<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>LinkGard Security Blog &#187; Demeratus</title>
	<atom:link href="http://www.linkgard.com/security_blog/tags/demeratus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.linkgard.com/security_blog</link>
	<description>Security Thoughts and Insight in Black and White</description>
	<lastBuildDate>Thu, 18 Feb 2010 14:05:47 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Introduction to Steganography and Steganalysis</title>
		<link>http://www.linkgard.com/security_blog/introduction-to-steganography-and-steganalysis/</link>
		<comments>http://www.linkgard.com/security_blog/introduction-to-steganography-and-steganalysis/#comments</comments>
		<pubDate>Sat, 23 May 2009 00:44:43 +0000</pubDate>
		<dc:creator>Hovanes</dc:creator>
				<category><![CDATA[Covert Channel]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[data hiding]]></category>
		<category><![CDATA[Demeratus]]></category>
		<category><![CDATA[digital signal processing]]></category>
		<category><![CDATA[steganalysis]]></category>
		<category><![CDATA[steganography]]></category>
		<category><![CDATA[Yeghishe Charents]]></category>

		<guid isPermaLink="false">http://www.linkgard.com/security_blog/?p=76</guid>
		<description><![CDATA[While visiting the American University of Armenia today, I stumbled upon a talk by Dr. Sos Agaian on digital signal processing and steganalysis. I have been interested in this area for years and Dr. Agaian’s talk gave me insight on some new and interesting research into this area while providing me with motivation to share [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_87" class="wp-caption alignright" style="width: 160px"><a href="http://www.linkgard.com/security_blog/wp-content/uploads/2009/05/hyangwonjeong.jpg"><img class="size-thumbnail wp-image-87" title="ORIGINAL" src="http://www.linkgard.com/security_blog/wp-content/uploads/2009/05/hyangwonjeong-150x150.jpg" alt="Hyangwonjeong pavilion inside Gyeongbokgung Palace in Seoul, Korea. (Original, see below for steg image.)" width="150" height="150" /></a><p class="wp-caption-text">Hyangwonjeong pavilion inside Gyeongbokgung Palace in Seoul, Korea. (Original, see below for steg image.)</p></div>
<p>While visiting the <a href="http://www.aua.am" target="_blank">American University of Armenia</a> today, I stumbled upon a talk by <a title="Sos Agaian" href="http://engineering.utsa.edu/~sagaian/" target="_blank">Dr. Sos Agaian</a> on <strong>digital signal processing</strong> and <strong>steganalysis</strong>. I have been interested in this area for years and Dr. Agaian’s talk gave me insight on some new and interesting research into this area while providing me with motivation to share my thoughts here. I hope to cover specifics about Dr. Agaian&#8217;s research results in a future posting. With this post, I would like to give an introduction to <strong>steganography </strong>and <strong>steganalysis </strong>for those who are new to this topic.</p>
<p>&#8212;</p>
<p class="MsoNormal"><a title="Susa" href="http://en.wikipedia.org/wiki/Susa" target="_blank">Susa</a> (or modern day <a title="Shush, Iran" href="http://en.wikipedia.org/wiki/Shush,_Iran" target="_blank">Shush, Iran</a>) is one of the most ancient settlements known to man and one of the capitals of the Persian Empire. Much older than Rome, this city has played an important role in world history. It is also where <strong>steganography </strong>is believed to have first been used.</p>
<p class="MsoNormal">It was there that in the 5<sup>th</sup> century B.C. &#8211; according to Herodotus &#8211; a deposed king of Sparta by the name of Demaratus witnessed the plans by Persia to attack the Greeks. The Persian emperor Xerxes I had allegedly amassed one of the largest fighting forces in history and was intent on conquering all Greek city-states. Demaratus, still loyal to his people, decided to warn his compatriots of the impending attack. In order to avoid detection, Demaratus used a pair of wooden folding tablets. Scraping off the original wax, he inscribed news of the impending attack and covered the tablets with fresh wax. His secret message to the Spartans reached its destination disguised as blank tablets. Thanks to Demaratus, the Greeks were able to prepare and fend off the Persian attack.</p>
<p class="MsoNormal">Armenian poet Yeghishe Charents, during the height of Soviet repression and censorship in the 1930s, penned a poem titled “The Message,” seemingly paying tribute to the Soviets. The poem includes these lines:</p>
<p class="MsoNormal" style="margin-left: 0.5in;"><em>A new light shone on the world.<br />
Who brought this sun?<br />
&#8230; It is only this sunlight<br />
Which for centuries will stay alive.</em></p>
