Topic 10a Introduction to Steganography 454 NOTE: some of the enclosed information was adapted from slides created by Professor Gary C. Kessler of Champlain College.
454 Objectives Describe steganography and outline the main categories of steganographic technique Describe how steganography has been used in history and might be used by terrorists today Show some examples of linguistic and technical steganography Explain approaches to detection of hidden messages
454 The art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message.
454 Generally involves hiding information Text hidden within text Images hidden within images Text or images hidden within executable files
454 Two components Carrier Data file that is openly available – should offer no clue that other data are hidden Payload Data that is hidden within carrier
454 The recipient Should know how to recognize the carrier Should know how to extract the payload from the carrier
454 Steganography vs Encryption An encrypted file gives away the fact that possibly important data is enclosed Methods can then be used to attempt to decrypt the enclosed data A steganographic carrier should look innocent, and give no clue that it contains hidden data It can then be made available through public methods, and only the intended recipient will recognize it for what it is
454 How steganography works
454 The Stegosystem:
454 Stego-system Criteria Cover data should not be significantly modified i.e. perceptible to humans The embedded data should be directly encoded in the cover & not in wrapper or header. Embedded data should be immune to modifications to cover. If distortion cannot be eliminated, error- correcting codes may need to be included
454 Hidden messages in history In ancient Greece messages were written on tablets then covered by wax – the wax was melted to reveal the message During WW2 the French Resistence sent messages on backs of couriers using invisible ink Crew members of the USS Pueblo, held prisoner by North Korea, communicated in sign language to discredit photos showing them smiling and comfortable
454 Steganography techniques:
454 Linguistic Steganography Involves modification to linguistic systems A message is hidden within another message
454 Semagrams The hidden message is hidden in visual cues Visual semagram The message is hidden in an image Example: A picture of a town square where the time on a clock tower indicates time for a bomb to go off
454 Visual semagram The message is hidden in an image Another example: Slight changes in a text font, or in text size or spacing could indicate the hidden message
454 Text semagram The message is hidden in format of text Example: Slight changes in a text font, or in text size or spacing could indicate the hidden message A barometer begins measurements at 1400 feet altitude during a storm front Message: ‘bomb at 4 am’
454 Open codes The message is hidden the communication according to some pre-arranged method Jargon Code: Use of special terminology with hidden meaning to recipient Example: The library is now open and has 200 paperbacks Message: Pot is available at $200 per ounce
454 Covered ciphers Null cipher: Simple method such as taking first letter of each word Example: News Eight Weather: Tonight increasing snow. Unexpected precipitation smothers eastern towns. Be extremely cautious and use snowtires especially heading east. The [highway is not] knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday First letter of each word reveals message Newt is upset because he thinks he is President.
454 Another null cipher example: Message sent by British during WW1: PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW. STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY. APPARENTLY NEUTRAL'S PROTEST IS THOROUGHLY DISCOUNTED AND IGNORED. ISMAN HARD HIT. BLOCKADE ISSUE AFFECTS PRETEXT FOR EMBARGO ON BYPRODUCTS, EJECTING SUETS AND VEGETABLE OILS.
454 Another null cipher example: Message sent by Germans during WW1: PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVESITUATION AFFECTING INTERNATIONAL LAW. STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY. APPARENTLY NEUTRAL'S PROTEST IS THOROUGHLY DISCOUNTED AND IGNORED. ISMAN HARD HIT. BLOCKADE ISSUE AFFECTS PRETEXT FOR EMBARGO ON BYPRODUCTS, EJECTING SUETS AND VEGTABLE OILS Message: PERSHING SAILS FROM N.Y. JUNE 1
454 Covered ciphers Grille cipher: Involves laying a grille over the text to reveal the letters of the message..
454 Covered ciphers Another form of grille cipher:.
454 Spam as a vector for covered ciphers Spam (unwanted ) can be a wonderful resource for covered ciphers. Most people get so much spam that they simply delete it, or use automated methods of isolating it (spam filters) The ‘Spam Mimic’ program constructs a cover message from a specified embedded message. It includes options for encoding with a password, encoding as fake PGP, and encoding as fake Russian
Spam Mimic Meet at Main and Willard at 8:30 *
454 Dear Friend, This letter was specially selected to be sent to you ! We will comply with all removal requests ! This mail is being sent in compliance with Senate bill 1621 ; Title 5 ; Section 303 ! Do NOT confuse us with Internet scam artists. Why work for somebody else when you can become rich within 38 days ! Have you ever noticed the baby boomers are more demanding than their parents & more people than ever are surfing the web ! Well, now is your chance to capitalize on this ! WE will help YOU sell more & SELL MORE. You can begin at absolutely no cost to you ! But don't believe us ! Ms Anderson who resides in Missouri tried us and says "My only problem now is where to park all my cars". This offer is 100% legal. You will blame yourself forever if you don't order now ! Sign up a friend and your friend will be rich too. Cheers ! Dear Salaryman, Especially for you - this amazing news. If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail ! This mail is being sent in compliance with Senate bill 2116, Title 3 ; Section 306 ! This is a ligitimate business proposal ! Why work for somebody else when you can become rich within 68 months ! Have you ever noticed more people than ever are surfing the web and nobody is getting any younger ! Well, now is your chance to capitalize on his. We will help you decrease perceived waiting time by 180% and SELL MORE. The best thing about our system is that it is absolutely risk free for you ! But don't believe us ! Mrs Ames of Alabama tried us and says "My only problem now is where to park all my cars". We are licensed to operate in all states ! You will blame yourself forever if you don't order now ! Sign up a friend and you'll get a discount of 20% ! Thanks ! Dear Salaryman, Your address has been submitted to us indicating your interest in our briefing ! If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE“ and you will immediately be removed from our mailing list. This mail is being sent in compliance with Senate bill 1618, Title 6, Section 307. THIS IS NOT A GET RICH SCHEME. Why work for somebody else when you can become rich within 17 DAYS ! Have you ever noticed more people than ever are surfing the web and more people than ever are surfing the web ! Well, now is your chance to capitalize on this ! WE will help YOU turn your business into an E- BUSINESS and deliver goods right to the customer's doorstep ! You are guaranteed to succeed because we take all the risk ! But don't believe us. Ms Simpson of Wyoming tried us and says "Now I'm rich, Rich, RICH" ! We assure you that we operate within all applicable laws. We implore you - act now ! Sign up a friend and you'll get a discount of 50%. Thank-you for your serious consideration of our offer.. The resulting spam from this message:
454 Technical steganography Also called ‘digital steganography’ Takes advantage of methods for digital encoding of information.
