Steganography

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:26

0
71
lượt xem
22
download

Steganography

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Now that we have taken a detailed look at cryptography, lets take a look at another related area, which is steganography or data hiding. Steganography (“stego”) is related to cryptography (“crypto”) because with both fields you do not want someone to be able to read your message, but stego does it with a slightly different approach.

Chủ đề:
Lưu

Nội dung Text: Steganography

  1. Steganography Security Essentials The SANS Institute Encryption and Exploits - SANS ©2001 1 Now that we have taken a detailed look at cryptography, lets take a look at another related area, which is steganography or data hiding. Steganography (“stego”) is related to cryptography (“crypto”) because with both fields you do not want someone to be able to read your message, but stego does it with a slightly different approach. With crypto, the message is garbled in such a way that someone cannot read the message, but they can tell that the message is encrypted. In certain environments, this could raise the suspicion to an unacceptable level. With stego, the real message is hidden in an overt message so someone can not even tell that you are sending a secret message. As you will see in practice, the two are often used together. Stego is a new area and hopefully you will find it exciting. We will also show you several of the tools that exist for hiding information and give you links where you can download the tools and try them out for yourself. 4-1
  2. Steganography (Stego) • Steganography, abbreviated as stego, not to be confused with stenography. • Involves concealing the fact that you are sending “sensitive” information • Data hiding • Relatively new field • Can hide in a variety of formats – Images • Bmp, Gif, Jpg – Word Documents – Text Documents – Machine Generated Images • fractals Steganography - SANS ©2001 2 Steganography is a fairly new, but very interesting field. It involves hiding data within another image, so that the meaning of the message and the fact that a message is being sent is concealed. There are methods where data can be embedded in a wide range of file types using a variety of methods. 4-2
  3. Crypto vs. Stego • Cryptography (Crypto) provides confidentiality but not secrecy. • It is fairly easy to detect that someone is sending an encrypted message, it is just very hard for someone to read it. • With stego, you do not even know someone is sending a message, you are hiding the true intent. Steganography - SANS ©2001 3 Lets quickly compare cryptography to steganography. With crypto, an unauthorized party cannot read the message but they can tell that the data has been encrypted. With stego, since the message is hidden, someone cannot even tell that a secret message is being sent. 4-3
  4. Detecting Cryptography • It is very easy for both humans and computers to detect that a message is encrypted. For example “test” becomes eJrMIedoDcgYmK7/XwY6Q+7RAeuPDSe0FziMLDU1GyUhc0WPcatAaIpw+Urc0MUX l257b1q11gFZN4S0rXwAKg2Tzqn9ois7+1pJHOdxI2fH9LCQmxtRBpZ79oFh+wFw cuPV3wW4Mgoh1HL2JQ7SarrJuZixgRoV+IW/HtoWx2Mvop+4CACHtTxbv8SjchhN FLaQNVQA1o00UgR+m7bJh42bWfR5cdGBYkVTzglbu5QXzFodk3PmtG+ghqNCz2CZ 5VZv3H581bSeydcM5zjK7DUd4OZEDSa9kF+9xKdyDMCfvFW5DyhlJkOBUVo8jvQM n/3nO8vGcx/5CcDVV6MF4xh5hPbV6NfP2OaOyNVXcHwn9n6/swH4OnrBciX8MCgF JCyXrwnlYl1GK7RBO67zw0imUkBABfAqc+Jwnbv2HJAAU0NDC+Vd+d9I4UZN6QJd 7RN821ID10ScXelDNiqCq8hxXHJM8qaP5gQp5iC2ExoPfFPl8KRsbOKcK5XPP57T • A human can infer that this is unreadable. Steganography - SANS ©2001 4 As you can see, a human can quickly detect that a message is encrypted. Based on this fact, it is easy for someone to infer information about two parties that are communicating. For example, if two parties periodically send a large number of encrypted messages and the next day a major terrorist event occurs...even though I can not tell what the 2 parties are talking about, I can infer that they were involved with the questionable activities. 4-4
  5. Detecting Cryptography (2) • Cryptography basically randomizes the characters in a message. • A histogram shows the frequency of characters. • A normal document has a non-predictable histogram. • An encrypted document has a flat histogram, since with randomization, all characters should appear the same amount of times. Steganography - SANS ©2001 5 By nature of how encryption works, when a message gets encrypted the distribution of characters becomes randomized. This provides a unique signature that can be used to detect encrypted text. 4-5
