1

ABSTRACT :
As the information age is growing rapidly and data becomes highly valuable and sensitive, methods need to be discovered to protect and secure sensitive data. One such method that transfers data over network securely is achieved by Steganography. This paper deals with some of the steganographic techniques and detailed look at hiding information in Image and TCP/IP protocol that are used frequently in the internet.

INTRODUCTION "Steganography is the art and science of communicating in a way which hides the existence of the communication. This basically comes down to using unnecessary bits in an innocent file to store your sensitive data. The techniques used make it impossible to detect that there is anything inside the innocent file, but the intended recipient can obtain the hidden data. This way, one can not only hide the message itself, but also the fact that he is sending this message. GOAL OF STEGANOGRAPHY In contrast to Cryptography, where the enemy is allowed to detect, intercept and modify messages without being able to violate certain security premises guaranteed by a cryptosystem, the goal of Steganography is to hide messages inside other harmless messages in a way that does not allow any enemy to even detect that there is a second message present". A DETAILED LOOK AT STEGANOGRAPHY This section discusses Steganography at length and deals with the different types

which we practice today along with some of the other principles that are used in Steganography and some of the Steganographic techniques in use today. This is where one can look at the nuts and bolts of Steganography and all the different ways one can use this technology. Lets look at what a theoretically perfect secret communication. To illustrate this concept, consider three fictitious characters named Amy, Bret and Crystal. Amy wants to send a secret message (M) to Bret using a random (R) harmless message to create a cover (C) which can be sent to Bret without raising suspicion. Amy then changes the cover message (C) to a stego-object (S) by embedding the secret message (M) into the cover message (C) by using a stegokey (K). Amy should then be able to send the stego-object (S) to Bret without being detected by Crystal. Bret will then be able to read the secret message (M) because he knows the stego-key (K) used to embed it into the cover message (C).

steganography_medium = secret message + cover message + key [11]

As Fabien A.P. Petitcolas points out, "in a 'perfect' system, a normal cover should

not be distinguishable from a stegoobject, neither by a human nor by a computer looking for statistical patterns." In practice, however, this is not always the case. In order to embed secret data into a cover message, the cover must contain a sufficient amount of redundant data or noise. This is because the embedding process Steganography uses actually replaces this redundant data with the secret message. This limits the types of data that one can use with Steganography. In practice there are three types of steganography protocols used. They are Pure Steganography, Secret Key Steganography and Public Key Steganography. Pure Steganography It is defined as a steganographic system that does not require the exchange of a cipher such as a stego-key. This method of Steganography is the least secure means by which to communicate secretly because the sender and receiver can rely only upon the presumption that no other parties are aware of this secret message. Using open systems such as the Internet, this is not the case at all. Secret Key Steganography It is defined as a steganographic system that requires the exchange of a secret key (stego-key) prior to communication. Secret Key Steganography takes a cover message and embeds the secret message inside of it by using a secret key (stegokey). Only the parties who know the secret key can reverse the process and read the secret message. Unlike Pure Steganography where a perceived invisible communication channel is present, Secret Key Steganography exchanges a stego-key, which makes it more susceptible to interception. The benefit to Secret Key Steganography is

even if it is intercepted, only parties who know the secret key can extract the secret message. Public Key Steganography It takes the concepts from Public Key Cryptography as explained below. Public Key Steganography is defined as a steganographic system that uses a public key and a private key to secure the communication between the parties wanting to communicate secretly. The sender will use the public key during the encoding process and only the private key, which has a direct mathematical relationship with the public key, can decipher the secret message. Public Key Steganography provides a more robust way of implementing a steganographic system because it can utilize a much more robust and researched technology in Public Key Cryptography. It also has multiple levels of security in that unwanted parties must first suspect the use of steganography and then they would have to find a way to crack the algorithm used by the public key system before they could intercept the secret message. ENCODING SECRET MESSAGE IN TEXT Encoding secret messages in text can be a very challenging task. This is because text files have a very small amount of redundant data to replace with a secret message. Another drawback is the ease of which text based Steganography can be altered by an unwanted parties by just changing the text itself or reformatting the text to some other form (from .TXT to .PDF, etc.). There are numerous methods by which to accomplish text based Steganography.
Line-shift encoding

