The magazine of the Melbourne PC User Group

Steganography - For the bookshelf
Major Keary

Dictionaries still treat 'steganography' (commonly called stego) as synonymous with cryptography (crypto). Steganography is the older word in English (1569) and originally meant 'secret writing', but it derives from the Greek 'covered writing'. Cryptography, which came into English in 1641, comes from the Greek 'hidden writing'. Drawing a distinction may seem pedantic, but the two terms have come to mean quite different things.

Hidden in respect of cryptography refers to 'hidden meaning'; the writing is there to be seen, but its meaning is concealed. Covered means that the writing cannot be seen because its presence is concealed by something else; the message (or whatever) may or may not be encrypted. The micro-dot is a classic example of steganography, being made effectively invisible by placing it on top of the dot in a punctuation mark or the dot above a letter. Usually the message contained in a micro-dot is encrypted.

An important branch of steganography is digital watermarking, which is not always hidden (such as the watermark logos used by television stations). Hidden digital watermarks are used to embed copyright information in some (usually audio or graphical) work. They can also contain device control code that prevents illegal recording. There is nothing new about that: a system was patented by Ray Dolby in 1981. Digital watermarking has effectively become a field of its own, both in terms of theoretical study and practical application. For anyone interested at a professional level the definitive text is Cox et al.: Digital Watermarking (Morgan Kaufmann, 2002).

Stego works quite well if a file with a data payload is sent directly to the intended recipient(s) or posted on a Web site, BBS, and the like. It is vulnerable to changes of file format or processes such as lossy data compression. There is a lot of work being done at both theoretical and practical levels in making stego/watermarking more robust and resistant to detection.

Literature on stego for general readers is still pretty sparse; prior to 11 September 2001 very few people had even heard of it, although there was a lively, albeit small, Web community that had produced a range of software for embedding data in a variety of image file formats. Shortly after 11 September there were stories to the effect that the hijackers had used steganography to hide messages in pictures on porn sites. That was never substantiated, and was probably a rehash of Jack Kelley's statement in USA Today (6 February 2001):

"Hidden in the X-rated pictures on several pornographic Web sites and the posted comments on sports chat rooms may lie the encrypted blueprints of the next terrorist attack against the United States or its allies" [quoted by Eric Cole in Hiding in Plain Sight].

Terrorists use porn pics, but the CIA uses digital reproductions of pictures by Monet, Renoir, or Rembrandt. However, it seems that no one was listening to Jack Kelley, or there was nothing to be found.

Well-developed techniques for detecting the presence of stego in image files have been around for quite a while, and Eric Cole notes that he "randomly downloaded 500 images from eBay, and over 150 had data hidden in them". As he observes, "somebody out there is very busy", but doesn't say if the busy people favoured salacious or non-salacious images.

There are two very good texts for general readers. One is at the popular end of the spectrum, and the other at the academic end. I use those terms loosely for the purpose of comparing these titles.

Hiding in Plain Sight

The author spent some time working for the CIA on design and deployment of secure communications systems, and is actively engaged in the field of stego. His book is not 'popular' in the sense of 'dumbing down' or titillating the reader. It is a serious but readable account of stego that does not drop the reader in at the technical 'deep end'. Even if you have no interest in using stego, it is worth reading. The language used by some American writers on data protection is alarmist and full of gung-ho terms, such as 'information warfare'. Eric Cole has avoided much of that kind of hyperbole. He uses fictional scenarios, which are separated from the main text, to convey the possibilities of stego techniques, and it works very well.

One statement did irk me:
"All cryptography is crackable, in time. Anyone who claims he has a crypto scheme that is not crackable is lying to you."

That is not so. One-time-pad (OTP), properly implemented, is demonstrably unbreakable (Claude Shannon proved it so). The reason is that the key is the same size as the message, and is never repeated. As far as I am aware, the only successful attack on OTP in some eighty years of use was the result of pads (the key) being recycled; even then the cryptanalysts were unable to read all of the traffic (described in Des Ball and David Horner: Breaking the Codes, Allen & Unwin, 1998). Commercial application of OTP is impractical because of the problem of generating random numbers and key exchange.
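The two points in this paragraph, as an added Python example that is not taken from either book under review: with a fresh pad, one ciphertext is consistent with every plaintext of the same length, and a recycled pad leaks the XOR of the two messages. The messages and function names are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    # The pad must be exactly as long as the message it protects.
    if len(a) != len(b):
        raise ValueError("one-time pad needs a key as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(plaintext: bytes):
    """Encrypt under a fresh random pad; returns (key, ciphertext)."""
    key = secrets.token_bytes(len(plaintext))
    return key, xor(plaintext, key)

def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` would decrypt to `candidate`."""
    return xor(ciphertext, candidate)

# Constructed sample messages of equal length (assumption for the demo).
P1 = b"MEET AT DAWN"
P2 = b"HOLD AT DUSK"

def demo():
    key, c1 = otp_encrypt(P1)

    # Perfect secrecy: some equally likely pad turns c1 into P2, so the
    # ciphertext alone cannot tell an analyst which message was sent.
    alt_key = key_explaining(c1, P2)
    ambiguous = xor(c1, key) == P1 and xor(c1, alt_key) == P2

    # Recycled pad: the key cancels out and c1 XOR c2 equals P1 XOR P2.
    c2 = xor(P2, key)
    leak = xor(c1, c2)
    return ambiguous, leak == xor(P1, P2), leak

if __name__ == "__main__":
    ambiguous, key_cancelled, leak = demo()
    print("ciphertext fits either message:", ambiguous)
    print("reuse leaks P1 xor P2:", key_cancelled)
    print("zero bytes mark positions where the messages agree:", leak.hex())
```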

However, Hiding in Plain Sight has not been written for the crypto cognoscenti, but is designed primarily for those who want to know how stego works, how it can be implemented to add an extra layer of security to communications, and how it can be detected. Computer users with a sense of enquiry will find it interesting and informative.

The opening chapters present an overview of modern cryptography, digital watermarking, and steganography. A chapter, Nuts and Bolts of Steganography, explains how information can be hidden in various kinds of digital files and formats: images, audio, word processor documents, plain text files, HTML files, and even in message headers.

Another chapter that I found especially interesting and revealing is Sending Stego Files across a Network; it is essential reading for anyone administering a web site or otherwise interested in comms. A network related topic that is discussed in a later chapter is the use of stego as a vehicle for virus attacks (a variation on device control).

There is no bibliography, which won't worry general readers or those who would like to experiment with stego without the hassles of programming, and there is no discussion of the technical aspects of algorithms and the like. What it does deliver is a detailed, plain language account of what can be done, how it is done, the software that is used, and available means of detection.

An extensive collection of stego software is provided on a companion CD, which also contains image files for the illustrations used in the book. Those images illustrate how files display with and without embedded data.
 
Eric Cole: Hiding in Plain Sight
ISBN 0-471-44449-9
Published by Wiley, 335 pp.,
RRP $65.95 incl. GST

Disappearing Cryptography

The first edition of this title appeared in 1996 and was, until this year, the only text on stego for general readers. A second edition has been published, partly to catch up with developments in digital watermarking. The author has published numerous papers in Cryptologia and has taught computer science at Cornell and Georgetown universities. He manages to add some keen humour to a technical subject.

Disappearing Cryptography is an excellent introduction for students of computer science, programmers interested in developing stego-related applications, software engineers, and informed general readers. The style is academic in the sense that references are carefully listed, algorithms are laid out and discussed, and code examples are provided. Disappearing Cryptography assumes more than a casual acquaintance with the kind of algorithms used in cryptography and data compression. The language is clear, and readers who are unfamiliar with the technical side of crypto, data compression, and file formats should still find much of interest. The mysteries of topics such as bit significance (most significant bit, least significant bit, and in-between bits) and noise (which is not always something one hears) are discussed, and illustrated, in comprehensible language.

He describes a number of stego programs, provides a list of URLs, and maintains a Web site that "contains implementations for hiding information in lists, sentences, and images". You can try your hand without the effort of installing one of the applications.

The main thrust of the book is to explain the workings of the various schemes, especially for those who are interested in developing applications. There are discussions of a number of topics that won't be found in the general literature. For example, mimicry, reversible grammar generators, bit twiddling, and hiding information in noise.

An example is given of how a stego payload can be embedded in digital images by taking the least significant bit for each pixel and using it for concealed data. In the case of a Kodak photo-CD, which typically uses about 18 megabytes to store a 32-bit image, there is close to two megabytes available for embedded data. The text of a 1000-page computer reference book can be stored digitally in about one megabyte (without formatting or compression). There are many variables, but as a rule of thumb ten per cent of an image file can be converted to a concealed payload. What does that do to the quality of an image? Not a great deal, as the book's example images show. However, illustrations created by applications such as Macromedia FreeHand are not good candidates because they produce very clean files.
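Least-significant-bit embedding as described above, in an added Python example that is not code from the book: it assumes one payload bit per stored byte of a raw, uncompressed pixel buffer (the cover and payload are constructed), and it also shows the weakness noted earlier in this review, that a lossy step wipes the hidden data.

```python
import random

def capacity_bytes(cover: bytes) -> int:
    # One hidden bit per cover byte, so capacity is one eighth of the cover.
    return len(cover) // 8

def embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of successive cover bytes."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError("payload exceeds LSB capacity of cover")
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)

def extract(stego: bytes, length: int) -> bytes:
    """Reassemble `length` bytes from the low bits, most significant first."""
    out = bytearray()
    for i in range(length):
        value = 0
        for bit in range(8):
            value = (value << 1) | (stego[i * 8 + bit] & 1)
        out.append(value)
    return bytes(out)

def requantize(pixels: bytes, step: int = 4) -> bytes:
    """Crude stand-in for lossy re-encoding: round samples down to `step`."""
    return bytes((p // step) * step for p in pixels)

# Constructed inputs: a noisy 64x64 RGB "photo" and a short payload.
_rng = random.Random(2003)
COVER = bytes(_rng.randrange(256) for _ in range(64 * 64 * 3))
SECRET = b"constructed payload"

def demo():
    stego = embed(COVER, SECRET)
    max_change = max(abs(a - b) for a, b in zip(COVER, stego))
    recovered = extract(stego, len(SECRET))
    after_lossy = extract(requantize(stego), len(SECRET))
    return capacity_bytes(COVER), max_change, recovered, after_lossy

if __name__ == "__main__":
    print(demo())
```

No sample moves by more than one intensity level, which is why the change is hard to see, and the same fragility means that re-encoding images in transit strips this kind of payload.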

Anonymous remailers are not technically related to stego, but are used to conceal something that conventional crypto can't: identity of the sender. The book includes an informative chapter on the subject, describing how remailers work and giving some examples. A related chapter, Secret Senders, discusses the Dining Cryptographers algorithm, which is one of a class of algorithms created by David Chaum (well known in the crypto community). It is a method for broadcasting a message without revealing the sender, but requires more than enthusiasm to implement. Another topic not found in general texts deals with the adaptation of spread-spectrum radio principles to steganography; readers with an interest in image file formats will encounter some familiar landmarks.

Less than a decade ago stego was regarded as a sideshow by mainstream cryptologists; since then it has led to the commercially important field of digital watermarking, and has, in its own right, become a part of secure communication technology. Anyone who wants to understand stego at a technical level, especially with a view to keeping abreast of developments for professional purposes, should have this book.

Peter Wayner: Disappearing Cryptography 2/e
ISBN 1-55860-769-2
Published by Morgan Kaufmann,
412 pp., RRP $113.85 incl. GST
 

Reprinted from the September 2003 issue of PC Update, the magazine of Melbourne PC User Group, Australia
