Steganography

Introduction
Steganography is derived from the Greek for covered writing and essentially means to hide in plain sight. As defined by Cachin steganography is the art and science of communicating in such a way that the presence of a message cannot be detected. Simple steganographic techniques have been in use for hundreds of years, but with the increasing use of files in an electronic format new techniques for information hiding have become possible. This document will examine some early examples of steganography and the general principles behind its usage. We will then look at why it has become such an important issue in recent years. There will then be a discussion of some specific techniques for hiding information in a variety of files and the attacks that may be used to bypass steganography.

G. P. Khamgaon

Page # 1

Steganography

What Is Steganography?
Steganography is the practice of hiding private or sensitive information within something that appears to be nothing out of the usual. Steganography is often confused with cryptology because the two are similar in the way that they both are used to protect important information. The difference between the two is that Steganography involves hiding information so it appears that no information is hidden at all .If a person or persons views the object that the information is hidden inside of he or she will have no idea that there is any hidden information, therefore the person will not attempt to decrypt the information .Steganography comes from the Greek words Stegans (Covered) and Graptos(Writing).Steganography in the modern day sense of the word usually refers to information or a file that has been concealed inside a digital Picture, Video or Audio file. What Steganography essentially does is exploit human perception, human senses are not trained to look for files that have information hidden inside of them, although there are programs available that can do what is called Steganalysis (Detecting use of Steganography.) The most common use of Steganography is to hide a file inside another file. When information or a file is hidden inside a carrier file, the data is usually encrypted with a password.

Steganography Terms
Carrier File: A file which has hidden information inside of it. Steganalysis: The process of detecting hidden information inside of a file. Stego-Medium: The medium in which the information is hidden.Redundant Bits: Pieces of information inside a file which can be overwritten altered without damaging the file. Payload: The information which is to be concealed. or

G. P. Khamgaon

Page # 2

Steganography

Requirements of Hiding Information Digitally

There are many different protocols and embedding techniques that enable us to hide data in a given object. However, all of the protocols and techniques must satisfy a number of requirements so that steganography can be applied correctly. The following is a list of main requirements that steganography techniques must satisfy: The integrity of the hidden information after it has been embedded inside the stego object must be correct. The secret message must not change in any way, such as additional information being added, loss of information or changes to the secret information after it has been hidden. If secret information is changed during steganography, it would defeat the whole point of the process. The stego object must remain unchanged or almost unchanged to the naked eye. If the stego object changes significantly and can be noticed, a third party may see that information is being hidden and therefore could attempt to extract or to destroy it. In watermarking, changes in the stego object must have no effect on the watermark. Imagine if you had an illegal copy of an image that you would like to manipulate in various ways. These manipulations can be simple processes such as resizing, trimming or rotating the image. The watermark inside the image must survive these manipulations, otherwise the attackers can very easily remove the watermark and the point of steganography will be broken. Finally, we always assume that the attacker knows that there is hidden information inside the stego object. 1

G. P. Khamgaon

Page # 3

Steganography

Steganographic Approaches
From a top-down approach there exist three types of steganographic approaches:Pure, Private key, and Public key steganography.

PURE
Pure steganography uses no keyed system to embed clear text or null cipher text into the cover data in order to hide the existence of a secret message. Pure steganography is the least secure method. It is only secure in two aspects which are, the fact only the sending and receiving parties know of the secret messages existence and which steganographic algorithm was used to hide the message. In steganalysis, this type is the easiest to crack since once detected the message can only have been hidden in as many ways as the number of steganographic algorithms which exist. The foremost difficult aspect is in the detection effort. The difficulty lies in the fact that the vast majority of screened data do not include pre-modification copies of themselves.

PRIVATE
The private key method uses a mutual key for encrypting then hiding the secret message within the cover data. As in traditional encryption the private key system is only as robust as the knowledge of the key. Since the private key system requires both parties to know the key, once it is compromised the entire stego message is non-secure.

PUBLIC
Public key encrypted steganography uses the key pair system to add a layer of robustness to the process. As in public key encryption, the public key of the recipient is used to encrypt the secret message and only that users private key may decrypt it after extracting it from the cover data. This is the most secure type of steganography. This approach is recommended since it combines the benefits of hiding the existence of a secret message with the security of encryption.

G. P. Khamgaon

Page # 4

Steganography

Steganography in Images
Figure 3 shows a simple representation of the generic embedding and decoding process in steganography. In this example, a secret image is being embedded inside a cover image to produce the stego image. The first step in embedding and hiding information is to pass both the secret message and the cover message into the encoder. Inside the encoder, one or several protocols will be implemented to embed the secret information into the cover message. The type of protocol will depend what information you are trying to embed and what you are embedding it in. For example, you will use an image protocol to embed information inside images.

