History and Principles of Steganography - CSM25 Secure ... · Dr Hans Georg Schaathun History and Principles of Steganography Spring 2008 31 / 54 Secret writing in the past The Antique

History and Principles of SteganographyCSM25 Secure Information Hiding

Dr Hans Georg Schaathun

University of Surrey

Spring 2008

Dr Hans Georg Schaathun History and Principles of Steganography Spring 2008 1 / 54

What is Steganography? Why?

Free thinkers and free speech


What is Steganography? Why?

The other side

Both clips:The Independent, Friday 27 October 2006.


What is Steganography? Learning Objectives

Lesson Objectives

In this session, we shall1 establish basic terminology to discuss steganography and

communications security.2 compare steganography and cryptography, and steganography and

watermarking3 introduce Kerckhoffs’ principles, especially the significance of a

secret key.After the session, you should be able to

1 use the terminology correctly to discuss communications securityunambiguously

2 be able to use Kerckhoffs’ principles to evaluate the security incommunications



The Outcomes and Expectations

Pass (50-60)be able to implement simple stego-systems and steganalysistechniqueshave an overview of the different techniques for and approaches tosteganographyuse the basic terminology correctly and unambiguously

Distinction (70+)Be able to assess security properties in a communications system,and assess security needs in an application.Be able to generalise theories and techniques in steganography,and relate and contrast different approaches.Be able to discuss stego-systems in unambiguous terms, andchoose appropriate approaches for given application needs.

Merit (60-70)Acieve all pass mark objectives, and partly achieve the distinctionmark objectives.



Exercises and Assessment

Weekly exercises One exercise sheet given after each lecture. This isto be done at home, and peer-assessed and/or discussedin the next session.

Portfolio (50%) To be handed in at the end of module, summarisingyour learning. Two of the weekly exercise papers will bespecified one week before the deadline and have to beincluded.

Poster (25% collective mark + 25% individual mark) A poster on achosen topic is to be prepared in groups of 3-5 andpresented to the class in Weeks 11-12. Each groupmember has to be active in the presentation.


Steganography models The problem

The basic problemSimmons Crypto’83

Alice

.

................................

.............

..................................

..........

......................................

.....

..........................................

.........................................

........................................

....................................... ...................................... ..................................... ..................................... .............................................................................

........................................

.........................................

..........................................

...........................................

............................................

.............................................

Bob

William theWarden

.

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

......

Escape at midnight.

«Uncle Charlie is muchbetter now.»


Steganography models The problem

The basic crypto-problemEncryption

Alice

.

................................

.............

..................................

..........

......................................

.....

..........................................

.........................................

........................................

....................................... ...................................... ..................................... ..................................... .............................................................................

........................................

.........................................

..........................................

...........................................

............................................

.............................................

Bob theBanker

Eve

.

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

.........

......

What is the password?

Transaction data.


Steganography models Threats and Controls

Threats and controlsCSM27 Re-cap – See Pfleeger&Pfleeger Ch. 1

Assets Resource and fascilities we value and don’t want to lose.Threat A potential damage or cause of damage to the assets.

Control Any security measures used to reduce the risk (eitherprobability or severity of damage) of damage fromexisting threats.

Vulnerabilities Weaknesses (bugs etc) in the system which increasesthe risk of damage from existing threats.



Discussion exercise

Team up, one (or two) person(s) from IS/IC and two (or three) fromSTA.Discuss the steganography and cryptography scenarioespresented, and identify

1 The assets we seek to protect2 Threats against these assets3 The threats controlled (respectively) by steganography and

encryption



Combining Encryption and Steganography

You can increase security of a steganographic system byencrypting the message before hiding it. (common claim)

In what way is the claim true?In what way is the claim false?Steganography and encryption control different threats.

Combining the controls control more threatsCombining the controls does not reduce the risk of each threat.

Hence, encryption does not improve the security ofsteganography.

It adds controls outside the scope of steganography.



Lesson

Be wary of general claims of security.Address the protection of each asset separately.Address the control of each threat separately.


Steganography models What steganography is

The data hiding systemWatermarking System

Embedding Extractor

Message RecoveredKey

File

Security depends on the confidentiality of the algorithm.



Watermarking vs. Steganography

Watermarking: the cover-image is essentialTwo receivers:

One observes the cover-imageOne extracts the hidden message

Minimum distortion is importantSteganography: What is the use of cover-image at receiver?

