Srijan’10

THE LOST SYMBOL

1.

This is the primary tutorial on Steganography ….you may find it

helpful for the “The Lost Symbol” event of Srijan’10…hope it
serves bit of your purpose….SEE YOU @ SRIJAN’10.

©Srijan’10
Visit us @ www.srijanju.com
 Introduction

1.1 Digital Image

A digital image is an image f(x,y) that has been discretized both in spatial
coordinates and in brightness. We may consider a digital image as a matrix
whose row and column indices identify a point in the image and the corresponding matrix
element value identifies the gray level at that point. The elements of such a digital array
are called image elements, picture elements, pixels or pels.

1.2 Steganography

Steganography comes from the Greek word “Steganos” meaning “covered or

secret”, basically hidden writing. Steganography is the art of hidden information in a
cover media. The media may be still image, video, audio, text file etc. and the hidden
message may be text, still image, audio, video etc.

(Image,
Video,
Audio,
Text, Cover(X)
Fax) Steganography

Encoder Stego
(Image, Message (M) Media
Text,)
F (X, M, K)

(Pseudo Stego
Random Key (K)
no.
generator,
Hash
function)

Fig 1.2.1 Block Diagram of Steganography Encoder

©Srijan’10 Page 2
 It is a non-cryptographic technique for hiding data in the natural noise component of
some other signal. It simply takes one piece of information and hides it within another.
Steganography dates back to ancient Greece, where common practices consisted of
etching messages in wooden tablets and covering them with wax, and tattooing a shaved
messenger's head, letting his hair grow back, and then shaving it again when he arrived at
his contact point.
While encryption is detectable and a target for questions by Government as well as
hackers, Steganography takes it one step further and hides the message within an
encrypted message or other mediums; such as images, making it virtually impossible to
detect. It is a method related to the art of hiding a secret message within a larger one in
such a way that the unwanted person cannot make out the presence or contents of the
hidden message being sent. It can be hidden in a picture, sound or a video file.
Steganography uses computer files (images, sounds recordings, even disks), which
contain unused or insignificant areas of data. Invisible inks, microdots, character
arrangement, digital signatures, covert channels, and spread spectrum communications
also use steganography. Steganography takes advantage of these areas, replacing them
with information (encrypted mail, for instance). The least significant bits (LSBs) of most
digitized signals; music or images for instance; are randomly distributed.
Most communication channels like telephone lines and radio broadcasts
transmit signals, which are always followed by some kind of, noise. This noise
can be replaced by a secret signal that has been changed into a form that is not
detectable from noise without knowledge of a secret key and this way, the secret
signal can be transmitted undetectable.

1.3 Basic Terminologies

Steganography is art of hiding information (message) within information (cover) in an

innocuous way – the very existence of hidden message remains concealed.
Cryptography is the study of mathematical techniques related to aspects of information
security such as confidentiality, data integrity, entity authentication, and data origin
authentication.

©Srijan’10 Page 3
 Digital Watermarking is a technique to emboss copyright information, to digital media,
of the owner for authentication.
Cryptanalysis is the study of mathematical techniques for attempting to defeat
cryptographic techniques and, more generally, information security services.
Steganalysis is the practice of defeating the goal of steganography by detecting,
extracting the tampered bits and reconstructing the hidden message.
Steganalysis is concerned with developing methods for detecting the presence of secret
messages and eventually extracting them. Steganography is an inseparable part of
steganography. Indeed, one probably cannot develop a good steganographic method
without spending a substantial amount of time on how to break it. The primary goal of
Steganalysis is to detect when a covert communication is occurring. Steganography is
considered broken even when the mere presence of the secret message is detected.
Indeed, the fact that we know that certain parties are communicating secretly is often a
very important piece of information.
Steganographic Image, the image that contains some hidden data is known as
steganographic image

Steganology refer to both steganography and Steganalysis, just as cryptology refers to

both cryptography and cryptanalysis. The term Steganology is not commonly used but is
more precise than using steganography.
Embedding Capacity refer to the maximum number of bits that can be hidden in a given
cover work.
Steganographic Capacity refer to the maximum number of bits that can be hidden in a
given cover work, such that the probability of detection by an adversary is negligible.
Hence, steganographic capacity is therefore much less than the embedding
capacity. Detection by Steganalysis can be avoided simply by decreasing the amount of
information embedded (payload) in a cover work. However, practical steganographic
schemes must have usable steganographic capacity.
Therefore primary goal of new Steganographic algorithms are – develop undetectable
methods with high steganographic capacity.
.

©Srijan’10 Page 4
 1.4 Different types of Steganography

In the literature there are three types of steganographic protocols:

Pure steganography

Secret key steganography

Public key steganography

1.4.1 Pure steganography

A steganographic system which does not require the prior exchange of some secret
information (like stego-key) is called pure steganography.

Definition (Pure Steganography): The quadruple S=<C, M, D, E>, where C is the

set of possible covers, the set of secret messages M with |M| = <|C|, E: C X M  C the
embedding function and D: C  M, the extraction function, with the property that
D (E(c, m)) = m,∀ m Є M and ∀ c Є C is called pure steganographic system.
The embedding process is defined in a way that a cover and the corresponding stego
object are perceptually similar. Formally, perceptual similarity can be defined via a
similarity function.

