The Art of Steganography

by: Zarex dela Cruz, CISSP, CISA on Saturday, June 27, 2009 7:33 PM

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity [Wikipedia].

Few months ago, I was drafting an article about Cryptography. In my draft I wanted to expand the use of Cryptography not only to cover Confidentiality but likewise Integrity. I began to write along the lines about Public Key Infrastructure; the use of digital signature to encrypt as well as to sign messages. In my search for an email from a friend, I came across an unsent email from my Drafts folder. An old email dated more than four years ago titled Steganography. In my email were two images. One original and one was stego file. I recall, I had planned to send it to my classmate for our Steganography research. So about less than five years later, here I am talking about the same “art” – the art and science of steganography.

Earlier this year, I attended a Product Advisory Council meeting from McAfee. One of the future product integration they are adding to their suite of Security products is the Data Leakage Protection, from the acquisition of Reconnix.

The DLP, be it a Host- or Network-based addresses the detection of file that could potentially leaked out from a confidentiality standpoint within the company. One of the concerns I have brought up was the detection of steganography. As you will see, even sophisticated technology fall short in the ability to decrypt or guess the algorithm used in the steganography.

It is not the scope of this article to cover how steganography works or ways to accomplish it. Further, this article is not going to list down available steganographic tools to perform this. In searching the Internet, you could probably find many articles about this and the tools available as well as countermeasures.

This article only wishes to address the pros and cons of steganography. As with many tools and technologies, using it in the wrong hands discerns the outcome of it. As a security professional, this should be utilized as part of another layered defense or security. If we combine steganography with PKI, the result is a more secured document. Let’s take this simple approach:

I have a document. The document is hashed for message integrity. Together with the hash, I encrypt it with my private key. This is non-repudiation, because I am the only who has my private key. The altogether result is encrypted with the user’s public key. This is confidentiality, since only the receiver can decrypt it. The result is cryptic digitally signed message. This is the PKI part. This by itself is already a very secure approach. What if I still want to embed this using steganography, for which the result is to encrypt again with my private key? Maybe it is too much but you see my point in combining them to add layers of security.

I’ll write a separate discussion on digital certificates next time, but for now the use of steganography can be very beneficial. On the other hand, this tool can be used in bad ways as well. It was also suspected that terrorists have used this method for their communications, but no evidence to support it.

This is a very simple method to conceal your messages. The result is almost impossible for the naked eye to spot the difference. Let’s get back to the two images I’ve talked about earlier in my email. By looking at both of them now, scary to tell but I cannot spot which one has embedded document and which one is not. Both appear identical and file size is the same. You will only be able to compare them by examining their hashes, something it is worth talking about next time.

In conclusion, when you see an image, for example the logo in this website, how easy for you to know that it is actually an image embedded with my secret recipe for my steak sauce for my sister to download? Scary but it could be true. But it is not the end of the world; steganalysis, which is the science of detecting hidden messages using steganography exist. Similar to cryptography, these are not impossible to crack. It is not a matter of if, it is a matter of when.

1 Response to The Art of Steganography

  1. Raichel Sharon says:

    December 21st, 2010 at 1:58 AM

    wow….!!! dats a wonderful method…very interesting and realestic method ever heard..thanku for the information

Leave a comment