Bob wants the messageThe image is a red herringDistortion (relative the original cover) is irrelevant



Two key differencesWatermarking vs. Steganography

1 Cover-imageimportant in watermarkingmeaningless in steganography

2 AttackerSteganography: determine whether secret information exists or notWatermarking: various other goals

Change cover-textRemove watermarkChange watermark



SteganographyCryptographic view

A Secret-Key stego-system (by synthesis) is S = (C, M, K , E , D)where

C : set of cover textsM : set of messagesK : key space (set of possible keys)E is an encoding function, E : K ×M → CD is a decoding function, D : K × C → M

such thatPr(D(k , E(k , m)) = m) ≈ 1.



Steganography from Watermarking

Secret-Key Stego-system by modificationThe encoding function takes a cover text from C as input

E : K × C ×M → C

Pure stego-system (by modification)The encoding function takes a cover text from C as input, and nokey is used

E :C ×M → CD :C → M



To remember

The cover-text is a red herring in steganography.The standard definitions of pure steganography and secret-keysteganography apply to a very limited class of steganographybased on data hiding.Cover-text irrelevant⇒ distortion irrelevant.

PSNR used to measure distortion in Watermarking.


Steganography models Definitions

DefinitionsThe tools

Definition (Cipher)A system which allows Alice and Bob to communicate secretly withoutEve being able to learn the contents of the communication.

Encryption refers to the process of applying a cipher.

Definition (Stego-system)A system which allows Alice and Bob to communicate secretly withoutEve knowing that any secret communication is taking place.



DefinitionsThe disciplines

Definition (Steganography)

The study of (and art of developing) stego-systems.

Definition (Cryptography)

A general term encompassing the study of ciphers and othertechnology for secure communications.

Cryptography is more than ciphersDigital signaturesAuthorisation protocolsSteganography



DefinitionsThe countermeasures

Definition (Steganalysis)

The art of detecting whether secret communications is taking place ornot.

Definition (Cryptoanalysis)The art of breaking any cryptographic system, most often referring tobreaking ciphers, i.e. to find the contents of secret communications.



Steganography versus Cryptography

We define Steganography by its objective (control a specificthreat).

We don’t make any assumptions on how it works.

Cryptography includes SteganographyModern cryptography does assume certain principles andmethods

not all Steganography qualifies as modern Cryptography.


Secret writing in the past Francis Bacon 1605

Francis Bacon 1605Of the Proficience and Advancement of Learning Divine and Humane

For CYPHARS; they are commonly in Letters or Alphabets, but may bee inWordes. The kindes of CYPHARS, (besides the SIMPLE CYPHARS withChanges, and intermixtures of NVLLES, and NONSIGNIFICANTS) aremany, according to the Nature or Rule of the infoulding:WHEELE-CYPHARS, KAY-CYPHARS, DOVBLES, &c. But the vertues ofthem, whereby they are to be preferred, are three; that they be notlaborious to write and reade; that they bee impossible to discypher; and insome cases, that they bee without suspition. The highest Degree whereof,is to write OMNIA PER OMNIA; which is vndoubtedly possible, with aproportion Quintuple at most, of the writing infoulding, to the writinginfoulded, and no other restrainte whatsoever. This Arte of Cypheringe,hath for Relatiue, an Art of Discypheringe; by supposition vnprofitable; but,as things are, of great vse. For suppose that Cyphars were well mannaged,there bee Multitudes of them which exclude the Discypherer. But inregarde of the rawnesse and Vnskilfulnesse of the handes, through whichthey passe, the greatest Matters, are many times carryed in the weakestCYPHARS.

Bacon’s three cryptographic principles1 that they be not laborious to write and read; User-friendly2 that they be impossible to discipher; Secure3 (in some cases) that they be without suspicion.

Hidden i.e. steganography

No distinction between stego-systems and ciphersDefined by purpose: keeping secrets.


Secret writing in the past The Antique

Secret Writing in the Antique

(Egypt) Tomb of Khnumethotep II c. 1900 B.C. Menet KhufuRebuses obscure writing.Brain exercises – adds mysterysame principles in Norse Runes (Orkneys and Scandinavia)

(Mesopotamia) Seleucia 1500 B.C.: 3"x2" tabletsProtect trade secrets.Earliest known formula for glazes for pottery.

(India) Kama-sutra by Vatsyana (legendary erotics)64 arts (yogas) women should know and practicemlecchita-vikalpa (secret writing) is no. 45.

