Encrypt Text Message as Image

Question

Is this a good idea to make the following text message encryption:

accept text from the user 1
store the text into a document in the form of some handwritten font
convert the document into an image
apply noise to the image
encrypt the image somehow (hide the fact it is image)
send the image to the user 2
show the image to the user 2 as image

EDIT. My purposes:

Avoid existing widely used smartphone messaging apps, which could be which can be monitored by law enforcement agencies.
Make a simple own secure messaging application to just text exchange p2p
Be sure (as far as possible) that our messages will not be automatically intercepted by standard means used by law enforcement agencies. I don't know that standard means, and also can never know for sure
Provide greater resistance to interception than existing widely used smartphone messaging apps at the expense of some inconvenience

example:

score 3 · Accepted Answer · answered Sep 26 '20 at 18:51

The cryptography in existing apps is usually strong enough. This means that the focus of attackers (including law enforcement) is not to break the cryptography but to compromise the endpoints to get access to the messages before encryption or after decryption.

Your approach does not actually protect against this main attack vector. Instead you add some obfuscation by using an image and some noise. But this isn't actually sufficient to hide the message against someone who compromised the endpoint - especially if the message is intercepted already before obfuscation or after deobfuscation.

The only other obfuscation is to use an atypical application for communication. But if you are the target of an attacker who was able to compromise your endpoint, then this does not help much either. It is simple to check what applications are installed and then have a closer look at suspicious applications and their activity. This is assuming that your device was compromised since you were an explicit target, this means the attacker is actively looking for something interesting on your device.

In other words: it is probably not a good idea. At least it does not really help you to achieve your ultimate goal, which is to protect your communication from a highly capable attacker like law enforcement.

"It is simple to check what applications are installed and then have a closer look at suspicious applications and their activity." What chance is that this is ever possible be made automatically? I meant decoding the message automatically this way, not just the check the application installed. — display_info, Sep 26 '20 at 19:02
@display_info: This is a different question and should not be asked in a comment. But in short: Since the attacker needs to compromise your device first when strong crypto is used, you should focus on a) preventing this and b) detecting this. For prevention it helps to have a device which quickly gets the latest security updates and has only the bare minimum of apps installed and in use to reduce the attack surface. Also switching network (WiFi, mobile, Bluetooth) off most of the time reduces the attack surface and physical security is important too (i.e. prevent physical access by others). — Steffen Ullrich, Sep 26 '20 at 19:10

William Martens · Answer 2 · 2020-09-26T18:14:55.863

1

What you're looking for is probably something called Stenography and/or alternatively Obfuscation Is that correct? If yes;

then the answer to your question "Is this a good idea" would be, yes and no. It depends how you use Steganography or Obfuscation.

To give a really obvious example of the answer no: If you tell someone to find a hidden message inside of the image.

But what if you don't give any clues, and i.e placing the picture in a folder with lot of other pictures that looks kinda the same(like, same colors, and sizes, but different texts)? Then, it would be more secure. And, "a good idea" is maybe is a bit broad, do you mean cryptographicly secure? that it would be indistinguishable from a normal image?

edited Sep 26 '20 at 18:14

answered Sep 26 '20 at 18:09

William Martens

177
9

Please read the edited version of my post – display_info Sep 26 '20 at 18:27
I read it; So it's not obfuscation or steganography you're after? and, " I don't know that standard means, but also cannot know of course." what do you exactly mean here, or is it maybe just me that is confused? If so, I'm sorry. – William Martens Sep 26 '20 at 18:43
I meant that no one can know these interception means used by law enforcement for sure – display_info Sep 26 '20 at 18:49
You mean so that nobody can eavesdrop? Or know the communication is there at all? (Covert channels or communications?) Sorry , please clarify. – William Martens Sep 26 '20 at 18:51
no need to hide the fact of communication itself, only the messages' content shall be hidden – display_info Sep 26 '20 at 18:58
And, forgot to add, what do you mean by "standard means used by law enforcement agencies. I don't know that standard means, and also can never know for sure" And, also specifically what kind of attacks are you trying to avoid? Or be more resistant against? I would recommend using a already standard implementation of a good encryption system, instead of trying to invent your own crypto. Because it is a very very bad idea(to, alone try to invent encryption) +I read your above comment; Then you should really add the tag "covert", or if that's not what you're after; why not just use Tor? – William Martens Sep 26 '20 at 19:00
How can I know what tools law enforcement agencies are used? This is the thing I don't know. Endpoint attacks of course are possible unfortunately. Why not use Tor - because it is really too widely used tool and I heart it is compromised long time ago. – display_info Sep 26 '20 at 19:18
So, it's a problem that Tor is too much widely used? This is actually the power of Tor. Tor compromised? source? – William Martens Sep 26 '20 at 19:20
I trust to the opinion that Tor is compromised – display_info Sep 26 '20 at 19:21
Please, provide me with the source that Tor would be compromised, and okay I agree we can use opinions, but please don't make statements based on opinions. It would be much better if I knew where you heard that Tor would be compromised. Where did you hear it from? I trust you that you heard it, but just where? (So I myself can look at it?) – William Martens Sep 26 '20 at 19:24
1. I heard this mean from my friend. You cannot check that. 2. I cannot trust that really secure tools could be widely used + easily available + free in the same time. Do you can? How law enforcement agencies can allow that? – display_info Sep 26 '20 at 19:27
1

You're asking a totally different question, and okay I did not know your friend said that. My bad :), I must say that I do believe that widely used, easily availble and free security tools is secure. Because that is for example AES. Everyone can learn how it works, but they still cannot decrypt a message encrypted by AES. And, it's used in HTTPS (Which is unbelievable widely used). AES is used in Bitlocker for encrypting disks in windows. It's used in Luks used in Linux. It's used worldwide. how law enforcmenet agencies can allow that, is another completely different question. – William Martens Sep 26 '20 at 19:39
I just answer to your question in turn. For example, Whatsapp uses the encryption proto which was not compromised, but in my country (Russian) people can buy anyone's whatsapp chats history, illegally of couse... – display_info Sep 26 '20 at 19:53

Encrypt Text Message as Image

2 Answers2