Definition (Similarity Function): Let C be a nonempty set. A function

sim: C2 (-1 , 1] is called similarity function on C for x, y Є C

sim(x,y) = 1 x=y

For x <> y, sim(x,y) < 1

So, the most practical steganographic systems try to fulfill the condition
sim(c,E(c,m))1, ∀ m Є M and ∀ c Є C.

©Srijan’10 Page 5
 1.4.2 Secret key steganography

Pure Steganography is not very secure in practice as no information (apart from E

and D as mentioned in section 1.4.1) is required to start the process; the security of
process depends entirely on its secrecy. The security of the secrecy should rely on some
secret information, the stego-key. Without any knowledge of that stego-key, nobody
should able to extract secret information out of the cover.

A secret key steganography system is a system where the sender chooses a cover c
and embeds the secret message into c using a secret key k. If the key used in embedding
process is known to the receiver, he can reverse the process and extract the secret
message. In that type of steganography also, the cover c and the stego-object can be
perceptually similar.

Definition (Secret key steganography): The quadruple S=<C, M, K, Dk, Ek >,

where C is the set of possible covers, the set of secret messages with |C| >= |M|, K the
set of secret keys, Ek: C X M X K  C and Dk: C X K  M with the property that

Dk ( Ek( c , m , k ) ,k ) = m

∀ m belongs to M, ∀ c Є C and ∀ k ЄK is called the secret key steganographic

method.

Secret key steganography requires the exchange of some key, although the
transmissions of additional secret information subvert the original intension of invisible
communication. So we assume that all communication parties are able to trade the secret
keys through a secure channel. However, by using some characteristic features of the
cover and a secure hash function H is possible to calculate a key used for secret
communication directly out of the cover: k = H (feature). If the embedding process does
not change the “feature,” the receiver is able to recalculate the key. Obviously such a
feature has to be highly “cover dependent” to reach an adequate level of security. If the
cover is a digital image, one could take all most significant of the cover’s color values as
a “feature.”

©Srijan’10 Page 6
 1.4.3 Public key steganography
Public key steganographic system require the steganography system require the use
of two keys, one private and another public key; the public key stored in public database.
Whereas the public key is used in embedding process, the secret key is used to
reconstruct the secret message.

One way to build a public key steganography system is the use of a public key
cryptosystem. In the public key steganography, the decoding function D in the
steganography system can be applied to any cover c, whether or not it already contains a
secret message. In the latter case, a random element of M will be the result; we will call it
“natural randomness” of the cover. If one assumes that this natural randomness is
statistically indistinguishable from cipher text produced by some public key
cryptosystem, a secure steganography system can be build by embedding the cipher text
rather than unencrypted secret messages.

Figure. Data hiding typical scenario.

©Srijan’10 Page 7
 1.5 Different procedures used for steganography.

In general, steganographic algorithms are based on replacing a noise component of a

digital object with a pseudorandom secret message. There are several approaches in
classifying steganographic systems. One could categorize them according to the
types of covers used for secret communication. A classification according to the
cover modifications applied in the embedding process is another possibility. We
want to follow the second approach and group steganographic methods in six
categories; although in some cases an exact classification is not possible:

Substitution systems substitutes redundant parts of a cover with a secret
message;

Transform domain techniques embed secret information in a transform space of
the signal (e.g., in the frequency domain);

Spread spectrum techniques adopt ideas from spread spectrum communication;

Statistical methods encode information by changing several statistical properties
of a cover and use hypothesis testing in the extraction process;

Distortion techniques store information by signal distortion and measure the
deviation from the original cover in the decoding step;

Cover generation methods encode information in the way a cover for secret
communication is created.

©Srijan’10 Page 8
 2. Data Flow Diagram (DFD)

Cracking the input

Image/Text file. Hidden
Detection of the Message
Input BMP presence of hidden &
Image or message Password
TEXT file Extraction of hidden (If present)
message
Reconstruction of the
hidden message (if
possible)

Level ‘0’ DFD

©Srijan’10 Page 9
 Input

BMP Image/
Text file
1.1
BMP/Text
cracking
process.

Data file

1.2
Detection process

Data file

1.3
Extraction process

Output

Level ‘1’ DFD

©Srijan’10 Page 10
 Input

Data file

1.3.1
Password position
finding process.

Password location

1.3.2
Password breaking
process
Password

Data file

1.3.3
Message length
detection process
Message Length

Data file
1.3.4
Message
Extraction process
Message

Output

Level ‘2’ DFD

©Srijan’10 Page 11
 3. Steganalysis − Different Levels & Stages of
Attack

S teganalysis is the practice of attacking steganographic methods by detection,

extraction, or modification (or even destruction) of embedded data.
Understanding the means by which attackers can defeat steganographic systems is
necessary for the design and development of superior, more robust systems. The meaning
of a successful attack is dependent on the application; for a secret communication
application the mere detection and proof that some kind of data is hidden within the
stego-image is successful attack

Levels of Attack

There are five levels of attack of steganography: known cover, known message,
chosen stego, chosen message and stego-only.

In a known cover attack, both the original cover and the corresponding stego-image
are available.
The known message attack is when the steganalyst knows the secret message
embedded in a stego-image.
A chosen-stego attack is when access to the message extraction tool is available so
the attacker does not have to deduce the decoding algorithm.
In a stego-only attack, only the stego-image is available for Steganalysis.

In known cover attack, the cover image is required which is almost impossible. So
the known cover attack is not very practical attack.

