86 Steganography: The Art of Hiding Messages
Mark Edmead
86.1 Hiding the Data
86.2 Steganography in Image Files
86.3 A Practical Example of Steganography at Work
86.4 Practical (and Not So Legal) Uses for Steganography
86.5 Defeating Steganography
86.6 Summary
References
Recently, there has been an increased interest in steganography (also called stego). We have seen this
technology mentioned during the investigation of the September 11 attacks, where the media reported
that the terrorists used it to hide their attack plans, maps, and activities in chat rooms, bulletin boards,
and Web sites. Steganography had been widely used long before these attacks and, as with many other
technologies, its use has increased due to the popularity of the Internet.
The word steganography comes from the Greek, and it means covered or secret writing. As defined
today, it is the technique of embedding information into something else for the sole purpose of hiding
that information from the casual observer. Many people know a distant cousin of steganography called
watermarking—a method of hiding trademark information in images, music, and software. Watermarking
is not considered a true form of steganography. In stego, the information is hidden in the image;
watermarking actually adds something to the image (such as the word Confidential), and therefore it
becomes part of the image. Some people might consider stego to be related to encryption, but they are
not the same thing. We use encryption—the technology to translate something from readable form to
something unreadable—to protect sensitive or confidential data. In stego, the information is not
necessarily encrypted, only hidden from plain view.
One of the main drawbacks of using encryption is that with an encrypted message—although it cannot
be read without decrypting it—it is recognized as an encrypted message. If someone captures a network
data stream or an e-mail that is encrypted, the mere fact that the data is encrypted might raise suspicion.
The person monitoring the traffic may investigate why, and use various tools to try to figure out the
message’s contents. In other words, encryption provides confidentiality but not secrecy. With
steganography, however, the information is hidden; and someone looking at a JPEG image, for instance,
would not be able to determine if there was any information within it. So, hidden information could be
right in front of our eyes and we would not see it.
In many cases, it might be advantageous to use encryption and stego at the same time. This is because,
although we can hide information within another file and it is not visible to the naked eye, someone can
still (with a lot of work) determine a method of extracting this information. Once this happens, the
AU7495—Chapter86—25/1/2007—20:59—PARTHIBAN—14746—XML MODEL CRC12a – pp. 1115–1120.
hidden or secret information is visible for him to see. One way to circumvent this situation is to combine
the two—by first encrypting the data and then using steganography to hide it. This two-step process adds
additional security. If someone manages to figure out the steganographic system used, he would not be
able to read the data he extracted because it is encrypted.
86.1 Hiding the Data
There are several ways to hide data, including data injection and data substitution. In data injection, the
secret message is directly embedded in the host medium. The problem with embedding is that it
usually makes the host file larger; therefore, the alteration is easier to detect. In substitution, however, the
normal data is replaced or substituted with the secret data. This usually results in very little size change
for the host file. However, depending on the type of host file and the amount of hidden data, the
substitution method can degrade the quality of the original host file.
In the article “Techniques for Data Hiding,” Walter Bender outlines several restrictions to using stego:
• The data that is hidden in the file should not significantly degrade the host file. The hidden data
should be as imperceptible as possible.
• The hidden data should be encoded directly into the media and not placed only in the header or
in some form of file wrapper. The data should remain consistent across file formats.
• The hidden (embedded) data should be immune to modifications from data manipulations such
as filtering or resampling.
• Because the hidden data can degrade or distort the host file, error-correction techniques should
be used to minimize this condition.
• The embedded data should still be recoverable even if only portions of the host image are
available.
86.2 Steganography in Image Files
As outlined earlier, information can be hidden in various formats, including text, images, and sound
files. In this chapter, we limit our discussion to hidden information in graphic images. To better
understand how information can be stored in images, we need to do a quick review of the image file
format. A computer image is an array of points called pixels (which are represented as light intensity).
Digital images are stored in either 24- or 8-bit pixel files. In a 24-bit image, there is more room to
hide information, but these files are usually very large in size and not the ideal choice for posting them
on Web sites or transmitting over the Internet. For example, a 24-bit image that is 1024×768 in size
would have a size of about 2 MB. A possible solution to the large file size is image compression. The
two forms of image compression to be discussed are lossy and lossless compression. Each one of these
methods has a different effect on the hidden information contained within the host file. Lossy
compression provides high compression rates, but at the expense of image data integrity. This
means the image might lose some of its image quality. An example of a lossy compression format
is JPEG (Joint Photographic Experts Group). Lossless, as the name implies, does not lose image
integrity, and is the favored compression used for steganography. GIF and BMP files are examples of
lossless compression formats.
A pixel’s makeup is the image’s raster data. A common image, for instance, might be 640×480 pixels
and use 256 colors (eight bits per pixel).
In an eight-bit image, each pixel is represented by eight bits, as shown in Exhibit 86.1. The four bits to
the left are the most-significant bits (MSB), and the four bits to the right are the least-significant bits
(LSB). Changes to the MSB will result in a drastic change in the color and the image quality, while
changes in the LSB will have minimal impact. The human eye cannot usually detect changes to only one
or two bits of the LSB. So if we hide data in any two bits in the LSB, the human eye will not detect it. For
instance, if we have a bit pattern of 11001101 and change it to 11001100, they will look the same. This is
why the art of steganography uses these LSBs to store the hidden data.
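The LSB substitution described above, as an added example that is not part of the original chapter and is not the algorithm of any named tool. It works on a constructed array of 8-bit pixel values (one byte per pixel, an assumption) and shows that the file length stays the same and no pixel moves by more than one intensity step; all function names are hypothetical.

```python
def set_lsb(pixel: int, bit: int) -> int:
    """Keep the seven upper bits of an 8-bit pixel and overwrite bit 0."""
    return (pixel & 0b11111110) | (bit & 1)

def embed_lsb(pixels: bytes, message: bytes) -> bytes:
    """Substitute the lowest bit of successive pixels with the message bits."""
    # Message bits are taken most-significant bit first, one bit per pixel.
    bits = [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError(f"message needs {len(bits)} pixels, cover has {len(pixels)}")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = set_lsb(out[i], bit)
    return bytes(out)

def extract_lsb(pixels: bytes, length: int) -> bytes:
    """Rebuild `length` bytes from the lowest bit of the first length*8 pixels."""
    out = bytearray()
    for i in range(length):
        value = 0
        for pixel in pixels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (pixel & 1)
        out.append(value)
    return bytes(out)

def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest intensity difference between corresponding pixels."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed sample data, not taken from the chapter's exhibits.
COVER = bytes((i * 37 + 11) % 256 for i in range(64))   # 64 eight-bit pixels
MESSAGE = b"stego"                                       # 40 bits, fits in 64 pixels
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    # The chapter's own bit pattern: 11001101 with its lowest bit cleared.
    print(format(set_lsb(0b11001101, 0), "08b"))
    print("same length:", len(STEGO) == len(COVER))
    print("largest pixel change:", max_pixel_change(COVER, STEGO))
    print("recovered:", extract_lsb(STEGO, len(MESSAGE)))
```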
86.3 A Practical Example of Steganography at Work
To best demonstrate the power of steganography, Exhibit 86.2 shows the host file before a hidden file has
been introduced. Exhibit 86.3 shows the image file we wish to hide. Using a program called Invisible
Secrets 3, by NeoByte Solution, Exhibit 86.3 is inserted into Exhibit 86.2. The resulting image file is
shown in Exhibit 86.4. Notice that there are no visual differences to the human eye. One significant
difference is in the size of the resulting image. The size of the original Exhibit 86.2 is 18 kb. The size of
Exhibit 86.3 is 19 kb. The size of the resulting stego-file is 37 kb. If the size of the original file were known,
the size of the new file would be a clear indication that something made the file size larger. In reality,
unless we know what the sizes of the files should be, the size of the file would not be the best way to
determine if an image is a stego carrier. A practical way to determine if files have been tampered with is to
use available software products that can take a snapshot of the images and calculate a hash value. This
baseline value can then be periodically checked for changes. If the hash value of the file changes, it means
that tampering has occurred.
86.4 Practical (and Not So Legal) Uses for Steganography
There are very practical uses for this technology. One use is to store password information on an image
file on a hard drive or Web page. In applications where encryption is not appropriate (or legal), stego can
be used for covert data transmissions. Although this technology has been used mainly for military
operations, it is now gaining popularity in the commercial marketplace. As with every technology, there
are illegal uses for stego as well. As we discussed earlier, it was reported that terrorists use this technology
to hide their attack plans. Child pornographers have also been known to use stego to illegally hide
pictures inside other images.
EXHIBIT 86.1 Eight-Bit Pixel
1 1 0 0 1 1 0 1
EXHIBIT 86.2 Unmodified image.
86.5 Defeating Steganography
Steganalysis is the technique of discovering and recovering the hidden message. There are terms
in steganography that are closely associated with the same terms in cryptography. For instance,
a steganalyst, like his counterpart a cryptanalyst, applies steganalysis in an attempt to detect the existence
of hidden information in messages. One important—and crucial—difference between the two is that in
cryptography, the goal is not to detect if something has been encrypted. The fact that we can see the
encrypted information already tells us that it is. The goal in cryptanalysis is to decode the message.
EXHIBIT 86.3 Image to be hidden in Exhibit 86.2.
EXHIBIT 86.4 Image with Exhibit 86.3 inserted into Exhibit 86.2.
In steganography, the main goal is first to determine if the image has a hidden message and to determine
the specific steganography algorithm used to hide the information. There are several known attacks
available to the steganalyst: stego-only, known cover, known message, chosen stego, and chosen message.
In a stego-only attack, the stego host file is analyzed. A known cover attack is used if both the original
(unaltered) media and the stego-infected file are available. A known message attack is used when the
hidden message is revealed. A chosen stego attack is performed when the algorithm used is known and
the stego host is available. A chosen message attack is performed when a stego-media is generated using a
predefined algorithm. The resulting media is then analyzed to determine the patterns generated, and this
information is used to compare it to the patterns used in other files. This technique will not extract the
hidden message, but it will alert the steganalyst that the image in question does have embedded (and
hidden) information.
Another attack method is using dictionary attacks against steganographic systems. This will test to
determine if there is a hidden image in the file. All of the steganographic systems used to create stego images
use some form of password validation. An attack could be perpetrated on this file to try to guess the
password and determine what information had been hidden. Much like cryptographic dictionary attacks,
stego dictionary attacks can be performed as well. In most steganographic systems, information is
embedded in the header of the image file that contains, among other things, the length of the hidden
message. If the size of the image header embedded by the various stego tools is known, this information
could be used to verify the correctness of the guessed password.
Protecting yourself against steganography is not easy. If the hidden text is embedded in an image, and
you have the original (unaltered) image, a file comparison could be made to see if they are different. This
comparison would not be to determine if the size of the image has changed—remember, in many cases
the image size does not change. However, the data (at the pixel level) does change. The human eye
usually cannot easily detect subtle changes—detection beyond visual observation requires extensive
analysis. Several techniques are used to do this. One is the use of stego signatures. This method involves
analysis of many different types of untouched images, which are then compared to the stego images.
Much like the analysis of viruses using signatures, comparing the stego-free images to the stego-images
may make it possible to determine a pattern (signature) of a particular tool used in the creation of
the stego-image.
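The hash baseline from Section 86.3 and the known-cover file comparison described above, combined in one added example that is not part of the original chapter. It assumes the image has already been decoded to raw raster bytes (one byte per pixel); the sample data is constructed and the function names are hypothetical. The hash only says that something changed, while the per-bit-plane counts show whether the change is confined to the low bits or is an ordinary edit.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Baseline value to record for an image and re-check later."""
    return hashlib.sha256(data).hexdigest()

def compare_with_cover(cover: bytes, suspect: bytes) -> dict:
    """Known-cover check on decoded raster bytes (one byte per pixel)."""
    planes = [0] * 8                      # planes[0] counts flips in the lowest bit
    changed = 0
    for c, s in zip(cover, suspect):
        diff = c ^ s                      # 1-bits mark the bit positions that differ
        if diff:
            changed += 1
            for bit in range(8):
                planes[bit] += (diff >> bit) & 1
    return {
        "same_size": len(cover) == len(suspect),
        "hash_match": sha256_hex(cover) == sha256_hex(suspect),
        "changed_pixels": changed,
        "plane_changes": planes,
        # Substitution in one or two low bits leaves the six upper planes untouched.
        "low_bits_only": changed > 0 and sum(planes[2:]) == 0,
    }

# Constructed samples, not taken from the chapter's exhibits.
COVER = bytes((i * 37 + 11) % 256 for i in range(256))
# Suspect: same pixels, lowest bit overwritten with a constructed bit pattern.
SUSPECT = bytes((p & 0xFE) | ((i // 3) % 2) for i, p in enumerate(COVER))
# Ordinary edit for contrast: every pixel brightened by 16 (clamped at 255).
BRIGHTENED = bytes(min(p + 16, 255) for p in COVER)

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("brightened", BRIGHTENED)):
        report = compare_with_cover(COVER, sample)
        print(name, report)
```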
86.6 Summary
Steganography can be used to hide information in text, video, sound, and graphic files. There are tools
available to detect steganographic content in some image files, but the technology is far from perfect.
A dictionary attack against steganographic systems is one way to determine if content is, in fact, hidden
in an image.
Variations of steganography have been in use for quite some time. As more and more content is placed
on Internet Web sites, the more corporations—as well as individuals—are looking for ways to protect
their intellectual properties. Watermarking is a method used to mark documents, and new technologies
for the detection of unauthorized use and illegal copying of material are continuously being improved.
References
Bender, W., Gruhl, D., Morimoto, N., and Lu, A. 1996. Techniques for data hiding. IBM Syst. J., 35, 3–4,
313–336, February.
Additional Sources of Information
http://www.cs.uct.ac.za/courses/CS400W/NIS/papers99/dsellars/stego.html—Great introduction to
steganography by Duncan Sellars.
http://www.jjtc.com/Steganography/—Neil F. Johnson’s Web site on steganography. Has other useful
links to other sources of information.
http://stegoarchive.com/—Another good site with reference material and software you can use to make
your own image files with hidden information.
http://www.sans.org/infosecFAQ/covertchannels/steganography3.htm—Article by Richard Lewis on
steganography.
http://www.sans.org/infosecFAQ/encryption/steganalysis2.htm—Great article by Jim Bartel on
steganalysis.