Steganography in Images

Final Communications Report

Francesco Queirolo

Steganographic image produced on the left with the stego-tool: White Noise Storm.

(Johnson, Steganography)
 Steganography is a very old method of passing messages in secret. This method of

message cloaking goes back to the time of the ancient Greeks. The historian Herodotus

wrote about how an agent wrote a message warning of an invasion on the wood part of a

wax tablet. Since messages were normally inscribed in the wax and not the wood, the

tablet appeared blank to a common observer.

There is also the story of a messenger during the Persian Wars who shaved his

head and had a message tattooed on it. He waited until his hair grew back to make his

journey. When he arrived at his destination, he shaved his head to reveal the message.

During WWII spies on both sides used “invisible” inks. These inks were fluids

such as milk, fruit juice, or urine that would darken when heated. They also sent

messages with very small punctures above characters in a document that formed a

message when combined. (Mc Cullah, Feb 7, 2001).

INTRODUCTION

Many people lump steganography with cryptography, and while they are in many

cases means to the same ends (not letting unauthorized persons view data) they are not

the same thing. Although, they are often sibling processes and first encrypting a message

then using a stego-tool to hide it is more effective in hiding a secret message than either

method by itself. According to Dictionary.com: Steganography is:” Hiding a secret

message within a larger one in such a way that others can not discern the presence or

contents of the hidden message” and Cryptography is “The process or skill of

communicating in, or deciphering secret writing or ciphers.” (Dictionary.com).

 Steganography can be used to cloak hidden messages in image, audio, and even

text files. In this report, we will concern ourselves with hiding messages (meaning either

images, or text) in images.

REPRESENTATION OF IMAGE TYPES

In a computer, images are represented as arrays of values. These values represent

the intensities of the three colors R(ed) G(reen) and B(lue), where a value for each of the

three colors describes a pixel. Through varying the intensity of the RGB values, a finite

set of colors spanning the full visible spectrum can be created. In an 8-bit gif image, there

can be 28 = 256 colors and in a 24-bit bitmap, there can be 224 = 16777216 colors.

Large images are most desirable for steganography because they have the most

space to hide data in. The best quality hidden image is normally produced using a 24-bit

bitmap as a cover image. Each byte corresponding to one of the three colors and each

three-byte value fully describes the color and luminance values of one pixel. The cons to

large images are that they are cumbersome to both transfer and upload, while running a

larger chance of drawing an “attacker’s” attention due to their uncommon size. As a

result, compression is often used. There are two common compression techniques used to

shrink the file size of a bitmap. (Johnson, 1998)

GIF

The first is the GIF (Graphics Interchange Format) format, which will decrease

the number of bits used to represent each pixel from 24 to 8. This is a lossless

compression technique and the data hidden in the message can be recovered without a

problem.
 JPEG

The JPEG (Joint Photographic Experts Group) is a form of lossy compression. It

does a very nice job of decreasing the file size of the image and retaining a great deal of

its quality. The JPEG transformation takes eight pixel by eight pixel blocks and performs

a 64 bit DCT (Discrete Cosine Transformation) does not compute to exact values. With

continuing transforms, the precision of the calculation is decreased and the amount of

error increases. Two methods used to perform a DCT are the Fast Fourier and wavelet

transforms. The downside to JPEG compression is that it may corrupt hidden data.

Palette and Image Composition

The palette and composition of the image also contribute to how well the stego-

tool does its job. An images with gradual color gradients or in grayscale is the best for

stenography because it is easier to insert small “errors” in. The changes also appear more

gradually and as a result are less likely to be detected. Observe the different color palettes

below and how the one on the left changes gradually and is more suitable for a cover

image than the one on the right. (see Figure 1. below)

Figure 1 – Palette Gradients (Johnson, 1998)

 It is also important to use images that do not contain large blocks of a solid color,

as the changed bits in the solid area are easier to detect.

CONCEALMENT

There are three main ways to conceal the secret message/image. The first way is

straight insertion where you just put the message into the cover image. The next way

requires some analysis to find the variations in color and it puts the message in those

areas where it is less likely to be detected. The last way is to randomly insert the message

into the image.

LSB

First we will investigate least significant bit insertion, where you literally put the

information in the least significant bits of an image. This is a simple technique but the

down side is that the message is very succeptible to information loss when using lossy

compression techniques. We will now go over an example that involves inserting an A

into 3 pixels of a 24 bit image. Here is the original raster data:

(00100111 11101001 11001000)

(00100111 11001000 11101001)
(11001000 00100111 11101001)

The binary value of A is 10000011 and encoding A into the last bits of this 3 pixel

sequence will change the above sequence to:

(00100111 11101000 11001000)

(00100110 11001000 11101000)
(11001000 00100111 11101001). (Johnson, 1998)

Notice that only the underlined bits had to be changed in order to create the A. On the

average only have of the bits would have to be changed in an LSB(Least Significant Bit)
encoding scheme. With such a small variation in the colors it would be very difficult for

the human eye to discern the difference.

