8/4/2019 Crypt Analysis
1/52
Cryptography and Steganography
Dr. Abhijit Das
Department of Computer Science and Engineering
Indian Institute of Technology Kharagpur
Kharagpur 721302 India
8/4/2019 Crypt Analysis
2/52
Hash Functions
8/4/2019 Crypt Analysis
3/52
Hash Functions: Introduction
Input: A string (message) M of any length.
Output: A string of a fixed length. The output is calledthe hash-value or the hash of M.
The hash of a message is a short representative of the
message. Easy to compute.
Provide message compression.
Alternate names: Message digest, digital fingerprint andimprint.
May be used in conjunction with secret keys.
8/4/2019 Crypt Analysis
4/52
Hash Functions: Classification
Unkeyed hash function or modification detection
code (MDC): used to preserve integrity of message,i.e., to detect modification of the message by an activeadversary or by transmission errors.
Keyed hash function or message authenticationcode (MAC): used to authenticate the source of a
message (since secret keys are used to hash amessage) in addition to preserving integrity of themessage.
8/4/2019 Crypt Analysis
5/52
Hash Functions: Desirable Properties
Collision:A hash function H maps an infinite set to a
finite set and so there must exist messages x and xsuch that H(x) = H(x). Such a pair (x,x) of messages iscalled a collision for H.
First preimage resistance: Except for few hashvalues y, it should be difficult to find a message x suchthat H(x) = y.
Second preimage resistance: Given a message x, itshould be difficult to find another message x with theproperty that H(x) = H(x).
Collision resistance: It should be difficult to find twomessages x and x with H(x) = H(x).
8/4/2019 Crypt Analysis
6/52
Hash Functions: Design
Acompression function f maps strings of length m to
strings of length n. Let r = m - n.
Break the message M into blocks M1,M2,,Ml of length r.
Start with an initial hash value H0.
For k = 1,2,,l compute the next hash valueHk+1 = f (Hk|| Mk).
Output Hl+1
as the hash value H(M) of M.
If f has the desirable properties, then H too has those.
A symmetric cipher may be used for designing one-waycompression functions. Example: f (M || K) = DES
K(M)
maps 120-bit strings to 64-bit strings.
8/4/2019 Crypt Analysis
7/52
Hash Functions: Examples
Custom-designed hash functions work based on the
general principle described earlier.
The MD family: MD2, MD4 and MD5 (128-bit hash).
The SHA family: SHA-1 (160-bit), SHA-256 (256-bit),SHA-384 (384-bit) and SHA-512 (512-bit).
RIPEMD-128 (128-bit), RIPEMD-160 (160-bit).
8/4/2019 Crypt Analysis
8/52
Hash Functions: Examples
HMAC (a keyed hash function)
Notations:M = the message to be hashedH = an unkeyed hash function
K = key for HMACP,Q = short padding blocks (not secret).
HMAC(M) = H (K || P || H (K || Q || M)).
HMAC involves two calls of H.
HMAC is efficient, since the outer call involvescomputation of hash of a short message.
8/4/2019 Crypt Analysis
9/52
Hash Function: Attacks
Birthday attack: Let H be a hash function that
produce n-bit hash values. If about 2n/2 randommessages are hashed by H, then it is highly probablethat we have found two messages x and x satisfying
H(x) = H(x). The bit-size n of hash values should be at least as large
as 128. The values greater than or equal to 160 are
recommended. Other attacks:
Attacks on the compression function
Chaining attacksAttacks on the underlying block cipher
8/4/2019 Crypt Analysis
10/52
Digital Signatures
8/4/2019 Crypt Analysis
11/52
Digital Signatures: Introduction
Digital equivalent of hand-written signatures.
Bind pieces of digital data with particular entities.
Based on public-key technology.
Signing: The signer uses his private key d to sign. Difficulty of forging:An entity without knowledge of
this private key d cannot generate a valid signature on anew piece of data.
Verifying:Anybody having access to the signers publickey e can verify the signature.
Non-repudiation:An entity should not be allowed todeny valid signatures made by him.
