Apr 26, 2018


86 Steganography: The Art of Hiding Messages

Mark Edmead

86.1 Hiding the Data
86.2 Steganography in Image Files
86.3 A Practical Example of Steganography at Work
86.4 Practical (and Not So Legal) Uses for Steganography
86.5 Defeating Steganography
86.6 Summary
References

Recently, there has been an increased interest in steganography (also called stego). We have seen this technology mentioned during the investigation of the September 11 attacks, where the media reported that the terrorists used it to hide their attack plans, maps, and activities in chat rooms, bulletin boards, and Web sites. Steganography had been widely used long before these attacks and, as with many other technologies, its use has increased due to the popularity of the Internet.

The word steganography comes from the Greek, and it means covered or secret writing. As defined today, it is the technique of embedding information into something else for the sole purpose of hiding that information from the casual observer. Many people know a distant cousin of steganography called watermarking—a method of hiding trademark information in images, music, and software. Watermarking is not considered a true form of steganography. In stego, the information is hidden in the image; watermarking actually adds something to the image (such as the word Confidential), and therefore it becomes part of the image. Some people might consider stego to be related to encryption, but they are not the same thing. We use encryption—the technology to translate something from readable form to something unreadable—to protect sensitive or confidential data. In stego, the information is not necessarily encrypted, only hidden from plain view.

One of the main drawbacks of using encryption is that with an encrypted message—although it cannot be read without decrypting it—it is recognized as an encrypted message. If someone captures a network data stream or an e-mail that is encrypted, the mere fact that the data is encrypted might raise suspicion. The person monitoring the traffic may investigate why, and use various tools to try to figure out the message’s contents. In other words, encryption provides confidentiality but not secrecy. With steganography, however, the information is hidden; and someone looking at a JPEG image, for instance, would not be able to determine if there was any information within it. So, hidden information could be right in front of our eyes and we would not see it.

In many cases, it might be advantageous to use encryption and stego at the same time. This is because, although we can hide information within another file and it is not visible to the naked eye, someone can still (with a lot of work) determine a method of extracting this information. Once this happens, the hidden or secret information is visible for him to see. One way to circumvent this situation is to combine the two—by first encrypting the data and then using steganography to hide it. This two-step process adds additional security. If someone manages to figure out the steganographic system used, he would not be able to read the data he extracted because it is encrypted.

86.1 Hiding the Data

There are several ways to hide data, including data injection and data substitution. In data injection, the secret message is directly embedded in the host medium. The problem with embedding is that it usually makes the host file larger; therefore, the alteration is easier to detect. In substitution, however, the normal data is replaced or substituted with the secret data. This usually results in very little size change for the host file. However, depending on the type of host file and the amount of hidden data, the substitution method can degrade the quality of the original host file.

In the article “Techniques for Data Hiding,” Walter Bender outlines several restrictions to using stego:

• The data that is hidden in the file should not significantly degrade the host file. The hidden data should be as imperceptible as possible.

• The hidden data should be encoded directly into the media and not placed only in the header or in some form of file wrapper. The data should remain consistent across file formats.

• The hidden (embedded) data should be immune to modifications from data manipulations such as filtering or resampling.

• Because the hidden data can degrade or distort the host file, error-correction techniques should be used to minimize this condition.

• The embedded data should still be recoverable even if only portions of the host image are available.

86.2 Steganography in Image Files

As outlined earlier, information can be hidden in various formats, including text, images, and sound files. In this chapter, we limit our discussion to hidden information in graphic images. To better understand how information can be stored in images, we need to do a quick review of the image file format. A computer image is an array of points called pixels (which are represented as light intensity). Digital images are stored in either 24- or 8-bit pixel files. In a 24-bit image, there is more room to hide information, but these files are usually very large in size and not the ideal choice for posting on Web sites or transmitting over the Internet. For example, a 24-bit image that is 1024×768 in size would have a size of about 2 MB. A possible solution to the large file size is image compression. The two forms of image compression to be discussed are lossy and lossless compression. Each one of these methods has a different effect on the hidden information contained within the host file. Lossy compression provides high compression rates, but at the expense of image data integrity. This means the image might lose some of its image quality. An example of a lossy compression format is JPEG (Joint Photographic Experts Group). Lossless, as the name implies, does not lose image integrity, and is the favored compression used for steganography. GIF and BMP files are examples of lossless compression formats.

A pixel’s makeup is the image’s raster data. A common image, for instance, might be 640×480 pixels and use 256 colors (eight bits per pixel).

In an eight-bit image, each pixel is represented by eight bits, as shown in Exhibit 86.1. The four bits to the left are the most-significant bits (MSB), and the four bits to the right are the least-significant bits (LSB). Changes to the MSB will result in a drastic change in the color and the image quality, while changes in the LSB will have minimal impact. The human eye cannot usually detect changes to only one or two bits of the LSB. So if we hide data in any two bits in the LSB, the human eye will not detect it. For instance, if we have a bit pattern of 11001101 and change it to 11001100, they will look the same. This is why the art of steganography uses these LSBs to store the hidden data.

86.3 A Practical Example of Steganography at Work

To best demonstrate the power of steganography, Exhibit 86.2 shows the host file before a hidden file has been introduced. Exhibit 86.3 shows the image file we wish to hide. Using a program called Invisible Secrets 3, by NeoByte Solution, Exhibit 86.3 is inserted into Exhibit 86.2. The resulting image file is shown in Exhibit 86.4. Notice that there are no visual differences to the human eye. One significant difference is in the size of the resulting image. The size of the original Exhibit 86.2 is 18 kb. The size of Exhibit 86.3 is 19 kb. The size of the resulting stego-file is 37 kb. If the size of the original file were known, the size of the new file would be a clear indication that something made the file size larger. In reality, unless we know what the sizes of the files should be, the size of the file would not be the best way to determine if an image is a stego carrier. A practical way to determine if files have been tampered with is to use available software products that can take a snapshot of the images and calculate a hash value. This baseline value can then be periodically checked for changes. If the hash value of the file changes, it means that tampering has occurred.

86.4 Practical (and Not So Legal) Uses for Steganography

There are very practical uses for this technology. One use is to store password information on an image file on a hard drive or Web page. In applications where encryption is not appropriate (or legal), stego can be used for covert data transmissions. Although this technology has been used mainly for military operations, it is now gaining popularity in the commercial marketplace. As with every technology, there are illegal uses for stego as well. As we discussed earlier, it was reported that terrorists use this technology to hide their attack plans. Child pornographers have also been known to use stego to illegally hide pictures inside other images.

EXHIBIT 86.1 Eight-Bit Pixel

1 1 0 0 1 1 0 1

EXHIBIT 86.2 Unmodified image.

86.5 Defeating Steganography

Steganalysis is the technique of discovering and recovering the hidden message. There are terms in steganography that are closely associated with the same terms in cryptography. For instance, a steganalyst, like his counterpart a cryptanalyst, applies steganalysis in an attempt to detect the existence of hidden information in messages. One important—and crucial—difference between the two is that in cryptography, the goal is not to detect if something has been encrypted. The fact that we can see the encrypted information already tells us that it is. The goal in cryptanalysis is to decode the message. In steganography, the main goal is first to determine if the image has a hidden message and to determine the specific steganography algorithm used to hide the information. There are several known attacks available to the steganalyst: stego-only, known cover, known message, chosen stego, and chosen message. In a stego-only attack, the stego host file is analyzed. A known cover attack is used if both the original (unaltered) media and the stego-infected file are available. A known message attack is used when the hidden message is revealed. A chosen stego attack is performed when the algorithm used is known and the stego host is available. A chosen message attack is performed when a stego-media is generated using a predefined algorithm. The resulting media is then analyzed to determine the patterns generated, and this information is used to compare it to the patterns used in other files. This technique will not extract the hidden message, but it will alert the steganalyst that the image in question does have embedded (and hidden) information.

EXHIBIT 86.3 Image to be hidden in Exhibit 86.2.

EXHIBIT 86.4 Image with Exhibit 86.3 inserted into Exhibit 86.2.

Another attack method is using dictionary attacks against steganographic systems. This will test to determine if there is a hidden image in the file. All of the steganographic systems used to create stego images use some form of password validation. An attack could be perpetrated on this file to try to guess the password and determine what information had been hidden. Much like cryptographic dictionary attacks, stego dictionary attacks can be performed as well. In most steganographic systems, information is embedded in the header of the image file that contains, among other things, the length of the hidden message. If the size of the image header embedded by the various stego tools is known, this information could be used to verify the correctness of the guessed password.

Protecting yourself against steganography is not easy. If the hidden text is embedded in an image, and you have the original (unaltered) image, a file comparison could be made to see if they are different. This comparison would not be to determine if the size of the image has changed—remember, in many cases the image size does not change. However, the data (at the pixel level) does change. The human eye usually cannot easily detect subtle changes—detection beyond visual observation requires extensive analysis. Several techniques are used to do this. One is the use of stego signatures. This method involves analysis of many different types of untouched images, which are then compared to the stego images. Much like the analysis of viruses using signatures, comparing the stego-free images to the stego-images may make it possible to determine a pattern (signature) of a particular tool used in the creation of the stego-image.
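
The known-cover comparison described above, together with the hash baseline from Section 86.3 and the LSB substitution from Section 86.2, as an added example that is not part of the original chapter. The function names, the synthetic 16×16 eight-bit cover and the message are constructed for illustration.

```python
import hashlib

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Build a test sample by substitution: one message bit replaces the
    least-significant bit of each 8-bit pixel value."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message needs more pixels than the cover has")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def read_lsb_plane(pixels: bytes, n_bytes: int) -> bytes:
    """Reassemble the first n_bytes carried in the LSB plane (MSB-first)."""
    out = bytearray()
    for k in range(n_bytes):
        value = 0
        for p in pixels[8 * k: 8 * k + 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

def baseline(pixels: bytes) -> str:
    """Hash recorded while the image is known to be clean."""
    return hashlib.sha256(pixels).hexdigest()

def known_cover_compare(cover: bytes, suspect: bytes) -> dict:
    """Compare a suspect image's pixel data with the original cover."""
    report = {"same_size": len(cover) == len(suspect),
              "hash_changed": baseline(cover) != baseline(suspect)}
    if not report["same_size"]:
        return report  # size alone already shows the file was altered
    changed = [i for i, (a, b) in enumerate(zip(cover, suspect)) if a != b]
    planes = 0
    for i in changed:
        planes |= cover[i] ^ suspect[i]  # which bit positions ever differ
    report.update(
        changed_pixels=len(changed),
        max_delta=max((abs(cover[i] - suspect[i]) for i in changed), default=0),
        bit_planes_touched=planes,
        lsb_only=planes == 0x01,  # differences confined to the lowest bit
    )
    return report

# Constructed sample data: a synthetic 16x16 8-bit "image" and a short message.
COVER = bytes((7 * x + 13 * y) % 256 for y in range(16) for x in range(16))
STEGO = embed_lsb(COVER, b"test")
# A visible edit for contrast: the top bit of one pixel is flipped.
EDITED = bytes([COVER[0] ^ 0x80]) + COVER[1:]

if __name__ == "__main__":
    print(known_cover_compare(COVER, STEGO))
    print(known_cover_compare(COVER, EDITED))
    print(read_lsb_plane(STEGO, 4))
```

The stego sample keeps the cover's size and never moves a pixel value by more than 1, yet its hash differs from the baseline and every difference sits in bit 0, which is the pattern that separates LSB substitution from an ordinary edit.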

86.6 Summary

Steganography can be used to hide information in text, video, sound, and graphic files. There are tools available to detect steganographic content in some image files, but the technology is far from perfect. A dictionary attack against steganographic systems is one way to determine if content is, in fact, hidden in an image.

Variations of steganography have been in use for quite some time. As more and more content is placed on Internet Web sites, the more corporations—as well as individuals—are looking for ways to protect their intellectual properties. Watermarking is a method used to mark documents, and new technologies for the detection of unauthorized use and illegal copying of material are continuously being improved.

References

Bender, W., Gruhl, D., Morimoto, N., and Lu, A. 1996. Techniques for data hiding. IBM Syst. J., 35, 3–4, 313–336, February.

Additional Sources of Information

http://www.cs.uct.ac.za/courses/CS400W/NIS/papers99/dsellars/stego.html—Great introduction to steganography by Duncan Sellars.

http://www.jjtc.com/Steganography/—Neil F. Johnson’s Web site on steganography. Has other useful links to other sources of information.

http://stegoarchive.com/—Another good site with reference material and software you can use to make your own image files with hidden information.

http://www.sans.org/infosecFAQ/covertchannels/steganography3.htm—Article by Richard Lewis on steganography.

http://www.sans.org/infosecFAQ/encryption/steganalysis2.htm—Great article by Jim Bartel on steganalysis.

Information Security Management Handbook, Chapter 86, pp. 1115–1120.