The embodiments of the invention relate generally to data communications and, more specifically, relate to broadcast stenography of data communications.
Data communications are vulnerable to intentional interception by snoopers and other third-party interlopers. Even where the communications are encrypted with a secure mechanism such as Secure Sockets Layer (SSL), traffic analysis remains possible: an observer can determine both endpoints of the communication and how much traffic passes between them. This is information that the endpoints may not have wanted to be public. In addition, some data communications may operate in environments where certain types of cryptography and ciphering are not a legal alternative for implementation.
Some conventional techniques for protection of broadcast data communication schemes generally present a few problems with data security. One problem is that the end points of the data communication cannot reliably authenticate who they are speaking with. Another problem is that the information contained within the data communication may be disclosed to parties whom the endpoints do not want to see the information.
In light of the above problems, a way to ensure that broadcast of data communications are not vulnerable to traffic analysis schemes as described above would be beneficial. In addition, such a solution would be beneficial if it allowed for the reliable authentication of the end points of the data communication, as well as if it provided for the security of the information within the data communication.
The invention will be understood more fully from the detailed description given below and from the accompanying drawings of various embodiments of the invention. The drawings, however, should not be taken to limit the invention to the specific embodiments, but are for explanation and understanding only.
Embodiments of the invention provide for broadcast stenography of data communications. In one embodiment, a method of broadcast stenography includes creating a plurality of messages for transmission to one or more recipients, the plurality of messages including one or more real messages intended for one or more of the recipients and one or more bogus messages intended for none of the recipients. The method further includes, for each intended recipient of the one or more real messages, calculating a message authentication code (MAC) based on the message and a shared secret key kept between a broadcaster of the plurality of messages and the intended recipient, and, for each of the plurality of messages, creating a plurality of unique pseudo-MACs that have an identical format to a real MAC. In addition, the method includes sending the plurality of messages to the one or more recipients, with the calculated MACs for each intended recipient attached to the one or more real messages and the associated unique pseudo-MACs attached to each message of the plurality of messages.
In the following description, numerous details are set forth. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the present invention.
Some portions of the detailed descriptions which follow are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise, as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “sending”, “receiving”, “attaching”, “forwarding”, “caching”, or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
The present invention also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear as set forth in the description below. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.
The present invention may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present invention. A machine-readable medium includes any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium (e.g., read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.), a machine (e.g., computer) readable transmission medium (electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.)), etc.
In one embodiment, broadcaster 110 includes a message authentication code (MAC) algorithm module 112, while recipients 130 each also include a MAC algorithm module 132. In addition, broadcaster 110 includes a broadcast stenography module 115 and recipient(s) 130 each include a broadcast stenography module 135. In some embodiments, broadcast stenography module 115 and broadcast stenography module 135 are the same. In one embodiment, MAC algorithm modules 112, 132 and broadcast stenography modules 115, 135 enable broadcaster 110 and recipients 130 to engage in an anonymous, yet authenticated, message passing service using broadcast stenography as described in embodiments of the invention below. In particular, the broadcaster 110 may broadcast a continuous stream of message traffic, signed in such a way that the intended recipients can easily determine which messages are intended for them, but no other actor can determine which messages are intended for any other particular recipient.
Method 200 begins with block 210, where the broadcaster creates a plurality of messages for transmission to the one or more recipients. These messages include a real or authentic message that is intended for the one or more of the recipients, as well as multiple bogus messages that have no intended recipients. These bogus messages may be constructed in such a way as to look as if they are real or authentic messages.
Then, method 200 proceeds to block 220, where for each intended recipient of the real message, a MAC is calculated. In one embodiment, the MAC algorithm modules 112 and 132 of
In one embodiment, the shared secret key is created using a Diffie Hellman key exchange protocol. The Diffie Hellman key exchange protocol is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. One skilled in the art should have knowledge of how to establish a shared secret key using Diffie Hellman key exchange protocol. In yet other embodiments, other cryptographic protocols may be utilized to establish a shared secret key.
At block 230, for each message, the broadcaster creates pseudo-MACs. These pseudo-MACs are fake message authentication codes (MACs) that are in an identical format to the real MACs calculated in block 220. Finally, at block 240, the broadcaster sends the messages to the one or more recipients. In some embodiments, the messages are sent to all of the recipients simultaneously, although this is not required. In addition, the message may be encrypted in some embodiments.
At block 240, the calculated MACs for the real messages are attached to the real messages. The pseudo-MACs that were created at block 230 are attached to all of the messages being sent. In summary, the real messages will be sent out not only with the real MACs that were calculated for the intended recipients, but also with the pseudo-MACs. The bogus messages will only be sent out with the pseudo-MACs attached.
Method 300 begins at block 310 where the recipient receives a message and associated MACs from a broadcaster. The MACs may include one or more real MACs, as well as pseudo-MACs. The real MACs and pseudo-MACs are the same as those described above with respect to
Then, at block 320, the recipient calculates a MAC utilizing a MAC algorithm with the inputs of the message and a shared secret key kept between the recipient and the broadcaster. The shared secret key is the same as that described above with respect to
In some embodiments, to guard against replays, the recipient may keep a record of the MACs of messages they have accepted. In cases where the broadcaster may want to send the same message as previously sent, each message should have a unique identifier.
In yet another embodiment, instead of discarding messages at block 350, the recipient could store the messages for some time period. If the recipient runs out of storage space, the messages may be discarded based upon, for example, a first-in-first-out (FIFO) system. Then, the broadcaster could refer to these messages at a later point in time by creating an otherwise bogus message, and attaching a MAC of the referenced message. In one embodiment, the broadcaster may create the MAC over the entire message and its associated pseudo-MACs. However, this is not required.
One concrete example of this embodiment is discussed below. Assume that the broadcaster sends the following messages, all initially assumed to be bogus messages, to a recipient:
Then, at a later point, the broadcaster sends one or more messages with associated MACs over the entirety of messages 1, 3, 4, 7, 10, and 6 (in that order). At this point, the recipient could interpret this transmission as “operation [4] horse [1] is [7] a [10] go [3]”, where the numbers in brackets correspond to the contents of message 6. In one embodiment, to keep storage requirements to a minimum, the recipients may just store the message and the MAC.
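The storing embodiment above, worked through in code. This is an added example and not code from the patent: the recipient keeps its last few unmatched messages in a FIFO store together with the MAC it computed for each (the storage-minimal variant the text mentions), and the broadcaster later sends an otherwise bogus message whose tags are MACs over earlier messages under the shared key. The MAC is computed over the message alone rather than over the message plus its pseudo-MACs (the text allows either). Because the page's table of messages 1 to 10 is not reproduced here, the message contents, the `id=` payload prefix, the HMAC-SHA256 choice and the reading rule in `decode` (the last referenced message lists the reading order by arrival number) are assumptions made to match the "operation horse is a go" interpretation.

```python
import hashlib
import hmac
import secrets
from collections import deque

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes; every tag on the wire has this format


def real_mac(key: bytes, message: bytes) -> bytes:
    """MAC over the message under the key shared between broadcaster and one recipient."""
    return hmac.new(key, message, hashlib.sha256).digest()


class StoringRecipient:
    """Instead of discarding unmatched messages, keep the last `capacity` of them (FIFO),
    each with the MAC this recipient computed for it, numbered in arrival order."""

    def __init__(self, key: bytes, capacity: int):
        self.key = key
        self.store = deque(maxlen=capacity)  # (arrival_number, own_mac, payload); oldest evicted first
        self.count = 0

    def receive(self, payload: bytes, tags) -> list:
        """Return the earlier messages this message's tags refer to, in tag order.

        A tag equal to this recipient's own MAC of the payload would mean an ordinary real
        message (handled as in method 300, omitted here); tags equal to the MAC of a stored
        message are references to it. Everything is stored afterwards, so it can be referenced later.
        """
        mine = real_mac(self.key, payload)
        referenced = []
        for t in tags:
            for number, mac, stored in self.store:
                if hmac.compare_digest(mac, t):
                    referenced.append((number, stored))
                    break
        self.count += 1
        self.store.append((self.count, mine, payload))
        return referenced


def reference_message(key: bytes, referenced_payloads, tags_per_message: int):
    """Broadcaster side: an otherwise bogus payload whose tags are MACs of earlier messages.

    The relative order of the real tags carries meaning and is preserved; pseudo-MACs are
    inserted at random positions so the message has the same number of tags as any other.
    """
    tags = [real_mac(key, p) for p in referenced_payloads]
    while len(tags) < tags_per_message:
        tags.insert(secrets.randbelow(len(tags) + 1), secrets.token_bytes(TAG_LEN))
    return b"id=ref|nothing to see here", tags


def decode(referenced) -> str:
    """Assumed reading rule: the last referenced message lists, by arrival number,
    the order in which the other referenced messages are to be read."""
    *content, (_, order_msg) = referenced
    by_number = {n: p.split(b"|", 1)[1].decode() for n, p in content}
    order = [int(x) for x in order_msg.split(b"|", 1)[1].split()]
    return " ".join(by_number[n] for n in order)


def worked_example() -> str:
    key = secrets.token_bytes(32)  # assumed pre-established shared secret
    # Constructed contents for messages 1..10; message 6 holds the reading order.
    words = ["horse", "river", "go", "operation", "pencil", "4 1 7 10 3", "is", "cloud", "lamp", "a"]
    payloads = [f"id={i}|{w}".encode() for i, w in enumerate(words, start=1)]
    recipient = StoringRecipient(key, capacity=10)
    for p in payloads:  # all arrive with pseudo-MACs only, so all look bogus and all are stored
        recipient.receive(p, [secrets.token_bytes(TAG_LEN) for _ in range(3)])
    ref_payload, ref_tags = reference_message(
        key, [payloads[i - 1] for i in (1, 3, 4, 7, 10, 6)], tags_per_message=8)
    return decode(recipient.receive(ref_payload, ref_tags))
```

With a store capacity smaller than the number of messages between the original and the referencing transmission, the oldest entries are evicted and the corresponding tags simply match nothing, which is the failure mode the FIFO wording in the text accepts.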
Broadcaster X 420 creates four messages: i 422, ii 424, iii 426, and iv 428. Messages i 422, iii 426, and iv 428 are all bogus messages with no intended recipients. Message ii 424 is a real or authentic message that is intended for recipients A 430 and B 440, but not for recipient C 450. Messages i 422, ii 424, iii 426, and iv 428 each have unique pseudo-MACs associated with the messages. In addition, message ii 424 has two real MACs calculated using the message and the respective shared secret key between broadcaster X 420 and recipient A 430, and between broadcaster X 420 and recipient B 440.
The messages i 422, ii 424, iii 426, and iv 428 are simultaneously sent via the network 410 to recipients A 430, B 440, and C 450. Each recipient 430, 440, 450 then calculates their own MAC for each received message based on the respective message and the shared secret key between the recipient 430, 440, 450 and the broadcaster X 420. Each recipient 430, 440, 450 then compares the calculated MAC for each message 422, 424, 426, 428 to the list of MACs sent with each message 422, 424, 426, 428.
As a result, recipient A 430 discards messages i 422, iii 426, and iv 428 as there were no matching MACs to the MAC calculated by recipient A 430. However, recipient A will accept message ii 424 as intended for recipient A 430 because the MAC calculated by recipient A 430 matches one of the MACs sent with the message.
Recipient B 440 also discards messages i 422, iii 426, and iv 428 as there were no matching MACs to the MAC calculated by recipient B 440. However, recipient B will accept message ii 424 as intended for recipient B 440 because the MAC calculated by recipient B 440 matches one of the MACs sent with the message.
Lastly, recipient C 450 will end up discarding all of the messages i 422, ii 424, iii 426, and iv 428 as none of the MACs included with these messages match any of the MACs calculated for the messages by recipient C 450. As such, recipient C will not be able to tell that message ii 424 was actually a real message meant for recipients A 430 and B 440, due to the plurality of real and bogus messages 422, 424, 426, 428 sent in the communication, as well as due to the plurality of MACs included with each message 422, 424, 426, 428. For the same reasons, recipients A 430 and B 440 will not be able to tell which messages 422, 424, 426, 428 were or were not meant for the other recipients.
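The broadcaster procedure of blocks 210 to 240, the recipient procedure of method 300 with its replay record, and the four-message walk-through above, as one added example. This is not code from the patent: it assumes HMAC-SHA256 as the MAC algorithm, pseudo-MACs drawn from the operating-system random source so they are byte-for-byte the same shape as a real MAC, a fixed number of tag slots per message so real and bogus messages are indistinguishable in size, and shared keys already established (for instance with the Diffie-Hellman exchange the text describes). The payloads and the `id=` prefix that gives each message a unique identifier are constructed.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes; every tag, real or pseudo, has this format
_rng = secrets.SystemRandom()


def real_mac(key: bytes, message: bytes) -> bytes:
    """Block 220: HMAC-SHA256 over the message under the key shared with one recipient."""
    return hmac.new(key, message, hashlib.sha256).digest()


def pseudo_mac() -> bytes:
    """Block 230: a random tag with exactly the format of a real MAC."""
    return secrets.token_bytes(TAG_LEN)


def broadcast(messages, keys, tags_per_message):
    """Blocks 210-240 on the broadcaster side.

    messages: list of (payload, intended_recipient_names); a bogus message has an empty list.
    keys: recipient name -> shared secret key.
    Every message leaves with exactly tags_per_message tags, so real and bogus messages are
    identical in shape, and the tag order is shuffled so position reveals nothing.
    """
    wire = []
    for payload, intended in messages:
        tags = [real_mac(keys[name], payload) for name in intended]
        if len(tags) > tags_per_message:
            raise ValueError("more intended recipients than tag slots")
        tags += [pseudo_mac() for _ in range(tags_per_message - len(tags))]
        _rng.shuffle(tags)
        wire.append((payload, tags))
    return wire


class Recipient:
    """Method 300: recompute the MAC, accept on a match, remember accepted MACs against replay."""

    def __init__(self, key: bytes):
        self.key = key
        self.accepted = []
        self._seen = set()

    def receive(self, payload: bytes, tags) -> bool:
        mine = real_mac(self.key, payload)
        # Constant-time comparison against every tag; a bogus message, or one meant only
        # for other recipients, matches nothing and is discarded (block 350).
        if not any(hmac.compare_digest(mine, t) for t in tags):
            return False
        if mine in self._seen:  # same message under the same key: a replay, not a new message
            return False
        self._seen.add(mine)
        self.accepted.append(payload)
        return True


def fig4_scenario():
    """Four messages from X: ii is real for A and B; i, iii and iv are bogus; C accepts nothing."""
    keys = {name: secrets.token_bytes(32) for name in "ABC"}  # assumed pre-established
    recipients = {name: Recipient(keys[name]) for name in "ABC"}
    messages = [  # constructed payloads; the id makes a genuine resend distinguishable from a replay
        (b"id=i|weather report for tuesday", []),
        (b"id=ii|meet at the usual place", ["A", "B"]),
        (b"id=iii|lorem ipsum dolor sit amet", []),
        (b"id=iv|quarterly figures attached", []),
    ]
    wire = broadcast(messages, keys, tags_per_message=3)
    for payload, tags in wire:  # sent to every recipient simultaneously
        for r in recipients.values():
            r.receive(payload, tags)
    return {name: r.accepted for name, r in recipients.items()}, wire, recipients
```

Note that the replay record keys on the recipient's own MAC of the payload, so a broadcaster that legitimately needs to resend identical content must change the unique identifier, exactly as the text requires.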
In one embodiment, the broadcast stenography process described above may be applied to a secret sharing scheme. A secret sharing scheme is a cryptographic scheme that divides a secret into ‘n’ pieces (or shares) such that any ‘k’ of them (k<n) may be used to reconstruct the secret. For example, the secret may be a bulk encryption key used in an encryption scheme among multiple communicators.
The broadcast stenography process described above in embodiments of the invention may be utilized to distribute the shares to a subset of the recipients in an anonymous, but reliable, way. The broadcaster could take each share and run it through the secret sharing scheme, and then send the shares being distributed, along with several other fake shares, using the methods of the embodiments of the invention, such as those described with respect to
To guard against brute-force recovery of the shares, the broadcaster should send enough shares (i.e., fake and real shares) to make reconstruction implausible. In some embodiments, the number of fake and real shares should be approximately equal. For example, the number of fake shares should be roughly equivalent to the number of bits in a comparable encryption key (e.g., 128 fake shares would provide approximately the same security as a bulk encryption algorithm using a 128 bit key, assuming the number of authentic shares was somewhere in the neighborhood of 128 shares also).
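The secret-sharing embodiment above, as an added example that is not the patent's own code. The text names secret sharing generically; this block uses Shamir's scheme over a prime field as one concrete instance (an assumption), produces fake shares that are random points in the same field with the same wire format as real ones, and counts the k-subsets an attacker who collected every share would have to try against the number that actually reconstruct. The shares would be carried as the message payloads of the broadcast scheme described earlier; the 16-byte-plus-16-byte encoding and the field prime are choices made here.

```python
import math
import secrets

P = 2**127 - 1  # prime field; shares are points on a degree k-1 polynomial mod P
SHARE_BYTES = 32  # 16-byte x || 16-byte y: real and fake shares are byte-for-byte the same shape


def _poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, k: int, n: int):
    """Shamir split: n shares, any k of which reconstruct the secret (the constant term)."""
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    xs = set()
    while len(xs) < n:  # random non-zero abscissae, so x values leak no share index
        xs.add(secrets.randbelow(P - 1) + 1)
    return [(x, _poly(coeffs, x)) for x in sorted(xs)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over exactly the shares given."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def fake_shares(m: int, taken_x):
    """Bogus shares: random points in the same field, with x values distinct from the real ones."""
    taken = set(taken_x)
    out = []
    while len(out) < m:
        x = secrets.randbelow(P - 1) + 1
        if x not in taken:
            taken.add(x)
            out.append((x, secrets.randbelow(P)))
    return out


def encode_share(share) -> bytes:
    x, y = share
    return x.to_bytes(16, "big") + y.to_bytes(16, "big")


def decode_share(blob: bytes):
    return int.from_bytes(blob[:16], "big"), int.from_bytes(blob[16:], "big")


def search_space(n_real: int, n_fake: int, k: int):
    """(k-subsets of all delivered shares, k-subsets that reconstruct correctly)."""
    return math.comb(n_real + n_fake, k), math.comb(n_real, k)
```

A recipient that holds k real shares reconstructs the bulk key; any subset containing a fake share interpolates to an unrelated field element, and nothing in the share format tells the two apart, which is why the text asks for enough fake shares to make guessing the right subset implausible.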
The exemplary computer system 500 includes a processing device 502, a main memory 504 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) (such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.)), a static memory 506 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 518, which communicate with each other via a bus 530.
Processing device 502 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computer (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 502 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 502 is configured to execute the processing logic 526 for performing the operations and steps discussed herein.
The computer system 500 may further include a network interface device 508. The computer system 500 also may include a video display unit 510 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 512 (e.g., a keyboard), a cursor control device 514 (e.g., a mouse), and a signal generation device 516 (e.g., a speaker).
The data storage device 518 may include a machine-accessible storage medium 528 on which is stored one or more sets of instructions (e.g., software 522) embodying any one or more of the methodologies or functions described herein. The software 522 may also reside, completely or at least partially, within the main memory 504 and/or within the processing device 502 during execution thereof by the computer system 500; the main memory 504 and the processing device 502 also constitute machine-accessible storage media. The software 522 may further be transmitted or received over a network 520 via the network interface device 508. In one embodiment, the network interface device 508 may be operable to receive messages from the broadcaster or the recipient as described above in various embodiments of the invention.
The machine-readable storage medium 528 may also be used to store a broadcast stenography module (e.g., broadcast stenography module 115 or 135 of
Whereas many alterations and modifications of the present invention will no doubt become apparent to a person of ordinary skill in the art after having read the foregoing description, it is to be understood that any particular embodiment shown and described by way of illustration is in no way intended to be considered limiting. Therefore, references to details of various embodiments are not intended to limit the scope of the claims, which in themselves recite only those features regarded as the invention.
Entry |
---|
RSA Laboratories, “What is Diffie Hellman?” May 6, 2007, 2 pages www.rsa.com/rsalabs/node.asp?id=2248, from Internet Archive Wayback Machine. |
Red Hat, Inc. Office Action for U.S. Appl. No. 12/074,006 mailed Mar. 22, 2011. |
Red Hat, Inc. Final Office Action for U.S. Appl. No. 12/074,006 mailed Jul. 13, 2011. |
Red Hat, Inc. Office Action for U.S. Appl. No. 12/074,092 mailed Jan. 24, 2011. |
Red Hat, Inc. Final Office Action for U.S. Appl. No. 12/074,092 mailed Apr. 11, 2011. |
Red Hat, Inc. Office Action for U.S. Appl. No. 12/074,092 mailed Sep. 30, 2011. |
Red Hat, Inc. Advisory Action for U.S. Appl. No. 12/074,006 mailed Sep. 27, 2011. |
USPTO, Notice of Allowance for U.S. Appl. No. 12/074,006 mailed Jul. 20, 2012. |
USPTO, Notice of Allowance for U.S. Appl. No. 12/074,092 mailed Jan. 25, 2012. |
Number | Date | Country |
---|---|---|
20090220081 A1 | Sep 2009 | US |