8/4/2019 Crypt Analysis
12/52
Digital Signatures: Classification
Signature with appendix:A representative H(M) of
the message M is computed. The signing transformationis applied on H(M). Verification requires the message M.
Signature generation:
m = H(M)s = fs(m,d)Output the signed message (M,s).
Signature verification:Compute m = H(M)
Compute m = fv(s,e)If (m=m) output signature verified
else output signature not verified
8/4/2019 Crypt Analysis
13/52
Digital Signatures: Classification
Signature with message recovery: The signing
transformation is applied to the message itself. Theverification transformation retrieves the message.
Signature generation:
Compute the signature s = fs(M,d) Signature verification:
Recover the message M = fv(s,e)
If M looks like a valid message,output signature verified
else
output signature not verified
8/4/2019 Crypt Analysis
14/52
Digital Signatures: Classification
Deterministic signatures: For a given message the
same signature is generated on every occasion thesigning algorithm is executed.
Probabilistic signatures: On different runs of the
signing algorithm different signatures are generated,even if the message remains the same.
Probabilistic signatures offer better protection against
some kinds of forgery. Deterministic signatures are of two types:
Multiple-use signatures: Slow. Parameters are used multiple
times.One-time signatures: Fast. Parameters are used only once.
8/4/2019 Crypt Analysis
15/52
Digital Signatures: Examples
RSA with appendix
Parameter selection:
Select two large primes p and q.Compute n = pq and (n) = (p - 1)(q - 1).Select a random integer e with gcd(e,(n)) = 1.
Compute an integer d satisfying ed = 1 (mod (n)).
Publish (e,n) as the verification key.Keep d secret as the signing key.
8/4/2019 Crypt Analysis
16/52
Digital Signatures: Examples
Signature generation:
Generate the short representative m = H(M) of M.Sign m as s = md (mod n).Output (M,s) as the signed message.
Signature verification:Generate the short representative m = H(M) of M.Invert signature as m = se (mod n).
If (m = m), output signature verified,else output signature not verified.
Forging: If any key other than d is used to sign m, the
equality m = m will not be satisfied. So forging RSAsignatures is as difficult as knowing d.
8/4/2019 Crypt Analysis
17/52
Digital Signatures: Examples
RSA with message recovery
Parameter selection: Same as before.
Signature generation:Compute s = Md (mod n).
Output the signature s.
Signature verification:Compute M = se (mod n).
If M is a valid message, output signature verified,else output signature not verified.
Forging: If any key other than d is used to generate s,
the recovered message M will almost certainly look likea meaningless sequence of symbols.
8/4/2019 Crypt Analysis
18/52
Digital Signatures: Examples
Rabin Signature ElGamal signature
Schnorr signature
Nyberg-Rueppel signature
Digital signature algorithm (DSA)
Elliptic curve version of DSA (ECDSA)
XTR signature
NTRUSign
. . .
8/4/2019 Crypt Analysis
19/52
Digital Signatures: Blind Signatures
The signer is not allowed to know the message to sign.
Still his active participation is necessary for signing. Blind RSA signature:
Parameter generation:As before.
Signature generation:A generates a random integer k coprime to n.A blinds m as m* = mke (mod n).B signs s* = (m*)d (mod n).
A retrieves Bs signature s = s*k-1 (mod n).
Signature verification:As before.
8/4/2019 Crypt Analysis
20/52
Digital Signatures: Undeniable
Signatures
An active participation of the signer is necessary duringsignature verification.
A signer is not allowed to deny a legitimate signaturemade by him.
An undeniable signature comes with a denial ordisavowal protocol that generates one of the followingthree outputs:
Signature verified
Signature forged
The signer is trying to deny his signature by not properly
participating in the protocol.
8/4/2019 Crypt Analysis
21/52
Digital Signatures: Attacks
Total break: An attacker knows the signing key or has
a function that is equivalent to the signature generationtransformation.
Selective forgery:An attacker can generatesignatures (without the participation of the legitimatesigner) on a set of messages chosen by the attacker.
Existential forgery: The attacker can generatesignatures on certain messages over which the attacker
has no control.
