Steganography

Ed Norris
ECE 5546
12/4/03


Introduction

- Undetectable information hiding
  - Why undetectable?
- The message and the communication itself must remain secret
- Low-tech examples
  - Roman tattooing
  - Lemon juice

Typical Method

1. Alice and Bob agree on a secret key
2. The key uniquely determines how the message is hidden in an image
3. Alice sends the image to Bob
4. Bob, using the shared key, reveals the hidden content

They must be using the same steganographic system and most likely have another shared key for the message itself

Passive Eavesdroppers

- (By definition) the steganographic system must evade detection from passive eavesdropping
- Routines analyze the image / sound / data file for statistical anomalies that indicate the presence of hidden messages
  - This will be explored in detail

JPEGs

- JPEG images are useful for steganographic systems for several reasons
  - Common picture encoding
  - Relatively simple file format
  - Resistant to visual attacks (unlike palette based encoding, like BMP)

JPEG Encoding

1. Transform to a luminance / chrominance color space
2. Group pixels into 8x8 blocks and transform each block with the discrete cosine transform (DCT)
3. Divide each of the 64 values by a different quantization coefficient
4. Losslessly encode and package JPEG

Visual Attack

- The simplest attack; relies on a noticeable visual distortion of the image

Which one contains the first chapter of The Hunting of the Snark?

Each image was 640x480 with 24-bit color. The JPEG compressed size of each is 300K and the hidden information is 15K

JSTEG

- Replaces the LSB of the DCT coefficients with the message data
- Does not require a shared key

The nature of JPEG encoding causes modification of a single coefficient to affect all 64 values in each block. The result is not visible to the eye.
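Steps 2 and 3 of the JPEG encoding and the single-coefficient claim above, as an added Python example that is not part of the original slides: it quantizes one 8x8 block, flips the LSB of one quantized coefficient, and measures how the decoded samples move. The quantization table `Q`, the sample block and all function names are constructed for illustration (`Q` is not the standard JPEG table).

```python
import math

N = 8
# Orthonormal 8x8 DCT-II basis (same scaling as the JPEG forward DCT)
C = [[math.sqrt((1 if u == 0 else 2) / N) * math.cos((2 * x + 1) * u * math.pi / (2 * N))
      for x in range(N)] for u in range(N)]
# Constructed quantization table, NOT the standard JPEG one: a different step
# for each of the 64 coefficients, coarser at higher frequencies
Q = [[8 + 4 * (u + v) for v in range(N)] for u in range(N)]

def dct2(block):
    tmp = [[sum(C[u][x] * block[x][y] for x in range(N)) for y in range(N)] for u in range(N)]
    return [[sum(tmp[u][y] * C[v][y] for y in range(N)) for v in range(N)] for u in range(N)]

def idct2(coef):
    tmp = [[sum(C[u][x] * coef[u][v] for u in range(N)) for v in range(N)] for x in range(N)]
    return [[sum(tmp[x][v] * C[v][y] for v in range(N)) for y in range(N)] for x in range(N)]

def quantize(pixels):
    coef = dct2([[p - 128 for p in row] for row in pixels])  # level shift, then DCT
    return [[round(coef[u][v] / Q[u][v]) for v in range(N)] for u in range(N)]

def decode(quant):
    # Dequantize and invert the DCT; values stay level-shifted and unrounded
    return idct2([[quant[u][v] * Q[u][v] for v in range(N)] for u in range(N)])

def lsb_flip_effect(pixels, u, v):
    """Flip the LSB of quantized coefficient (u, v) and compare the decoded blocks."""
    quant = quantize(pixels)
    changed = [row[:] for row in quant]
    changed[u][v] ^= 1
    a, b = decode(quant), decode(changed)
    diffs = [abs(a[x][y] - b[x][y]) for x in range(N) for y in range(N)]
    touched = sum(d > 1e-9 for d in diffs)          # samples that moved at all
    rounded = sum(round(a[x][y]) != round(b[x][y])  # samples that differ as integers
                  for x in range(N) for y in range(N))
    return touched, rounded, max(diffs)

# Constructed sample block: a smooth gradient with slight texture
BLOCK = [[100 + 3 * x + 5 * y + (x * y) % 4 for y in range(N)] for x in range(N)]

if __name__ == "__main__":
    touched, rounded, worst = lsb_flip_effect(BLOCK, 2, 1)
    print(f"{touched}/64 samples moved, {rounded} differ after rounding, "
          f"largest shift {worst:.2f} of 255 levels")
```
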

Statistical Methods

- The encoded message has a random bit distribution from encryption, compression, or both
- Addition of the data causes changes in the inherent statistical properties of the image
- Using a chi-square (χ²) test:

JSTEG Effect on Coefficient Distribution

JSTEG Detection

Since JSTEG adds information starting at the beginning of the image data file, it is straightforward to discover the message length
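The chi-square test from the Statistical Methods slide applied to the JSTEG length estimate, as an added Python example that is not part of the original slides. It tests consecutive windows of coefficients rather than a growing prefix, approximates the chi-square tail with the Wilson-Hilferty formula, and runs on constructed coefficient data; all function names are hypothetical.

```python
import math, random
from collections import Counter

def chi2_pov(coeffs, min_expected=5):
    """p-value of the chi-square test that each value pair (2i, 2i+1) is equally
    populated. LSB replacement with random bits equalises the pairs, so p near 1
    suggests embedding and p near 0 an untouched histogram."""
    hist = Counter(c for c in coeffs if c not in (0, 1))  # JSteg skips 0 and 1
    stat, dof = 0.0, -1
    for pair in {v >> 1 for v in hist}:
        expected = (hist[2 * pair] + hist[2 * pair + 1]) / 2
        if expected >= min_expected:          # ignore sparsely populated pairs
            stat += (hist[2 * pair] - expected) ** 2 / expected
            dof += 1
    if dof < 1:
        return 0.0                            # too little data to flag anything
    # Wilson-Hilferty normal approximation to the chi-square upper tail
    z = ((stat / dof) ** (1 / 3) - (1 - 2 / (9 * dof))) / math.sqrt(2 / (9 * dof))
    return 0.5 * math.erfc(z / math.sqrt(2))

def estimate_length(coeffs, window, threshold=0.05):
    """Number of leading coefficients whose windows still look embedded."""
    covered = 0
    for start in range(0, len(coeffs), window):
        if chi2_pov(coeffs[start:start + window]) <= threshold:
            break
        covered += window
    return min(covered, len(coeffs))

# --- constructed test data (not real JPEG coefficients) ---
def make_cover(n, rng):
    # Two-sided geometric values peaked at 0, a stand-in for quantized DCT coefficients
    return [int(rng.expovariate(0.2)) * rng.choice((1, -1)) for _ in range(n)]

def simulate_sequential_lsb(coeffs, upto, rng):
    # Overwrite usable LSBs of the first `upto` coefficients with random bits
    return [(c & ~1) | rng.getrandbits(1) if i < upto and c not in (0, 1) else c
            for i, c in enumerate(coeffs)]

rng = random.Random(5546)
COVER = make_cover(200_000, rng)
STEGO = simulate_sequential_lsb(COVER, 80_000, rng)

if __name__ == "__main__":
    print("cover p =", chi2_pov(COVER), " est. length =", estimate_length(COVER, 40_000))
    print("stego p (first 80k) =", chi2_pov(STEGO[:80_000]),
          " est. length =", estimate_length(STEGO, 40_000))
```
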

OutGuess

- Replaces random LSBs with stego image data
- Randomizer is seeded with the shared key
- Previous chi-square test does not detect OutGuess images

OutGuess Detection

- Modified chi-square
  - Sliding sample of coefficients
  - Sample size determined by image analysis
- Nearly 100% true-positive detection rate if 25% or more of the available LSBs in the image have been used

Trained Detectors

- System contains known stego and non-stego images
- Nonlinear support vector machine
- Can also analyze images based on similarity to groups (outdoor, people, etc.)
  - Class discrimination

Detection Summary

- The previous steganalysis methods demonstrate that simple LSB replacement can be detected
  - Class discrimination
  - Inherent statistical properties

F5

- Matrix encoding of DCT coefficients
- Uses a Hamming code to recover from a single bit error (per block)

K5 Pseudocode

Statistics-Aware Steganography

- If the statistical stego-detection methods are known, the unused LSBs can be modified to retain the original coefficient statistics of the image
- In addition, the message could be encoded as the parity of groups of DCT coefficients

Real World Detection

- Media reports assert that steganography is prevalent on the Internet
- JSteg
  - JSteg-Shell is a Windows GUI
  - RC4 (40-bit) encryption
- JPHide
  - Blowfish encryption
- OutGuess

Image Sources

- World Wide Web – eBay auction pictures
  - More than two million images
- Usenet groups
  - One million images
- Approximately two percent of images appeared to contain steganographic content using Stegbreak

Data is Detected, Now What?

- Dictionary Attack
  - 850,000 words for WWW images
  - 1.8 million words for Usenet images
- Application header information can help

Find Anything?

No

Why Not?

- Passwords were all robust
- All positives were false positives
- The steganographic systems used were not the ones looked for
- Messages were too small for detection (Stegbreak has a 50 byte minimum)

Future Steps?

- Look elsewhere for candidate images
- Use more hardware for password cracking
- Research new information hiding and detection algorithms
- (give up – no one uses steganography)

Further Study

- PPM – portable pixel maps
- BMP – Microsoft bitmap
- WAV – Windows sound file
- Matlab – Available on school computers, has built-in importers for BMP and WAV (PPM is trivial)

References

- Hide and Seek: An Introduction to Steganography, IEEE Security & Privacy, May/June 2003

Questions

- What is a visual attack?
  - The presence of steganographic content is indicated by visual distortion of an image
- When / why use steganography?
  - When the presence of communication is a secret