FIG 3: Generic process of encoding and decoding

G. P. Khamgaon

Page # 5

Steganography

A key is often needed in the embedding process. This can be in the form of a public or private key so you can encode the secret message with your private key and the recipient can decode it using your public key. In embedding the information this way, you can reduce the chance of a third party attacker getting hold of the stego object and decoding it to find out the secret information. In general the embedding process inserts a mark, M, in an object, I. A key, K, usually produced by a random number generator is used in the embedding process and the resulting marked object, , is generated by the mapping: I x K x M . Having passed through the encoder, a stego object will be produced. A stego object is the original cover object with the secret information embedded inside. This object should look almost identical to the cover object as otherwise a third party attacker can see embedded information. Having produced the stego object, it will then be sent off via some communications channel, such as email, to the intended recipient for decoding. The recipient must decode the stego object in order for them to view the secret information. The decoding process is simply the reverse of the encoding process. It is the extraction of secret data from a stego object. In the decoding process, the stego object is fed in to the system. The public or private key that can decode the original key that is used inside the encoding process is also needed so that the secret information can be decoded. Depending on the encoding technique, sometimes the original cover object is also needed in the decoding process. Otherwise, there may be no way of extracting the secret information from the stego object. After the decoding process is completed, the secret information embedded in the stego object can then be extracted and viewed. The generic decoding process again requires a key, K, this time along with a potentially marked object, . Also required is either the mark, M, which is being checked for or the original object, I, and the result will be either the retrieved mark

G. P. Khamgaon

Page # 6

Steganography

from the object or indication of the likelihood of M being present in . Different types of robust marking systems use different inputs and outputs.

LSB Least Significant Bit Hiding (Image Hiding)

This method is probably the easiest way of hiding information in an image and yet it is surprisingly effective. It works by using the least significant bits of each pixel in one image to hide the most significant bits of another. So in a JPEG image for example, the following steps would need to be taken 1. First load up both the host image and the image you need to hide. 2. Next chose the number of bits you wish to hide the secret image in. The more bits used in the host image, the more it deteriorates. Increasing the number of bits used though obviously has a beneficial reaction on the secret image increasing its clarity. 3. Now you have to create a new image by combining the pixels from both images. If you decide for example, to use 4 bits to hide the secret image, there will be four bits left for the host image. (PGM - one byte per pixel, JPEG - one byte each for red, green, blue and one byte for alpha channel in some image types) Host Pixel: 10110001 Secret Pixel: 00111111 New Image Pixel: 10110011 4. 4. To get the original image back you just need to know how many bits were used to store the secret image. You then scan through the host image, pick out the least significant bits according the number used and then use them to create a new image with one change - the bits extracted now become the most significant bits. Host Pixel: 10110011 Bits used: 4 New Image: 00110000

G. P. Khamgaon

Page # 7

Steganography

FIG 3: Least Significant Bit Hiding. To show how this technique affects images, Figure 3 shows examples using different bit values. Dr. Ryans image on the left is the host image while Mr. Sextons on the right is the secret one we wish to hide. This method works well when both the host and secret images are given equal priority. When one has significantly more room than another, quality is sacrificed. Also while in this example an image has been hidden, the least significant bits could be used to store text or even a small amount of sound. All you need to do is change how the least significant bits are filled in the host image. However this technique makes it very easy to find and remove the hidden data.

G. P. Khamgaon

Page # 8

Steganography

Steganography in Audio
Spread Spectrum:
Spread spectrum systems encode data as a binary sequence which sounds like noise but which can be recognized by a receiver with the correct key. The technique has been used by the military since the 1940s because the signals are hard to jam or intercept as they are lost in the background noise. Spread spectrum techniques can be used for watermarking by matching the narrow bandwidth of the embedded data to the large bandwidth of the medium.

MIDI:
MIDI files are good places to hide information due to the revival this format has had with the surge of mobile phones, which play MIDI ring tones. There are also techniques which can embed data into MIDI files easily. MIDI files are made up of a number of different messages. Some of these messages control the notes you hear while others are silent and make up the file header or change the notes being played. The message we are interested in is one called Program Change (PC). A PC basically changes the type of instrument being played on a certain channel. If there are multiple PC messages in succession the instrument played will be the one selected at the very end of the message chain and due to the fact these messages occur so frequently, there are no noticeable side effects to the sound. Each PC message can contain a number from 0 to 127, which corresponds to the number of different instruments that can be played. So all you need to do is string together the necessary number of PC messages to contain the hidden data. Obviously this method doesnt allow for huge amounts of data to be stored nor is it a very good way of hiding data as it can be easily seen.