454 LSB substitution Allows message to be encoded into a graphic Takes advantage of way that raster graphics are encoded into digital files.
454 LSB substitution Raster graphics are encoded with numbers that indicate various levens of red, green and blue Also called RGB.
454 LSB substitution Often each of the levels of R, G and B are in three individual bytes The least significant bits of these bytes can be substituted without a human noticing a major change to the image.
454 LSB substitution 24-bit color Called ‘True Color’ 1 pixel requires three bytes, each representing level of red/green/blue (RGB) color. 16,777,216 (224) possible colors/image
454 LSB substitution 8-bit color Also True Color, but... Image contains a palette with up to 256 (28) unique colors, each of which is denoted by a 24-bit RGB value Each pixel requires 1 byte to point to palette entry
454 LSB substitution Example: Hide "G" ( ) in 3 pixels Original data Stego data
+ = Example: Copyright Fabian A.P. Petitcolas, Computer Laboratory, University of Cambridge TOP SECRET
Sacrificing 2 bits of cover to carry 2 bits of secret image Original ImageExtracted Image
Sacrificing 5 bits of cover to carry 5 bits of secret image Original ImageExtracted Image
454 LSB Steganography works best in cover files with high energy: Bright colors High volume
454 Audio Steganography There are various methods for hiding data in an audio file Embedding audio message in very high or very low frequencies Slight manipulation of LSB Adding what appears to be noise to the file
454 Steganography tools: Primary carrier files are image and audio formats Any type of binary file can be hidden Examples: S-Tools: Designed for lossless compression; hides information inside BMP,GIF, or WAV files using LSB overwriting (password used for LSB randomization and encryption) Gif-It-Up: Designed for lossless compression; hides information inside GIF files using LSB overwriting JP Hide-&-Seek: Designed for lossy compression; hides information inside JPEG files using LSB overwriting of DCT coefficients Camouflage: Append hidden file to carrier file
Examples Hide map in: 1.GIF file (Gif-It-Up) 2.JPEG file (JP Hide- &-Seek) 3.WAV file (S-Tools) 4.JPEG file (Camouflage)
Steganography Tools Gif-It-Up: Gif files LSB Substitution Encryption JP Hide-&-Seek: JPEG files LSB Overwriting Blowfish Crypto S-Tools: Gif, BMP, WAV files LSB Substitution Encryption – DES, IDEA Password Stegdetect: JPEG files Camouflage: JPEG files
Example 1 -GIF File (Gif-It-Up)
Example 1 -GIF File Properties
Example 1 - GIF File Palettes
Example 2 - JPEG File (JPHS)
Example 2 - JPEG File Properties
Example 3 -WAV File (S-Tools)
Example 3 -WAV Spectrum Analysis
Combating Stegonography WetStone Technologies' (Commercial): Gargoyle (née StegoDetect): Finds remnants of stego (or other malware) software Stego Suite (Stego Analyst, Stego Break, Stego Watch): Applies statistical methods on suspect files to determine probability that stego was employed, a guess as to the algorithm employed, and attempts to break the password Neils Provo (Outguess.org): stegdetect: Detects stego in JPEG images using several algorithms
stegdetect
454 Is steganography still used? According to an article in USA Today (Feb 5, 2001) steganography is being employed by Al Queda to hide messages in pornographic images on the Web binladen.htm
454 Is steganography still used? A search for hidden images on the Internet, by Niels Provos and Peter Honeyman (Univ. of Michigan) uncovered 1 hit It was an image created by ABC news for a report on steganography – and contained the hidden image of a B-52 bomber They used the ‘Steganography Detection Framework’ program
454 Summary: Steganography is a set of methods for hiding one set of data in another set of data If done correctly it can be difficult to detect The vast array of images, audio files and binary files on the Web make this an effective tool for secret message transfer Tools exist for detecting hidden messages, but these rely on an understanding of methods used and are not foolproof