Note: This article was first published in the March 2002 issue of The ISSA Password Magazine.
In the past year or so, you may have noticed an increased interest in steganography (also called stego). After the Sept. 11 attacks, there were news reports that the terrorists used it to hide their attack plans, maps and activities in chat rooms, bulletin boards and Web sites. Since then more people have been interested in this technology.
The word "steganography" comes from the Greek, and it means "covered or secret writing." As defined today, it is the technique of embedding information into something else for the sole purpose of hiding that information from the casual observer. Many people know a distant cousin of steganography called watermarking -- a method of hiding trademark information in images, music and software. Watermarking is not considered a true form of steganography. In stego the information
One of the main drawbacks of using encryption is that when you see an encrypted message, you know that it's an encrypted message. If someone captures a network data stream or an e-mail that is encrypted, the mere fact that the data is encrypted might raise suspicion. The person monitoring the traffic may investigate why and use various tools to try to figure out the message's contents. In other words, encryption provides confidentiality but not secrecy. With steganography, however, the information is hidden, and someone looking at a .jpg image, for instance, wouldn't be able to determine if there's any information within the image. So hidden information could be right in front of our eyes, and we wouldn't see it.
Can encryption and stego be used together? It's possible to combine the two by first encrypting the data and then using steganography to hide it. This two-step process adds security. If someone manages to figure out the steganographic system used, he wouldn't be able to read the data he extracted because it's encrypted.
Hiding the data
There are several ways to hide data, including data injection and data substitution. In data injection the secret message is directly embedded in the host medium. The problem with embedding is that it usually makes the host file larger; therefore, the alteration is easier to detect. In substitution, however, the normal data is replaced or substituted with the secret data. This usually results in very little change in the size of the host file. However, depending on the type of host file and/or the amount of hidden data, the substitution method can degrade the quality of the original host file.
As outlined earlier, information can be hidden in various formats including text, images and sound files. In this article we limit our discussion to hidden information in graphic images. To better understand how information can be stored in images, we need to do a quick review of the image file format. A computer image is an array of points called pixels (which are represented as light intensity). These pixels make up the image's raster data. A common image, for instance, might be 640 by 480 pixels and use 256 colors (8 bits per pixel).
In an 8-bit image, each pixel is represented by 8 bits:
1 1 0 0 1 1 0 1   (8-bit pixel)
The four bits to the left are the most significant bits (MSB), and the four bits to the right are the least significant bits (LSB). Changes to the MSB will result in a drastic change in the color and the image quality, while changes in the LSB will have minimal impact. The human eye can't usually detect changes to only 1 or 2 bits of the LSB. So if we hide data in any 2 bits in the LSB, the human eye won't detect it. For instance, if we have a bit pattern of 11001101 and change it to 11001100, they will look the same. This is why the art of stego uses these LSBs to store the hidden data.
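The substitution described above can be shown on raw pixel values. This is an added example, not code from the original article; the function names and the sample pixel data are assumptions made for illustration, and it generalizes the single-pixel case in the text to a short message spread over several pixels.

```python
# Added illustration: 1-bit LSB substitution on raw 8-bit pixel values.
# HOST is constructed sample data, not pixels read from a real image file.

def to_bits(data: bytes) -> list[int]:
    """Expand bytes into bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def embed_lsb(pixels: list[int], message: bytes) -> list[int]:
    """Replace the lowest bit of successive pixels with the message bits."""
    bits = to_bits(message)
    if len(bits) > len(pixels):
        raise ValueError("message needs more pixels than the host provides")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0b11111110) | bit  # upper 7 bits stay untouched
    return out

def extract_lsb(pixels: list[int], length: int) -> bytes:
    """Rebuild `length` bytes from the lowest bit of the leading pixels."""
    if length * 8 > len(pixels):
        raise ValueError("not enough pixels for the requested length")
    out = bytearray()
    for i in range(length):
        value = 0
        for pixel in pixels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (pixel & 1)
        out.append(value)
    return bytes(out)

def max_pixel_change(original: list[int], altered: list[int]) -> int:
    """Largest per-pixel intensity difference between two equal-size images."""
    return max(abs(a - b) for a, b in zip(original, altered))

# 64 constructed pixels; the first is the article's example value 11001101.
HOST = [0b11001101] + [(37 * i + 90) % 256 for i in range(1, 64)]
STEGO = embed_lsb(HOST, b"key")

if __name__ == "__main__":
    print(f"first pixel: {HOST[0]:08b} -> {STEGO[0]:08b}")
    print("size unchanged:", len(HOST) == len(STEGO))
    print("largest pixel change:", max_pixel_change(HOST, STEGO))
    print("recovered:", extract_lsb(STEGO, 3))
```

The pixel count is unchanged and no intensity moves by more than one step, which is why the size and the appearance of the host give nothing away.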
Practical (and not so legal) uses for steganography
Perhaps you might see some practical uses for this technology. You can, for instance, store password information in an image file on your hard drive or Web page. In applications where encryption isn't appropriate (or legal), stego can be used for covert data transmissions. Although this technology was used mainly for military operations, it is now gaining popularity in the commercial marketplace. As with every technology, there are illegal uses for stego as well. As we discussed earlier, it was reported that terrorists use this technology to hide their attack plans. Child pornographers have also been known to use stego to hide illegal pictures inside other images.
Steganalysis is the technique of discovering and recovering the hidden message. Protecting yourself against steganography isn't easy. If the hidden text is embedded in an image and you have the original (unaltered) image, a file comparison could be made to see if the images are different. This comparison wouldn't be to determine if the size of the image has changed -- remember in many cases the image size doesn't change. However, the data (and the pixel level) do change. The human eye usually can't easily observe subtle changes. Detection beyond visual observation requires extensive analysis. Several techniques are used to do this. One is the use of stego signatures. This method involves analyzing many types of untouched images that then are compared with the stego images. Much like the analysis of viruses using signatures, comparing the stego-free images to the stego images may make it possible to determine a pattern (signature) associated with the particular tool used to create the stego image.
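The file comparison against a known original can go further than a size check by reporting which bit positions differ. This is an added example, not code from the original article; the function name, the verdict labels and all sample data are assumptions made for illustration, and it only applies when the unaltered image is available.

```python
# Added illustration: compare a suspect image's pixel data with a known original.
# All byte strings below are constructed sample data, not real image files.

def compare_with_original(original: bytes, suspect: bytes) -> dict:
    """Report how many pixels differ and in which bit planes (0 = lowest bit)."""
    planes = [0] * 8
    changed = 0
    for a, b in zip(original, suspect):
        diff = a ^ b
        if diff:
            changed += 1
            for plane in range(8):
                planes[plane] += (diff >> plane) & 1
    if len(original) != len(suspect):
        verdict = "size changed"            # what data injection tends to cause
    elif changed == 0:
        verdict = "identical"
    elif not any(planes[2:]):
        verdict = "low-bit changes only"    # confined to the 2 lowest bits
    else:
        verdict = "visible-level changes"   # higher bits differ as well
    return {"same_size": len(original) == len(suspect),
            "changed_pixels": changed, "bit_planes": planes, "verdict": verdict}

ORIGINAL = bytes((37 * i + 90) % 256 for i in range(64))
# Same size, lowest bit flipped in every third pixel of the first 24.
LOW_BIT = bytes(p ^ 1 if i < 24 and i % 3 == 0 else p for i, p in enumerate(ORIGINAL))
# Same size, top bit of one pixel flipped (a change the eye could notice).
EDITED = bytes(p ^ 0x80 if i == 5 else p for i, p in enumerate(ORIGINAL))
# Larger file: extra bytes appended after the pixel data.
PADDED = ORIGINAL + b"\x00" * 10

if __name__ == "__main__":
    for name, data in [("original", ORIGINAL), ("low_bit", LOW_BIT),
                       ("edited", EDITED), ("padded", PADDED)]:
        print(name, compare_with_original(ORIGINAL, data))
```

A same-size file whose differences sit only in the lowest bit planes is the case the size check misses and the one worth escalating for closer analysis.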
Additional sources of information
- http://www.cs.uct.ac.za/courses/CS400W/NIS/papers99/dsellars/stego.html -- Great introduction to steganography by Duncan Sellars.
- http://www.jjtc.com/Steganography/ -- Neil F. Johnson's Web site on Steganography. Has other useful links to other sources of information.
- http://stegoarchive.com/ -- Another good site with reference material and software you can use to make your own image files with hidden information.
- http://www.sans.org/infosecFAQ/covertchannels/steganography3.htm -- Article by Richard Lewis on Steganography.
- http://www.sans.org/infosecFAQ/encryption/steganalysis2.htm -- Great article by Jim Bartel on Steganalysis.
About the author:
Mark Edmead CISSP, SSCP, TICSA, is president of MTE Software, Inc., and has more than 22 years' experience in software development, product development and network systems security. Fortune 500 companies have turned to Mark often to help them with projects related to Internet and computer security. He was managing editor of SANS Digest (Systems Administration & Network Security) and contributing editor to the SANS Step-by-Step Windows NT Security Guide. Mark previously worked for KPMG Information Risk Management Group and IBM's Privacy and Security Group, where he performed network security assessments, security system reviews, development of security recommendations and ethical hacking. Other projects included assisting companies develop secure and reliable network system architecture for their web-enabled businesses. Mark is co-author of the book Windows NT: Performance, Monitoring and Tuning, and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.
This was first published in April 2002