What is Steganography? A Quick Primer
Since the beginning of the War on Terrorism, there has been much fear and suspicion that terrorists may be using steganography to communicate covertly over the Internet. In October 2001, the New York Times published an article claiming that al-Qaeda had used steganography to covertly coordinate the execution of the September 11th terrorist attack on Washington DC and New York (Kolata, 2001).
Although these suspicions have yet to be substantiated, the concerns do highlight the fact that steganography is an effective means of protecting data (Westphal, 2004). Some might even suggest that the technique is more effective, for unlike the approach taken by cryptography of protecting the contents of a message, steganography focuses on hiding the existence of the message itself, making it much more difficult to detect than to decipher.
Steganography versus Cryptography
One might confuse the techniques of steganography with cryptography; however, they differ in their approach on how to protect information. Cryptography is the technique of obscuring the contents of a message. Below is an example of how the message “Meet me at noon” would appear after being encrypted with an AES 128 encryption algorithm:
When one examines the encrypted string above, one cannot decipher its meaning, for the contents of the message have been obscured; however, one does realize that some information is being protected. Now consider the statement below:
"My ever eating turtle must eat a turnip now or over night"
Unless one knew the cipher of taking the first letter of each word in the statement, for example: "My ever eating turtle must eat a turnip now or over night," one would never realize that the same message “Meet me at noon” was hidden in it. This is an example, albeit a very unsophisticated one, of steganography. Steganography is the technique not of obscuring the contents of a message (or file), but of hiding it in plain sight, generally embedded within or masquerading as another message (or file type), in such a way that no one would realize that it exists. Although the example listed above may not seem too difficult to decipher, it becomes much more difficult if one does not know that a hidden message is contained within it. This is the strength of steganography: although it only hides a message in plain sight, doing so can make detecting a message just as difficult as breaking the encryption on a message whose contents are obviously being protected.
Today, steganography has many uses; some for good, some for not.
Some of the more common reputable uses of the technique are in watermarking (also known as fingerprinting) copyrighted materials, such that the copyright is overlaid on the original text in a way that makes it very difficult for the average person to detect, and therefore to remove, particularly if one does not know it is there. Additionally, several of the most common printers on the market today also use steganography to hide the serial number of the printer and the time of printing in a series of inconspicuous little yellow dots on each printout (Lee, R; Schoen S; Murphy P).
Some of the more common but less-than-reputable uses of the technique are to hide stolen data within another file (or dispersed across files) and send it out as an innocent-looking email attachment. As mentioned before, terrorists may be using the technique to communicate covertly over the vast openness of the Internet (Westphal, 2004).
Whether leveraged for good or evil means, the technique of hiding information in plain sight is not simply limited to hiding text-within-text. One can also hide text, or even binary files, within other binary files. A common application of steganography is to hide text or small binary files within an image file.
Using a program called SecurEngine, I was able to hide a message within a BMP. Consider the two images below:
The first one is of my son Erich with his new hat. The second photo is also of my son Erich, but it contains a text file with the message “Meet me at noon” hidden inside of it. If you wish to extract the message yourself, simply download SecurEngine and run the second image through its “UnHide” feature. (Note: SecurEngine also encrypts the hidden message, so you’ll need to supply the password “abcd” if you are attempting to recreate this.)
Visual comparison seems to offer no indication that the two images are not identical; however, exporting each of the images above to hex and comparing them reveals that the files are definitely not the same. Note the screenshot below, with each difference highlighted in red:
So How Does It Work?
There are two primary ways in which a file (or message) can be steganographically hidden within another file. The first, and simplest, means of hiding one file in another is to inject its bytes into the host file’s dead spaces, or to replace spaces which are not commonly examined (e.g. the header space on a TCP/IP packet). The second is to distribute the hidden file’s bytes through the host file’s least significant bytes (LSB). In image formats, this means replacing one of the 3 red-green-blue bytes used to represent the color of a pixel. Although this results in a different color being rendered, the differences are not generally noticeable to the eye, particularly when high resolution images are used.
If steganography is the art of obscuring the existence of messages, steganalysis is the discipline of trying to detect the existence of hidden messages or prevent the insertion of hidden messages. This is done by trying to detect the degradation or unusual characteristics of a file that are common in one that is hosting a steganographically hidden message. In image files, visual inspection is usually not very fruitful; instead, statistical analysis is frequently used in steganography detection. This is accomplished by comparing the color of a pixel to the one next to it, called a color pair, to observe how close each color in the image is to its adjacent color. An image that does not contain a message generally will have few color pair discrepancies; a large number of them is an indicator of the presence of a steganographically hidden file.
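The following Python sketch is an added example, not code from the original article or from SecurEngine. It illustrates the LSB hiding and the color-pair comparison described above, using the common variant that overwrites only the lowest bit of each color byte; the function names, the flat-color cover buffer and the simplified adjacent-pair statistic are all assumptions made for illustration.

```python
# Added illustration: LSB embedding plus a simplified adjacent-pair check.
# The cover "image" is a constructed flat-colour RGB buffer, not a real photo.

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits (MSB first) into the lowest bit of successive cover bytes."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for this cover")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes, length: int) -> bytes:
    """Rebuild `length` bytes from the lowest bit of the first length*8 bytes."""
    out = bytearray()
    for i in range(length):
        value = 0
        for b in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)

def changed_bytes(a: bytes, b: bytes) -> int:
    """Count differing byte positions, as a hex-compare tool would highlight them."""
    return sum(x != y for x, y in zip(a, b))

def pair_discrepancy(pixels: bytes, channels: int = 3) -> float:
    """Fraction of adjacent pixels (one row) whose colours are not identical."""
    px = [pixels[i:i + channels] for i in range(0, len(pixels), channels)]
    return sum(p != q for p, q in zip(px, px[1:])) / (len(px) - 1)

# Constructed cover: one row of 64 pixels in four flat colour bands of 16 pixels.
COVER = b"".join(bytes(colour) * 16 for colour in
                 [(200, 30, 30), (30, 200, 30), (30, 30, 200), (120, 120, 120)])
MESSAGE = b"Meet me at noon"
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    print("recovered:", extract_lsb(STEGO, len(MESSAGE)))
    print("bytes changed:", changed_bytes(COVER, STEGO), "of", len(COVER))
    print("pair discrepancy, clean: %.2f" % pair_discrepancy(COVER))
    print("pair discrepancy, stego: %.2f" % pair_discrepancy(STEGO))
```

Real photographs are far noisier than this flat-color cover, so a practical detector compares the statistic against a baseline calibrated on known-clean images rather than a fixed cutoff.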
Kolata, Gina. (2001). Veiled Messages of Terror May Lurk in Cyberspace. The New York Times. Retrieved March 14, 2008 from http://query.nytimes.com/gst/fullpage.html?res=9B01E3D91730F933A05753C1A9679C8B63
Westphal, K. (2003). Steganography Revealed. Security Focus. Retrieved March 14, 2008 from http://www.securityfocus.com/infocus/1684
Lee, R; Schoen S; Murphy P; Alwen, J; Huang, A. DocuColor Tracking Dot Decoding Guide. Electronic Frontier Foundation. Retrieved March 14, 2008 from http://w2.eff.org/Privacy/printers/docucolor/