|Previous||Table of Contents||Next|
In general the protocol looks like this:
What about cheating? Walter doesnt trust anyone and no one trusts him. He can always prevent communication, but he has no way of introducing phony messages. Since he cant generate any valid signatures, Bob will detect his attempt in step (5). And since he does not know the shared key, he cant read the subliminal messages. Even more important, he has no idea that the subliminal messages are there. Signed messages using a digital signature algorithm look no different from signed messages with subliminal messages embedded in the signature.
Cheating between Alice and Bob is more problematic. In some implementations of a subliminal channel, the secret information Bob needs to read the subliminal message is the same information Alice needs to sign the innocuous message. If this is the case, Bob can impersonate Alice. He can sign messages purporting to come from her, and there is nothing Alice can do about it. If she is to send him subliminal messages, she has to trust him not to abuse her private key.
Other subliminal channel implementations dont have this problem. A secret key shared by Alice and Bob allows Alice to send Bob subliminal messages, but it is not the same as Alices private key and does not allow Bob to sign messages. Alice need not trust Bob not to abuse her private key.
Applications of Subliminal Channel
The most obvious application of the subliminal channel is in a spy network. If everyone sends and receives signed messages, spies will not be noticed sending subliminal messages in signed documents. Of course, the enemys spies can do the same thing.
Using a subliminal channel, Alice could safely sign a document under threat. She would, when signing the document, imbed the subliminal message, saying, I am being coerced. Other applications are more subtle. A company can sign documents and embed subliminal messages, allowing them to be tracked throughout the documents lifespans. The government can mark digital cash. A malicious signature program can leak secret information in its signatures. The possibilities are endless.
Alice and Bob are sending signed messages to each other, negotiating the terms of a contract. They use a digital signature protocol. However, this contract negotiation has been set up as a cover for Alices and Bobs spying activities. When they use the digital signature algorithm, they dont care about the messages they are signing. They are using a subliminal channel in the signatures to send secret information to each other. The counterespionage service, however, doesnt know that the contract negotiations and the use of signed messages are just cover-ups. This concern has led people to create subliminal-free signature schemes. These digital signature schemes cannot be modified to contain a subliminal channel. See [480, 481] for details.
Normal digital signatures can be copied exactly. Sometimes this property is useful, as in the dissemination of public announcements. Other times it could be a problem. Imagine a digitally signed personal or business letter. If many copies of that document were floating around, each of which could be verified by anyone, this could lead to embarrassment or blackmail. The best solution is a digital signature that can be proven valid, but that the recipient cannot show to a third party without the signers consent.
The Alice Software Company distributes DEW (Do-Everything-Word). To ensure that their software is virus-free, they include a digital signature with each copy. However, they want only legitimate buyers of the software, not software pirates, to be able to verify the signature. At the same time, if copies of DEW are found to contain a virus, the Alice Software Company should be unable to deny a valid signature.
Undeniable signatures [343, 327] are suited to these sorts of tasks. Like a normal digital signature, an undeniable signature depends on the signed document and the signers private key. But unlike normal digital signatures, an undeniable signature cannot be verified without the signers consent. Although a better name for these signatures might be something like nontransferable signatures, the name comes from the fact that if Alice is forced to either acknowledge or deny a signatureperhaps in courtshe cannot falsely deny her real signature.
The mathematics are complicated, but the basic idea is simple:
There is also an additional protocol so that Alice can prove that she did not sign a document, and cannot falsely deny a signature.
Bob cant turn around and convince Carol that Alices signature is valid, because Carol doesnt know that Bobs numbers are random. He could have easily worked the protocol backwards on paper, without any help from Alice, and then shown Carol the result. Carol can be convinced that Alices signature is valid only if she completes the protocol with Alice herself. This might not make much sense now, but it will once you see the mathematics in Section 23.4.
This solution isnt perfect. Yvo Desmedt and Moti Yung show that it is possible, in some applications, for Bob to convince Carol that Alices signature is valid .
|Previous||Table of Contents||Next|