Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secret Data: Steganography v Steganalysis

Posted by CmdrTaco on from the fight-of-the-year dept.

gManZboy writes "Two researchers in China has taken a look at the steganography vs. steganalysis arms race. Steganography (hiding data) has drawn more attention recently, as those concerned about information security have recognized that illicit use of the technique might become a threat (to companies or even states). Researchers have thus increased study of steganalysis, the detection of embedded information."

37 of 280 comments (clear)

  1. Hmm by Sparr0 · · Score: 5, Interesting

    I think this is the way of the future with regards to encryption. You cant crack what you cant find.

    1. Re:Hmm by Anonymous Coward · · Score: 3, Interesting

      You cant crack what you cant find.

      Or in the case of "The Bible Codes", you find what you want to find.

    2. Re:Hmm by dr_dank · · Score: 3, Insightful

      Who says a steg message has to be plaintext?

      --
      Where does the school board find them and why do they keep sending them to ME?
    3. Re:Hmm by PDAllen · · Score: 5, Insightful

      Suppose you == info security guy at $Company. When you see a string of seemingly random bits in a file marked crypto.txt leaving $Company, you may not be able to find out exactly what trade secret your local friendly spy was leaking, but you do know there was a leak and who sent it.

      On the other hand, if you see a load of random pictures leaving $Company from lots of employees, then you have to find which picture has hidden data in it before you even know you have a problem.

      The point of steganography isn't to pass a message that can't be read, it's to pass a message without alerting anyone to the fact that a message has been passed.

    4. Re:Hmm by rokzy · · Score: 3, Insightful

      people making the point you made totally miss an important point. what if you don't want someone to know the data even exists?

      for example, sending a message to someone your government doesn't like:

      -you: "ha! it's encrypted really strongly! suck my balls!"
      -government: "we don't give a flying fuck - even talking to them is a crime. off to jail for you, numbnuts!"

    5. Re:Hmm by 4of12 · · Score: 4, Interesting

      Any sufficiently advanced neural net should be able to deterministically find changes in common data communication where information can be hidden. And do you truly think that your data is not being checked by big brother?

      I doubt there's enough computational resources for a sufficiently advanced neural net.

      If chunks of known ciphertext in something like AES-256 can't be broken in times measured in universe ages, then I can't foresee much success in wholesale scanning of all information, searching for embedded secret strings which, if properly encrypted, should be indistinguishable from random noise.

      An old Slashdot story mentioned one of the most fertile fields for laying down stego messages: within spam.

      --
      "Provided by the management for your protection."
    6. Re:Hmm by AndyL · · Score: 4, Insightful

      It's also security through misdirection. (Ie: If you find someone's secret porn collection, you'll think you know why he's kept it secret. In truth it contains plans for an atom bomb.)

      But your point is really what the article is about. A serious Steganography method must be good enough to pass automated searches (steganalysis) because if the enemy knows where your data is, then you almost might as well have not bothered.

      And of course, what the other post said is implied.

    7. Re:Hmm by bentcd · · Score: 4, Informative

      Steganography is typically used within a closed group. It is typically not used between strangers. Therefore, you don't need to publicize your steganographic protocols beyond a small group of people.
      Furthermore, if you take the trouble to hide your data with steganography chances are that you will also encrypt it. In this scenario, the two accomplish different goals. Steganography ensures that no-one realizes that you have communicated at all and cryptography ensures that even if the steganography is compromised, they cannot tell what it was you were sending.
      Steganography is gold to any mole in need of transmitting information from inside a hostile organization to his people on the outside. So long as the hostile org cannot tell that he is communicating, he is safe. Once they figure out, he is busted.
      Or for anyone transmitting information across an untrusted medium for that matter. If you use PGP to protect your Internet mail, the Feds are going to know that you have _something_ going on and that they might want to keep extra tabs on you. If you also use steganographic techniques, you'll never show up on their radar in the first place.

      --
      sigs are hazardous to your health
    8. Re:Hmm by bentcd · · Score: 3, Insightful

      Cryptography is also security through obscurity in that case. The only thing protecting your information is the fact that you haven't properly documented your private key :-)

      --
      sigs are hazardous to your health
    9. Re:Hmm by uberdave · · Score: 3, Insightful

      The problem with "Security Through Obscurity" is that the decryption algorithm is secret. Once the algorithm is known, any message can be decrypted. Both the sender, and the receiver need to know the secret algorithm, and need to trust each other to not reveal it.