It involves actually shifting each line of text vertically up or down by as little as 3 centimeters. Depending on whether the line was up or down from the stationary line would equate to a value that would or could be encoded into a secret message.
Word-shift encoding

It works in much the same way that lineshift encoding works, only one can use the horizontal spaces between words to equate a value for the hidden message. This method of encoding is less visible than line-shift encoding but requires that the text format support variable spacing.
Feature specific encoding

It involves encoding secret messages into formatted text by changing certain text attributes such as vertical/horizontal length of letters such as b, d, etc. This is by far the hardest text encoding method to intercept as each type of formatted text has a large amount of features that can be used for encoding the secret message. All three of these text based encoding methods require either the original file or the knowledge of the original files formatting to be able to decode the secret messages. ENCODING SECRET MESSAGES IN IMAGE Coding secret messages in digital images is widely used in the digital world of today. This is because it can take advantage of the limited power of the human visual system (HVS). Almost any plain text, cipher text, image and any other media that can be encoded into a bit stream can be hidden in a digital image. With the continued growth of strong graphics power in computers and the research being put into image based Steganography, this field will continue to grow at a very rapid pace. To the computer, an image is an array of

numbers that represent light intensities at various points (pixels). These pixels make up the images raster data. When dealing with digital images for use with Steganography, 8-bit and 24-bit per pixel image files are typical. Both have advantages and disadvantages, 8-bit images are a great format to use because of their relatively small size. The drawback is that only 256 possible colors can be used which can be a potential problem during encoding. Usually a gray scale color palette is used when dealing with 8-bit images such as (.GIF) because its gradual change in color will be harder to detect after the image has been encoded with the secret message. 24-bit images offer much more flexibility when used for Steganography. The large number of colors (over 16 million) that can be used go well beyond the human visual system (HVS), which makes it very hard to detect once a secret message, has been encoded. The one major drawback to 24-bit digital images is their large size (usually in MB) makes them more suspect than the much smaller 8-bit digital images (usually in KB) when sent over an open system such as the Internet. Digital image compression is a good solution to large digital images such as the 24-bit images. There are two types of compression techniques. They are,
Lossless compression is preferred

when there is a requirement that the original information remain intact (as with steganographic

images). The original message can be reconstructed exactly. This type of compression is typical in GIF and BMP images.
Lossy compression, while also

saving space, may not maintain the integrity of the original image. This method is typical in JPG images and yields very good compression.

alteration are mainly in the fact that it requires a fairly large cover image to create a usable amount of hiding space. Even now a day, uncompressed image of 800 x 600 pixels are not often used on the Internet, so using these might raise suspicion. Another disadvantage will arise when compressing an image concealing a secret using a lossy compression algorithm. The hidden message will not survive this operation and is lost after the transformation.
Masking and filtering

The popular digital image encoding techniques used today are least significant bit (LSB) encoding, masking & filtering, Transformation, spread spectrum steganography, statistical steganography, distortion, and covers generation steganography. The following are some of these techniques.
Least significant bit (LSB) encoding

It is by far the most popular of the coding techniques used for digital images. By using the LSB of each byte (8 bits) in an image for a secret message, one can store 3 bits of data in each pixel for 24-bit images and 1 bit in each pixel for 8-bit images. Logic: A 24-bit bitmap will have 8 bits representing each of the three color values (red, green, and blue) at each pixel. If we consider just the blue there will be 28 different values of blue. The difference between say 11111111 and 11111110 in the value for blue intensity is likely to be undetectable by the human eye. If we do it with the green and the red as well we can get one letter of ASCII text for every three pixel. Therefore, the least significant bit can be used (more or less undetectably) for something else other than color information. As you can see, much more information can be stored in a 24-bit image file. Disadvantage of using LSB

These techniques are usually restricted to 24 bits or grayscale images; take a different approach to hiding a message. These methods are effectively similar to paper watermarks, creating markings in an image. This can be achieved for example by modifying the luminance of parts of the image. While masking does change the visible properties of an image, it can be done in such a way that the human eye will not notice the anomalies. Since masking uses visible aspects of the image, it is more robust than LSB modification with respect to compression, cropping and different kinds of image processing.
Transformations