8/4/2019 Crypt Analysis
22/52
Digital Signatures: Attacks
Key-only attack: The attacker knows only the
verification (public) key of the signer. This is the mostdifficult attack to mount.
Known-message attack: The attacker knows some
messages and the signatures of the signer on thesemessages.
Chosen-message attack: This is similar to the known-
message attack except that the messages for which thesignatures are known are chosen by the attacker.
Adaptive chosen-message attack: The messages to
be signed are adaptively chosen by the attacker.
8/4/2019 Crypt Analysis
23/52
Digital Certificates
8/4/2019 Crypt Analysis
24/52
Digital Certificates: Introduction
Bind public-keys to entities.
Required to establish the authenticity of public keys.
Guard against malicious public keys.
Promote confidence in using others public keys.
Require a Certification Authority (CA) whom every entityover a network can believe. Typically, a governmentorganization or a reputed company can be a CA.
In case a certificate is compromised, one requires torevoke it.
A revoked certificate cannot be used to establish the
authenticity of a public key.
8/4/2019 Crypt Analysis
25/52
Digital Certificates: Contents
A digital certificate contains particulars about the entity
whose public key is to be embedded in the certificate. Itcontains:
Name, address and other personal details of the entity.
The public key of the entity. The key pair may be generated byeither the entity or the CA. If the CA generates the key pair,then the private key is handed over to the entity by trustedcouriers.
The certificate is digitally signed by the private key ofthe CA.
If signatures are not forgeable, nobody other than the
CA can generate a valid certificate for an entity.
8/4/2019 Crypt Analysis
26/52
Digital Certificates: Revocation
A certificate may become invalid due to several reasons:
Expiry of the certificate
Possible or suspected compromise of the entitys private key
An invalid certificate is revoked by the CA.
The CA maintains a list of revoked certificates theCertificate Revocation List (CRL).
An entity A willing to use Bs public key looks up the
certificate for Bs public key. If the CAs signature isverified on this certificate and if the certificate is notfound in the CRL, then A gains the desired confidence to
use Bs public key.
8/4/2019 Crypt Analysis
27/52
Steganography
8/4/2019 Crypt Analysis
28/52
Steganography: Introduction
Literally means covered writing (Greek).
Hiding messages in innocent media.
May be used in conjunction with cryptography, i.e., themessage may be encrypted before hiding.
An encrypted message arouses suspicion duringtransmission. A hidden message is invisible and is notexpected to arouse suspicion.
Digital watermarking embeds copyright, ownership,license and similar information in a medium. It isdifferent from steganography only in the intent of
hiding. They share same operational and functionalbehaviors.
8/4/2019 Crypt Analysis
29/52
Steganography: History
Shave the messengers head, tattoo the secret message,
allow hair to grow and then send the messenger. Whenthe messenger reaches the destination, his head can beshaved once again in order to see the hidden message.
German spy sent this message during World War II:
Apparently neutrals protest is thoroughly discounted and ignored.Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils.
Extracting second letters from the words gives:
Pershing sails from NY June I.
8/4/2019 Crypt Analysis
30/52
Steganography: Terminology
Formula:
Cover-medium + embedded message + Stego-key= Stego-medium.
Multimedia files are good covers for hiding messages:
ImagesSound files
Movies
Binary filesText files
We will concentrate on embedding messages in image
files. The media are then called cover-image andstego-image.
8/4/2019 Crypt Analysis
31/52
Steganography: Image Files
Size of an image is determined by pixels. A pixel is an
instance of color.A color can be specified by the primary components:
Red, Green and Blue. Each component is represented by
a byte (an 8-bit value between 0 and 255).Example: 00 00 00 is black, FF 00 00 is red, FF FF 00 isyellow, and FF FF FF is white.
Each pixel can be represented by an 8-bit value (GIF) ora 24-bit value (JPEG, BMP).
The image data is usually compressed.
Lossless compression: The exact pixel values are stored.Lossy compression: Approximate pixel values are stored.
8/4/2019 Crypt Analysis
32/52
Steganography: Image Files
A GIF (Graphic Interchange Format) image is an 8-bit
image file. Supports at most 256 colors per image.