The most powerful attack is the chosen message attack, where the steganalyst has the
access to the steganography encoding tool itself and can embed and analyze messages of
his/her choice.

©Srijan’10 Page 12
 The stego-only attack is the most common and difficult to detect. Here, cover image,
stego message and key all are absent.

Stages of Attack

The stego object is attacked in three stages:

Detection: The first stage is to detect whether a message is hidden within the object
or not. Analysis of image statistics reveals the existence of hidden message.

Extraction of message bit stream: After the confirmation of message hiding, the
steg-analyst aims to identify the positions where the message is hidden. This may require
the knowledge of stego key. Once the message positions are identified, the message bit
stream is easy to extract.

Reconstruction of Hidden Message: Reconstruction of hidden message from the

extracted bit stream is not a very easy job to perform. In most of the cases, some
encryption algorithm like DES, IDEA etc, encrypts the message. Decrypting the message
bit stream, the hidden message is reconstructed. Details of decryption will be discussed in
the next chapter of Cryptanalysis.

©Srijan’10 Page 13
 4. A general review of Cryptography and
Cryptanalysis.

C ryptography is the science of keeping secrets secret. Assume a sender want to

send a message ‘m’ to a receiver. He uses an insecure communicational
channel like computer network or a telephone line. There is a problem if the message
contains confidential information. The message could be intercepted and read by an
eavesdropper. One objective of cryptography is to provide methods for preventing such
attacks.

Cryptanalysis is the science of studying attacks against cryptographic schemes.

Successful attacks may, recover the plain text (or parts of the plain text) from the cipher
text, substitute parts of the original message, or forge digital signatures. Cryptography
and cryptanalysis are often subsumed by the more general term cryptology.

Encryption and Secrecy

The fundamental and classical task of cryptography is to provide confidentiality by

encryption methods. The message to be transmitted – can be some text, numerical data,
an executable program or any other kind of information - is called the plain text. One
encrypts the plain text m and obtains the cipher text ‘c’. The cipher text ‘c’ is transmitted
to other. The other person turns the cipher text back into the plain text by decryption. To
decrypt, he needs some secret information, a secret decryption key.

The Objective of Cryptography

Providing confidentiality is not the only objective of cryptography. Cryptography is
also used to provide solutions for other problems:
1. Confidentiality. Service used to keep the content of information from all but
those authorized to have it.

©Srijan’10 Page 14
 2. Data Integrity. The receiver of a message should be able to check whether
the message was modified during transmission, either accidentally or deliberately. No
one should be able to substitute a false message for the original message, or for part
of it.
3. Authentication. The receiver of a message should be able to verify its origin. No
one should be able to send a message to other and pretend to be another (data origin
authentication). When initiating a communication between two, both should b able to
identify each other (entity authentication).
4. Non-repudiation. The sender should not be able to later deny that he sent a
message.

Attacks
The primary goal of cryptography is to keep the plain text secret from eavesdroppers
trying to get some information about the plain text.

A fundamental assumption in cryptanalysis was first stated by A.Kerkoff in the

nineteenth century. It is usually referred to as Kerkoff’s principle. It states that the
adversary knows all the details of the cryptosystem, including algorithms and their
implementations. According to the principle, the security of a cryptosystem must be
entirely based on the secret keys.

The possible attacks depend on the actual resources of the adversary eavesdropper.
They are usually classified as follows:

1. Cipher text - only attack. Eavesdropper has the ability to obtain cipher texts.
This is likely to be the case in any encryption situation. Even if eavesdropper
cannot perform the more sophisticated attacks described below, one must assume
that he can get access to encrypted messages. An encryption method that cannot
resist a cipher text - only attack is completely insecure.

©Srijan’10 Page 15
 2. Known – plain text attack. Eavesdropper has the ability to obtain plain text –
cipher text pairs. Using the information from these pairs, he attempts to decrypt a
cipher text for which he does not have the plain text. At first glance, it might
appear that such information would not ordinarily be available to an attacker.
However, it very often is available. Messages may be sent in standard formats
which the eavesdropper knows.

3. Chosen – plain text attack. Eavesdropper has the ability to obtain cipher texts
for plain texts of his choosing. Then he attempts to decrypt a cipher text for
which he does not have a plain text. While again this may seem unlikely, there
are many cases in which the eavesdropper can do just this. For example, he sends
some interesting information to his intended victim, which he is confident that
the other will encrypt and send out. This type of attack assumes that the
eavesdropper must first obtain whatever plain text – cipher text pairs he wants
and do his analysis, without any further interaction. This means that she only
needs access to the encrypting device once.

4. Adaptively – chosen – plain text attack. This is the same as the previous
attack, except now the eavesdropper may do some analysis on the plain text –
cipher text pairs, and subsequently get some more pairs. He may switch between
gathering pairs and performing the analysis as often as he likes. This means that
he has either lengthy access to the encrypting device or can some-how make
repeated use of it.

5. Chosen – and adaptively – chosen – cipher text attack. These two attacks are
similar to the above plain text attacks. The eavesdropper can choose cipher texts
and get the corresponding plaintexts. He has the access to the decryption device.

©Srijan’10 Page 16
 5. Description of Commercial stego tools.

Pretty Good Envelope v1.0

Pretty Good Envelope (PGE) is a DOS based program that hides a message in the
file by the very simple method of appending the message to the file, and then appending a
4 byte little endian number which points to the start of the message. A companion
program UNPGE retrieves the message. PGE can be used with graphic files (GIF and
JPG) or any other binary files, including .COM and .EXE files.