  6. Encrypted Text Histograms 181 The histogram for encrypted 161 141 text is very flat and easy for 121 101 Frequency 81 61 an automated program to 41 21 detect. 1 Normal Text 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 200 The histogram for “normal” 180 160 text is very non-uniform and 140 120 easy for an automated 100 80 Frequency program to distinguish 60 between encrypted and 40 20 unencrypted information. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 Steganography - SANS ©2001 6 As you can see with an encrypted message the frequency of characters is very uniform, with each character (1=A, 2=B,……26=Z) appearing the same number of times. By nature of how the English language works, we know that this does not occur with normal text. With a normal document, certain letters appear more often than others. For example the letters E and S will appear more often than the letters Q and Z. 4-6
  7. How Steganography Works? • Stego requires a host file and the hidden message. • Host file can be generated on the fly or use an existing file. • Hidden message is either used to generate a file or hidden in certain parts of an existing file. Steganography - SANS ©2001 7 Stego works by embedding a secret message within an open or overt message. Everyone will see the overt message and never know that it is a cover and the real message is hidden inside. 4-7
  8. General Types of Stego • There are many ways to hide information; lesson in creativity. • General methods: – Injection – Substitution – Generate new file Steganography - SANS ©2001 8 To hide data within an image, either the secret message can be embedded or injected within another image. This will increase the size of the file and be easy to detect. Or certain information in a file might be able to be replaced, which will not increase the size of the file. Also, a newer technique is to use the secret message to generate a new text or image file. 4-8
  9. Injection • Most file types have ways of putting information in a file that will be “ignored”. • For example, hidden form elements in html. • Word documents also have hidden information. – Create a large document and remove data, notice the file size is very large Steganography - SANS ©2001 9 With injection, data is put within a host file in such a way that when the file is actually read by a given program, the program ignores the data. Most programs, like web browsers or Microsoft Word, have ways of putting “hidden” data within a file, that exists in the file but is ignored when the program displays it to the user. 4-9
  10. Injection Example Browser displays “Hello World” but by viewing the source reveals a hidden message. Hello World     Steganography - SANS ©2001 10 Here is a simple example of injecting data within an html file. By using the hidden field, a message can be embedded within the source file, but ignored when displayed by the browser. 4 - 10
  11. Substitution • Data in a file can be replaced or substituted with hidden text. • Depending on the type of file and/ or the amount of data, it could result in degradation of the file. • Usually replaces insignificant data in the host file. Steganography - SANS ©2001 11 Data in a file can be replaced or substituted with hidden text. Depending on the type of file and/or the amount of data, it could result in degradation of the file. In order to make this technique undetectable to the human observer, the technique usually replaces insignificant data in the host file. 4 - 11
  12. Generate A New File • The hidden data can also be used to generate a new file. • No host file is needed. • For example, the input text can be used to generate fractals or “human” like text. Steganography - SANS ©2001 12 Also, to eliminate the need for a host file, the secret message can be used to generate a new file. For example, a file consisting of complex fractals can be generated based on the input file. This means that each unique input file would generate a unique output file. 4 - 12
  13. Stego Example • A common way to embed data in an image is to replace the LSB (least significant bits) • For an 8 bit file, each pixel is represented by 8 bits: – 10001100 – The most significant bits (MSB) are to the left and the least significant bits (LSB) are to the right. – If you change a MSB it will have a big impact on the color. If you change the LSB it will have minimal impact. Steganography - SANS ©2001 13 This shows an example of how data can be embedded in an image file using a basic technique call LSB. With this technique, the least significant bits of the image file are replaced with data. For an 8 bit file, each pixel is represented by 8 bits, 10001100. The most significant bits (MSB) are to the left and the least significant bits (LSB) are to the right. If you change a MSB it will have a big impact on the color. If you change the LSB it will have minimal impact. 4 - 13