      In other encryption techniques, such as Public Key Encryption, the decryption algorithm is public. The algorithm works like a box with two keyholes. One keyhole locks the box, the other unlocks it. Each person selects two keys, one is public, the other is private. If the sender wants to send a message, she locks the box with the receiver's public key. Once locked, the box can only be opened with the receiver's private key. If the Larry decides to leak his private key, it doesn't compromise the security of messages sent to other people. Heather can still send messages to Jim, using his public key, confident that the messages will remain private because they are encrypted with Jim's public key, not Larry's.

      --
      "I'm not impatient. I just hate waiting." - My Dad
  2. Already was an issue by Sierpinski · · Score: 3, Interesting

    This came out a long time ago with the idea of hiding child pornography in files containing what appeared to be pictures of art, or other benign picture files.

    There was even an episode of Law and Order about this. Its nothing new, but I agree it does pose many questions about security. (Security through obscurity is really good if the level of obscurity is paramount.)

    --
    And they said zombies weren't real!
  3. Can someone explain to me what is meant by... by squarooticus · · Score: 4, Insightful

    "illicit use [of steganography]"? I didn't realize encrypting stuff was illegal. Land of the free and all that.

    --
    [ home ]
    1. Re:Can someone explain to me what is meant by... by eln · · Score: 3, Insightful

      I think they mean the use of steganography to hide illicit materials, like child pornography. At least, I hope that's what they mean.

    2. Re:Can someone explain to me what is meant by... by Bagels · · Score: 3, Interesting

      *cough* Chinese researchers. Perhaps not illegal in the US, but almost certainly extremely illegal over in our favorite semi-communist autocracy...

      --
      --- Bwah?
  4. Great movie title! by Guano_Jim · · Score: 5, Funny
    Secret Data: Steganography v Steganalysis

    Throw in a Stegosaurus and we've got a real Destroy All Monsters vibe going.

    Run! It's Steganalysis!

    /crushes Tokyo

    --
    3D Printing Tips and Tricks at Zheng3.com
  5. This reply is funny, inciteful and informative by Silver+Sloth · · Score: 5, Funny

    But it's hidden

    --
    init 11 - for when you need that edge.
  6. Extinct? by Chappy01 · · Score: 4, Funny

    I thought the Steganalysis was extinct...that's public school education for you.

  7. Hiding data ...pfft by pronobozo · · Score: 5, Funny

    As if you can hide information in places that nobody would find, just doesn't seem like a plausible direction for security.

    --
    ------
    insert sig here,here, and here
    1. Re:Hiding data ...pfft by justforaday · · Score: 4, Funny

      I don't get it...Could someone please tell me what the secret message is?

      --
      I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
    2. Re:Hiding data ...pfft by Darth_brooks · · Score: 5, Informative

      There's some truth to the idea of a hidden message in comic strips.

      During the 50's and 60's the air force used a particular comic strip ("smokey stover" i think. http://www.toonopedia.com/smokey.htm, also the origin of "foo" and "foo fighter") to train recon. photo interpreters. The artist would hide his wife's name somewhere in every strip, and the new recruits would have to find it.

      --
      There are some people that if they don't know, you can't tell 'em.
  8. An easy way to hide information by Anonymous Coward · · Score: 5, Funny

    Hide it on slashdot by posting at level 0. No one will think to look, and there's an unlimited storage potential.

  9. fun stuff by Darth_brooks · · Score: 5, Interesting

    I tinkered with this for a while. Start up gnucleus, do a search for *.jpg, and grab a bunch of files to scan. Not surprisingly, many of the images were porn (it's for research purposes, I swear!)

    The biggest problems were 1. most (actually, all) of the images that came back as good candidates for having embedded images came back as false positives and 2. lack of a brute-force steg break utility.

    number 2 is probably a result of poor searching on my part, but I honestly couldn't find a recent, (and free) tool that would do a brute force crack on embedded images. At the time (a few months back) I was using stegbreak and stegdetect.

    So, is there anything better? anyone else have any luck?