Hide and Seek v5.0

The latest version of Hide and Seek has been totally redesigned. It is still a DOS
based program, but now includes a user interface (no more command line operations) to
hide info in GIF files.

Hide & seek uses the blowfish algorithm to encrypt your random number seed, your
file length, and your version number, as a header at the beginning of the file. This
information is later used to get the data out. The data itself is NOT encrypted. You can
hide encrypted data, though, and if you do there is no way to know when you have
cracked hide & seeks password, since hide & seek will silently pull out garbage if given a
wrong password.

JP Hide and Seek

JPHS is a DOS-based command-line stego program that hides data in the JPG image
format. Its small size is a major bonus as it easily fits on a disk. It uses encryption as well,
but does not mention which type. Win95 and Linux version are also available.

©Srijan’10 Page 17
 Camouflage

Camouflage is an interesting Windows-based program that allows you to hide files

by scrambling them and then attaching them to the end of the file of your choice. The
camouflaged file then looks and behaves like a normal file, and can be stored or emailed
without attracting attention. Works for pretty much any file type. Password protection
included.

Gifshuffle v2.0

Gifshuffle is a command-line-only program for windows, which conceals messages

in GIF images by shuffling the color map. The picture remains visibly intact, only the
order of color within the palette is changed. It works with all GIF images, including those
with transparency and animation, and in addition provides compression and encryption of
the concealed message.

Steghide

Steghide, by Stefan Hetzl, is a command-line application that features hiding data in

bmp, wav and au files, blowfish encryption, 128 bit MD5 hashing of pass phrases to
blowfish keys and pseudo-random distribution of hidden bits in the container data.
Steghide is written in ANSI C so the source code should compile on many systems.

Hide4PGP v2.0

Hide4PGP v2.0 by Heinz Repp is a command-line steganographic program for

Windows, DOS, and OS/2 that hides data within BMP, WAV, and VOC files. It is
designed to use with both PGP and Stealth, but also works well as a stand-alone program.
Version 2.0 has several new features, including a new stego format, which is much more
robust against format conversions - only non - lossless compression formats will loose
the hidden data. The source is also included and should compile on any platform without
major problems.

©Srijan’10 Page 18
 SecurEngine 2.0

SecurEngine is nice little program that hides data in JPG files. Strong encryption and
file wiping is included. It hides the message in the file by the very simple method of
appending the message to the file, with 21 ‘#’ as garbage followed by ‘0A’, followed by
message length, file name, and message after the ‘FF D9’ EOF marker of JPEG.

The Third Eye

Hides files in BMP, GIF, and PCX files. Includes encryption and has nice user
interface.

Image Hide

Windows-based program which hide files in a number of different formats without

increasing file size. The data is embedded in the image by LSB insertion serially.

S-Tools

S-Tools v4 is an excellent Win 95/NT based steganography tool that hides files in
BMP, GIF, and WAV files. It encrypts the data with DES cryptosystem with the help of
the password and distributes it in the image file by LSB insertion.

In The Picture

In The Picture is a Win95-based stego program that hides data in BMP images. It
offers multiple unique keys so you can encrypt data intended for multiple recipients into
the same file. It has a drag and drop interface and can generate a random fractal image to
use as a vessel image, if needed.

©Srijan’10 Page 19
 Gif-It-Up v1.0

Gif-It-Up is a Win95-based stego program that hides data in GIF files. It has a
professional-looking interface and includes a slick installation program.

Stash-It v1.1

Stash is a simple Win95/98/NT-based stego program that will allow you to hide (and
extract, of course) any data file inside a perfectly normal BMP, GIF, TIFF, PNG or PCX
file. It does not appear to have any additional encryption features.

JSteg

JSteg, by Derek Upham, hides data within the popular JPG format. Prior to hiding
data in a JPG file, you will need to save that file in the TGA (targa) format. After the data
is embedded into the image, the resulting output file will be in the JPG format, with all of
the compression advantages that JPG entails. The tampering is done serially in the LSB
of the quantized DCT.

SGPO

SGPO (Stegano Gif Palette Order) is a Java v1.1 based program with a nice interface
that hides messages in GIF images by shuffling the color map. The picture remains
visibly intact, only the order of color within the palette is changed.

©Srijan’10 Page 20
 6.Software Package to detect Steganographic
images.

S teganography encompasses methods of transmitting secret messages through

innocuous cover carriers in such a manner that the very existence of the
embedded messages is undetectable. Creative methods have been devised in the hiding
process to reduce the visible detection of the embedded messages. An overview of
current steganography software and methods applied to digital images is examined
below.

Hiding information, where electronic media are used as such carriers, requires
alteration of the media properties, which may introduce some form of degradation. If
applied to images that degradation, at times, may be visible to the human eye and point to
signatures of the steganographic methods and tools used. These signatures may actually
broadcast the existence of the embedded message, thus defeating the purpose of
steganography, which is hiding the existence of a message.

Two aspects of attacks on steganography are detection and destruction of the

embedded message. Any image can be manipulated with the intent of destroying some
hidden information whether an embedded message exists or not. Detecting an embedded
message also defeats the primary goal of steganography, that of concealing the very
existence of a hidden message. Our goal is not to advocate the removal of disabling of
valid copyright information from stego images, but to point out the vulnerabilities of such
approaches, as they are not as robust as is claimed.

