

[1]

[2]

[lower-alpha 1]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]