Security Forums


Steganography.

SecureSavvy
Posted: Thu Jul 29, 2004 6:44 pm    Post subject: Steganography.

Hi, I'm new here and I have a keen interest in security.

I've read very little on Steganography, which seems to me like Black Magic, unlike cryptography, which has a sound mathematical foundation. I would very much appreciate it if you guys could give a low-down on it, with particular interest in practical issues. Also, is there any strong commercial software available for consumers?

Thanks in advance.

mjuarez
Posted: Thu Jul 29, 2004 6:53 pm    Post subject: Re: Steganography

SecureSavvy wrote:
I've read very little on Steganography, which seems to me like Black Magic, unlike cryptography, which has a sound mathematical foundation. I would very much appreciate it if you guys could give a low-down on it, with particular interest in practical issues. Also, is there any strong commercial software available for consumers?

Thanks in advance.


Give the search function a try. I found 24 references to steganography in the forums. Google brings up almost 100,000.

Marcos

midnitrcr
Posted: Thu Jul 29, 2004 10:30 pm

From what I've seen and heard it has yet to really catch on... There are some cool open-source projects out there. Check out Hydan (stego in exe's without changing the file size) and StegFS (a stego filesystem that will allow you multiple layers of hiding).

Xtra
Posted: Thu Jul 29, 2004 11:50 pm

Hey, how did you manage to find 24 references to steganography? I only found 4 when searching.

UziMonkey
Posted: Fri Jul 30, 2004 12:42 am

midnitrcr wrote:
From what I've seen and heard it has yet to really catch on... There are some cool open-source projects out there. Check out Hydan (stego in exe's without changing the file size) and StegFS (a stego filesystem that will allow you multiple layers of hiding).


I think this is due to its relative uselessness. Often, the act of surreptitiously sending someone a message is more suspicious than sending them an encrypted message in plain view. And hiding your own data is just crazy; hide it from whom, yourself? I just don't see too many uses for it. Strong encryption is a safer bet; who cares if they can see where your data is? Unless someone knows something we don't, it's quite safe anyway.

Xtra
Posted: Fri Jul 30, 2004 1:58 am

Yeah, but people will argue with you, saying that steganography [hiding] along with cryptography is better than just the latter on its own?

UziMonkey
Posted: Fri Jul 30, 2004 2:52 am

My point was, why bother hiding it if eavesdroppers have no chance of reading the message anyway? Who cares if they know you're sending data? I mean, sure, this would have uses in cases of espionage and all sorts of James Bondish stuff, but it doesn't make it any more secure for normal users. Its only practical use is if you're trying to be sneaky.

ghost16825
Posted: Fri Jul 30, 2004 3:04 am

The problem is that there is no standardised method. Both the sender and receiver need a single specialised program because of incompatibilities between the stego products.

cpconstantine
Posted: Fri Jul 30, 2004 5:00 am

midnitrcr wrote:
Check out Hydan.


Heh! The author is a friend of mine! I've been looking for a new job for him recently!

Xtra
Posted: Fri Jul 30, 2004 6:53 pm

So I guess it's not a hot topic in the security circles, so what is hot at the mo? Quantum cryptology?

cpconstantine
Posted: Fri Jul 30, 2004 7:00 pm

Hot Topic? I consider things that have real application in the real world to be 'hot topics', such as the new round of sub-$100,000 automated code/binary review systems hitting the market, the current state of IPS vs IDS, and the security implications of outsourcing work to India.

Most of the real security community feels the same. 'Hot Topics' are not things we aren't going to see practical uses for for a decade, that make the uninformed go 'oooooooh!' a lot. We have enough problems with existing cryptography, in that people are too stupid to implement it correctly as it is. Quantum cryptography sure as hell isn't going to change that.

necro1234
Posted: Sun Aug 01, 2004 7:19 pm

Hi guys

I don't know about it being "useless"; I use Hip, for example, at work.
I have a lot of apps that I use from time to time, for example for tunneling through the proxy.
People of course have full access running through my user directory (my fellow admins, that is, including head office) and have fits when finding apps they consider to be "hacking apps" (or any apps in general).
And even though it is my employer's right to lock me down as tightly as he wants, it's up to me if I want to obey that or not.
Now I have, say, a 2Mb BMP image; a 2mb image would raise no eyebrow. This gives me roughly a 50% saving of space compared to the host file, which is ample room for something like HttPort.

If the hiding of data is done well and in a random way, especially with a unique image (like one you've generated with a bmp generator) then this I think is an ideal way to hide data in large graphic files on a CD.
Most printing departments have image files of over 4Gb per image; this can be used as an excuse easily for why the image is of such a large size.
And better than a volume encryption program that has "no headers", the graphic file will open and work as per normal where the fake volume will not.
That to me would be a problem in explaining on why you have a 4Gb image/sound file/movie that does not even work.

My favorite for GIF/BMP hiding is still Hide In Picture; I think it's a brilliant concept.
The issue with many programs is that they simply take file1 and then encrypt it and glue it to the butt end of the image.
This then of course bloats the size and is easy to see where the image ends and the file starts when you open the image with the likes of a hex editor.
Hide In Picture takes your password, generates key numbers from this password, then uses these key numbers to choose the spaces in the image file where it will hide the data; it then splits the file up into the needed amount of pieces and encrypts it with the algorithm you specify (Blowfish/AES).
So unlike the others you have no way of knowing which sectors of the image are the image and which sectors are in fact the hidden file.
The only way to know is to know the numbers that were generated, and for this you would need the password+the generator algorithm which would equal this key.

This brilliant app is available for free and is a standalone executable for both DOS and WIN32 from: http://www16.brinkster.com/davitf/hip/

Cheers

Sheldon
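
The post above notes that tools which glue an encrypted file to the end of an image bloat the file and leave a visible boundary. As an added example (not part of the original post and not code from Hide In Picture), here is a checker for that case: it derives where an uncompressed BMP's pixel data must end and reports any bytes after it. The function names and the sample files are constructed for illustration, and a BITMAPINFOHEADER-style BMP is assumed.

```python
import math
import struct
from collections import Counter

def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a small uncompressed BMP (constructed sample input)."""
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp,
                      0, len(pixels), 2835, 2835, 0, 0)
    total = 14 + len(dib) + len(pixels)
    return b"BM" + struct.pack("<IHHI", total, 0, 0, 54) + dib + pixels

def bmp_expected_size(data: bytes) -> int:
    """Return the offset at which an uncompressed BMP's pixel data ends."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP with a BITMAPINFOHEADER")
    pixel_offset, = struct.unpack_from("<I", data, 10)
    width, height = struct.unpack_from("<ii", data, 18)
    bpp, compression = struct.unpack_from("<HI", data, 28)
    if compression != 0:  # only BI_RGB sizes follow from the dimensions
        raise ValueError("compressed BMP: size not derivable from dimensions")
    row_bytes = ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
    return pixel_offset + row_bytes * abs(height)  # negative height = top-down

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def check_bmp(data: bytes) -> dict:
    """Compare declared, computed and actual sizes and describe any tail."""
    expected = bmp_expected_size(data)
    declared, = struct.unpack_from("<I", data, 2)  # bfSize from the file header
    trailing = data[expected:]
    return {
        "declared_size": declared,
        "expected_size": expected,
        "actual_size": len(data),
        "truncated": len(data) < expected,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(entropy(trailing), 2),
        "suspicious": len(trailing) > 0,
    }

if __name__ == "__main__":
    clean = make_bmp(5, 3)
    # Constructed stand-in for an encrypted file appended after the image.
    stuffed = clean + bytes(range(256))
    for name, blob in (("clean.bmp", clean), ("stuffed.bmp", stuffed)):
        print(name, check_bmp(blob))
```

This size check only catches appended data; payloads written into the pixel area itself, as the post describes for Hide In Picture, leave the file length unchanged and need statistical analysis of the pixels instead.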

JustinT
Posted: Sun Aug 01, 2004 10:36 pm    Post subject: Steganography.

Setting aside convenience, or any consideration for additional overhead associated with other layers coupled with encryption, any component that adds to the workload of an attacker, and to the complexity of the attack he or she wishes to perform, is essentially an effective component, even if the degree is small and the effect is too insignificant to go to this extreme. To be politically correct, it isn't entirely useless, depending on the methodology.

Steganography satisfies one particular goal - security through obscurity, by obfuscating the actual existence of data, whether it's encrypted or not. It's obvious that obfuscating the existence of encrypted data could either frustrate an attacker more so, or just not do any good at all. At the most, it would cost additional overhead. Personally, I don't use steganographic techniques to secure any data; I feel cryptography is sufficient enough at securing data, be it stored personally, or disseminated to colleagues through transit. However, there are very ingenious concepts being developed amongst the community; my "favorite", thus far, is Hydan, since it actually demonstrates promising applications for steganography in conventional practice.

Perhaps the one solid reason that steganography hasn't gained such partnership with the cryptographic community is because as cryptographers, we design primitives to rely on structure soundness; we design them to not rely on security through obscurity. We strive for confidentiality. In other words, when an attacker applies traffic analysis, we expect to be comfortable with the fact that they know communication is being initiated, who is initiating and communicating, the amount of data being communicated, and when the communication takes place, so long as they aren't capable of revealing the plaintext meaning of the data being handled during such communication. Steganography attempts to mask the "scent" of these issues that sparks the awareness of an attacker; thus, obscuring the existence of encrypted data that would prompt traffic analysis.

There is no de facto methodology, or specified standard, and via cryptography, we can achieve levels of security that are sufficient for most applications. It's actually good practice, since it teaches us to build cryptographic primitives and protocols that are resilient enough to allow open dispersal. This security is achieved when all cards are on the table, but are of no use to the attacker. Steganography attempts to fill a niche that doesn't practically need filling, in my opinion. It definitely has its merit, and I can't see a reason to believe that it's worthless, but at the same time, I can't see an imminent reason to require integration into a cryptographic policy or methodology. For those who wish to use it - go ahead. If you're using weak cryptography, the most it could do is lengthen the time it takes for an attacker to become aware of this. If you're using strong cryptography, you probably have little need for it.

Security through obscurity, in itself, isn't a good habit to fall into, and if you can design a system to rely on Kerckhoffs's Principle, and on this principle only, you're benefitting yourself. The fact is, if you use steganography, use it as an added, optional measure. If you must rely on it, you should probably take a second look at the cryptography you're trying to obscure. The increase of security in relying on security through obscurity is a magnitude smaller than the decrease of security in doing so. Designing a channel to be secure diminishes the need for it to be covert. Overall, steganography is an interesting branch of study, and carries beneficial properties. If overhead, and other cost-conscious aspects, is not of any concern, by all means, keep on playing with it. Most importantly, pay much more attention to the cryptography and the security of its deployment. This is a bigger issue.

M3DU54
Posted: Sun Aug 01, 2004 11:20 pm

UziMonkey wrote:
My point was, why bother hiding it if eavesdroppers have no chance of reading the message anyway? Who cares if they know you're sending data? I mean, sure, this would have uses in cases of espionage and all sorts of James Bondish stuff, but it doesn't make it any more secure for normal users. Its only practical use is if you're trying to be sneaky.


Check RIP act, encryption alone may not be enough to safeguard your freedom. Also note previously made points about suspicion - Sometimes the very act of sending a concealed message will attract unwanted attention.

Unconvinced? Imagine that you live in a hardline country where your particular ideology could get you killed and encryption is considered a sure sign of subversion ... you will see that, in such circumstances, it is not enough to conceal the content of a message - you must also operate via covert and plausible channels.

Steganography aims to provide just such covert channels within credible traffic. It makes a great deal of sense if done correctly.

I guess the problem is that many people seem to confuse the two technologies... encryption and steganography address two completely different issues and are NOT interchangeable. Once this is understood and accepted then the unique value of each becomes apparent.


JustinT wrote:
Steganography attempts to fill a niche that doesn't practically need filling, in my opinion. It definitely has its merit, and I can't see a reason to believe that it's worthless, but at the same time, I can't see an imminent reason to require integration into a cryptographic policy or methodology. For those who wish to use it - go ahead. If you're using weak cryptography, the most it could do is lengthen the time it takes for an attacker to become aware of this. If you're using strong cryptography, you probably have little need for it.


As much as I respect Justin's superior understanding of cryptographic method I feel we diverge slightly on this. Perhaps it is simply because I feel that steganography cannot be valued accurately against purely cryptographic values - there is a deeply political element that is not addressed by pure cryptographic strength. Out-in-the-open cryptography may work well in countries which tolerate it, democracies protecting free thought and speech for example - but there are others living in ruthless states where the mere use of crypto could result in imprisonment, torture or capital punishment. As a member of Amnesty International I know just how common these injustices are and, whilst such conditions exist, there will remain a VERY real need for strong steganography.

M3Dz

JustinT
Posted: Mon Aug 02, 2004 1:12 am    Post subject: Differing views.

M3DU54 wrote:

As much as I respect Justin's superior understanding of cryptographic method I feel we diverge slightly on this. Perhaps it is simply because I feel that steganography cannot be valued accurately against purely cryptographic values - there is a deeply political element that is not addressed by pure cryptographic strength. Out-in-the-open cryptography may work well in countries which tolerate it, democracies protecting free thought and speech for example - but there are others living in ruthless states where the mere use of crypto could result in imprisonment, torture or capital punishment. As a member of Amnesty International I know just how common these injustices are and, whilst such conditions exist, there will remain a VERY real need for strong steganography.


Point well taken and appreciated.

I can't disagree with the politics that surround the use of cryptography. Actually, this is right on the money, when considering other portions of the globe that look at cryptography as a resistance movement, rather than harboring of one's natural right to privacy. In many of these areas, one's natural right to privacy often isn't honored. My thoughts on the matter focus on the design of cryptographic systems, in the sense that I've noticed the integration of steganography as a "relied upon" component for the overall security of the system. It seems my focus is directed towards the system of security, rather than the system of politics. However, I can't argue with the realistic need for such a covert and plausible channel of communication, within the confinement of a governing area that abhors the mere use of confidential conversion.

It is vital that one understand the purposes of encryption, as opposed to what steganography aims to provide. Encryption provides confidentiality by concealing the meaning of information; steganography conceals the existence of that information. It's more so a secondary layer, when approached from that standpoint, but they are quite the opposite, in purpose. My opinion isn't so much related to the realistic political need for this technology, as a standalone measure, but rather, what folks realize about what it can and can not provide, as a component in a cryptographic system.

Practically, where one can assume that cryptography is a non-legally-stifled activity, steganography's method of existence-obfuscation isn't as much of a necessity and can sometimes pose false hopes to those who misunderstand its definition. I design with raw semantics in mind, which naively disregard politics, but you're absolutely right. When you zoom out on the wider application of privacy, steganography does provide a relatively secure manner of being confidential. This is one of the naive trademarks of a cryptographic designer - everything is kept on a mathematical and structural basis. As such, our conditional and environmental concerns revolve around the inner-workings, rather than the outer-applications. When you disregard the politics, instead, the scale tips the opposite way. Necessity fades into optionality.

Perhaps this calls for another branch of political science - politicryptography [/play_on_words]. I never said I was a comedian. ;) But, in all honesty, your opinion does raise a very imminent threat to the future of privacy. Sometimes, privacy isn't enough; sometimes, you have to ensure that your privacy is private. It goes to show that totalitarianism is more than a 1984-Orwell-scented term; it's a reality.

(How ironic, that my existence began in the year of that literature's setting. Spooky. ;))

AnonViper
Posted: Mon Aug 02, 2004 7:02 pm

*deleted*

Last edited by AnonViper on Sat Dec 04, 2004 2:14 am; edited 1 time in total

All times are GMT + 2 Hours
Page 1 of 2