The magazine of the Melbourne PC User Group

Steganography
Major Keary
majkeary@netspace.com.au

The distinction between cryptography and steganography is still not made in most dictionaries, which treat the words as synonymous with each other. The word, steganography, first came into English during the reign of Elizabeth I, almost a century before "cryptography" appeared. Steganography derives ultimately from a Greek word for "covered", whereas cryptography derives from a word meaning, "secret". As a matter of interest, Mary Queen of Scots used both methods; she gave instructions to the Spanish Ambassador on how to create an invisible message (steganography), and a cipher (cryptography) was used for correspondence from supporters in France. One, Thomas Phelippes, was used by Walsingham to decipher intercepted mail, and it was his work that led to Mary losing her head. Apart from the use of cryptography, the operation involved what may be the first recorded case of spoofing. Walsingham had Phelippes add a postscript to one of Mary's encrypted letters asking the addressee to include certain information in his reply.

Codes, ciphers, and concealed writing have been used from very early times. Julius Caesar is said to have been the first to make use of a cipher for military purposes, which was well after the first recorded use of steganography. Herodotus, in his history of the 5th century BC Graeco-Persian wars, relates how Histiaeus sent a secret message to Aristagoras by tattooing it on the shaved head of a slave. After the slave's hair had regrown he was sent off, carrying the concealed message. An instance of another technique, during the same period, has also been recorded. Wooden tablets covered with wax were used to write letters, which were pressed into the wax with a stylus. A message, according to the account, was scratched into the wood, which was then coated with wax, and another (innocuous) message was written on the wax to conceal the real one.

Since then the art developed through the use of better invisible inks, the microdot (developed by the Germans during WWII), and more recently digital implementations. Those watermarks one sees on television images use the modern techniques of steganography. It is also used to embed data that can be used to identify digital data (typically an image or sound track) as the property of a particular person or company.

Mainstream cryptographers have tended to regard steganography as something of a sideshow, but it has considerable potential for serious use. There is a large amount of information on the Web, as well as software. Just search for "stego" and you will find quite a library.

The only text that I have seen dedicated to the subject is Peter Wayner's Disappearing Cryptography. It describes systems that enable the insertion of data into image, sound, or even text files. On ordinary inspection the file reveals no sign of the hidden data, but it can be extracted. An inserted message can be encrypted (and often is) so as to provide additional security. The original image, or whatever, can still be viewed, played, etc. without any sign that it conceals something else.

Why go to that trouble? Even though encrypted messages may resist attack, the fact that encrypted traffic is passing between certain parties reveals something, especially to those skilled in traffic analysis. If, on the other hand, there is no apparent sign of traffic (encrypted or otherwise), then eavesdroppers have nothing to work on.

Digital steganography can be used to broadcast messages. Placing an image file, in which a message has been inserted, on a Web site or posting it to a news group enables intended recipients to download it without leaving evidence of any contact with the originator.

Image and sound files usually contain plenty of room for extra data that will not noticeably affect the end result if someone should choose to view or listen to them. Image files are good candidates because they can be "promoted" to a greater bit-depth in order to make room for the insertion. PhotoCD images are particularly good because typically there is room for 2 MB of hidden text. Compression algorithms also can be manipulated to enable the insertion of hidden data.
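The "room for extra data" described above can be made concrete with an added example, which is not taken from the article or from Wayner's book. It uses least-significant-bit embedding, a technique the article does not name, on a constructed 64x64 greyscale buffer; all function names are illustrative.

```python
# Added illustration: least-significant-bit (LSB) embedding in 8-bit samples.
# The cover "image" is a constructed buffer of grey levels, not a real file.

def capacity_bytes(cover):
    """Bytes that fit at one hidden bit per sample, minus a 4-byte length header."""
    return max(len(cover) // 8 - 4, 0)

def _bits(data):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover, message):
    """Return a copy of cover whose low bits carry a length header plus message."""
    if len(message) > capacity_bytes(cover):
        raise ValueError("message too long for this cover")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # overwrite only the lowest bit
    return bytes(stego)

def _read(stego, start, nbytes):
    """Rebuild nbytes from the low bits of the samples beginning at start."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)

def extract(stego):
    """Recover the hidden message; reject a header that cannot be genuine."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if length > capacity_bytes(stego):
        raise ValueError("no plausible hidden message")
    return _read(stego, 32, length)

def max_change(cover, stego):
    """Largest per-sample difference, i.e. the visible cost of the insertion."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: a 64x64 gradient with a little deterministic texture.
COVER = bytes((x * 3 + y * 5 + (x * y) % 7) % 256
              for y in range(64) for x in range(64))
```

No sample moves by more than one grey level out of 256, which is why ordinary viewing shows nothing; for anyone checking files, the low-order bits are where a change of this kind would appear.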

Wayner's book is an introduction to some of the techniques that can be used for steganography. That description may give the impression that it is superficial; indeed, it is not. The word, introduction, is used in the academic sense. The text is not a full treatise, but provides technical explanations that should enable the reader to follow professional texts on specific topics (for example, Stollnitz: Wavelets for Computer Graphics). The author does not pretend to describe every method and possibility, but leaves a clear trail for further enquiry.

A chapter, Life in the Noise, discusses white noise, how to take advantage of it, and various programs that have been written for the purpose of inserting data into images.

The author discusses technical aspects of conventional crypto techniques in some depth. The book is also a useful resource on how anonymous remailers work and are set up, information not readily found elsewhere. Apart from the technical discussion, a number of URLs are mentioned.

An essential part of any crypto library, Disappearing Cryptography should also be of interest to teachers and students of communications (as distinct from what we call comms) courses. For anyone interested in attempts to exert official control over crypto and other means of securing privacy (anonymous remailers, for example) the book contains a good discussion of the issues.

If you want to experiment with steganography - and would like some general, but quite fascinating, information about it - look at the "stego" Web sites.

Peter Wayner: Disappearing Cryptography
ISBN 0-12-738671-8
Published by Academic Press,
295 pp.,
RRP $64.95

Reprinted from the July 2000 issue of PC Update, the magazine of Melbourne PC User Group, Australia