©Srijan’10 Page 21
 6.1 Detecting Hidden Information:
Steganography tools typically hide relatively large blocks of information serially or
redundantly throughout the entire image. In any case, these methods insert information
and manipulate the images in ways as to remain invisible to the human eye. However,
any manipulation to the image introduces some amount of distortion and degradation of
some aspect in the “original” image’s properties. The tools vary in their approaches for
hiding information. Without knowing which tool is used and which, if any, stegokey is
used, detecting the hidden information may become quite complex. However, some of
the tools produce stego-images with characteristics that act as signatures for the
steganography method or tool used.

To begin evaluating images for additional, hidden information, the concept of

defining a “normal” or average image was deemed desirable. Defining a normal image is
somewhat difficult when considering the possibilities of digital photographs, paintings,
drawings, and graphics. Only after evaluating many original images and stego-images as
to color composition, luminance, and pixel relationship do anomalies point to
characteristics that are not “normal” in other images. Several patterns became visible
when evaluating many images used for applying steganography. The chosen message and
known cover attacks were quite useful in detecting these patterns. In images that have
color palettes or indexes, colors are typically ordered from the most used colors to the
least used colors to reduce table lookup time. The changes between color values may
change gradually but rarely, if ever, in one bit shifts. Gray-scale image color indexes do
shift in 1-bit increments, but all the RGB values are the same. Applying a similar
approach to monochromatic images other than gray-scale, normally two of the RGB
values are the same with the third generally being a much stronger saturation of color.
Some images such as hand drawings, fractals and clipart may shift greatly in the color
values of adjacent pixels. However, having occurrences of single pixels outstanding may
point to the existence of hidden information.

©Srijan’10 Page 22
 Added content to some images may be recognizable as exaggerated noise. This is a
common characteristic for many bit-wise tools as applied to 8-bit BMP and GIF images.
Using 8-bit BMP images without manipulating the palette will, in many cases, cause
color shifts as the raster pointers are changed from one palette entry to another. If the
adjacent palette colors are very similar, there may be little or no noticeable change.
However, if adjacent palette entries are dissimilar, then the noise due to the manipulation
of the LSBs is obvious. For this reason that many authors of steganography software and
some articles stress the use of gray-scale images (those with 256 shades of gray). Gray-
scale images are special occurrences of 8-bit images and are very good covers because
the shades gradually change from color entry to color entry in the palette.
Detecting in BMP images :
Using images, with vastly contrasting adjacent palette entries, to foil steganography
software so that small shifts to the LSBs of the raster data will cause radical color
changes in the image that advertise the existence of a hidden message. Without altering
the 8-bit palette, changes to the LSBs in the raster data may show dramatic changes in the
stego-image.
In a BMP image, the first 54 bytes contain the image header (height, width, etc). In
case of 8-bit BMP the next 1024 bytes (256 entries * 4 bytes = 1024) contain the color
palette. The image data starts next, indicating the color value from the palette table by 8-
bit only. Whereas, in case of 24-bit BMP the image data starts after the header with each
pixel represented by 24-bit RGB value. The first pixel value in the file goes in the lower
left hand corner, and the second one goes just to its right. The image is scanned from left
to right, bottom to top, until all the pixels have been specified.
Some of the bit-wise tools attempt to reduce this affect by ordering the palette. Even
with a few numbers of distinct colors, sorting the palette may not be sufficient to keep
from broadcasting the existence of an embedded message. Other bit-wise tools and a
transform tool take it a step farther and create new palettes. Converting an 8-bit image to
24-bit provides direct access to the color values for manipulation and any alteration will
be larger in size and may be unsuitable for electronic transmission. A possible solution is
to convert the image back to an 8-bit image after the information is hidden in the LSBs.
Even if the colors in the image palette change radically, this method may still hide the
fact that a message exists.
©Srijan’10 Page 23
 Since 8-bit images are limited to 256 unique color entries in the image palette,
consideration of the number of unique colors used by the image must be considered. For
example, if an image contains 200 unique colors and steganography is applied then the
number of unique colors could easily jump to 300(assuming that LSB steganography
alters on average 50% of the bits and the new colors are added.) Reducing the image to
8-bit again will force the image into 256 colors. There is a high probability that some of
the new colors created when modifying the LSBs will be lost.

One method around this is to decrease the number of colors to a value that will
maintain good image quality and ensure that the number of colors will not increase
beyond 256. This novel approach applies techniques and reduces the number of colors to
no less than 32 unique colors. These 32 colors are “expanded” up to eight palette entries
by adding adjacent colors in the palette that are very close to the original color. This
method produces a stego-image that is so close to the original cover image that virtually
no visual differences are detected. However, this approach also creates a unique pattern.

Figure 1: Original BMP image and its palette.

©Srijan’10 Page 24
 Detecting in TEXT file :

fffffffffffffffffffffffffffffffffffffffffffff

Detecting in GIF images

Pictures in a computer are divided into pixels (picture elements), organized

horizontally and vertically in lines, much like lines of characters on a page. The GIF must
represent a rather large number of pixels efficiently, or the file size (and Internet transport
time) gets too large.

In a GIF image, the first pixel in the file goes in the upper left hand corner, and the
second one goes just to its right. The image is scanned from left to right, top to bottom,
until all the pixels have been specified.