<p class="MsoNormal">The poem bypassed the censors and was happily published as propaganda until they figured out that the first letter of every line spelled an entirely different and more nationalistic message: <em>“O Armenian people, your only salvation is in the power of your unity.&#8221; </em>Charents was not allowed to publish thereafter and in a year or so disappeared under mysterious circumstances that are not so mysterious to those familiar with the history of Stalin’s purges. Charents may have been eliminated but due to his successful use of steganography his message is alive today and for generations to come.</p>
<p>The art and science of hiding information with a secret meaning inside other seemingly innocuous media is known as <strong>steganography</strong>. Attempting to detect and decipher these messages is called <strong>steganalysis</strong>. Steganography also can be characterized as a specific form of <strong>covert channel</strong>.</p>
<p>These are popular areas of study in security today due to the apparent ability to effortlessly communicate in a secret and secure manner in adversarial conditions. In particular, governments are concerned with terrorists being able to use this technology to communicate with each other bypassing detection.</p>
<p>Many different media can be used for the purpose of steganography, including:</p>
<div id="attachment_82" class="wp-caption alignright" style="width: 160px"><a href="http://www.linkgard.com/security_blog/wp-content/uploads/2009/05/temple1.jpg"><img class="size-thumbnail wp-image-82" title="Steganographic Image" src="http://www.linkgard.com/security_blog/wp-content/uploads/2009/05/temple1-150x150.jpg" alt="Image above with hidden text." width="150" height="150" /></a><p class="wp-caption-text">Image above with hidden text.</p></div>
<ul>
<li><strong>Images</strong>: Images can be used for steganography. There are various methods that can be used. One of the methods is called Least Significant Bit (LSB), where data is hidden in the least significant bits of pixels in an image, reducing the quality of the image by a very small and possibly visually undetectable amount. Consider the photo at the top of this post. For illustration purposes, I have embedded the contents of a small text file inside the beautiful image (right).</li>
</ul>
<ul>
<li><strong>Audio</strong>: Steganography using audio is a bit more complex than with images, but still possible. In order to hide data in audio, you must have a good algorithm for detecting peaks in an audio waveform and hide the data within the peaks. Secret data can be embedded in one of the thousands of MPG files on a computer, for instance.</li>
</ul>
<ul>
<li><strong>Video</strong>: A video simply consists of many frames of images. Messages can be hidden in just one or some of the frames.</li>
</ul>
<ul>
<li><strong>Text:</strong> Consider white space in a full-justified text document. The combination of spaces (some double spaces and single spaces) can convey special meaning and thus act as a covert channel. Besides white spaces, the following can also be used to convey special meaning: letter frequency, word frequency, grammar style, and so forth.</li>
</ul>
<p class="MsoNormal"><strong>Steganalysis </strong>involves detecting whether <strong>steganography </strong>is used and being able to extract the hidden message. A variety of <strong>steganalysis </strong>methods exist, depending on the type of medium involved.</p>
<p class="MsoNormal">One way to visually see the difference between the original and steganographic image is to obtain a color histogram of both images. You can see that the histogram on the right is slightly different than the one on the left. In simple terms, steganalysis usually involves figuring out a mathematical model that would help us determine if an image is abnormal in the sense that it contains hidden information, without the benefit of having the original image.</p>
<p class="MsoNormal" style="text-align: center;">
<div id="attachment_102" class="wp-caption aligncenter" style="width: 403px"><a href="http://www.linkgard.com/security_blog/wp-content/uploads/2009/05/histogram_comparison1.jpg"><img class="size-full wp-image-102" title="histogram_comparison1" src="http://www.linkgard.com/security_blog/wp-content/uploads/2009/05/histogram_comparison1.jpg" alt="Comparison of histograms." width="393" height="132" /></a><p class="wp-caption-text">Comparison of histograms.</p></div>
<p class="MsoNormal">For this particular case the relatively small amount of hidden data we injected (only 1K for an 813K file) makes steganalysis much more difficult. I will cover more steganalysis techniques in future postings on this blog.</p>
<p class="MsoNormal">Smart users of steganography will also rely on tactically choosing the carrier image. For instance, binary images (those composed of only 2 colors) do not lend themselves well to steganography. Thus, someone wishing to conceal his/her traces would pick images that have features that would make it easy to hide bits of information.</p>
<p class="MsoNormal"><strong>Generating Stego Image</strong></p>
<p class="MsoNormal">Here is how I generated the steganographic image above:</p>
<blockquote>
<pre class="MsoNormal">$ outguess -k "linkgard" -d ~/mess.txt ~/ORIG.jpg ~/STEG.jpg
Reading /home/user/ORIG.jpg....