A more complex way of hiding a secret inside an image comes with the use and modifications of discrete cosine transformations. Discrete cosine transformations (DST)), are used by the JPEG compression algorithm to transform successive 8 x 8 pixel blocks of the image, into 64 DCT coefficients each. It follows Jsteg algorithm (D.Upham) used JPEG image format. According to Jsteg algorithm, Replace sequentially the leastsignificant bit of discrete cosine

transform coefficients with the message data . Logic: The secret data is inserted into the cover image in the DCT domain. The signature (secret message) DCT coefficients are encoded using a lattice coding scheme before embedding. Each block of cover DCT coefficients is first checked for its texture content and the signatured codes are appropriately inserted depending on a local texture measure. Experimental results indicate that high quality embedding is possible, with no visible distortions. Signature images can be recovered even when the embedded data is subject to significant lossy JPEG compression. Each DCT coefficient F (u, v) of an 8 x 8 block of image pixels f(x, y) is given by:

get next LSB from message replace DCT LSB with message bit end if insert DCT into steganographic image end while Although a modification of a single DCT will affect all 64 image pixels, the LSB of the quantized DCT coefficient can be used to hide information. Lossless compressed images will be suspectible to visual alterations when the LSB are modified. This is not the case with the above described method, as it takes place in the frequency domain inside the image, instead of the spatial domain and therefore there will be no visible changes to the cover image. In addition to DCT, images can be processed with Fast Fourier transform (FFT). FFT is "an algorithm for computing the Fourier transform of a set of discrete data values". The FFT expresses a finite set of data points in terms of its component frequencies. It also solves the identical inverse problem of reconstructing a signal from the frequency data. Thus simple logic for encoding and decoding using transforms is hiding the data. The steps are to take the DCT or wavelet transform of the cover image and find the coefficients below a specific threshold. Replace these bits with bits to be hidden (for example, use LSB insertion) and then take the inverse transform and store it as a regular image. Recovering the data To extract the hidden data take the transform of the modified image and find the coefficients below a specific threshold. Extract bits of data from these coefficients and combine the bits into an actual message. 6

where C(x) = 1/2 when x equals 0 and C(x) = 1 otherwise. After calculating the coefficients, the following quantizing operation is performed:

where Q (u, v) is a 64-element quantization table. A simple pseudo-code algorithm to hide a message inside a JPEG image could look like this:
Input: message, cover image Output: steganographic image containing

message while data left to embed do get next DCT coefficient from cover image if DCT . 0 and DCT . 1 then

Patchwork

Patchwork is a statistical technique that uses redundant pattern encoding to embed a message in an image. The algorithm adds redundancy to the hidden information and then scatters it throughout the image.
Logic: A pseudorandom generator

is used to select two areas of the image (or patches), patch A and patch B. All the pixels in patch A is lightened while the pixels in patch B are darkened. In other words the intensities of the pixels in the one patch are increased by a constant value, while the pixels of the other patch are decreased with the same constant value. The contrast changes in this patch subset encodes one bit and the changes are typically small and imperceptible, while not changing the average luminosity. A disadvantage of the patchwork approach is that only one bit is embedded. One can embed more bits by first dividing the image into sub-images and applying the embedding to each of them.

The TCP/IP header contains a number of areas where information can be stored and sent to a remote host in a covert manner. Take the following diagrams which are textual representations of the IP and TCP headers respectively: IP Header (Numbers represent bits of data from 0 to 32 and the relative position of the fields in the datagram)

Fig 5.1 Basic IP Header Structure [4] TCP Header (Numbers represent bits of data from 0 to 32 and the relative position of the fields in the diagram.)

Fig 5.2 Basic TCP header structure [4]

The advantage of using this technique is that the secret message is distributed over the entire image, so should one patch be destroyed, the others may still survive. This however, depends on the message size, since the message can only be repeated throughout the image if it is small enough. If the message is too big, it can only be embedded once. There are also other methods that are not discussed in this paper which are of less utility over the above topics. ENCODING INFORMATION IN A TCP/IP HEADER

Logic: Within each header there are multitudes of areas that are not used for normal transmission or are "optional" fields to be set as needed by the sender of the datagrams. An analysis of the areas of a typical IP header that are either unused or optional reveals many possibilities where data can be stored and transmitted. For general purposes, this paper focuses on encapsulation of data in the more mandatory fields. Because these fields are not as likely to be altered in transit as say the IP or TCP options fields which are sometimes changed or stripped off by packet filtering mechanisms or through fragment re-assembly. They are 7