    --
    There are some people that if they don't know, you can't tell 'em.
    1. Re:fun stuff by BillyBlaze · · Score: 3, Interesting

      Don't know what you're talking about, but I remember when graphics hardware used to suck, and the most common way to make something selected was to overlay it with a halftone of blue. So what you would do is, figure out where that halftone would go, and in the pixels that remain exposed, mix in your porn image, at say about 25% opacity. Now, on the pixels that are obscured by the halftone, mix in the inverse of your porn image at the same opacity. When the halftone is gone, it would be hard to notice the change - the most you would notice is a subtle checkerboard effect where the porn was contrasting with the flowers. But when the halftone obscured the negative that previously was balancing the positive porn image in adjacent pixels, you would see the porn in much higher contrast.

  10. Passwords by White+Roses · · Score: 4, Interesting
    I played around with this for a time. Stored all my various passwords in one of my desktop pictures at work. In the end, while it was certainly interesting, I didn't see a personally practical use for it. Perhaps integration with a keyring type of application? A replacement for the DB file that is used to store the passwords? I send so few iamges to my friends that a sudden influx of images being sent back and forth with hidden communications would draw more attention to anyone seriously interested in my boring life. I feel secure because I am obscure.

    I can certainly see the use in espionage, hiding the real message in the static, as it were (Didn't a Tom Clancy book use this plot device? I think the message was sent in the connect noises for the modem). And NS's Baroque Cycle had some interesting steganographic bits in it (excessively long and boring letters about the nobility's obsession with fashion hiding an encrypted message for all to see). But on a day to day basis, I doubt this will affect most people.

    --
    Do not touch -Willie
  11. Re:Hmm (cracked) by product+byproduct · · Score: 4, Funny

    I think thIs iS The way of the FutuRe
    with regardS To encryPtiOn.

    You've got a nicely steganographed "first post" there.

  12. Problem with statistical analysis by grahamsz · · Score: 4, Interesting

    The suggestion is that if data is being hidden in the LSB of a photo then you can use statistical analysis to spot this anomoly.

    The problem here seems to be that if you were to compress your hidden data prior to hiding it, then the data inserted would appear random and should thwart statistical analysis. You'd need some redundancy there if you intent to jpeg compress the image, but it might work.

    I've toyed with the idea of hiding data in the vectors used in a mpeg file. Exploiting the nature of the compression algorithm rather than the source data.

    1. Re:Problem with statistical analysis by Kjella · · Score: 5, Informative

      There's a good story on something vaugely related that has to do with the frequency of digits in measured numbers. (That is, it isn't equally probable to see every digit -- earlier digits in a number favor lower digits, like "1".) People who were falsifying accounting records were caught because the numbers they used were "too random".

      Actually, here the fault is that they didn't understood the target. Expenses have no "natural" size, they're likely to be scale invariant. Basicly, you're looking for a distribution where C*f(x) = f(x). If you took 1..9, try C=2: 2,4,6,8,10,12,14,16,18... suddenly you have 5 leading 1s.

      Turns out the right distribution is following Benford's law:

      30.1% 17.6% 12.5% 9.7% 7.9% 6.7% 5.8% 5.1% 4.6%

      The second example you have is that the human "RNG" is flawed.

      A computer doesn't really suffer from this problem. The stenagography problem is really this.

      1. Find randomness in source data
      2. Replace random data with pseudorandom data

      Of course, if you overwrite non-random data, you're doing it wrong. If you're going to use the LSB, you need to verfiy that it is random, or find the portion of it that is random (which is kinda what you're doing when you pick the LSB from a pixel anyway).

      The biggest problem is really to hide it in a "reasonable" way.

      Perfect steganography should replace all randomness with noise.

      Perfect compression should eliminate all randomness.

      In other words, steganography operates on the thin slice between good compression (jpg, mp3, divx) and perfect compression. It's much easier to hide information in bmp, wav, uncompressed avi, but it also looks damn obvious.

      Kjella

      --
      Live today, because you never know what tomorrow brings
  13. Re:An easy way to hide information (PART 2) by zoloto · · Score: 4, Interesting

    actually this is a really good thing. not just on slashdot, but on other sites where you can search the documents for key words.

    Heck, post as ac with a unique subject and post encrypted (gpg) ascii in multiple parts. the data will be here still next year or five (plausible) and you can retrieve it, and decrypt (assuming you have the public key or password if it's symmetric

  14. DCT + spread spectrum by dangil · · Score: 3, Interesting

    I have done a small experiment in steganography using DCT coefficients and spread spectrum technique, spreading a 4 bit number in 4 high frequency coeficients in a DCT transformed image

    It works pretty well.. but I did it in PHP+GD, so it's pretty slow...

    if anyone is interested, I have a paper that describes the methods, the PSNR and everything else... you can reach me at my gmail server, under the dangil alias

  15. Secret Stuff by Anonymous Coward · · Score: 3, Funny

    I hide all my secret information in fake research papers on steganalysis. They never think to look there.

