steganography

Steganography takes an alternative approach to conventional cryptography, such as PGP or GPG.

Cryptography focusses on making sensitive data incomprehensible, whereas steganography attempts to make it impossible to tell that you *have* any sensistive data in the first place.

The principle is that obviously encrypted data on your hard drive is unsafe, as law enforcement agencies can force you to reveal it. This will become a bigger problem if the UK RIP bill is implemented in full.

Some Open Source solutions are:

• StegFS:
  • A steganographic file system, hidden inside a conventional filesystem. Again the benefit here compared to Linux (International Kernel Patch) cryptofilesystems is that there is no indication that the hidden stegFS even exists.
• Steghide:
  • This tool hides data inside insignificant bits of GIF files. This gives you the unique opportunity to hide your warez inside your pR0n...

A really cool idea is hiding secret messages inside spam. See www.spammimic.com.

The idea behind this tool is that spam has become such a serious problem that spam has effectively become invisible.

Consider this: If you were trawling through a felons mailbox, would you spend time trying to crack this message:

 -----BEGIN PGP MESSAGE-----
 Version: PGP 6.5.1i

 qANQR1DBwE4DNw3N/eEKvwUQBACyVVucdC+BxjpIfQXrHUq8hCBWTmfCiU5qlBQv
 FjadN56jweCNVXHDt2f3SLFsX/Vjsc6rKrnKzsZhSFls/cimcLKfkzb+7T8fqMMm
 3OH0kX70viGRksGsISPqPnR33sHM65sq6mM17Lhbre4bDY16lnnnv6DWwc0eaTmI
 L5cITAP/dnh5MMt40NN8GSuQjJZrPiMBuVsnGEg8kfPv24SWQM2qZsdqu/eahX1k
 H+BfuZhq9OIn3KrCqiK+7TfMzOAYMhyurtsAikpYPzW+c9n7AQyosJ3/3pqqHUBw
 jwfTUVd6SJxb65BMjdUyDu0L3m7nP3ga4FmQmE1I8gEA4xesBkrJjNvRqbDrZbLA
 MB5t6aMqOdySzDPXI1Nuo37trigifjA3NuYumhbRzIZUXjtpQCBrooc0J+5F8hIT
 h7prvYnefFvLjQvNtAPrO4vRctFIzfNBwRmUvhc7ySR2Wi/aubPbXv/53P308oRW
 Zdpak80F9J5UhvUEirOhTB1Dkzhl6GZx1KGhplhAPKW7DSSV
 =QKZr
 -----END PGP MESSAGE-----

or this one?

Dear Friend , Thank-you for your interest in our publication
. We will comply with all removal requests . This mail
is being sent in compliance with Senate bill 1623 ,
Title 9 , Section 301 . This is a ligitimate business
proposal ! Why work for somebody else when you can
become rich inside 51 DAYS ! Have you ever noticed
how long the line-ups are at bank machines plus people
love convenience ! Well, now is your chance to capitalize
on this . WE will help YOU deliver goods right to the
customer's doorstep plus deliver goods right to the
customer's doorstep ! You can begin at absolutely no
cost to you ! But don't believe us ! Mr Anderson who
resides in Illinois tried us and says "Now I'm rich,
Rich, RICH" . We assure you that we operate within
all applicable laws . Don't delay - order today . Sign
up a friend and your friend will be rich too ! Thank-you
for your serious consideration of our offer ! Dear
Professional ; This letter was specially selected to
be sent to you ! If you are not interested in our publications
and wish to be removed from our lists, simply do NOT
respond and ignore this mail ! This mail is being sent
in compliance with Senate bill 2516 , Title 1 ; Section
304 ! This is not multi-level marketing . Why work
for somebody else when you can become rich as few as
83 WEEKS . Have you ever noticed people love convenience
& most everyone has a cellphone . Well, now is your
chance to capitalize on this ! WE will help YOU deliver
goods right to the customer's doorstep plus decrease
perceived waiting time by 200% ! You can begin at absolutely
no cost to you . But don't believe us ! Ms Ames of
North Dakota tried us and says "My only problem now
is where to park all my cars" . This offer is 100%
legal ! We urge you to contact us today for your own
future financial well-being ! Sign up a friend and
you get half off ! Thank-you for your serious consideration
of our offer . Dear Salaryman , This letter was specially
selected to be sent to you ! We will comply with all
removal requests . This mail is being sent in compliance
with Senate bill 1622 , Title 5 ; Section 309 ! This
is different than anything else you've seen . Why work
for somebody else when you can become rich within 40
days . Have you ever noticed people love convenience
plus nearly every commercial on television has a .com
on in it ! Well, now is your chance to capitalize on
this ! WE will help YOU use credit cards on your website
plus decrease perceived waiting time by 180% ! You
are guaranteed to succeed because we take all the risk
. But don't believe us . Mrs Simpson of Delaware tried
us and says "My only problem now is where to park all
my cars" ! This offer is 100% legal . We implore you
- act now ! Sign up a friend and you get half off !
God Bless !

