
Document: Steganography (docx)


Encryption and Exploits - SANS ©2001

Steganography
Security Essentials
The SANS Institute

Now that we have taken a detailed look at cryptography, let's take a look at another related area, which is steganography or data hiding. Steganography (“stego”) is related to cryptography (“crypto”) because with both fields you do not want someone to be able to read your message, but stego does it with a slightly different approach. With crypto, the message is garbled in such a way that someone cannot read the message, but they can tell that the message is encrypted. In certain environments, this could raise the suspicion to an unacceptable level. With stego, the real message is hidden in an overt message so someone can not even tell that you are sending a secret message. As you will see in practice, the two are often used together. Stego is a new area and hopefully you will find it exciting. We will also show you several of the tools that exist for hiding information and give you links where you can download the tools and try them out for yourself.

Steganography - SANS ©2001

Steganography (Stego)

• Steganography, abbreviated as stego, not to be confused with stenography.
• Involves concealing the fact that you are sending “sensitive” information
• Data hiding
• Relatively new field
• Can hide in a variety of formats
  – Images
    • Bmp, Gif, Jpg
  – Word Documents
  – Text Documents
  – Machine Generated Images
    • fractals

Steganography is a fairly new, but very interesting field. It involves hiding data within another image, so that the meaning of the message and the fact that a message is being sent is concealed. There are methods where data can be embedded in a wide range of file types using a variety of methods.

Crypto vs. Stego

• Cryptography (Crypto) provides confidentiality but not secrecy.
• It is fairly easy to detect that someone is sending an encrypted message; it is just very hard for someone to read it.
• With stego, you do not even know someone is sending a message; you are hiding the true intent.

Let's quickly compare cryptography to steganography. With crypto, an unauthorized party cannot read the message but they can tell that the data has been encrypted. With stego, since the message is hidden, someone cannot even tell that a secret message is being sent.

Detecting Cryptography

• It is very easy for both humans and computers to detect that a message is encrypted. For example “test” becomes eJrMIedoDcgYmK7/XwY6Q+7RAeuPDSe0FziMLDU1GyUhc0WPcatAaIpw+Urc0MUX l257b1q11gFZN4S0rXwAKg2Tzqn9ois7+1pJHOdxI2fH9LCQmxtRBpZ79oFh+wFw cuPV3wW4Mgoh1HL2JQ7SarrJuZixgRoV+IW/HtoWx2Mvop+4CACHtTxbv8SjchhN FLaQNVQA1o00UgR+m7bJh42bWfR5cdGBYkVTzglbu5QXzFodk3PmtG+ghqNCz2CZ 5VZv3H581bSeydcM5zjK7DUd4OZEDSa9kF+9xKdyDMCfvFW5DyhlJkOBUVo8jvQM n/3nO8vGcx/5CcDVV6MF4xh5hPbV6NfP2OaOyNVXcHwn9n6/swH4OnrBciX8MCgF JCyXrwnlYl1GK7RBO67zw0imUkBABfAqc+Jwnbv2HJAAU0NDC+Vd+d9I4UZN6QJd 7RN821ID10ScXelDNiqCq8hxXHJM8qaP5gQp5iC2ExoPfFPl8KRsbOKcK5XPP57T
• A human can infer that this is unreadable.

As you can see, a human can quickly detect that a message is encrypted. Based on this fact, it is easy for someone to infer information about two parties that are communicating. For example, if two parties periodically send a large number of encrypted messages and the next day a major terrorist event occurs, even though I can not tell what the 2 parties are talking about, I can infer that they were involved with the questionable activities.

Detecting Cryptography (2)

• Cryptography basically randomizes the characters in a message.
• A histogram shows the frequency of characters.
• A normal document has a non-predictable histogram.
• An encrypted document has a flat histogram, since with randomization, all characters should appear the same number of times.
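
The histogram test from these bullets, written out as an added Python example (not code from the SANS material). The flatness measure, the 0.2 threshold and the 100-letter minimum are assumptions of the example, and the cipher-like sample is base64 of seeded pseudo-random bytes rather than real ciphertext.

```python
import base64
import random
import string

def letter_histogram(text):
    """Count letters case-folded into 26 bins, as on the slides (1=A ... 26=Z)."""
    counts = [0] * 26
    for ch in text:
        if ch in string.ascii_letters:
            counts[ord(ch.upper()) - ord("A")] += 1
    return counts

def unevenness(text):
    """Chi-square distance from a perfectly flat histogram, divided by the
    letter count so samples of different length compare. Near 0 means flat."""
    counts = letter_histogram(text)
    n = sum(counts)
    if n == 0:
        raise ValueError("no letters to analyse")
    expected = n / 26
    return sum((c - expected) ** 2 / expected for c in counts) / n

def looks_encrypted(text, threshold=0.2, min_letters=100):
    """True if the histogram is flat, False if not, None if the sample is too
    short to judge. Threshold and minimum length are assumed values."""
    if sum(letter_histogram(text)) < min_letters:
        return None
    return unevenness(text) < threshold

# Constructed sample 1: ordinary English (sentences taken from this page).
NORMAL = (
    "With crypto, the message is garbled in such a way that someone cannot "
    "read the message, but they can tell that the message is encrypted. "
    "With stego, the real message is hidden in an overt message so someone "
    "can not even tell that you are sending a secret message."
)
# Constructed sample 2: base64 of seeded pseudo-random bytes, standing in for
# armoured ciphertext like the block on the slide (no real cipher is used).
_rng = random.Random(2001)
CIPHERLIKE = base64.b64encode(
    bytes(_rng.getrandbits(8) for _ in range(1500))
).decode("ascii")

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("cipher-like", CIPHERLIKE)):
        print(name, round(unevenness(sample), 3), looks_encrypted(sample))
```

Compressed data that has been base64-encoded gives the same flat histogram, so a hit means "high-entropy content", not proof of encryption.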
By nature of how encryption works, when a message gets encrypted the distribution of characters becomes randomized. This provides a unique signature that can be used to detect encrypted text.

Histograms

[Figure: two histograms titled “Encrypted Text” and “Normal Text”; vertical axis: Frequency; horizontal axis: letters 1 to 26]

The histogram for encrypted text is very flat and easy for an automated program to detect. The histogram for “normal” text is very non-uniform and easy for an automated program to distinguish between encrypted and unencrypted information.

As you can see with an encrypted message the frequency of characters is very uniform, with each character (1=A, 2=B, ... 26=Z) appearing the same number of times. By nature of how the English language works, we know that this does not occur with normal text. With a normal document, certain letters appear more often than others. For example the letters E and S will appear more often than the letters Q and Z.

How Steganography Works?

• Stego requires a host file and the hidden message.
• Host file can be generated on the fly or use an existing file.
• Hidden message is either used to generate a file or hidden in certain parts of an existing file.

Stego works by embedding a secret message within an open or overt message. Everyone will see the overt message and never know that it is a cover and the real message is hidden inside.

General Types of Stego

• There are many ways to hide information; lesson in creativity.
• General methods:
  – Injection
  – Substitution
  – Generate new file

To hide data within an image, either the secret message can be embedded or injected within another image. This will increase the size of the file and be easy to detect.
Or certain information in a file might be able to be replaced, which will not increase the size of the file. Also, a newer technique is to use the secret message to generate a new text or image file.

Injection

• Most file types have ways of putting information in a file that will be “ignored”.
• For example, hidden form elements in html.
• Word documents also have hidden information.
  – Create a large document and remove data, notice the file size is very large

With injection, data is put within a host file in such a way that when the file is actually read by a given program, the program ignores the data. Most programs, like web browsers or Microsoft Word, have ways of putting “hidden” data within a file, that exists in the file but is ignored when the program displays it to the user.

Injection Example

    <body lang=EN-US style='tab-interval:.5in'>
    <div class=Section1>
    <p class=MsoNormal>Hello World</p>
    <p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>
    <p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>
    <input type="hidden" name="SearchFunction" value="This is a hidden message">
    </div>
    </body>
    </html>

Browser displays “Hello World”, but viewing the source reveals a hidden message.

Here is a simple example of injecting data within an html file. By using the hidden field, a message can be embedded within the source file, but ignored when displayed by the browser.

[...]

... crypt/code/s-tools4.zip

Now let's look at an example of a popular tool that is used to embed data in images called S-Tools.

S-Tools Example

The image to the left is the original image and the image below has a 10 page document embedded in it. Through visual observation, they look identical. Or if you only saw the one with data hidden, it would not look suspicious.

...
a larger number of duplicate colors

Stego Tools

• There are a wide range of stego tools available from:
  – http://members.tripod.com/steganography/stego/software.html
• There are over 200 stego tools ranging from different platforms to different techniques

There are a wide range of tools available. Since this is a new field, most are fairly basic, but some are fairly...

... banner ads that appear on web sites
  – Stash – hides data in a variety of image formats
• As you can see, there are a wide range of tools
• http://members.tripod.com/steganography/stego.html contains tools for various operating systems

The following are some example programs:
  – Jsteg – hides in jpeg images using the DCT coefficients
  – MP3Stego – hides in mpeg files
  – S-Mail – ...

... last 2 LSB’s are, a human eye can not tell the difference
• If we take 10001100 and change it to 10001111 or 10001110, it will all seem like the same color
• This means we can embed data in those bits

Since the LSB’s will have a minimal impact, we will change those bits for each pixel. Regardless of what the last 2 LSB’s are, a human eye can not tell the difference. If we...

... first 8 pixels will be modified as follows
  – 1100 0101 becomes 1100 0111
  – 1111 0010 becomes 1111 0001
  – 1010 1111 becomes 1010 1100
  – 0010 0010 becomes 0010 0010
• To an observer, the image looks normal

The following shows how we would embed data in the pixels of an image. So if our message converted to binary is 1101 0010, the first 8 pixels will be modified as follows...
be replaced or substituted with hidden text
• Depending on the type of file and/or the amount of data, it could result in degradation of the file
• Usually replaces insignificant data in the host file

Data in a file can be replaced or substituted with hidden text. Depending on the type of file and/or the amount of data, it could result in degradation of the file. In order...

... the colors in the color table, it increases the number of near duplicate colors
• A normal bitmap (bmp) has very few duplicate colors
• A bmp with data embedded has a large number of duplicate colors

If you know what to look for, detecting S-Tools is fairly straightforward. When you embed data in a bmp file, you are actually changing the colors in the color table. This is...

    66146
    Reported: 66146
    Duplicate colors: 2

• For one with embedded data:

    D:\DH\Data\BMP\STools>bmpmap forest_h.bmp
    File Name: forest_h.bmp
    actual size: 66614
    Reported: 66614
    Duplicate colors: 1046

I wrote a small program that will go through the color table and determine the number of near duplicate colors. If the number of near duplicate colors is greater than 50, you...

... host file

Generate A New File

• The hidden data can also be used to generate a new file
• No host file is needed
• For example, the input text can be used to generate fractals or “human” like text

Also, to eliminate the need for a host file, the secret message can be used to generate a new file. For example, a file consisting of complex fractals can be generated based...
significant bits (MSB) are to the left and the least significant bits (LSB) are to the right
  – If you change a MSB it will have a big impact on the color. If you change the LSB it will have minimal impact

This shows an example of how data can be embedded in an image file using a basic technique called LSB. With this technique, the least significant bits of the image file are replaced ...
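
The colour-table check described in the S-Tools detection fragments above, as an added Python example (this is not the author's bmpmap program). What counts as a "near duplicate" (every channel within 1) and the two constructed palettes are assumptions of the example; the limit of 50 is the figure given on the page.

```python
import struct
from itertools import combinations

def read_palette(bmp):
    """Return the colour table of a palettised BMP as (R, G, B) tuples."""
    if len(bmp) < 54 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    header_size, = struct.unpack_from("<I", bmp, 14)
    bits, = struct.unpack_from("<H", bmp, 28)
    used, = struct.unpack_from("<I", bmp, 46)
    if header_size < 40 or bits > 8:
        raise ValueError("no colour table: need a BMP with 8 or fewer bits per pixel")
    count = used or (1 << bits)
    start = 14 + header_size
    if start + 4 * count > len(bmp):
        raise ValueError("truncated colour table")
    # Each entry is stored as blue, green, red, reserved.
    return [(bmp[i + 2], bmp[i + 1], bmp[i])
            for i in range(start, start + 4 * count, 4)]

def near_duplicates(palette, tolerance=1):
    """Count pairs of entries within `tolerance` on every channel.
    This definition of "near duplicate" is an assumption of the example."""
    return sum(1 for a, b in combinations(palette, 2)
               if all(abs(x - y) <= tolerance for x, y in zip(a, b)))

def is_suspicious(bmp, limit=50):
    """Apply the page's rule of thumb: more than 50 near duplicates."""
    return near_duplicates(read_palette(bmp)) > limit

def make_bmp(palette):
    """Build a constructed 1x1, 8-bit BMP around `palette` (test input only)."""
    table = b"".join(bytes((b, g, r, 0)) for r, g, b in palette)
    offset = 54 + len(table)
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 8, 0, 4, 0, 0, len(palette), 0)
    return b"BM" + struct.pack("<IHHI", offset + 4, 0, 0, offset) + info + table + bytes(4)

# Constructed palette 1: 64 widely spaced colours.
SPREAD = [(r * 85, g * 85, b * 85)
          for r in range(4) for g in range(4) for b in range(4)]
# Constructed palette 2: 32 base colours, each present in all 8 variants of
# its low bits, imitating the near-duplicate effect the slides describe.
BASES = [(r * 64, g * 64, b * 128)
         for r in range(4) for g in range(4) for b in range(2)]
CLUSTERED = [(r ^ i, g ^ j, b ^ k) for r, g, b in BASES
             for i in (0, 1) for j in (0, 1) for k in (0, 1)]
CLEAN_BMP, STEGO_LIKE_BMP = make_bmp(SPREAD), make_bmp(CLUSTERED)
```

A 24-bit BMP has no colour table, so `read_palette` rejects it instead of reporting zero duplicates.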

Date posted: 17/01/2014, 07:20
