Sunday, 9 March 2008

Steganography

I wrote this article quite a while ago for a previous website called Evil systems, unfortunately they have closed down so I thought it would be useful to post this older article on my blog as it still as some relevence today. So I hope you enjoy it.

This article includes a download of BlackBox 1.0. Download Black Box 1.0


This program uses the .NET framework 1.1. If you do not have it you can download it here.



What is Steganography?

The technique, known as steganography, is the practice of embedding secret messages in other messages -- in a way that prevents an observer from learning that anything unusual is taking place.

The practice of steganography has quite a history behind it. Some the earliest examples can be dated tp The Greek historian Herodotus, who describes how one of his cunning countrymen sent a secret message warning of an invasion by scrawling it on the wood underneath a wax tablet. To casual observers, the tablet appeared blank.

Roman empirers would hide secret messages in ordinary messages that only a certain formula when applied could reveal the real message. This was of course to prevent the real message from falling into the wrong hands.

Both Axis and Allied spies during World War II used such measures as invisible inks such as tiny punctures above key characters in a document that form a message when combined or 'invisbile inks' that could only be read when heat was applied.

Modern steganographers have more modern tools that enable this, which we shall see under techniques later in this article.

The Difference between Stego and Encryption.


Often dictionaries have defined steganography the same as Cryptography, however there is a clear difference between the two.

Cryptography can be understood as the conversion of data into a secret code for protection of privacy using a specific algorithm and a secret key.

Steganography can be understood as the process of hiding data inside other data.

So the key difference is that with Cryptography you are able to jide data by 'randomising' it which may arouse suspesion when seen. However the idea of steganography is prevent the suspesion by hiding the message in an normal to avoid anyone from looking it.

A good example is lets say you have a safe in your living room. That would be encryption as people can see it and will obviously wonder what is in it. Steganography is like having a secret hole behind a painting that you could hide your stuff. People would look at the painting and not be suspecious as what it is. However the best case would probaly be having the safe beind a painting, in that way you can enjoy the best of both.

Techniques

There are three techniques that shall be discusses, I am sure there are more but I am not so familar with them.

Least significant bit insertion (LSB):

This is the method is probaly the most common technique and is what Blackbox (refer to bottom of article) uses as well. To under stand LSB you need to nderstand that an computer understands an instruction in 8 bit binary number such as 01111111. The idea behind this is that a bit (ie the last 1 in the example) can be used to hide that data, so in a file there would be many binary numbers where the program can simply be used to only read the a particular bit of the whole number and compile that to other data.

To hide data we take a binary number of a color and simply replace a simgle bit. This would result in a slight difference in the colour but it is so minor that now human eye would be able to pick it up. However you might think that a computer could then, well yes that is possible if you know what you looking for of course ;) This technique would prbaly work best with grayscale images as the shades of gray would be so minute.

So to illustrate this lets say a single color pixel for a 8-bit image is:

00 01 10 11
White, Red, Green, Blue

So if we want to insert 0011 (bold shows the change in data)

00 00 11 11

White, Red, Green, Blue

Another example for a 24-bit image is:

00100111 11101001 11001000
Red, Green, Blue

So lets insert 101

00100111 11101000 11001001
Red, Green, Blue

However this method can only work for uncompressed images. It has the inability to retain its 'secret' data when it is transferred to a Jpeg or any other compressed image format, except GIF.

Masking and filtering

Masking and filtering techniques hide information by marking an image and is usually restricted to 24-bit and gray-scale images. Digital watermarks include information such as copyright, ownership, or license. While traditional steganography conceals information, watermarks extend information since it becomes an attribute of the cover image.

Masking techniques hide information in such a way that the hidden message is more integral to the cover image than simply hiding data in the "noise" level. Masking adds redundancy to the hidden information. This makes the masking technique more suitable than LSB with lossy JPEG images. It may also help protect against some image processing such as cropping and rotating.

Algorithms and transformations

Another steganography technique is to hide data in mathematical functions that are in compression algorithms. The idea is to hide the data bits in the least significant coefficients. An advantage of this is that you can use it for compressed image formats such as JPEGs.

JPEG images use the discrete cosine transform (DCT) technique to achieve image compression. In a JPEG file, the image is made up of DCT coefficients. When a file is embedded into a JPEG image, the relation of these coefficients is altered. Instead of actual bits in the image being changed as in LSB steganography, it is the relation of the coefficients to one another that is altered.

A huge advantage to this is that are not dependent on the image format so that the hidden message is retained after conversion between lossless (GIF, BMP) and lossly formats (JPEG).

