SE 4C03 Winter 2004 Steganography Derek Lunn (9943193) Last Revised: April 6th 2004 Introduction Steganography is a means of hiding information in a carrier medium. Although the concept itself is not new, its application to electronic data transfer is. Unlike cryptography, where the secrecy and integrity of data is maintained through encryption, steganography hides data within a host file (Cole, pg. 1024). Potential hosts include image files (bmp, gif, jpeg), word documents, sound files, movie files (mpeg), and html files. It is most often used to conceal the fact that information is being sent or stored, but can also be used to copyright electronic data. The key to steganography is placing data into a host file without causing disruptions to the host itself. This is often achieved by limiting the amount of data that can be placed in the host file (Cole, pg. 1028). The following report discusses the theoretical concepts of steganography, its application and impact to network security. The first section discusses the three main types of steganography: injection, substitution and file generation, and provides examples to further illustrate their workings. Section two explore two well-known steganographic tools and discusses the principles of how each works. Section three illustrates how steganography can be used to copyright electronic data and discusses the concepts of Watermarking and Fingerprinting. The fourth and final section explores methods network administrators can use to detect and disrupt steganographic files. Types of Steganography There are three general types of steganography. They are injection, substitution, and file generation (Cole, pg. 1028). Injection involves placing data into unused areas of the host file. Simple examples of injection include placing data as hidden form elements in an HTML file, or comments in a GIF file. However, this causes the size of the carrier file to increase (Cole, pg. 1031). Thus, detecting a steganographically injected file is simple if the file size of the host is significantly large for its type. As a result injection is not used for the concealment of large amounts of data. Substitution is the most common form of steganography. It involves replacing data within the host file so as not to degrade the host. This is done on a bit-by-bit basis (Cole, pg. 1033). Unlike injection, the file size of the host remains the same since data is replaced. However, the amount of data that can be substituted is limited beforenoticeable degradation of the host file occurs (Cole, pg. 1033). An example of substitution is replacing the least significant bits in the color table of a graphic. For an 8-bit file each pixel is represented by 8 bits. Since the human eye can only detect 6-7 bits of color, the last one or two bits in an image’s color table value can be changed without being detected (Cole, pg. 1037). Thus the last two bits can be used to hide information. Unlike the first two types of steganography, file generation creates a new file rather than using a host file. The file is created from the information to be concealed. File generation can be used to generate output such as readable text, or fractals (Cole, pg. 1039). An example of file generation steganography is generating an e-mail that appears to be a Spam-like message. Generally the file generated is considerably larger than the original message, thus the file generation method is limited to concealing small amounts of data. Steganographic Tools The following section explores two well-known steganographic applications. They are MP3Stego and Texthide. For each tool, a brief description of its functionality is given. MP3Stego MP3Stego is steganographic tool used to hide data in an MP3 file format. It works by hiding data in the Layer III encoding process during the inner_loop phase (www: mp3stego). Steganographic data is encoded into the MP3 file format by altering the end loop condition of the inner loop. This is achieved by changing what is known as the part2_3 length variable (www: mp3stego). MP3Stego then uses 3DES encryption to protect the steganographic data and an SHA-1 hash to generate pseudo random bits for use in the hiding process. MP3Stego is freeware and can be downloaded from http://www.cl.cam.ac.uk/~fapp2/steganography/mp3stego/index.html. TextHide TextHide is a steganographic tool used to conceal text messages. It takes as input a passage of text, and a hidden message. The hidden message is used as a key, and the software selects synonyms based on this key to rephrase the language in the passage of text. This produces a new passage of text that has the same meaning, but encodes the hidden text message within the grammar of the newly created message (www: TextHide- Hiding of Data in Any Text). A demo version of TextHide can be downloaded from http://www.texthide.com/.Watermarking and Fingerprinting Steganography can be used to copyright electronic data by inserting a message into the host file. Two forms of copyrighting are Watermarking and Fingerprinting. Watermarking involves embedding a ‘signature’ message into the host file to prove ownership of the file, while Fingerprinting involves hiding a ‘serialized’ message into each copy of the host file to detect copyright infringement. The use of steganography for copyrighting electronic data is effective, since the watermark and fingerprint are hidden, but easily extracted to identify ownership of the file. Detecting & Disrupting Steganographic Files Steganography is a valuable tool for securing data. However, few network administrators use it, and/or actively screen files for it. As a network administrator, it is important that they protect their network from storing and passing controversial or illegal materials. In the case of steganography it is possible that these sorts of materials reside on the network without the network administrator being aware of it. This section discusses how steganography can be detected and defended against. Detecting a