- The IP packet identification field. - The TCP initial sequence number field. - The TCP acknowledged sequence number field. Hence data can be placed into these fields. Though the ASCII code of character can be placed simply, it will not look innocent thus some special techniques are used to encode and decode for much safety.
Manipulating IP packet identification field

The identification field of the IP protocol helps with re-assembly of packet data by remote routers and host systems. Its purpose is to give a unique value to packets so if fragmentation occurs along a route, they can be accurately reassembled. In the following example, the lines below show a tcp dump representation of the packets on a network between two hosts "nemesis.psionic.com" and "blast.psionic.com". This is one of the packets received during transmission which has character H. in its IP packet identification field.
Manipulating Initial Sequence Number field (ISN)

store information in either a byte fashion, or as bits of information represented through careful manipulation of the sequence number. The simple algorithm of the covert tcp program takes the ASCII value of our data and converts it to a usable sequence number Also there are other methods for hiding data in TCP/IP header that may vary depending on the type of application and requirement. Also data can be hidden in audio and video files which are not discussed in this paper. And they are also widely used in open environment systems. APPLICATIONS The three most popular and researched uses for steganography in an open systems environment are covert channels, embedded data and digital watermarking. Covert channels in TCP/IP involve masking identification information in the TCP/IP headers to hide the true identity of one or more systems. This can be very useful for any secure communications needs over open systems such as the Internet when absolute secrecy is needed for an entire communication process and not just one document as mentioned next. Embedding Data using containers (cover messages) is by far the most popular use of Steganography today. This method of Steganography is very useful when a party must send a top secret, private or highly sensitive document over an open systems environment such as the Internet. By embedding the hidden data into the cover message and sending it, you can gain a sense of security by the fact that no one knows you have

The Initial Sequence Number field (ISN) of the TCP/IP protocol suite enables a client to establish a reliable protocol negotiation with a remote server. It is similar to above but here it has 32 bits field, hence it serves as a perfect medium for transmitting clandestine data. Consider following line. Here 1207959552 is ISN. Dividing it by 65536*256 gives 72(i.e., H.) Because of the sheer amount of information any one can represent in a 32 bit address space (4,294,967,296 numbers), the sequence number makes an ideal location for storing data. Aside from the obvious example given above, a number of other techniques are used to

sent more than a harmless message other than the intended recipients. Digital watermarking is usually used for copy write reasons by companies or entities that wish to protect their property by either embedding their trademark into their property or by concealing serial numbers/license information in software, etc. Digital watermarking is very important in the detection and prosecution of software pirates/digital thieves. CONCLUSION Although only some of the main image steganographic techniques were discussed in this paper, one can see that there exists a large selection of approaches to hiding information in images. All the major image file formats have different methods of hiding messages, with different strong and weak points respectively. Where one technique lacks in payload capacity, the other lacks in robustness. For example, the patchwork approach has a very high level of robustness against most type of attacks, but can hide only a very small amount of information. Least significant bit (LSB) in both BMP and GIF makes up for this, but both approaches result in suspicious files that increase the probability of detection when in the presence of a warden. Thus for an agent to decide on which steganographic algorithm to use, he would have to decide on the type of application he want to use the algorithm for and if he is willing to compromise on some features to ensure the security of others. REFERENCES [1]. Hide and Seek: An Introduction to Steganography - Niels Provos and Peter Honeyman

URL: http:// niels.xtdnet.nl/papers/practical.pdf [2]. Johnson, Neil F., Steganography, 2000, URL: http://www.jjtc.com/stegdoc/index2.html [3]. Steganography - Wikipedia, the free encyclopedia_files URL: http://en.wikipedia.org/wiki/Steganograp hy [4]. Embedding Covert Channels into TCP/IP - Steven J. Murdoch and Stephen Lewis URL: http://www.cl.cam.ac.uk/users/ {fsjm217, srl32g}/ [5]. Krenn, R., Steganography and Steganalysis, URL: http://www.krenn.nl/univ/cry/steg/article. pdf [6]. Rowland, C.H.: Covert channels in the TCP/IP protocol suite. First Monday 2 (1997) URL: http://www.firstmonday.org