Secret Data: Steganography v Steganalysis

gManZboy writes "Two researchers in China has taken a look at the steganography vs. steganalysis arms race. Steganography (hiding data) has drawn more attention recently, as those concerned about information security have recognized that illicit use of the technique might become a threat (to companies or even states). Researchers have thus increased study of steganalysis, the detection of embedded information."

Can someone explain to me what is meant by...

[squarooticus]

"illicit use [of steganography]"? I didn't realize encrypting stuff was illegal. Land of the free and all that.

Re:Can someone explain to me what is meant by...

[eln]

I think they mean the use of steganography to hide illicit materials, like child pornography. At least, I hope that's what they mean.

Re:Hmm

[dr_dank]

Who says a steg message has to be plaintext?

Layered Implementation

[Kobun]

Because an encrypted stream is obviously hiding, it gives the attacker something to focus on. What a person might do instead with Steganography is embed encrypted information, so that the set of information is not only hard to detect in a field of dummy files, but that once the encrypted data is found one still has to decode it.

Re:Hmm

[PDAllen]

Suppose you == info security guy at $Company. When you see a string of seemingly random bits in a file marked crypto.txt leaving $Company, you may not be able to find out exactly what trade secret your local friendly spy was leaking, but you do know there was a leak and who sent it.

On the other hand, if you see a load of random pictures leaving $Company from lots of employees, then you have to find which picture has hidden data in it before you even know you have a problem.

The point of steganography isn't to pass a message that can't be read, it's to pass a message without alerting anyone to the fact that a message has been passed.

Re:Hmm

[rokzy]

people making the point you made totally miss an important point. what if you don't want someone to know the data even exists?

for example, sending a message to someone your government doesn't like:

-you: "ha! it's encrypted really strongly! suck my balls!"
-government: "we don't give a flying fuck - even talking to them is a crime. off to jail for you, numbnuts!"

Explanation: Espionage

[Bonhamme+Richard]

Many posters have addressed the idea of child pornography, but it's not just a matter of images hidden inside of images. By going through the 1s and 0s that make up an image a written message can be composed.

Method: An image is built of bytes representing shades of colors. If you go through and change the least significant bit of each byte you can encode a message. Note: this is achieved without substantially changing the image.

Example: 10001000 becomes 10001001

Significance: If two people were to set up a system, like "go to site XYZ on every 3rd Friday and download the pic of the day," it would be nearly impossible to track them. An agent in the field checks the image, noting the value of the last bit of each byte. Stringing these values together he creates a message. Two individuals can communicate from across the world without anyone else suspecting.

This can be used for anything: 1) Terrorists coordinating timed attacks 2) Americans selling national security secrets to foreign powers. 3) Communication between intelligence community agents (ours or theirs).

Land of the free yes, but all three of the above uses are illegal.

Re:Hmm

[AndyL]

It's also security through misdirection. (Ie: If you find someone's secret porn collection, you'll think you know why he's kept it secret. In truth it contains plans for an atom bomb.)

But your point is really what the article is about. A serious Steganography method must be good enough to pass automated searches (steganalysis) because if the enemy knows where your data is, then you almost might as well have not bothered.

And of course, what the other post said is implied.

Re:Hmm

[bentcd]

Cryptography is also security through obscurity in that case. The only thing protecting your information is the fact that you haven't properly documented your private key :-)

Re:Hmm

[uberdave]

The problem with "Security Through Obscurity" is that the decryption algorithm is secret. Once the algorithm is known, any message can be decrypted. Both the sender, and the receiver need to know the secret algorithm, and need to trust each other to not reveal it.

In other encryption techniques, such as Public Key Encryption, the decryption algorithm is public. The algorithm works like a box with two keyholes. One keyhole locks the box, the other unlocks it. Each person selects two keys, one is public, the other is private. If the sender wants to send a message, she locks the box with the receiver's public key. Once locked, the box can only be opened with the receiver's private key. If the Larry decides to leak his private key, it doesn't compromise the security of messages sent to other people. Heather can still send messages to Jim, using his public key, confident that the messages will remain private because they are encrypted with Jim's public key, not Larry's.

Metasteganography

[Dylan+Thomas]

What strikes me as most curious is that the current debate about steganography is in itself an exercise in steganography--at least, in the sense of hiding important information in plain sight. Through the use of technical-sounding words, concerned parties manage to conceal what seems to be a genuinely frightening disrespect of the freedom of information.

Simply take "steganography" out of the equation. It's easy to scare the masses by using intimidating neologisms. But steganography is simply a manner to transmit information privately. So let's recast the sentence, "...illicit use of the technique might become a threat to the security of the worldwide information infrastructure." Let's simply say, "Individuals attempting to keep their private information private might become a threat to the security of the worldwide information infrastructure."

What used to be a preferred method for sending private information to a friend? The mail? Didn't we used to have a respect for the privacy of letters we sent via post? So how come no one said, "Sealing envelopes might become a threat to the security of the worldwide information infrastructure"?

What's being steganographically hidden in this debate is the reality that these days, quite a few people--many of them in power--simply no longer believe that a person has any right to private or personal information. Why would a technology such as this arise in the first place? Because we know that the first anthrax envelope made the private post public for everyone? Because we know our e-mail can be read, our servers can be hacked, our telephone calls recorded and our houses ransacked simply because fear of terrorists convinced us to sign over our civil liberties as if we no longer desired them?

This technology arose because some people realized that they were losing any pretense at privacy they might have had, and so were motivated to develop tools to maintain it. And now, we take the new word "steganography" and talk about how dangerous it is... perhaps because we're trying to conceal inside the hidden message that all privacy is dangerous, that anything you do, say or think should always be subject to review by the appropriate authorities.