Color-map table: An index of 256 (or less) colors
occurring in the image. Each pixel is represented by an 8-bit value which refers
to the index of the color in the color-map table.
A JPEG (Joint Photography Experts Group) image is a24-bit image file that uses lossy compression based onthe discrete cosine transform (DCT).
Both GIF and JPEG formats use adaptations of theLempel-Ziv (LZ) compression algorithm.
8/4/2019 Crypt Analysis
33/52
Steganography: Methods
Least significant bit (LSB) insertion: Modify the LSB
of a pixel value based on the message to hide. Smallchanges in the pixel values cannot be noticed by humanobservers.
Properties:Simple to implement.
Compatible with lossless compression.
Better adapted to 24-bit images.Often works well with gray-scale images.
Causes expansion of the number of colors in an image.
Extremely vulnerable to image manipulations.
8/4/2019 Crypt Analysis
34/52
Steganography: Methods
Masking and filtering: Marks the image in a non-
detectable manner, for example, by increasing theintensity subtly at certain locations of the image.Typically noisy and busy areas of an image are chosen
to hide the message.
Properties:
The hidden message is more integrated to the cover image.Robust against image manipulations like rotation, smoothing.
Multiple insertion of the hidden message makes stego-imagesrobust again cropping.
Can withstand some amount of compression.
8/4/2019 Crypt Analysis
35/52
Steganography: Methods
Algorithms and transformation: These are the most
sophisticated hiding mechanism that use specialalgorithms to hide a message in an image. For example,the DCT algorithm may be exploited in order to hide a
message in a JPEG file. The DCT uses floating-pointcalculations with rounding-off errors and so thecompression is lossy. Suitably modifying the floatingpoint arithmetic may hide a message.
Properties:
Integrates the message in the image in the best way.
Most robust against image manipulation.
Compatible with lossy compression.
8/4/2019 Crypt Analysis
36/52
Steganography: LSB Example
Suppose we want to hide the letter C in a GIF image.
The ASCII value of C is 67, i.e., 01000011. Suppose that the first eight pixels of the GIF image are:
00110101 01001000 00101000 00110101
00101111 00011100 01001000 01001000 Modifying the LSBs corresponding to C gives:
00110100 01001001 00101000 00110100
00101110 00011100 01001001 01001001 Changes in the index values (in the color-map table)
may lead to easily detectable patterns in the image (for
example, a red spot in the blue sky). More sophisticated algorithms smooth out the patterns.
8/4/2019 Crypt Analysis
37/52
Steganography: Examples
StegoDos: handles 8-bit images, uses LSB insertion. Hide and Seek: LSB-based.
Hide4PGP: LSB-based.
S-Tools: LSB-based. SysCop: LSB-based.
White Noise Storm: LSB-based.
Mandelsteg: hides messages in a fractal image.
Jsteg-Jpeg: handles Jpeg images by manipulation ofDCT coefficients.
8/4/2019 Crypt Analysis
38/52
Steganography: Examples Text message to hide:
Steganography is the art and science of communicating in a way which hides the
existence of the communication. In contrast to cryptography, where the enemy isallowed to detect, intercept and modify messages without being able to violatecertain security premises guaranteed by a cryptosystem, the goal of steganographyis to hide messages inside other harmless messages in a way that does not allowany enemy to even detect that there is a second secret message present.
Cover image Stego image produced by StegoDos
8/4/2019 Crypt Analysis
39/52
Steganography: Examples
Image file to hide:
Image of a major Soviet strategic bomber base
8/4/2019 Crypt Analysis
40/52
Steganography: Examples
Cover image:
Pierre-Auguste Renoirs Le Moulin de la Galette.