Next we will do least bit insertion with an 8 bit value. Since 8 bit values can only

have a maximum of 256 colors the image must be chosen much more carefully. Consider

a palette with four colors: white, red, blue, and green which have the palette position

entries of 0(00), 1(01), 2(10) and 3(11) respectively. The values of four adjacent pixels

with colored white, white, blue, blue (00 00 10 10). We will try and hide the decimal

number 10 represented in binary as 1010. The resulting raster is: 01 00 11 10, which

corresponds to red, white, green, blue. Thes large changes in the image are very

noticeable in a color image although an 8 bit greyscale image will produce relatively

good results. (Johnson, 1998)

There are multiple tools that implement LSB. One tool, EzStego can change

around the palate to lessen the frequency of adjacent colors with too strong of a contrast.

S-Tools tries to approximate the cover image by changing around the palette to make the

difference between bits only one and sometimes causes very noticeable shifts in the

palette.

Masking and Filtering

Masking and filtering techniques are mostly used on 24 bit and greyscale images.

They hide info in a way simliar to watermarks on actual paper and are sometimes used as

digital watermarks. Masking images entails changing the luminance of the masked area.

The smaller the luminance change, the less of a chance that it can be detected. Observe

that the luminance in Figure 1. (next page) is at 15% in the mask region if it was

decreased then it would be nearly invisible.

 Figure 1. Masking (Johnson, 1998)

Stego-images(images that have been manipulated by steganographic methods)

that are masked will keep a higher fidelity than LSB through compression, cropping and

some image processing. The reason that a stego image encoded with masking, degrades

less under JPEG compression is that the secret message is hid in the significant areas of

the picture. There is a tool called JPEG – J steg that takes advantage of the compression

of JPEG while trying to keep a high message fidelity. The program takes a secret

message and a lossless cover image as input and outputs a stego image in JPEG format.

Digital Watermarking(a slight diversion)

As stated abovce digital watermarking is often performed by masking. The reason

for digital watermarking is very different from steganography. Where the goal of

steganography is to transmit a message undetected, a digital watermark is created as a

sign of ownership/authorship. Since digital copies are ineherently exact replicas of the

original unless noise, or some type of lossy operation is performed, there will be no way

to tell them apart.Therein lies the authorship/ownership problem due to the likeness of the

original and the copy. Digital watermarks can be used to show proof of ownership by

having your mark put into the file, so even if both images are the same, if they contain

your mark then you have a much stronger case for copyright or ownership disputes.

Watermarks can be visible or invisible depending on the luminance in the mask. The

highter the luminance the greater the visibility of the watermark. Attackers can use

different types of image processing to remove or degrade the watermark until it is

illegible. There are different recovery techniques but it is usually helpful to have the

original image when trying to recover the watermark.

Redundant Pattern Encoding

Patchwork and other similar tools do redundant pattern encoding, which is a sort

of spread spectrum technique. It works by scattering the message throughout the picture.

This makes the image more resistant to cropping and rotation. Smaller secret images

work better to increase the redundancy embedded in the cover image, and thus make it

easier to recover if the stego-image is manipulated.

Encrypt and Scatter

The encrypt and scatter technique tries to emulate white noise. White Noise Storm

is one such program that employs spread spectrum and frequency hopping. It does this by

scattering the message throughout an image on eight channels within a random number

that is generated by the previous window size and data channel. The channels then swap

rotate, and interlace amongst each other. Each channel represents one bit and as a result
there are many unaffected bits in each channel. This technique is a lot harder to extract a

message out of than an LSB scheme because to decode you must first detect that a hidden

image exists and extract the bit pattern from the file. While that is true for any stego-

image you will also need the algorithm and stego key to decode the bit pattern, both of

which are not required to recover a message from LSB. Some people prefer this method

due to the considerable amount of extra effort that someone without the alogrithm and

stego-key would have to go through to extract the message. Even though White Noise

Storm provides extra security against message extraction it is just as succeptible as

straight LSB to image degradation due to image processing.

DETECTION

Even though stego-images can rarely be spotted by the naked eye, they usually

leave behind some type of fingerprint or statistical hint that they have been modified. It is

those descrepancies which an analysis tool may be able to detect. Since some techniques

and their effects are commonly known, a statistical analysis of an image can be

performed to check for a hidden message(s) in it.