Steganylsis

Yes I think you guessed it, Steganylsis is the study of detecting Steganography. Steganalysis is a relatively new research discipline with few articles appearing before the late-1990s.

The main factors that are looked at are variances between bit patterns and unusually large file sizes. However it is difficult to detect what is Stego and what is not. Some the challenges include:

  • The suspect information stream, such as a signal or a file, may or may not have hidden data encoded into them.
  • The hidden data, if any, may have been encrypted before inserted into the signal or file.
  • Some of the suspect signal or file may have noise or irrelevant data encoded into them (which can make analysis very time consuming).
  • Unless it is possible to fully recover, decrypt and inspect the hidden data, often one has only a suspect information stream and cannot be sure that it is being used for transporting secret information.

However as there has been more public awareness towards this 'science' there are some new commercial tools being released. These new tools have the ability to pick up the more popular Stego tools out there. So it just be a matter of time before we have have anti-stego tools on our servers...

Where can Stego Exist?

Well Almost anywhere on the Internet. Here are some examples, there are several places on a webpage to hide information:

  • Text : Text information can be hidden by making it the same color as the background. Small shift in word and line spacing may be difficult to visually detect. To find any invisible text, do a Control-A (for Windows users) on the page. This will select all the text on the page. To reveal distortions in the text, view it in a word processor. Hidden message can also be placed into the general context of the web page. The easiest way to detect this is to look for awkward sentence structures.
  • Non-text elements : Any graphic or media clip can contain hidden links or messages.
  • Links : Links can be created without it being underlined, or change color when the mouse cursor moves over them. The easiest way to find links on a page is to view the source and search for href=. Alternatively, one can also use the tab key to highlight all the clickable items on the page.
  • Comments : The contents of a comment is viewable only in the source code of a page.
  • Structure : Most browsers ignore information provided in the source code that is not interpretable. For example, unusual options in markup tags can possibly hide clues.
  • Frames : View the source code of each frame on a web page. Sometimes a site disables the right-click or use of the menu function to find the source code. In these cases, try using the command view-source:http://(site url) in the address line of the browser.

We have not used any Stego on our site, just so you know.

Some Tools

I can tell you some tools but I am will not provide you any links to these tools as I have no implication to these tools what so ever. You may use a simple search engine to find them, they are all there somewhere.

These are choice of my favourites.

Snow

Snow (Steganographic nature of Whitespace) is a program written by Matthew Kwan. Snow is command based application that uses 'whitespace' (line spaces and tabs that appear as blanks in text viewers). The program works by adding spaces and tabs to the end of lines in ASCII text files. Within these spaces and tabs lie the pieces that make up the secret message.

To deter the enemy, Snow makes use of the Information Concealment Engine (ICE) algorithm for encryption. ICE is similar to DES in that it is a 64-bit private key block cipher. However, unlike DES, ICE key sizes can be any multiple of 64, up to 1024. What this actually means that is quite hard to break the encrypion especially if you using somewhere close to 1024 encryption..

Snow leaves a very small footprint. The program size is very small. At 61KB, Snow fits on a floppy with room to spare for files and secret message files. As a result, finding evidence of Snow on a hard drive may prove to be an irritating task or perhaps even futile. Comparing file sizes of the output file and the original cover file (assuming the original unaltered cover file is available) may give away the use of a stego program, but without concrete footprints to distinguish what program was used, Snow may walk away quietly. To add further frustration, Snow leaves no major modifications to the Windows Registry, so searching for keys will not prove to be a successful endeavor. As a last resort, check the winzip32.ini file for snwdos32.zip. If Snow was recently installed using WinZip, there may be a record of that there too.

S-Tools

S-Tools (Steganography Tools) is a program written by Andy Brown. It is perhaps the most widely recognized steganography tool available today. BMP, GIF, and WAV files can be used as the cover files which conceal the secret messages.It is probaly the only drag and drop stego tool that I have encounted.

S-Tools hides the secret message within the cover file via random available bits. These available bits are determined through the use of a pseudo-random number generator. This non-linear insertion makes the presence and extraction of secret messages more difficult. S-Tools makes use of the concept of least significant bit (LSB), refer to techniques section.

What makes S-Tools very cool in my opinion is that you can first use many formats but more importantly you can choose which type encryption you like to use. These include: IDEA, DES, TripleDES, and MDC.

Lastly apparantly you may email the creator Any Brown and receive the source code if you just ask for it, I have have not done this but that the rumour out there.

BlackBox

Well of course I had to add BlackBox, It still is in the development phases but it can do some basics such as hidden text messages into BMP images. There are much more features being added to the next version, so check it out.

Download Black Box 1.0


This program uses the .NET framework 1.1. If you do not have it you can download it here.