(India) Arthasastra 321-300BCbut first political mention of cryptographyAmbassadors should use cryptanalysis to gather intelligence.



China: No cryptography

Only great civilisation using ideogrammatic writing... and only one with little interest in cryptographybut steganograhy was used:

Thin silk, covered in wax, rolled into balls (la wan)

11th century: Wu-ching tsung-yao (Essentials from MilitaryClassics)

List of 40 plaintext items (victory reports, requests for arrows, etc.)Assign to 40 first ideograms of a poem.Write appropriate ideogram in an ordinary dispatch,Mark by seal stamp over it.



Elementary Steganography à la greque

Reported in Histories by Herodotus (c. 486-425 B.C)Histæus 440 B.C.

1 Shave the head of a slave2 Tattoo the messages on his head3 Wait until the hair grows back4 Dispatch the Slave

(also used by Germany in the early 20th century)

Wax tablets1 Remove the wax2 Write the message on the wood3 Recover with wax to make a blank tablet.

(Demeratus used it to warn Sparta of a Persian invasion)



Elementary Steganography anno 18..Pin holes in news papers

Mark individual letters in a news papermake pin wholesoverwrite with a pencil

Invisible inkQuite a few methods

Invisible to a casual observersEasy to spot when you know what to look for


Cryptography versus Steganography Kerckhoff’s principles

The Advent of Modern Cryptography

Auguste Kerckhoff 1883« La cryptographie militaire » Journal des sciencesmilitaires 1883Principles of military cryptographyDefines the security paradigm

Claude Shannon 1948Defines Information... and Entropy to measure Information quantitativelyEnables mathematical proofs of security of information



Modern Cryptography

Modern cryptography has mainly been shaped byAuguste Kerckhoff 1883 : The security paradigmClaude Shannon 1948 : Mathematical theory ofinformationand Diffie & Hellman 1976 (Public KeyCryptography)

The consequence ofModern day cryptography is

Theoretically matureReliableHighly trusted technology



Auguste Kerckhoffs (1835–1903)

1 Le système doit être matériellement, sinon mathématiquement,indéchiffrable ;

2 Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénienttomber entre les mains de l’ennemi ;

3 La clef doit pouvoir en être communiquée et retenue sans lesecours de notes écrites, et être changée ou modifiée au gré descorrespondants ;

4 Il faut qu’il soit applicable à la correspondance télégraphique ;5 Il faut qu’il soit portatif, et que son maniement ou son

fonctionnement n’exige pas le concours de plusieurs personnes ;6 Enfin, il est nécessaire, vu les circonstances qui en commandent

l’application, que le système soit d’un usage facile, ne demandantni tension d’esprit, ni la connaissance d’une longue série derègles à observer.



Auguste Kerckhoffs (1835–1903)Translation from Wikipedia

The system should be, if not theoretically unbreakable,unbreakable in practice.The design of a system should not require secrecy andcompromise of the system should not inconvenience thecorrespondentsThe key should be rememberable without notes and should beeasily changeableThe cryptograms should be transmittable by telegraphThe apparatus or documents should be portable and operable bya single personThe system should be easy, neither requiring knowledge of a longlist of rules nor involving mental strain



Bacon’s first principleUser-friendliness

Kerckhoffs says:

6. The system should be easy, neither requiring knowledge ofa long list of rules nor involving mental strain

Bacon said:that they be not laborious to write and reade

Why?

Security depends on correct use.If it is difficult, users make mistakes.

Kerckhoffs also says:

5. The apparatus or documents should be portable and oper-able by a single person

and3. The key should be rememberable without notes and shouldbe easily changeable

(We will return to #3 in when we discuss keys.)



Bacon’s second principleSecurity

Kerckhoffs says:

The system should be, if not theoretically unbreakable,unbreakable in practice.

Bacon said:that they bee impossible to discypher

Security still essential.Bacon did not clarify the meaning of «impossible».Kerckhoffs allows theoretically breakable ciphers.

Why? Are theoretically unbreakable cipers at all possible?



Bacon’s third principleSteganography

Bacon said:that they bee without suspition.

Not mentioned by Kerckhoffs.Why not?

He addressed military communications.You already know who the enemies are.



Kerckhoffs’ fourth principleTelegraph

«The cryptograms should be transmittable by telegraph.»

Why does he require this?What do we require today?