The simplest technique is to measure the entropy of redundant data and check if

its statistical properties have deviated from the data collected from the original image.

Since we do not always have the unaltered cover image readily availible a detection

system can compare the amount of 1’s and 0’s to detect the presence of a stego-image. A

similar method of analysis can be used for JPEG’s but the coefficients of the DCT are

looked at instead of individual bits. Yet another method is to create a new color and sort

the palette of the image and look for statistical anomalies that way. These simple methods

do not conclusively proove that there is a secret message but are merely the first step.
After a suspected image is found then a dictionary attack must be conducted to verify that

there is a hidden message.

USES OF STEGANOGRAPHY

Steganography can be used anytime you want to hide data. There are many

reasons to hide data but they all boil down to the desire to prevent unauthorized persons

from becoming aware of the existence of a message. In the business world

steganography can be used to hide a secret chemical formula or plans for a new

invention. Steganography can also be used for corporate espionage by sending out trade

secrets without anyone at the company being any the wiser. Steganography can also be

used in the non-commercial sector to hide information that someone wants to keep

private. Spies have used it since the time of the Greeks to pass messages undetected.

Terrorists can also use steganography to keep their communications secret and to

coordinate attacks. It is exactly this potential that we will investigate in the next section.

TERRORISTS AND STEGANOGRAPHY

Now that we have investigated the basics of steganography we will examine what

part it has had in the communication for terrorist networks and more specifically how it is

linked to the activities of Osama bin Laden and the al-Qaida network. There is a general

belief that some of the plans for the September 11 attacks were hidden in images and put

into sports and pornographic bulletin boards.

Known Communications

The al-Qaida terrorist network has been known to use encryption. They receive

money from Muslim sympathizers, buy computers and then go online and download
encryption programs from the web. (Kelley 6/19/01) Here are brief accounts from USA

Today, that describe three instances where terrorists have used some sort of encryption:

• Wadih El Hage, one of the suspects in the 1998 bombing of two U.S. embassies in East Africa,
sent encrypted e-mails under various names, including "Norman" and "Abdus Sabbur," to
"associates in al Qaida," according to the Oct. 25, 1998, U.S. indictment against him. Hage went
on trial Monday in federal court in New York.

• Khalil Deek, an alleged terrorist arrested in Pakistan in 1999, used encrypted computer files to plot
bombings in Jordan at the turn of the millennium, U.S. officials say. Authorities found Deek's
computer at his Peshawar, Pakistan, home and flew it to the National Security Agency in Fort
Meade, Md. Mathematicians, using supercomputers, decoded the files, enabling the FBI to foil the
plot.

• Ramzi Yousef, the convicted mastermind of the World Trade Center bombing in 1993, used
encrypted files to hide details of a plot to destroy 11 U.S. airliners. Philippines officials found the
computer in Yousef's Manila apartment in 1995. U.S. officials broke the encryption and foiled the
plot. Two of the files, FBI officials say, took more than a year to decrypt. (Kelley, 6/19/2001)

Osama bin Laden has used mobile phones, and satellite communications in the past

but it is believed that he has stopped using them to make it more difficult to detect him.

(Sieberg, 9/21/01) Some experts believe that he only uses messengers now. For a military

commander this would be highly ineffective as they have to be in contact with their

subordinate commanders at all times, but bin Laden is considered a spiritual or

inspirational leader and as a result does not have to maintain constant contact with his

troops. They can operate in smaller cells.

The events that took place on September 11 were obviously very coordinated and the

terrorists must have had to use some form of communication to coordinate their attacks.

Since their communications were not detected, it would lead one to believe that they were

using some type of encryption and/or message hiding system.

Steganography for Terrorists

Whether or not al-Qaida uses steganography, it would be a very effective high tech

communication method. They can use bulletin boards and other public places where you
can put images as cyber dead drops for stego-images. A dead drop is a place where you

drop off a deliverable at some pre-determined time and place without ever meeting or

directly communicating with the other party. Of course, communication will have to be

initiated but after that, all communications/exchanges can be made in the manner outlined

above. For covert purposes, this communication technique has two very distinct

advantages over most other forms of communication. The first is that the communication

is asynchronous, which means that it is simpler to implement and helps to avoid

suspicion as involved parties aren’t directly associated with each other. The second

reason is that only one of the parties is required to know who the other is. This is

especially valuable if one party is caught then they may not be able to divulge who they

were dealing with, regardless of the interrogation methods used. The last point makes

steganography an especially appealing method of communication to the al-Qaida network

because they operate as cells and the anonymity that dead drops provide will help to

avoid uncovering of the entire network even if some members are caught.