(Both contain the same message). Of course, once the site becomes well-known, this will be a lot less useful (the encryption algorithm involved is weak as piss), but the designers state that this will cause Echelon to decrypt all spam messages it receives, which will slow them down significantly.

I must admit I've started to paste random spam messages into it, just in case Salma Hayek is sending me secret messages.

Steganography is the art of hiding information in a covert channel. Unlike cryptography, which tries to hide the content of a message, steganography tries to hide the very existance of a message.

There are three basic kinds of modern steganography: pure steganography, secret key steganography and public key steganography. Before talking about the differences, a little terminology should help.

Cover
A harmless message that won't raise suspicion. Many modern steganography systems use digital pictures or digital audio as covers.
Stego-object
A cover that has a message embedded in it.
Secret Key
This is a key that both parties must have before encoding or decoding a message(just like in secret key cryptography).
Public Key
A key that can be used to encode a message which can only be decoded with its private key(just like in public key cryptography).
Private Key
A key that can be used to decode a message encoded with its public key(just like in public key cryptography).
Alice
One of the participants in steganographic exchange(yes, steganography literature makes use of cute names, just like most cryptography literature).
Bob
The other legitimate participant in the exchange.
Wendy
Wendy is the warden. She is a passive, active or malicious attacker.

Steganography literature often uses the prisoners' problem to illustrate message exchanges, so I will too. The situation is, Alice and Bob are prisoners kept in seperate cells. They want to talk to each other about an escape plan, but the only way they can communicate is by giving messages to the warden, Wendy, for delivery to the other person. If Wendy notices anything suspicious, she'll throw both of them into solitary and refuse to relay further messages. So Alice and Bob have to hide their messages in a harmless message(a cover).

Pure Steganography requires two functions, one to encode message into a cover and another to decode. Since it's security lies only in the secrecy of the two functions, it is not very secure in practice(it violates Kerckhoffs' principle).

Secret key steganography uses a secret key to encode the message into a cover. This means that even is the warden knows the algorithm being used, she still cannot decode the stego-object until she learns the key. This makes it much more secure in practice.

Public key steganography uses a public key to encode the message into a cover and a private key to decode the message. Just like public key cryptography, public key steganography is vulnerable to the "man in the middle" attack. This is where Wendy replaces the public keys with her own during the key exchange. So when Bob encodes a message for Alice, he is really encoding it using Wendy's public key. From there, Wendy can either decode the message and encode it with Alice's public key before passing it on, or be malicious and send her own message to Alice, pretending to be Bob.

For more information, check out Katzenbeisser and Petitcolas' excellent book "Information Hiding" or:
http://www.cs.uct.ac.za/courses/CS400W/NIS/papers99/dsellars/stego.html

Steg`a*nog"ra*phy (?), n. [Gr. covered (fr. to cover closely) + -graphy.]

The art of writing in cipher, or in characters which are not intelligible except to persons who have the key; cryptography.

 

© Webster 1913.