Kerckhoffs’ principleThe key principle

2. The design of a system should not require secrecy andcompromise of the system should not inconvenience thecorrespondents

This is the one known as Kerckhoffs’ principle.Foundation of all modern cryptography.All modern cryptographic algorithms are published in detail.Available to Eve as well as Alice and Bob.How is secrecy possible?



The key

The use of a key is crucial for Kerckhoffs’ principle.

3. The key should be rememberable without notes and shouldbe easily changeable.

So, we havePublic algorithm

Difficult (expensive) to developfew good choices

Secret keyEasy (cheap) to changeMany possibilities



Consequences

We need not trust the developers.The key can be changed by the userSecurity assessment by independent experts.

Mass-produced crypto-software off the shelf.Eve buys the same software; it does not matter.

No new costly development is required when secrets are lostChanging the key is easy (cheap)

All new crypto-systems are published in detailscrutinised by independent researchers world-wide



SummaryKerckhoffs’ Principles in Four Keywords

User-friendlySecure in practice (not necessarily in theory)Public algorithm – secret keyTelegraph


Cryptography versus Steganography Steganography versus Kerckhoffs

Kerckhooffs’ principle and classic steganography

Recall tattooed slaves and wax tabletsHow does Kerckhoffs’ principle apply?

It worked once – because it was unexpectedNow the technique is known.Eve is going to shave all slaves passing by.... and scrutinise every wax tablet.

No key : when the algorithm is known there is no security



What about modern steganography?

Many computer programs became available during the 90-s.Many free of charge.Hiding messages in images.For instance, using Least Significant Bit (LSB)

Most are as banale as the ancient techniques.It is relatively easy to detect the changes,

you only have to think of it.Many solutions rely on the secrecy of the algorithm

I.e. not Kerckhoffs-compliantNot Modern Cryptography.



Three disciplinesA conclusion

............................ .......................... ......................... .........................................

...

....................

....................

.....................

......................

.

.........................

..........................

..........

..........

........

..........

..........

........

..........................

.........................

.......................

.....................

....................

....................

.....................

.....................................................................................................................................................................................

............................................

....................

....................

.....................

.......................

.........................

..........................

............................

............................

..........................

.........................

.......................

.....................

....................

....................

............................................

................................................... ............................

Data Hiding

............................ .......................... ......................... .........................................

...

....................

....................

.....................

......................

.

.........................

..........................

..........

..........

........

..........

..........

........

..........................

.........................

.......................

.....................

....................

....................

.....................

.....................................................................................................................................................................................

............................................

....................

....................

.....................

.......................

.........................

..........................

............................

............................

..........................

.........................

.......................

.....................

....................

....................

............................................

................................................... ............................

Data Hiding

............................ .......................... ......................... .........................................

...

....................

....................

.....................

......................

.

.........................

..........................

..........

..........

........

..........

..........

........

..........................

.........................

.......................

.....................

....................

....................

.....................

.....................................................................................................................................................................................

............................................

....................

....................

.....................

.......................

.........................

..........................

............................

............................

..........................

.........................

.......................

.....................

....................

....................

............................................

................................................... ............................

............................ .......................... ........................ ...................... .......................................

...............

...

.................

..................

...................

....................

..........

..........

.

..........

..........

.

....................

...................

..................

.................

.................

...................

............................................................................................................................................................................................................................

........................................

.................

.................

..................

...................

....................

.....................

.....................

....................

...................

..................

.................

....................................

...........................................

........................ .......................... ...........................

Steganography

............................ .......................... ......................... .........................................

...

....................

....................

.....................

......................

.

.........................

..........................

..........

..........

........

..........

..........

........

..........................

.........................

.......................

.....................

....................

....................

.....................

.....................................................................................................................................................................................

............................................

....................

....................

.....................

.......................

.........................

..........................

............................

............................

..........................

.........................

.......................

.....................

....................

....................

............................................

................................................... ............................

Cryptography


Exercise

Weekly exercise 1Kerckhoffs’ principles

Make a list of principles, which you consider important for confidentialcommunications systems (cryptography and/or steganography) in ourtime. You may prioritise if appropriate.

1 Give reasons for your principles.2 Compare Kerckhoffs’ principles to your own, and justify any

differences.

Your principles may be general and universal, or restricted to someapplication which interests you (as Kerckhoff was considering militarycryptography). State any assumptions you make.


History and Principles of Steganography - CSM25 Secure ... · Dr Hans Georg Schaathun History and Principles of Steganography Spring 2008 31 / 54 Secret writing in the past The Antique

Documents