Each pixel has a color. In GIF images, a color is specified using Red, Green, and
Blue components. With 8 bits for each component, there are over 2^24, or about 16
million possible colors. A naive representation of the image would simply store three
bytes for each pixel. But then a 640x480 pixel image (which is a modest size) would be
around a megabyte of data. At a modem speed of 56 kilobits per second, it would take
131 seconds, more than two minutes, to download the image. GIF compresses the data,
reducing the number of bits to represent the image.

The first kind of compression that GIF uses is called a color map. Instead of allowing
the image to contain all 16 million colors, GIF restricts the image to a maximum of, say,
256 out of the 16 million (the number of colors in the color map can be varied). It can be
any 256 out of the 16 million, so there is no loss of richness of possible colors. But no
more than 256 distinct colors can be used simultaneously in any one image. The colors
are stored in a color map table, and the color for each pixel is specified as an index into
the table. So instead of using 24 bits for each pixel, a file only contains an 8-bit index. (A
24-bit display of a modern computer can display all 16 million colors simultaneously; so
multiple GIF images with different color map tables can be simultaneously displayed
with good color fidelity.) A GIF image can be non-interlaced, interlaced or animated.

©Srijan’10 Page 25
 With color map table of 256 entries, the above scheme reduces the amount of data by
a factor of three. But GIF does better than this. The second kind of compression that GIF
includes is called run-length coding. This makes use of the fact that neighboring pixels
are often the same color in a typical image. When several pixels have the same color,
instead of storing them individually, they are stored as a run length followed by the color.
For example, a sequence of three Blue pixels could be stored as "Blue Blue Blue" or "3,
Blue". The specifics of how this is done are a little complex; GIF uses a sophisticated
variation of run-length coding known as Lempel-Ziv-Welch coding.

Different steganography tools have different methods of tampering. Some of them

keep a definite signature in the GIF image. It is possible to extract out the palettes from
the image and find distinguishing features from it that indicates that the image is
tampered. Further more different tools have different signatures.

Figure 2: Original GIF image and its palette

©Srijan’10 Page 26
 6.2 Looking for Signature:

One method for detecting the existence of hidden messages in stego-images is to

look for obvious and repetitive patterns that may point to the identification or signature of
a steganography tool or hidden message. Distortion or patterns visible to the human eye
are the easiest to detect. An approach used to identify such patterns is to compare the
original cover-images with the stego-images and note visible differences (known cover
attack). Minute changes are readily noticeable when comparing the cover and stego-
images. These subtle distortions may go unnoticed without the benefit of such a
comparison. In making these comparison with numerous images, patterns begin emerge
as possible signatures to steganography software. Some of these signatures may be
exploited automatically to identify the existence of hidden messages and even the tools
used in embedding the messages. With this knowledge base, if the cover images are not
available for comparison, the derived known signatures are enough to imply the existence
of a message and identify the tool used to embed the message. However, in some cases
recurring, predictable patterns are not readily apparent even if distortion between the
cover and stego-images is noticeable.

Mechanism of Signature Detection:

Known cover attack and known message attack, these two levels of attack of
steganography have been used in order to analyze the steganography tools under
consideration viz. PGE (V2.0), WbStego (V2.1) and WbStego99 (V3.5).
To perform Steganalysis, two images (synthetic) of same dimensions, say
BLACK.bmp and WHITE.bmp were taken as covers (known). A fixed text message of
fixed length say msg.txt has been considered as the payload (known message). This
message has been embedded in both the (known) covers, with the help of the
Steganography tool under consideration, to get the tampered / steganographic images as
output. So in tabular form we have-

©Srijan’10 Page 27
 Known covers Known message Tampered/Steganographic
Images
BLACK.bmp msg.txt BLACK_msg.bmp
WHITE.bmp msg.txt WHITE_msg.bmp
The primary objective behind this is as follows-
The payload, being same and the covers being known and of same dimension it is
expected that the same bit pattern (of the message/payload) will be embedded in the
same positions of the original images. The individual pairs of original and the
corresponding tampered images are studied (in hex editors, w.r.t the alterations in the bit
patterns due to message embedding). Now the positions where the bit patterns underwent
changes considering both the pairs (union) will give the possible positions where the
payload has been embedded. Thus, giving the signature, for the tool under consideration.
For example, let 10110 be the binary code of the (fixed) payload to be embedded in the
given two images BLACK.bmp and WHITE.bmp.
Let ….11111111111111111111111…. be the bit pattern of a certain position in the
original image BLACK.bmp which has been changed to the bit pattern
…..11011011111111111111111….. in the tampered image BLACK_msg.bmp.
Let ….00000000000000000000000…. be the bit pattern of the same region (w.r.t the
BLACK.bmp) in the original image WHITE.bmp which has been changed to the bit
pattern ….01011000000000000000000…. in the tampered image WHITE_msg.bmp.
Now considering the position of the 1st bit of the given bit patterns in the original images
as 1st position , the bit pattern underwent changes at the positions {3,6} and {2,4,5} w.r.t
(BLACK.bmp, BLACK_msg.bmp) and (WHITE.bmp, WHITE_msg.bmp) respectively i.e.
….11111111111111111111111…. BLACK.bmp
….11011011111111111111111…. BLACK_msg.bmp
And

….00000000000000000000000…. WHITE.bmp
….01011000000000000000000…. WHITE_msg.bmp

In Set theory notations, considering tampered positions for the pair (BLACK.bmp,
BLACK_msg.bmp) as the set A= {3, 6} and for the pair (WHITE.bmp, WHITE_msg.bmp)

©Srijan’10 Page 28
 as the set B= {2, 4, 5} . Thus the region for signature detection for the considered tool is
given by the set C whose elements are the positions {2, 3, 4, 5, 6} i.e. C= {2, 3, 4, 5, 6}
i.e. C=AUB.

