Information leakage explained

Information leakage should not be confused with whistleblowing.

Information leakage happens whenever a system that is designed to be closed to an eavesdropper reveals some information to unauthorized parties nonetheless. In other words: Information leakage occurs when secret information correlates with, or can be correlated with, observable information. For example, when designing an encrypted instant messaging network, a network engineer without the capacity to crack encryption codes could see when messages are transmitted, even if he could not read them.

Risk vectors

A modern example of information leakage is the leakage of secret information via data compression, by using variations in the data compression ratio to reveal correlations between known (or deliberately injected) plaintext and secret data combined in a single compressed stream.[1] Another example is the key leakage that can occur in some public-key systems when the cryptographic nonce values used in signing operations are insufficiently random. Bad randomness undermines the correct functioning of a cryptographic system: even in otherwise benign circumstances it can easily produce recoverable keys, and hence key leakage.[2]
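The compression-ratio leak described above, as an added example that is not from the cited paper: a defender can test whether a message format leaks by checking whether the compressed size varies with a guessed secret character, and confirm that keeping the secret out of the compression context shared with observer-influenced input removes the signal. The SECRET, PUBLIC text and token format are constructed for the demonstration.

```python
import zlib

# Constructed sample data: a response that carries a secret token next to
# text an observer can influence (the echoed "probe"). Values are made up.
SECRET = "token=7f3a9c"
PUBLIC = "Hello, user. Your session is ready.\n"
CANDIDATES = "0123456789abcdef"  # possible next characters of the token


def shared_stream(probe: str) -> int:
    """Bytes on the wire when secret and probe share one DEFLATE context.
    A probe that matches a longer prefix of SECRET becomes a longer
    back-reference instead of a literal, so the output shrinks."""
    body = f"{PUBLIC}{SECRET}\n{probe}\n".encode()
    return len(zlib.compress(body))


def split_stream(probe: str) -> int:
    """Bytes on the wire when the secret is kept out of the compression
    context that contains observer-influenced input (the mitigation)."""
    fixed = f"{PUBLIC}{SECRET}\n".encode()
    variable = f"{probe}\n".encode()
    return len(zlib.compress(fixed)) + len(zlib.compress(variable))


def lengths_by_guess(measure, known_prefix: str) -> dict:
    """Compressed length for each candidate next character of the secret."""
    return {c: measure(known_prefix + c) for c in CANDIDATES}


def leaks(measure, known_prefix: str) -> bool:
    """True if the transmitted size depends on the guessed character, i.e.
    an eavesdropper who only sees sizes learns something about SECRET."""
    sizes = lengths_by_guess(measure, known_prefix)
    return len(set(sizes.values())) > 1


if __name__ == "__main__":
    for name, measure in (("shared", shared_stream), ("split", split_stream)):
        print(name, lengths_by_guess(measure, "token="), "leaks:", leaks(measure, "token="))
```

With the shared context the correct guess produces a stream one byte shorter than every wrong guess; with separate contexts all sizes are identical.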

Information leakage can sometimes be deliberate: for example, an algorithmic converter may be shipped that intentionally leaks small amounts of information, in order to provide its creator with the ability to intercept the users' messages, while still allowing the user to maintain an illusion that the system is secure. This sort of deliberate leakage is sometimes known as a subliminal channel.[3][4]

Generally, only very advanced systems employ defenses against information leakage.

The following are commonly implemented countermeasures:

Notes and References

  1. Kelsey, J. (2002). "Compression and Information Leakage of Plaintext". Fast Software Encryption, Lecture Notes in Computer Science 2365, pp. 263–276. doi:10.1007/3-540-45661-9_21. ISBN 978-3-540-44009-3.
  2. Schneier, B., Fredrikson, M., Kohno, T., Ristenpart, T. (2015). "Surreptitiously Weakening Cryptographic Systems". Schneier on Security. Archived at https://web.archive.org/web/20190414143224/https://eprint.iacr.org/2015/097 on April 14, 2019.
  3. Rivest, R. (October 3, 2002). "6.857 Computer and Network Security Lecture Notes 9: DSA/DSS, RSA, chosen-ciphertext attack". MIT. Retrieved 2012-09-14.
  4. Yu, X., Tian, Z., Qiu, J., Jiang, F. (2018). "A Data Leakage Prevention Method Based on the Reduction of Confidential and Context Terms for Smart Mobile Devices". Wireless Communications and Mobile Computing 2018, pp. 1–11. doi:10.1155/2018/5823439 (open access).