Monday, May 28, 2007

Random Obfuscation Tool


With current companies seeking to extort money from anyone sharing files, it's always a good idea to try finding ways around their BS. One thought I've been mulling over is sending computer based random data. The original idea was that of a one time pad, where you XOR a message with random data and then use this new set of data with the random data you used earlier to retrieve the message.

To break it up into steps:
  1. sender: message XOR rand_data = pad
  2. receiver: rand_data XOR pad = message

The problem with this is that any data you wanted to get you'd need twice as much to reconstruct it, so it becomes terribly inefficient with large files. But assume instead of true random data used to XOR you used computer generated random data. This type of random data can be reconstructed given a seed value. So instead of the above scenerio:
  1. sender: message XOR rand(seed) = pad
  2. receiver: pad XOR rand(seed) = message
But this seems troublesome too, not because of inefficiency but since now one would be saying that the random data isn't actually random by giving the seed value. So instead what if we had a mechanism to guess the seed without being given it. Lets say pad in the example above has a md5sum of chksum then lets assume that the first values of message are chksum, we can then try all possible seed values until we get that the first few bytes are equal to chksum. So in steps:
  1. sender: message XOR rand(seed) = pad
  2. sender: md5sum(pad) = chksum
  3. sender: (chksum XOR rand(seed) ) = rand_chksum
  4. sender: rand_chksum + pad = new_pad
  5. receiver: md5sum(new_pad - rand_chksum) = chksum
  6. receiver: rand(all_seed) XOR rand_chksum until equals chksum
  7. receiver: Now knows seed that sender used
  8. receover: Mptes tjat pad = new_pad - rand_chksum
  9. reciever: pad XOR rand(seed) = message
A little more complicated, but still efficient, and keeps it so sender is transmitting random bits and no additional information.

Currently I have a working prototype that does the same thing except the chksum is replaced by known plaintext. I want to finish it in it's entirety before publishing it. Below is a list of what I need to do before it's done:
  • Check that user input is correct, very simple 5 minutes of coding
  • Use checksums instead of plaintext for the known text
  • Write a couple of layers to run underneath popular P2P apps to automatically accomplish this
Thankfully the main program was easy to write after I brushed up on binary I/O, it can transfer large files moderately quickly although it does use a decent amount of memory, which I might eliminate if I find it is too big a problem.

The main reason I think this is better than encryption is that there is deniability over the contents of the data since any piece of data coupled with other data crafted through XOR can be made into any other piece of data. So saying that the random data is a song is really baseless from a technical standpoint since it could just as easily be a copy of Firefox. Another plus is that even if it was decided to be an encryption method anyone attempting to sue would have violated criminal law since they circumvented a protection mechanism thus violating the completely fucking retarded DMCA(No need to mince words).

One other thing I have been thinking about is perhaps multiple, easy to render, legitimate reconstructions of the same random data. This may not fool anyone, but may make it easier to show the down syndrome patients that run the courts that random data truly can be made into anything. For example if they say that you could brute force a seed value to retrieve a song, you could also say that using a built in hash function it creates an animated picture. There are obviously major hurtles to this, without getting back into the whole redundant data problem, so for now it's just an idea.

Finally this is all a moot issue if the thought crime law ever passes. Basically it says that attempted copyright infringement is illegal, so if a large media conglomerate puts up popular_song.mp3, and someone downloads it, even if it's a garbage file that doesn't have the song in it, you're still legally liable as if you had downloaded the song. Although IIRC downloading songs is still a legally gray area, so they may just wait for you to be sharing it, so then they can say you were attempting to distribute copyrighted material.


No comments: