May 21, 2007

Four ways to hide information inside image and sound objects

Author: Anže Vidmar

Ever find yourself with too many passwords to remember and no idea where to keep them so that only you can find the password list? Creating a password.txt file in your root directory is out of the question, as is a password-protected OpenOffice.org file. A piece of paper hidden somewhere is not a good idea, because after you forget where did you put it, someone else will find it and abuse it. Instead of these approaches, consider using steganography, a method for hiding sensitive information inside some other object, typically a JPEG picture or a sound file.

With steganography, a plain text file is merged with a picture or sound file. The resulting file looks and sounds the same -- only the size of the file is slightly changed. For extra security, you can encrypt the text file before you merge it.

Here's a look at some useful tools that you can use to hide and unveil sensitive information inside an object. Most of these programs and tools are available in package repositories for different Linux distributions.

OutGuess

OutGuess is console-based universal steganographic tool that can hide information inside picture objects. The latest version, 0.2, was released in late 2001 and supports inserting objects into PPM, PNM, and JPEG image formats. OutGuess can be used on Linux, *BSD, Solaris, AIX, HP-UX, Mac OS X, and Windows.

Suppose I want to securely send a coworker a root password for a production server. I can start by putting the password in a pass.txt file, then encrypt it with a secret key ("summer" -- shh, don't tell anyone) and mix the encrypted version with an image called grill.jpg. OutGuess can do that with one command:

~$ outguess -k summer -d pass.txt grill.jpg summer-grill.jpg

You don't need to use the -k option to encrypt the sensitive data with a secret key. If you leave it off, however, anyone who knows there's a file buried in the image can extract the output file.

Now I have an image named summer-grill.jpg that holds my production server's root password, and I can mail it to my coworker. Anyone who sees the picture won't notice anything strange, since the data in the image object is not visible to the human eye.

When my coworker receives the picture, he needs to extract the information from the file. As long as he knows the secret key I used for the encryption, he can run the command:

~$ outguess -k summer -r summer-grill.jpg pass.txt

If you don't specify the -k option and provide the key, OutGuess will extract the pass.txt file, but it won't be readable.

Steghide

Steghide is another program you can use to hide sensitive data inside image and audio files. The latest version of Steghide, 0.5.1, has been available since October 2003, and supports hiding sensitive information inside BMP and JPEG image formats as well as in AU and WAV audio formats. The default encryption algorithm is Rijndael with a key size of 128 bits, which is basically AES (Advanced Encryption Standard), but you can choose from many other encryption algorithms as well. Steghide runs under both Linux and Windows.

Let's use the same scenario from our previous example. The equivalent Steghide command is:

~$ steghide embed -cf grill.jpg -sf summer-grill.jpg -ef pass.txt -p summer

To extract the pass.txt file from the summer-grill.jpg picture, use this Steghide command:

~$ steghide extract -sf summer-grill.jpg

You'll be asked for a password, and the utility will extract the pass.txt only if your password (secret key) is correct. Note that when extracting we didn't specify any output file. That's because Steghide automatically knows what the file name was that was inserted and extracts the file with the same name.

Stegtools

Stegtools is a pair of command-line tools for reading and writing hidden information. The latest version of stegtools, 0.4b, was released in the middle of 2005. The software supports 24bpp bitmap images, and runs on Linux and FreeBSD operating systems.

Using the same example again:

cat pass.txt | /usr/local/stegotools-0.4b/stegwrite grill.jpg summer-grill.jpg 1

Here I redirect the standard input (the output of cat command) into the stegwrite tool and specify an existing and desired output picture object. I used the full path to my stegwrite tools, since they're not in my $PATH. The number at the end of the command represents the number of last bits of the grill.jpg image that will be used to hide my data. The value may be 1, 2, or 4. More in-depth explanation can be found in the software's README file.

Stegread reads the hidden information from a picture object and writes it to the standard output. If I want to extract the password from summer-grill.jpg image, I can use this command:

~$ /usr/local/stegotools-0.4b/stegread summer-grill.jpg 1 > pass.txt

You need to have the right number of last bits in order to successfully extract the password from the object file. If you don't know the right number, the utility leaves you with an empty pass.txt file.

SteGUI - click to enlarge

SteGUI, a Steghide GUI

SteGUI is a Linux-based graphical front end to Steghide that was released in May 2006. Before you install SteGUI you need the stegtools, FLTK toolkit, PStreams, ALSA, and Libjpeg libraries installed.

The menus in SteGUI allow you to open objects (picture or sound) and extract or embed information by selecting and clicking on the screen. Here you can see that I've opened my grill.jpg picture and am preparing to embed the pass.txt file. You can also see how many cryptographic algorithms are available for the job. Although it's a nice interface, SteGUI is useful only with objects made with the Steghide program.

Conclusion

Steganography can be useful in many ways for sharing and hiding personal information. Among these utilities, someone who would like to use steganography on multiple platforms would choose OutGuess. For someone who doesn't like console-based tools, Steghide plus SteGUI is the best choice.

Category:

  • Security
Click Here!