8/4/2019 Crypt Analysis
41/52
Steganography: Examples
Stego-image produced by White Noise Storm:
8/4/2019 Crypt Analysis
42/52
Steganography: Examples
Stego-image produced by S-Tools:
8/4/2019 Crypt Analysis
43/52
Steganography: ExamplesWatermarked image obtained by masking:
8/4/2019 Crypt Analysis
44/52
Steganalysis
8/4/2019 Crypt Analysis
45/52
Steganalysis: Introduction
Steganalysis refers to the art of detecting and
rendering useless covert messages. Classification:
Stego-only attack: Only the stego-medium is available to the
attacker.Known-cover attack: Both the original cover medium and the
corresponding stego-medium are available.
Known-message attack: The hidden message and the stego-
medium are available.
Chosen-message attack: Similar to the known-message attackexcept that the message(s) are chosen by the attacker.
Adaptive chosen-message attack: Same as chosen-messageattack, but the messages are chosen adaptively.
8/4/2019 Crypt Analysis
46/52
Steganalysis: Detection of Hidden
Information
Looking for unusual features in a medium:
May be done by a human observer. Example: Red dot in animmaculately blue sky. Another example of a stego-imageproduced by Hide and Seek is given below:
Unusual features may be detected electronically. This isparticularly needed, because our eyes (and ears) are insensitiveto small variations. Examples: Slightly colored pixels in a gray-scale image, rapid change in pixel values in a small region.
8/4/2019 Crypt Analysis
47/52
Steganalysis: Detection of Hidden
Information
Search for signatures of known steganographicsoftware.
Look for obvious and repetitive patterns.
In a known-cover attack, one should compare theoriginal cover medium with the stego medium.
Image processing: Luminance defined as
L = (0.299 x R) + (0.587 x G) + (0.114 x B)
is a promising message detection parameter.
8/4/2019 Crypt Analysis
48/52
Steganalysis: Detection of Hidden
Information
S-Tools handles 8-bit images by first reducing the
number of colors in the original image to 32 and thenapplying LSB insertion. So many indexes of pixels differonly by one bit (the LSB). Therefore, the variance in
colors produced by normal images is usually muchlarger than stego-images produced by S-Tools.
Mandelsteg produces images with 256 palette entries
with two entries for each of 128 different colors. Hide and Seek produces images whose 8-bit color
values are multiples of 4. For example, the whitest color
in a stego image from this software has the RGB value252,252,252.
8/4/2019 Crypt Analysis
49/52
Steganalysis: Destroying Hidden
Information
Once existence of a hidden message is detected, it is
necessary to read it. This is not always easy, since thehidden message may be encrypted. The next best thingthat an attacker can do is to destroy the message.
Break the image I in two parts:I = v + t,
where t is threshold of human imperceptibility.
Choose some t in the region of human imperceptibilityand modify the image as:
I = v + t.
I and I look the same, but I has the hidden messagedistorted beyond recovery possibilities.
8/4/2019 Crypt Analysis
50/52
References
8/4/2019 Crypt Analysis
51/52
References: Cryptography
Alfred J Menezes, Paul C van Oorschot and Scott A Vanstone,
Handbook of Applied Cryptography, CRC Press, Fifth Printing(August 2001). ISBN: 0-8493-8523-7.http://www.cacr.math.uwaterloo.ca/hac/
William Stallings, Cryptography and Network Security, Pearson
Education, 2003. ISBN: 81-7808-902-5. Bruce Schneier, Applied Cryptography, John Wiley & Sons, Inc.
Asian edition 2002. ISBN: 9971-51-348-X.
Neal Koblitz, A Course in Number Theory and Cryptography(Graduate Texts in Mathematics, No 114), Springer-Verlag, 2ndedition (August 1, 1994). ISBN: 0-3879-4293-9.
A Das and C E Veni Madhavan, Book on public-key cryptography,
Forthcoming.
8/4/2019 Crypt Analysis
52/52
References: Steganography
Neil F Johnson, Zoran Duric, Sushil Jajodia, Information Hiding:Steganography and Watermarking - Attacks and Countermeasures,(Advances in Information Security, Volume 1), Kluwer AcademicPublishers, 2001. ISBN: 0-79237-204-2.
Stefan Katzenbeisser, Fabien A P Petitcolas (editors), InformationHiding Techniques for Steganography and Digital Watermarking,Artech House Books, January 2000. ISBN: 1-58053-035-4