G. P. Khamgaon

Page # 9

Steganography

MP3:
The MP3 format is probably the most widespread compression format currently used for music files. Due to this, it also happens to be very good for hiding information in. The more inconspicuous the format, the more easily the hidden data may be overlooked. There are very few working examples of hiding information in MP3 files but one freely available program is MP3Stego.The technique used here is similar to the frequency transformations discussed earlier. Basically the data to be hidden is stored as the MP3 file is created, that is during the compression stage. As the sound file is being compressed during the Layer 3 encoding process, data is selectively lost depending on the bit rate the user has specified. The hidden data is encoded in the parity bit of this information. As MP3 files are split up into a number of frames each with their own parity bit, a reasonable amount of information can be stored. To retrieve the data all you need to do is uncompress the MP3 file and read the parity bits as this process is done. This is an effective technique which leaves little trace of any distortions in the music file.

Steganography In Video:
When information is hidden inside video the program or person hiding the information will usually use the DCT (Discrete Cosine Transform) method. DCT works by slightly changing the each of the images in the video, only so much though so its isnt noticeable by the human eye. To be more precise about how DCT works, DCT alters values of certain parts of the images, it usually rounds them up. For example if part of an image has a value of 6.667 it will round it up to 7.Steganography in Videos is similar to that of Steganography in Images, apart from information is hidden in each frame of video. When only a small amount of information is hidden inside of video it

G. P. Khamgaon

Page # 10

Steganography

generally isnt noticeable at all, however the more information that is hidden the more noticeable it will become.

Steganography in Documents:
While it is very easy to tell when you have committed a copyright infringement by photocopying a book, since the quality is widely different, it is more difficult when it comes to electronic versions of text. Copies are identical and it is impossible to tell if it is an original or a copied version. To embed information inside a document we can simply alter some of its characteristics. These can be either the text formatting or characteristics of the characters. You may think that if we alter these characteristics it will become visible and obvious to third parties or attackers. The key to this problem is that we alter the document in a way that it is simply not visible to the human eye yet it is possible to decode it by computer.

Fig4:Document Embedding process Figure 4 shows the general principle in embedding hidden information inside a document. Again, there is an encoder and to decode it, there will be a decoder. The codebook is a set of rules that tells the encoder which parts of the document it needs to change. It is also worth pointing out that the marked documents can be either identical or different. By different, we mean that the same watermark is marked on the document but different characteristics of each of the documents are changed.

Line Shift Coding Protocol:

G. P. Khamgaon

Page # 11

Steganography

In line shift coding, we simply shift various lines inside the document up or down by a small fraction (such as 1/300th of an inch) according to the codebook. The shifted lines are undetectable by humans because it is only a small fraction but is detectable when the computer measures the distances between each of the lines. Differential encoding techniques are normally used in this protocol, meaning if you shift a line the adjacent lines are not moved. These lines will become a control so that the computer can measure the distances between them. By finding out whether a line has been shifted up or down we can represent a single bit, 0 or 1. And if we put the whole document together, we can embed a number of bits and therefore have the ability to hide large information.

Word Shift Coding Protocol:

The word shift coding protocol is based on the same principle as the line shift coding protocol. The main difference is instead of shifting lines up or down, we shift words left or right. This is also known as the justification of the document. The codebook will simply tell the encoder which of the words is to be shifted and whether it is a left or a right shift. Again, the decoding technique is measuring the spaces between each word and a left shift could represent a 0 bit and a right bit representing a 1 bit.

In this example the first line uses normal spacing while the second has had each word shifted left or right by 0.5 points in order to encode the sequence 01000001 that is 65, the ASCII character code for A. Without having the original for comparison it is likely that this may not be noticed and the shifting could be even smaller to make it less noticeable.

Detecting Steganography

G. P. Khamgaon

Page # 12

Steganography

The art of detecting Steganography is referred to as Steganalysis.To put it simply Steganalysis involves detecting the use of Steganography inside of a file. Steganalysis does not deal with trying to decrypt the hidden information inside of a file, just discovering it. There are many methods that can be used to detect Steganography such as: Viewing the file and comparing it to another copy of the file found on the Internet (Picture File.)There are usually multiple copies of images on the Internet, so you may want to look for several of them and try and compare the suspect file to them. For example if you download a JPEG and your suspect file is also a JPEG and the two files look almost identical apart from the fact that one is larger than the other, it is most probable your suspect file has hidden information inside of it. Listening to the file. This is similar to the above method used for trying to manually detect Steganography in picture files. If you are trying to detect hidden information inside of a MP3 audio file you will need to find an audio file to compare it to that uses the same compression (MP3.) The same applies to finding hidden information inside Picture files.

Could Steganography Be Used By Terrorists?