JPEG compression quality set to 75
Extracting usable bits:   441867 bits
Correctable message size: 8102 bits, 1.83%
Encoded '/home/user/mess.txt': 4992 bits, 624 bytes
Finding best embedding...
    0:  2512(50.0%)[50.3%], bias  2505(1.00), saved:    -2, total:  0.57%
    1:  2443(48.6%)[48.9%], bias  2428(0.99), saved:     6, total:  0.55%
   12:  2447(48.7%)[49.0%], bias  2374(0.97), saved:     6, total:  0.55%
   28:  2432(48.4%)[48.7%], bias  2320(0.95), saved:     8, total:  0.55%
28, 4752: Embedding data: 4992 in 441867
Bits embedded: 5024, changed: 2432(48.4%)[48.7%], bias: 2320, tot: 441028, skip: 436004
Foiling statistics: corrections: 844, failed: 0, offset: 83.645251 +- 220.522425
Total bits changed: 4752 (change 2432 + bias 2320)
Storing bitmap into data...
Writing /home/user/STEG.jpg....</pre>
</blockquote>
<p class="MsoNormal">Note: Original image is 813Kb.  Maximum usable/recommended steg bandwidth is reported as ~ 1K.</p>
<p class="MsoNormal"><strong>Further reading</strong></p>
<ul>
<li><span><a title="Wikipedia entry on Steganography" href="http://en.wikipedia.org/wiki/Steganography" target="_blank">Wikipedia entry</a> on the topic.</span></li>
<li><a href="http://www.citi.umich.edu/u/provos/papers/practical.pdf">Hide and Seek: An Introduction to Steganography</a> &#8211; Niels Provos and Peter Honeyman, <em>IEEE Security &amp; Privacy Magazine</em>, May/June 2003.</li>
<li><a href="http://www.amazon.com/exec/obidos/ASIN/0471444499/honeyd-20">Hiding in Plain Sight : Steganography and the Art of Covert Communication</a> &#8211; Explains how to use stegdetect and stegbreak.</li>
<li><a href="http://forensics.cs.uri.edu/Steg_Detection.pdf" target="_blank">Automated Steganography Detection</a> &#8211; Kevin Bryan, Raghu Menon, Neil Bennett, Victor Fay-Wolfe &#8211; University of Rhode Island, Department of Computer Science, Digital Forensics Center.</li>
</ul>
<p class="MsoNormal"><strong>Tools</strong></p>
<p class="MsoNormal">The aged but tried and true tools I used to produce the images and analysis are listed below:</p>
<ul>
<li><span><a href="http://www.outguess.org/download.php" target="_blank">Stegdetect</a> is a Linux-based application that will allow you to insert hidden data in JPG files and detect if steganography exists in an image. A variety of statistical methods are used for detection.</span></li>
<li><span><a href="http://www.outguess.org/download.php" target="_blank">OutGuess</a> is another tool by the same author (Niels Provos) that uses a different method of hiding the data.</span></li>
<li><span><a href="http://www.gimp.org/" target="_blank">The GIMP!</a> For the histograms.<br />
</span></li>
</ul>
<p>Updates:</p>
<ul>
<li>5/23/2009 &#8211; Minor edits and updated sections.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.linkgard.com/security_blog/introduction-to-steganography-and-steganalysis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
