Mercy College
Steganography
IASP 470 Capstone System Security
Rajkumar Ramadhin
3-11-2019
Abstract
Introduction
Preliminaries
Problem
My Approach to Cyber Defense
Conclusion
References
Abstract
Steganography is the process of hiding a file inside of another file. In this paper I will
discuss the benefits of using steganography. This project will discuss flaws and security issues
that exist within steganography. I will discuss the different methods of steganography and how it
can be paired with cryptography. With social media growing as well, I will look at which sites
and services allow us to use steganography. I will be using Kali Linux and Steghide to hide
messages in files.
Introduction
With the ever-growing need for privacy, it is important to ensure only the intended
party can read the message. The most common way to protect messages is through cryptography,
but if the attacker is aware the message with important data has been sent, they can intercept it
and decrypt the message. Hiding a message in plain sight is known as steganography.
Steganography is considered the cousin to cryptography. In cryptography the goal is to encrypt
and confuse, while in steganography the goal is to hide the message.
A Brief History
Steganography's roots can be traced back to ancient Rome and Greece. Steganography was
originally done by shaving slaves’ heads and allowing the hair to grow back, covering the
message. Steganography eventually turned to writing in invisible ink during the American
Revolution, used by both the British and the Americans. As time and technology progressed, so did the
techniques. Eventually, in World War II, full messages were hidden within a period. As the digital
age progressed, so did the method of delivering messages through the internet. The ever-growing
rise of social media allows us to send images and files almost unnoticed.
Preliminaries
Technology Used
This project utilizes steganography software and Linux. While any Linux distribution will
work, Kali Linux was used for the project. Kali is a security-focused Linux distribution that
comes pre-installed with a variety of tools to detect and conduct different attacks. Users are not
limited to the program used in this project, as there are different tools available for each OS.
For example, Steghide is only available for Linux and uses the command line, while Stegosuite
can be used for all operating systems and has a graphical user interface (GUI). Steghide was used
as the primary tool for this project due to its ability to embed messages into .wav files as well as
any image file. Steghide does not come preinstalled and can be put on the system using the
command apt-get install steghide. The project will also use image comparison tools to identify
altered images.
Steghide can embed any file into a JPEG, BMP, WAV, or AU file. Steghide uses a
graph-theoretic approach to steganography. To do this, the data being hidden is compressed and then
encrypted. Using a pseudo-random number generator seeded by the passphrase, the positions of
pixels are chosen. Pixels that already have the correct value are not changed. The graph-theoretic
matching algorithm finds the positions to match the hidden data. The same is done for audio
files, but instead of pixels it uses audio samples. Steghide uses the AES encryption algorithm
Rijndael but allows the user to select a different method if they choose (Hetzl, 2002).
Using Steganography programs
Using a steganography program is simple and effective. Stegosuite only allows
images and text files to be embedded. With Stegosuite the user uploads the file and message in the
GUI and types embed. When extracting, the user uploads the file that has the message
hidden in it and presses extract. The benefit of Stegosuite is that it is simple to use with the
GUI.
Figure 1: Stegosuite in Kali Linux
With Steghide, the user accesses the program from the command line. To begin using Steghide,
enter the following command in the terminal: steghide embed -cf filename.filetype -ef filetoembed.filetype.
The steghide command opens the program, allowing the other commands to be understood, while embed
tells the program you are inserting data. The -cf (--coverfile) option selects the file
that is the cover image; this is the image or audio file where the message will be hidden. The -ef
(--embedfile) option selects the file that you want to be hidden in the cover file. The user extracts the file
in a similar fashion; the command line is: steghide extract -sf filename.filetype -xf filetoembed.filetype. The
extract command tells the program it is going to extract, and -sf (--stegofile) chooses the file to
extract the data from. The -xf (--extractfile) option lets the user choose what to name the extracted file. It is
important to note that, to extract the file, the same program that was used to embed it needs to be used.
Figure 2: Embedding an image using Steghide
Figure 3: Extracting an image from Steghide
Figure 4: List of commands for Steghide
Problem
Steganography plays a role in copyright. Using watermarking methods allows companies to
find media that was posted without their consent. For example, an audio file can be digitally
watermarked so that it is not noticeable to the human ear, by adjusting the last bit of the audio
sample. This method is known as Least Significant Bit (LSB). It is not good for
security, as it is easy for programs to decrypt, but it still does well against visual attacks. The
least significant bit method also works in photos, where the color changes are unnoticeable to the human eye.
Steganography can be used for more than copyright protection.
Important documentation is emailed and sent over the web all the time. Even if the information is
encrypted, if a malicious user intercepts the message, they may believe the information is worth
the time and resources to decrypt the message. A simple solution to this can be to not let the
attacker know that an important message has been sent. This simple tactic allows users to hide
their message in plain sight. This method can allow messages to slip past attackers and
unwanted eyes unnoticed. Users should still encrypt the messages prior to embedding them into the
image, as not all steganography programs, such as JSteg, will do it automatically before
embedding.
In previous research, detection rates and mode of transportation have not been well
researched. Most research conducted on steganography involves analysis of stegofiles with the
message to test distortion on the original file. While this is useful for keeping the image
unnoticed, it is unnecessary when using an image no one else will have access to. Not enough
studies address if the file will be noticeable in transit or if intercepted.
While using steganography to protect assets can be useful, some use it for malicious
intent. An example of this is the DuQu malware. This was caused by a hacker known as Unit
8200. He created an executable embedded in a type font that took advantage of a Microsoft
zero-day exploit.
My Approach to Cyber Defense
The proposed solution to avoiding interception attacks involves embedding important files
into pictures that cannot be found online. For example, Alice will encrypt her message and then
embed it into an image or audio file uncommon to the internet. Bob can receive the message
through the internet knowing that the message is hidden in the file, and decrypt it. Another way to
use steganography is to send a PGP key hidden in a picture, thus adding another layer of security
to PGP. The approach is as follows:
Figure 5: Using steganography to protect messages
The benefit of using this method is that the file is disguised as an everyday picture. The
file keeps its integrity, along with the hidden message, even when sent across various social media
platforms. Examples of social media that allow the movement of steganographic files include
Facebook Messenger, Google Photos, and WhatsApp. Twitter now post-processes the images, so
the message will no longer be there.
As stated earlier, for this method to work the file cannot be easily found online. The
number one way someone can determine if the image has a hidden message is through a
statistical analysis. This involves comparing two files, the original and the new file, and looking
for differences. Figure 6 shows the result after comparing one photo without an embedded
message and one with it. While the differences between the images are unnoticeable to the naked eye
(see Figure 7), comparing each pixel individually with the original photo highlights all the changed pixels.
Figure 6: Online comparison tool highlights the different pixels compared to the original photo
Figure 7: Comparing both photos side by side
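The LSB adjustment described in the Problem section and the pixel-by-pixel comparison described above can be seen together in the following Python code, which is an added example and not code from this paper or from Steghide. It uses plain sequential LSB embedding (not Steghide's graph-theoretic method); the function names, the sample message and the 256 pseudo-random bytes standing in for pixel or audio sample values are all constructed for illustration.

```python
import random

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Sequential LSB embedding: one message bit per cover sample, MSB first."""
    bits = [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # only the last bit is touched
    return bytes(stego)

def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes of message from the LSBs of the first n_bytes * 8 samples."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for sample in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)

def compare_samples(original: bytes, suspect: bytes) -> dict:
    """Sample-by-sample comparison of a suspect file against a known original."""
    if len(original) != len(suspect):
        raise ValueError("inputs must hold the same number of decoded samples")
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    return {
        "changed": changed,  # positions a comparison tool would highlight
        "max_delta": max((abs(original[i] - suspect[i]) for i in changed), default=0),
        "lsb_only": all((original[i] ^ suspect[i]) == 1 for i in changed),
    }

# Constructed sample data: 256 pseudo-random 8-bit values stand in for pixels
# or audio samples; the message is a constructed placeholder.
_rng = random.Random(470)
COVER = bytes(_rng.randrange(256) for _ in range(256))
MESSAGE = b"sample text"

if __name__ == "__main__":
    stego = embed_lsb(COVER, MESSAGE)
    report = compare_samples(COVER, stego)
    print("recovered:", extract_lsb(stego, len(MESSAGE)))
    print("changed:", len(report["changed"]), "of", len(MESSAGE) * 8, "carrier samples")
    print("max delta:", report["max_delta"], "| LSB-only:", report["lsb_only"])
```

Every changed sample differs from the original by exactly 1, which is why the change is invisible to the eye yet trivially located once the original is available for comparison.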
Conclusion
In closing relying on cryptography is enough to protect messages. An attacker will be
aware the message being sent is encrypted, and if they feel the data is worth the time
and resources, they will decrypt the data. Steganography, on the other hand, has not had a successful
documented attack where the data was not destroyed or partially corrupted; the closest we have
seen is by two students who gained 90% confidence that a message was hidden but were still
unable to access the message. In a world where privacy is key and corporations are constantly
under attack, it is important to take an extra step to protect information being sent across the
internet.
References
Anderson, R. J., & Petitcolas, F. A. (1998, May). On the Limits of Steganography. IEEE Journal on Selected Areas in Communications, 16, 474-481.
Chugh, G., & Gaba, P. (2018, March). Review on Audio and Video Steganography Techniques. International Journal of Recent Research Aspects, 5(1), 115-119.
El-Sayed, E.-A. M., & Azzat, A.-S. A. (2012). Pixel-Value Differencing Steganography: Attacks and Improvements. ICCIT, 757-762.
Hetzl, S. (2002, May 14). Steghide - manual. Retrieved from http://steghide.sourceforge.net/documentation/manpage.php
Johnson, N. F., & Jajodia, S. (1998). Exploring Steganography: Seeing the Unseen. Computing Practices, 26-34.
Provos, N., & Honeyman, P. (2003). Hide and Seek: An Introduction to Steganography. IEEE Security & Privacy, 32-44.
Saini, R. (2018, March). Comparative Study of Current Image Steganography Techniques. International Journal of Recent Research Aspects, 5, 308-310.
Wang, H., & Wang, S. (2004, October). Cyber Warfare: Steganography vs. Steganalysis. Communications of the ACM, 47, 76-82.
Westfeld, A., & Pfitzmann, A. (n.d.). Attacks on Steganographic Systems Breaking the Steganographic Utilities EzStego, Jsteg, Steganos, and S-Tools—and Some Lessons Learned. 1-16.