G. P. Khamgaon

Page # 13

Steganography

Terrorist organizations have mastered the art of combining steganography with encryption. As the USA Today reported on February 5th 2001, since 1993 these groups have engaged in malicious and criminal behavior using shareware encryption and steganography tools. As early as1993 Ramzi Yousef encrypted files which planned the destruction of 11 airliners. The U.S.government was successful in capturing his laptop computer, extracting the files and decrypting them. However, FBI officials say it took them one year to decipher two of the critical files. The troubling aspect is there was no need for spending time on steganalysis or detection of a stegomessage since these were standalone encrypted files. According to U.S. officials, in early 2001Osama bin Laden posted steganographic material in sports chat rooms and pornographic web sites with instructions for terrorist activities. Presently most terrorist instructions are also carried out this same way, but there has been an increase in the use of photographic images used forsteganography. This method adds an enormous complexity which is detection of the mere existence of a secret message. The U.S. government uses supercomputers working around the clock to only detect the presence of a secret message. In case of detection, one must decide how to react. If one has truly intercepted a message, then is it worth taking the time to decrypt the secret portion of the message? In a passive attack scenario, one could allow the message to be delivered (if in transit) but make a copy of the stego message for later forensic steganalysis. An active attack represents either forging a new secret message, simply removing a message or tampering with a message in order to make it useless. Terrorist activity via steganography and encryption using the internet as the conduit has become a major concern in everyday life to the point where governmental agencies have been trying to mandate that encryption and steganography vendors supply them with a master key to every algorithm. This has drawn much fire from the ACLU which vows to fight them in federal court.

Steganography Tools

G. P. Khamgaon

Page # 14

Steganography

MP3Stego:
MP3Stego will hide information in MP3 files during the compression process. The data is first compressed, encrypted and then hidden in the MP3 bit stream.

JPHide and JPSeek:

JPHIDE and JPSEEK are programs which allow you to hide a file in a jpeg visual image. There are lots of versions of similar programs available on the internet but JPHIDE and JPSEEK are rather special.

BlindSide Cryptographic Tool:

Blindside is an example of the art of Steganography - the passing of secret messages in a form such that one would not suspect the message is being passed. This is an area of cryptography that is attracting considerable interest of late. The Blindside utility can hide a file (or files) of any variety, within a Windows Bitmap image (BMP file).

GIFShuffle:
The program Gifshuffle is used to conceal messages in GIF images by shuffling the colourmap, which leaves the image visibly unchanged. Gifshuffle works with all GIF images, including those with transparency and animation, and in addition provides compression and encryption of the concealed message.

WbStego:
WbStego is a tool that hides any type of file in bitmap images, text files, HTML files or Adobe PDF files. The file in which you hide the data is not optically changed.

StegoVideo:

G. P. Khamgaon

Page # 15

Steganography

MSU StegoVideo allows hiding any file in a video sequence. When the program was created, different popular codecs were analyzed and an algorithm was chosen which provides small data loss after video compression. You can use MSU StegoVideo as Virtual Dub filter or as standalone.exe program, independent from Virtual Dub.

Steganalysis Tools

G. P. Khamgaon

Page # 16

Steganography

Steganography Analyzer Artifact Scanner (StegAlyzerAS):

StegAlyzerAS gives you the capability to scan the entire file system, or individual directories, on suspect media for the presence of Steganography application artifacts. And, unlike other popular forensic tools, you can perform an automated or manual search of the Windows Registry to determine whether or not any Registry keys or values exist that can be associated with a particular Steganography application.

Steganography Analyzer Signature Scanner (StegAlyzerSS):

StegAlyzerSS gives you the capability to scan every file on the suspect media for the presence of hexadecimal byte patterns, or signatures, of particular Steganography applications in the files. If a known signature is detected, it may be possible to extract information hidden with the Steganography application associated with the signature.

Conclusion

G. P. Khamgaon

Page # 17

Steganography

Steganography is not a threat in general and Steganography is hardly something that is used by Terrorists and I seriously doubt that it will be used by Terrorists. I think that Steganography is a potential threat. However I do not believe it will be used for purposes that are being pushed by the media. The most probable use of Steganography is probably to hide illegal material such as child pornography. I believe that Steganography may also be used to hide sensitive information and transfer it from one place to another. For example a foreign military may have a double agent working inside the US Military, the agent steals some sensitive documents, and he wants to copy them onto CD to take home and email to his superiors. He knows that if he burns the documents to the disk there is a disk of the disk being checked. So what could he do? Simple, hide the documents inside picture files that look nothing out of the ordinary. People should be focusing on the important aspects of Steganography, such as what it is really used for, instead of believing propaganda put out by the media.

G. P. Khamgaon

Page # 18