Example of palette signature in GIF images.

1. The Third Eye :

Third Eye creates stego-images with a special characteristic in the palette. It so

happens that when the color palette entry in a normal GIF image is less than 256, it has
the tendency to fill up the remaining of the color palette with zeros. If the image has got
256 color values then it becomes difficult to distinguish the stego-image with that of the
original as there is no difference in the two palette entries.

©Srijan’10 Page 29
 3. Stegano GIF Palette Order (SGPO) :

Stegano GIF Palette Order is a steganography tool that changes the palette of a GIF
image and orders them serially according to the red values or the blue values for the same
red value. Investigation has been done for more than 200 color images, which shows that
red value or the blue value of the tampered image increases gradually to a threshold
value. This is a unique signature for this particular steganography tool.

©Srijan’10 Page 30
7. Software Package to extract plain and encrypted
message from steganographic images.

A goal of steganography is to avoid drawing suspicion to the transmission of a

hidden message, so it remains undetected. If suspicion is raised, then this goal
is defeated. Steg-analysis is the art of discovering and rendering such messages useless.
Analysis on hidden information may take several forms: detecting, extracting, confusing
and disabling hidden information.

Just as a cryptanalyst applies cryptanalysis in an attempt to decipher encrypted

messages, the steganalyst is one who applies steganalysis in an attempt to detect the
existence of hidden information. The hidden message in steganography may or may not
be encrypted. If it is encrypted, then if the message is extracted, cryptanalysis techniques
may be applied to further understand the embedded message. The hidden message can be
in a plain (i.e. non-cryptic) or cryptic form and serially or randomly embedded in the
least significant bits or appended at the end of the image or by any other phenomenon.

The challenge with steganography is not only in detecting that something has been
hidden, but decoding the hidden message. Some possible attack techniques used for
steganalysis are given below.
• Stego-only attack. Only the stego-object is available for analysis.
• Known cover attack. The ‘original’ cover-object and stego-object are both
available.
• Known message attack. At some point, the attacker may know the hidden
message. Analyzing the stego-object for patterns that corresponds to the hidden
message may be beneficial for the future attacks against that system. Even with
the message, this may be very difficult and ma yeven be considered equivalent to
the stego-only attack.
• Chosen stego attack. The steganography tool and stego-object are known.
• Chosen message attack. The steganalyst generates a stego-object from some
steganography tool or algorithm from a chosen message. The goal in this attack

©Srijan’10 Page 31
 is to determine corresponding patterns in the stego-object that may point to the
use of specific steganography tools or algorithms.
• Known stego attack. The steganography algorithm (tool) is known and both
the original and stego-objects are available.

Even given the best alternative for the attacker, the embedded message may still be
difficult to extract. Sometimes the approach is not to attack algorithm or images at all, but
to attack the password used to encrypt or choose the bits to hide the message. This ‘brute
force’ is successful against some tools, but still requires significant processing time to
achieve favorable results.

7.1 Extraction of serially embedded plain text : Pretty Good

Envelope.

Introduction :

PGE is not an encryption program, nor a safe tool to rely on privacy by itself. PGE is
just a special kind of envelope we use to send or receive our messages or data. PGE
inserts the data into a GIF or JPG file, and yet, being able to view the picture after
inserting the data. Apparently, all that are done is transferring innocent pictures. A
companion program UNPGE retrieves the message.

©Srijan’10 Page 32
 PGE and UNPGE procedure :

PGE is a DOS based program. So it is necessary to go to the directory where

envelope file is located and run PGE. It is not very secure in hiding text since the text
would be visible from an ordinary binary editor such as DEBUG or Hex-Editor.

Exploration :

It hides a message file in another file by the very simple method of appending the
message to the file, and then appending a 4 byte little endian number, which points to the
end of the message after the GIF image terminator “ 00 3B”. The binary code for non-
tampered and tampered image is shown below. The image is tampered with the message
‘kolkata’.

Method of Extraction :

The image file is read till the last ’00 3B’ is obtained which indicates the end of
GIF image. The next bytes are extracted till the 4 bytes from the end of the file, which
indicates the end of message. The ASCII values as obtained when printed in character
format, gives the hidden message.

©Srijan’10 Page 33
 7.2 Extraction of serially embedded encrypted text :
Camouflage

Introduction :

Camouflage allows us to hide files by scrambling them and then attaching them to
the file of our choice. This camouflaged file then looks and behaves like a normal file,
and can be stored or emailed without attracting attention.

For example, we can create a picture file that looks and behaves exactly like any
other picture file but contains hidden encrypted files, or we can hide a file inside a Word
document that would not attract attention if discovered. Such files can later be safely
extracted.

For additional security we can password our camouflaged file. This password will
be required when extracting the files within. We can even camouflage files within
camouflaged files.

Camouflaging and Uncamouflaging Procedure :

Camouflage is a Windows based program. After installing Camouflage we will find

two new menu options when right-clicking files in Windows Explorer; 'Camouflage' and
'Uncamouflage'. We can camouflage a file or several files at a time by highlighting them
in Windows Explorer, then clicking the right mouse button and choosing 'Camouflage'
from the pop-up menu.

