"Subliminal channel" refers to the art of hiding a message within another, and can thus be compared to other art-forms, such as steganography. It deals strictly with the concealment of the message, not with scrambling it, so one will often want to combine it with one or more forms of encryption.
A subliminal channel can be the number of words in a sentence, or it can be that the second character of the first word in a sentence represents a 0 if the ASCII number for that character is even, and a 1 if it is odd. There are countless ways you can manually hide messages by spreading their bits around in innocent looking messages.
In today's world, it is often combined with sending the message in such a way that it is not possible to detect who the intended recipient is. This can be achieved by, for example, posting innocent looking messages which are on-topic to various innocent USENET groups. That's another story though.
This first reached its full potential when Gustavus Simmons discovered a way to hide a message in a digital signature. Armed with that skill, it's possible to sign an innocent communique with a valid digital signature, and hide a relatively big chunk of information in the signature, such that it can only be recovered if one has access to the private part of the key.
To anyone without any knowledge of the key, or with access only to the public key, it looks like a valid normal signature, and one has no reason to suspect the signature is being used for other purposes as well.
The number of possible applications for this is limited only by one's own imagination.
To give an example: a spy has been captured, and is forced to sign a message saying all is well, etc., to his employers, using his field laptop. Assuming the program has been written with some foresight, he should easily be able to include a secret message in his signature, such that he could both tell them the message is bogus, as well as give up other useful information, like the location he's being held at. The message, as well as the signature, could be verified, checked and rechecked, and the captors should not be able to detect the message. That is, assuming the following conditions hold.
To get at the subliminal channel in a normal use situation, all of the following would have to be broken:
- The attackers would need access to the private key.
- The attackers would need knowledge about the public key encryption being used.
- The attackers would need access to the symmetric key used to encrypt the subliminal channel (assuming this is done).
- The attackers would need knowledge about the symmetric encryption used.
In a secure setup, it's generally assumed that if someone gets access to your private key, you're basically SOL. It's therefore tempting to assume this to be a secure way of communication; however, this is not one of the subjects of cryptography that has been studied the most, and I can therefore do nothing but recommend that it's used with care, and coupled with strong symmetric encryption as well.
So far, this all sounds well and good. That's because we've been viewing it from the point of view of the person taking advantage of the subliminal channel. It all gets a lot worse when you start looking at this from a broader perspective, and realize how painful this can quickly get if it starts getting combined with all the various applications for blind signatures.
If you need to get a document timestamped, if you wish to use digital cash and so on, the dangers of subliminal channels suddenly look a lot worse. One of the things one can look forward to with the arrival of digital cash is completely anonymous transactions; however, if the digital cash has been "marked" using subliminal channels, only the bank (or other owners of the private key belonging to the bank) will be able to even detect the presence of the mark. I would greatly recommend reading up on how digital signatures work to better understand this risk.
The fears of all the dangers involved have led to the creation of subliminal-free signatures, which cannot be modified to contain subliminal channels.
If you wish to learn more about those, I suggest reading papers 1 and 2 in the literature listing.
Of the signature algorithms that allow the use of subliminal channels, ElGamal is the best known; however, the first subliminal channel designed was based on the Ong-Schnorr-Shamir identification scheme. Both of these designs were made by Simmons. Modifications to ESIGN have also been made to allow for a subliminal channel. Again thanks to Simmons.
Amongst the algorithms one can imagine Simmons had fun finding a subliminal channel in, or rather several subliminal channels, is the US's Digital Signature Algorithm (aka Digital Signature Standard, or the short forms DSA and DSS). You can actually fit a whopping 160 bit message in each signature.
Finally I'd like to note that ANY digital signature algorithm can be converted into a subliminal channel. There are however protocols for protecting against such usage, depending on the use of a third party to render the signer unable to choose any of the bits of k (see Digital Signature Algorithm), without him/herself knowing any of the bits (thus not being able to fake a signature). More on this can be found by referring to 10, 12 and 13 in the literature listing (credits once again to Simmons).
Simmons later discovered the protocol discussed in those papers would allow the trusted third party to make a subliminal channel him/herself. Fixes can be found in papers 11 and 13.
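The DSA channel described above, carried in k, as an added Python example (not from the original page or from Simmons's papers): the signer sets k to the covert payload instead of a random value, the signature still verifies normally, and the holder of the private key x solves the signing equation for k. The toy parameters, the key value and all function names are constructed for illustration; the 31-bit q used here carries about 3 bytes, where a 160-bit q gives the capacity quoted above.

```python
import hashlib
from math import isqrt

# Toy DSA parameters constructed for this example; far too small for real use.
Q = 2**31 - 1  # prime subgroup order (a Mersenne prime)
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
P = next(Q * j + 1 for j in range(2, 10**4, 2) if _is_prime(Q * j + 1))
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

def _h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(x: int):
    """Private key x, public key y = g^x mod p."""
    return x, pow(G, x, P)

def sign_with_covert_k(x: int, cover: bytes, covert: bytes):
    """Standard DSA signing, except k is the covert payload, not a random value."""
    k = int.from_bytes(covert, "big")
    if not 0 < k < Q:
        raise ValueError("covert payload must encode to 0 < k < q")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (_h(cover) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature for this payload")
    return r, s

def verify(y: int, cover: bytes, sig) -> bool:
    """Ordinary DSA verification; it has no way to see the channel."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, _h(cover) * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def recover_covert(x: int, cover: bytes, sig, length: int) -> bytes:
    """With the private key, solve s = k^-1 (H(m) + x*r) for k."""
    r, s = sig
    k = pow(s, -1, Q) * (_h(cover) + x * r) % Q
    return k.to_bytes(length, "big")

if __name__ == "__main__":
    x, y = keygen(123456789)  # constructed sample key
    sig = sign_with_covert_k(x, b"All is well.", b"SOS")
    print(verify(y, b"All is well.", sig), recover_covert(x, b"All is well.", sig, 3))
```

The verifier accepts the signature exactly as it would any other, which is why the protective protocols mentioned above work by taking the choice of k away from the signer.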
Full literature listing:
1. "Subliminal-Free Authentication and Signature" by Y. Desmedt in "Advances in Cryptology-EUROCRYPT '88 Proceedings" pages 23-33.
2. "Abuses in Cryptography and How to Fight Them" by Y. Desmedt in "Advances in Cryptology-EUROCRYPT '88 Proceedings" pages 375-389.
3. "Special Uses and Abuses of the Fiat-Shamir Passport Protocol" by Y. Desmedt, C. Goutier and S. Bengio in "Advances in Cryptology-CRYPTO '87 Proceedings" pages 21-39.
4. "A Subliminal Channel in Codes for Authenticating without Secrecy" by J. Seberry in "Ars Combinatorica" pages 337-342.
5. "The Prisoner's Problem and the Subliminal Channel" by G.J. Simmons in "Advances in Cryptology: Proceedings of CRYPTO '83" pages 51-67.
6. "The Subliminal Channel and Digital Signatures" by G.J. Simmons in "Advances in Cryptology: Proceedings of CRYPTO '84" pages 364-378.
7. "A Secure Subliminal Channel (?)" by G.J. Simmons in "Advances in Cryptology-CRYPTO '85 Proceedings" pages 33-41.
8. "The Subliminal Channels of the U.S. Digital Signature Algorithm (DSA)" by G.J. Simmons in "Proceedings of the Third Symposium on: State and Progress of Research in Cryptography, Rome: Fondazione Ugo Bordoni" pages 35-54.
9. "Subliminal Communication is Easy Using the DSA" by G.J. Simmons in "Advances in Cryptology-EUROCRYPT '93" pages 218-23
10. "An Introduction to the Mathematics of Trust in Security Protocols" by G.J. Simmons in "Proceedings: Computer Security Foundations Workshop VI" pages 121-127.
11. "Protocols that Ensure Fairness" by G.J. Simmons in "Codes and Ciphers" pages 383-394.
12. "Cryptanalysis and Protocol Failures" by G.J. Simmons in "Communications of the ACM" pages 56-65.
13. "Subliminal Channels: Past and Present" by G.J. Simmons in "European Transactions on Telecommunications".
Literature listing, some info about the DSA subliminal channel as well as credits fetched from Applied Cryptography by Bruce Schneier.