  16. Layered Implementation by Kobun · · Score: 3, Insightful

    Because an encrypted stream is obviously hiding, it gives the attacker something to focus on. What a person might do instead with Steganography is embed encrypted information, so that the set of information is not only hard to detect in a field of dummy files, but that once the encrypted data is found one still has to decode it.

  17. v Stegosaurus! by Mustang+Matt · · Score: 3, Funny

    I'll put my money on the dinosaur

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  18. Googlefight by Anonymous Coward · · Score: 3, Funny

    Googlefight!

    Steganography wins.

  19. Explanation: Espionage by Bonhamme+Richard · · Score: 3, Insightful
    Many posters have addressed the idea of child pornography, but it's not just a matter of images hidden inside of images. By going through the 1s and 0s that make up an image a written message can be composed.

    Method: An image is built of bytes representing shades of colors. If you go through and change the least significant bit of each byte you can encode a message. Note: this is achieved without substantially changing the image.

    Example: 10001000 becomes 10001001

    Significance: If two people were to set up a system, like "go to site XYZ on every 3rd Friday and download the pic of the day," it would be nearly impossible to track them. An agent in the field checks the image, noting the value of the last bit of each byte. Stringing these values together he creates a message. Two individuals can communicate from across the world without anyone else suspecting.

    This can be used for anything: 1) Terrorists coordinating timed attacks 2) Americans selling national security secrets to foreign powers. 3) Communication between intelligence community agents (ours or theirs).

    Land of the free yes, but all three of the above uses are illegal.

  20. Re:Wasn't that his point? MOD PARENT DOWN by Winkhorst · · Score: 4, Interesting

    You can actually say a lot in plaintext without actually saying openly what you mean. Aleister Crowley was a master at this. The way this works is you talk directly to those who know the context in which you are speaking and it all just looks like mere verbiage to anyone not familiar with your topic. Or you refer to your predicates in such a way that the casual observer can't tell what your final conclusion refers to. This is not steganography per se, but goes to the origins of the concept. I have done this myself and it allows you to say things you wouldn't dare say outright for fear of retribution from certain third parties.

    --
    "Is this Winkhorst a nova criminal?" "No just a technical sergeant wanted for interrogation."
  21. Metasteganography by Dylan+Thomas · · Score: 5, Insightful

    What strikes me as most curious is that the current debate about steganography is in itself an exercise in steganography--at least, in the sense of hiding important information in plain sight. Through the use of technical-sounding words, concerned parties manage to conceal what seems to be a genuinely frightening disrespect of the freedom of information.

    Simply take "steganography" out of the equation. It's easy to scare the masses by using intimidating neologisms. But steganography is simply a manner to transmit information privately. So let's recast the sentence, "...illicit use of the technique might become a threat to the security of the worldwide information infrastructure." Let's simply say, "Individuals attempting to keep their private information private might become a threat to the security of the worldwide information infrastructure."

    What used to be a preferred method for sending private information to a friend? The mail? Didn't we used to have a respect for the privacy of letters we sent via post? So how come no one said, "Sealing envelopes might become a threat to the security of the worldwide information infrastructure"?

    What's being steganographically hidden in this debate is the reality that these days, quite a few people--many of them in power--simply no longer believe that a person has any right to private or personal information. Why would a technology such as this arise in the first place? Because we know that the first anthrax envelope made the private post public for everyone? Because we know our e-mail can be read, our servers can be hacked, our telephone calls recorded and our houses ransacked simply because fear of terrorists convinced us to sign over our civil liberties as if we no longer desired them?

    This technology arose because some people realized that they were losing any pretense at privacy they might have had, and so were motivated to develop tools to maintain it. And now, we take the new word "steganography" and talk about how dangerous it is... perhaps because we're trying to conceal inside the hidden message that all privacy is dangerous, that anything you do, say or think should always be subject to review by the appropriate authorities.

    --
    What he wants is more important that what I want. What he wants is also more important that what you want.
  22. Re:Wasn't that his point? MOD PARENT DOWN by nacturation · · Score: 4, Funny

    ... and so's your mother! Sheesh, you thought I wouldn't catch that insult buried in your text?

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.