  14. Stego Example (2) • If we change only 1 or 2 LSB’s in the image, it will have minimal impact because most human eyes can only detect around 6 bits of color. • Regardless of what the last 2 LSB’s are, a human eye can not tell the difference. • If we take 10001100 and change it to 10001111 or 10001110, it will all seem like the same color. • This means we can embed data in those bits. Steganography - SANS ©2001 14 Since the LSB’s will have a minimal impact, we will change those bits for each pixel. Regardless of what the last 2 LSB’s are, a human eye can not tell the difference. If we take 10001100 and change it to 10001111 or 10001110, it will all seem like the same color. This means we can embed data in those bits. 4 - 14
  15. Embedding Data in Pixels • So if our message converted to binary is 1101 0010, the first 8 pixels will be modified as follows – 1100 0101 becomes 1100 0111 – 1111 0010 becomes 1111 0001 – 1010 1111 becomes 1010 1100 – 0010 0010 becomes 0010 0010 • To an observer, the image looks normal. Steganography - SANS ©2001 15 The following shows how we would embed a data in the pixels of an image. So if our message converted to binary is 1101 0010, the first 8 pixels will be modified as follows 1100 0101 becomes 1100 0111 1111 0010 becomes 1111 0001 1010 1111 becomes 1010 1100 0010 0010 becomes 0010 0010 To an observer, the image looks normal. 4 - 15
  16. S-Tools • Embeds data in the LSB of the color table for bmp files. • Even if you have the original file, the two images look identical. • S-Tools is available from: – ftp://idea.sec.dsi.unimi.it/pub/security/ crypt/code/s-tools4.zip Steganography - SANS ©2001 16 Now lets look at an example of a popular tool that is used to embed data in images called S-Tools. 4 - 16
  17. S-Tools Example The image to the left is the original image and the image below has a 10 page document embedded in it. Through visual observation, they look identical. Or if you only saw the one with data hidden, it would not look suspicious. Steganography - SANS ©2001 17 Here you can see that even though the two images are not the same, they look identical and the file size is the same. 4 - 17
  18. Detecting S-Tools • Since S-Tools, changes the colors in the color table, it increases the number of near duplicate colors. • A normal bitmap (bmp) has very few duplicate colors. • A bmp with data embedded has a large number of duplicate colors. Steganography - SANS ©2001 18 If you know what to look for, detecting S-Tools is fairly straightforward. When you embed data in a bmp file, you are actually changing the colors in the color table. This is what the program uses to look up colors for each pixel. Since S-Tools changes the colors in the color table, it increases the number of near duplicate colors. A normal bitmap has very few duplicate colors. A bitmap with data embedded has a large number of duplicate colors. 4 - 18
  19. Detecting S-Tools (2) • A small program was written to print out the number of duplicate colors. • For a normal file, the following is the output: – D:\DH\Data\BMP>bmpmap forest.bmp – File Name: forest.bmp – actual size: 66146 Reported: 66146 – Duplicate colors: 2 • For one with embedded data: – D:\DH\Data\BMP\STools>bmpmap forest_h.bmp – File Name: forest_h.bmp – actual size: 66614 Reported: 66614 – Duplicate colors: 1046 Steganography - SANS ©2001 19 I wrote a small program that will go through the color table and determine the number of near duplicate colors. If the number of near duplicate colors is greater than 50, you know that data has been embedded in the image. Notice that even though the file size is the same for the two images, one has a larger number of duplicate colors. 4 - 19
  20. Stego Tools • There are a wide range of stego tools available from: – http://members.tripod.com/steganography /stego/software.html • There are over 200 stego tools ranging from different platforms to different techniques. Steganography - SANS ©2001 20 There are a wide range of tools available. Since this is a new field, most are fairly basic, but some are fairly sophisticated. The bottom line is, if you do not know that they are being used, you will not be able to detect even the simplest of tools. 4 - 20
Đồng bộ tài khoản