Detection

There have been multiple congressional committees dealing with encryption over the

past few years. The US government has done some private contracting to develop

steganography detection tools. One such contract is with WetStone Technologies who

have been contracted to develop a “blind steganography detection prototype”. (Mc

Cullah, February 21, 2001) There is no doubt more research going on but not all of it will

be made public and it is most probable that the NSA is developing or has detection

programs already.
 In academia, graduate students Niel Provos and Richard Honeyman at the University

of Michigan have written a web crawling program to detect steganographic images in the

wild. The program has already digested 2 billion JPEG’s on popular sights such as ebay

and has so far found only one stego-image in the wild. The detected image was on an

ABC web page that dealt with the topic of steganography. It had a picture of a B-52

graveyard at Davis-Monthan Air Force Base embedded into a surreal image of clocks and

the earth. Even though there is much speculation on the subject and al-Qaida has used

high tech information hiding methods in the past there is no proof that steganography was

used to orchestrate elements of the September 11 bombing. However, since this search is

was not exhaustive there is no conclusive proof either way.

CONCLUSION

Where does this leave us now, in the very precarious position of trying to balance

personal freedoms with national safety. There has been debate in different sectors of

government as the issue has come up before and was a rather hot issue after the first

World Trade Center attack. During the Clinton administration restrictions on the

exportation of cryptography, hardware and software tools were laxed. After the

September 11 attack, there will be no doubt a very close inspection of many aspects of

our national security and there will be new proposals to try to stop another tragedy from

occurring.

Author’s Closing Thoughts

It is the hope of the author of this paper that judicious limits on cryptography and

steganography will be implemented. As I believe that in our current position if terrorists

used a good stego-tool and a solid encryption algorithm it would be very difficult to

discover their plans before they are executed. Of course, there will be some that argue

encryption should not be mitigated as it is an academic pursuit and helps preserve

privacy. Even so, I believe we must rely on our government (for they are accountable to

the citizens of this country) to make the correct decisions in the matter because privacy is

important but not to the point where people can use it as shield to kill people.
 Bibliography

How Stego Online Works. Visited on: 11/7/01.

http://www.stego.com/howto.html

Johnson, N, & Jajodia, S. (February 1998) Exploring Steganography: Seeing the Unseen.
Visited on: 11/8/01. http://www.computer.org/computer/co1998/r2026abs.htm

Johnson, N. Steganography. Visited on: 11/8/01.

http://www.jjtc.com/stegdoc/stegdoc.html

Johnson, Neil F. Steganography. Visited on 11/9/01.

http://www.jjtc.com/stegdoc/sec313.html

Kelley, Jack (June 19, 2001). Terror groups hide behind Web encryption. Visited on:
11/8/01. http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm

Kuhn, Markus (July 3, 1995). Steganography. Visited on: 11/7/01.

http://www.iks-jena.de/mitarb/lutz/security/stegano.html

Levy, Steven (2001). Did Encryption Empower These Terrorists?. Visited on 11/5/01.
http://msnbc.com/news/627390.asp?cp1=1#BODY

Mc Cullah, Declan (Feb 7, 2001). Bin Laden: Steganography Master?. Visited on:
11/4/01. http://www.wired.com/news/politics/0,1283,41658-2,00.html

Mc Cullah, Declan (February 21, 2001). Secret Messages Come in .Wavs. Visited on:
11/7/01. http://www.wired.com/news/print/0,1294,41861,00.html

McGrath, Peter (Sept 21, 2001). Coded Communications: Did the hijackers hide their
messages in harmless-looking images on the Internet?. Visited on 11/4/01.
http://www.msnbc.com/news/632358.asp?cp1=1#BODY

Mendell, Ronald (Sept 20, 2000). Steganography - Electronic Spycraft. Visited on

11/7/01. http://www.earthweb.com/article/0,,10456_624101,00.html

PDF files from: http://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf

Provos, Niel (October 12, 2001). First Steganographic Image in the Wild. Visited on:
11/7/01. http://www.citi.umich.edu/u/provos/stego/abc.html

Schneier, Bruce. (September 24, 2001). Terrorists and steganography.

http://www.zdnet.com/zdnn/stories/comment/0,5859,2814256,00.html

Sieberg, Daniel (Sept 21, 2001). Bin Laden exploits technology to suit his needs. Visited
on 11/4/01. http://www.cnn.com/2001/US/09/20/inv.terrorist.search/