Few months ago, I was drafting an article about Cryptography. In my draft I wanted to expand the use of Cryptography to not only to cover Confidentiality but likewise Integrity. I began to write in the lines about Public Key Infrastructure; the use of digital signature to encrypt as well as to sign messages. In my search for an email from a friend, I came across an unsent email from my Drafts folder. An old email more than four years ago titled Steganography. In my email were two images. One original and one was stego file. I recall I planned to send to my classmate for our Steganography research. So about less than five years later, here I am talking about the same “art”. Ah, the art and science of steganography.

Earlier this year, I attended a Product Advisory Council meeting from McAfee. One of the future product integration they are adding to their suite of Security products is the Data Leakage Protection, from the acquisition of Reconnix.

The DLP, be it a Host or Network addresses the detection of file that could be leaking out from a confidentiality standpoint within the company. One of the concerns I have brought up was the detection steganography. As you can see, even sophisticated technology could lack in the ability to decrypt or guess the algorithm used in the steganography.

It is not the scope of this article to cover how steganography is performed or ways to accomplish it. Likewise, this article is not going to list down available steganography tools to perform this. In searching the Internet, you could probably find many articles about this and the tools available as well as countermeasures.

This article only wishes to address the pros and cons of steganography. As with many tools and technologies, using it with the wrong hands determines the result of it. As a security professional, this should be used as yet another layered defense or security. If we combine steganography with PKI, the result is a more secured document. Let’s take this simple approach:

I have a document. The document is hashed for message integrity. Together with the hash, I encrypt it with my private key. This is non-repudiation. The altogether result is encrypted with the user’s public key. This is confidentiality, since only the receiver can decrypt it. The result is cryptic digitally signed message. This is the PKI part. This by itself is already super secure. What if I still want to embed this using steganography and the result is encrypt again with my private key? Maybe it is too much but you see my point in combining them to add layers of security.

I’ll write a separate discussion on digital certificates next time, but for now the use of steganography can be very beneficial. On the other hand, this tool can be used in bad ways as well. It was also suspected that terrorists have used this method for their communications, but no evidence to support it.

This is a very simple method to conceal your messages. The result is almost impossible for the naked eye to spot the difference. Back to the two images I’ve talked about earlier in my email. By looking at them both now, scared me to tell that I cannot spot which one has embedded document and which one is not. Both appear identical and file size is the same.

In conclusion, when you see an image, for example the logo in this website, how easy for you to know that it is actually an image embedded with my secret recipe for my steak sauce for my sister to download? Scary but it could be true. But it is not the end of the world; steganalysis, which is the science of detecting hidden messages using steganography exist. Similar to cryptography, these are not impossible to crack. It is not a matter of if, it is a matter of when.