In the second screen choose a file to be used as camouflage. This can be any type of
file, but some files work better than others. For example, avoid choosing a text file
because Notepad would display the entire contents of it, including the scrambled files
attached. Most other files work well. Once you have selected a file, click 'Next'.

©Srijan’10 Page 34
 From the third screen choose the folder and filename of the camouflaged file that
will be created. The default folder is the folder where you selected the files in Windows
Explorer, and the default filename is the name of the file you selected for use as
camouflage in the previous screen.
From the final screen we can type in a password if we wish. This password will be
required when extracting files from our camouflaged file. If we do not wish to add a
password we just click 'Finish'.
Clicking 'Finish' will create the camouflaged file and then exit.

To extract the files hidden within a camouflaged file, right-click it in Windows

Explorer and choose 'Uncamouflage' from the pop-up menu.

A password prompt appears in the Uncamouflage dialog. If this file was created
with a password, type it in. Note that Camouflage was designed so that it doesn't reveal
camouflaged files to the casual observer. For this reason the password screen is always
displayed whether the file is a camouflaged file or not, or whether or not it contains a
password. Once you have entered the correct password (if applicable), click 'Next'.

The second screen displays the files hidden within the camouflaged file. The first is
the file originally used as camouflage and the second one is the hidden message file.
Click ‘Next’.

From the final screen, choose the folder where the files are to be extracted. If you're
not extracting the first file in the list (the file originally used as camouflage), the default
folder will be the folder where you right-clicked on the camouflaged file in Windows
Explorer.
Click 'Finish' to extract the files and exit.

©Srijan’10 Page 35
 Exploration :

Camouflage hides a message file in another cover file by the very simple method of
appending the message at the file. After the GIF image terminator (’00 3B’) is obtained,
26 bytes garbage is ignored. The next 4 bytes give the message length. The hidden
message is serially appended from the very next byte in a cryptic form. The end of the
message is indicated by ‘FF FF FF FF’ mark. From the end of the image file we move
back 275 bytes to locate the position of the start of the password, which follows the same
cryptic algorithm as that of the message. The password continues up to 2 consecutive ’20
20’ mark. The password can be of 255 characters in maximum.

The encryption is done by using the binary operator ‘XOR’. For each byte there is a
definite key. XOR-ing the ASCII value of the first character by the first key, second
character by the second key and so on gives the encrypted ASCII value. These values are
serially appended as the hidden message in above-mentioned position.

©Srijan’10 Page 36
 Methods of extraction :

In the password section we have ‘6A E0 1E 41 63’. The first key is "00000010".
‘6A(H)’ and ‘02(H)’ on XOR-ing gives ‘68(H)’ which is the ASCII value of ‘h’. The
second key is "10010101"; ‘E0(H)’ and ‘95(H)’ gives ‘75(H)’ which is the ASCII value of
‘u’. The third key is "01111010"; ‘1E(H)’ and ‘7A(H)’ gives ‘64(H)’ which is the ASCII
value of ‘d’. The forth key is "00100010"; ‘41(H)’ and ‘22(H)’ gives ‘63(H)’ which is the
ASCII value of ‘c’. The fifth key is "00001100"; ‘63(H)’ and ‘0C(H)’ gives ‘6F(H)’ which
is the ASCII value of ‘o’. Thus the password is: ‘hudco’. We can uncamouflage the
image using the password.
Otherwise the message can even be extracted in a similar fashion. The message as
shown in the figure is: ‘India is my motherland’.

©Srijan’10 Page 37
8. Conclusion

T he main feature of this software is the robustness. Following are the features,
which proves the robustness of the software.

a. Incase of 8-bit BMP images, the software can detect that the image is tampered
with 100% accuracy if stego tools like S-Tools and Hide4PGP tamper the image.

b. For GIF images, the software can detect that the image is tampered with 100%
accuracy if stego tools like S-Tools, Hide-and-Seek, Image-Hide, Stella- full,
Stegano-Gif-Palette-Order, Pretty Good Envelope and Camouflage tamper the
image.

c. Incase of GIF images, the software can detect that the image is tampered with less
than 100% accuracy if stego tools like Third-eye and Gifshuffle tamper the image.
There is around 10-15% false detection rate(FDR) in case of Third-eye and
Gifshuffle.

d. For GIF images the software can extract non-encrypted message in case the image
is tampered with PGE, with 100% accuracy. If the image is tampered with
Camouflage, the software can decrypt and extract the encrypted password and
message with 100% accuracy.

©Srijan’10 Page 38
9. Scope of future Application

A s far as deployment of this software is concerned, client urgently requires this.

The crime of steganography frequently occurs with the help of internet. The
best use of this software is to verify those images that are passed through the internet. So
we need Sniffer software that sniffs images of different format online at the ISP end. In
public domain, there is Sniffer software named Pick Packet that sniffs files including
images of different protocol like SMTP, FTP, HTTP and TELNET. Among them first
three is of our interest. This Sniffer software works mainly in three steps. First it
generates a configuration file then it starts filtering and finally post processing. The
output of the post processor generates a .pkt file that includes all information of sniffed
files of different protocol.

This software is one of the part of the security software. The Police Academy, Law
enforcement agencies require this type of software.

©Srijan’10 Page 39