Steganography – Hidden In Bits 15th December 2001

Steganography - Messages Hidden in Bits

Jonathan Watkins
Multimedia Systems Coursework, Department of Electronics and Computer
Science, University of Southampton, SO17 1BJ, UK

Abstract
Steganography is the process of hiding one medium of communication (text, sound or image) within
another. This paper will discuss the tools used to both hide and unhide (know as Steganalysis) information.
A look at the history starting with Herodotus in ancient Greece describing secret messages written in wax
on stone tablets, to world war two’s secret double meaning Nazi messages and British Intelligences
invisible ink. Most recently the techniques have been accredited with Osama Bin Laden's Al-Qa’eda
terrorist network. Not all of Steganography involves some kind of subterfuge, I will also cover the area of
digital watermarking, a method to try to protect the copyright of image.

1. Introduction
The goal of this paper it to provide an overview of the Steganography. The word Steganography comes
from the Greek steganos (covered or secret) and graphy (writing or drawing) and means, literally, covered
writing [2]. We will look at history of Steganography through to current day uses and advancements in the
area, explaining how the digital age has seen the possible rebirth of Steganography and Steganlysis, the
process of finding the hidden information.
I will begin to explain the common misconception that Steganography involves cryptography.
Following through with some uses (and there respective tools) of hiding information in image and audio
files. This will include areas on digital watermarking and the idea of the ‘dead drop’ a method of passing
on secretive information in an anonymous way. Tools for hiding information using Steganography will also
be discussed.
Steganalysis, the process of finding hidden information will be described, again using some existing
software to debunk the tools described in the previous section.
Finally I will look at possible future developments in the area

2. Background

Not Cryptography?
Firstly, Steganography is not cryptography. Cryptography involves encrypting data so that any individual
that should find the data will not be able to decrypt it without knowing the correct method how, usually
through some contact/agreement with the original encryptor. Steganography is as described by Neil F.
Johnson and Sushil Jajodia in their paper ‘Steganalysis: The Investigation of Hidden Information’ as

‘The goal of Steganography is to avoid drawing suspicion to the transmission of a hidden message. If suspicion is
raised, then this goal is defeated.’[7]

So essentially with Steganography the actual subject message transmission (be that an image, sound or text)
is untouched but hidden within another source. Cryptography encrypts the actual subject of the
transmission to ensure its integrity; it is not hidden but merely ciphered. Steganography can involve
cryptography by hidden an encrypted subject but usually this is not the case, possible due to the difficulties
that lie in hiding the subject in the first place without even considering if the subject is encrypted. I will be
describing software used to hide images and sound files with others later in this paper. Out of these tools
none of them uses any kind on cryptography, although there is nothing stopping a user encrypting the files
before hiding.
I think Steganography can best be described by the quote given below:

‘Steganography is the art and science of communicating in a way which hides the existence of the communication. In
contrast to cryptography, where the "enemy" is allowed to detect, intercept and modify messages without being able to
violate certain security premises guaranteed by a cryptosystem, the goal of Steganography is to hide messages inside
other "harmless" messages in a way that does not allow any "enemy" to even detect that there is a second secret
message present’ [Markus Kuhn 1995].

-1- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

History of Steganography

The first recorded use of Steganography is from the Histories of Herodotus, where in ancient Greece text
was written on wax covered tablets. Herodotus describes how Demeratus wanted to warn Sparta on an
imminent invasion from Xerxes. In order to hide the message he scraped wax off a tablet and wrote a
message. The tablet was then covered with wax again. Upon inspection by enemy soldier the tablets
appeared blank and were allowed to pass. Other ancient methods include tattooing messages on a courier’s
head, and allowing their hair to grow, thus hiding the message and allowing the courier to deliver their
message unhindered (although obviously their hair had to removed again upon deliverance).

From the medieval period through to the renaissance many complex ciphers were being developed and used
so also was Steganography. The hiding of hidden messages in elaborate book covers and paintings became
popular as not only a way to transport secretive information but as a trademark among artists and scholars
alike.

By the 1940’s Steganography was called upon again to hide secret messages. World War Two is better
known for the birth of hardcore encoding (E.g. the German Enigma) and the computer to crack this code.
However along side these messages ran many different tools and uses for Steganography. The German
Abwehr (military intelligence) would transmit messages where only certain letters of a transmission formed
the real message:

The following message was actually sent by a German Spy in America in WWII :

Apparently neutral's protest is thoroughly discounted

and ignored. Isman hard hit. Blockade issue affects
pretext for embargo on by products, ejecting suets and
vegetable oils.

Taking the second letter in each word the following message emerges:
Pershing sails from NY June 1. (Taken from Johnson, History and Stenography [8])

This is Steganography, not cryptography. Both texts make sense and the true messages is not
encrypted/scrambled but distributed throughout the first. This does not affect the first message.
Other forms include Great Britain’s S.O.E. (Special Operations Executive) passing messages to agents in
occupied Europe written in invisible inks, these messages could appear as simple blank pieces of paper or
another letter upon inspection but could contain vital communication written between the lines, only made
visible in a given solution [16]. Much like the German example above tiny pinpricks were added above
individual letters in a letter to mark out the letters needed to read the words of the real message.

Steganography has until recently been far less researched by industry and academics than cryptography.
This has changed. In 1996 first academic conference on the subject was organised. This was followed by
several other conferences focussing on information hiding as well as watermarking. The US government
has also announced its interest now devoting funds for research in both cryptography and now
Steganography. The fifth international workshop on information hiding will be held in October 2002. [13]
A continuation of this can be found under section 3’s ‘digital watermarking’ for protecting copyright and
‘the dead drop’, detailing a modern use for steganography and its less desirable users.

3. Uses of Steganography

Image & Audio Steganography

The simplest method of hiding information within a file is to replace all the least significant bits (LSB)
within each bit plane of a file. This change can barely been seen by the naked eye even when up to 4 of the
LSB’s are changed in each plane. This method however is not successful in audio Steganography as
changes to the LSB adds ‘noise’ that can be audible during quiet periods of the sound [15]. Steganalysis
tools can also easily detect this method, increased success can be achieved by removing some of the
randomness introduced by the bit changes, e.g. a change of every LSB by one would probably not be

-2- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

detected as there is no random element present. The bits would be assumed to form part of the original
image.

An increasingly complex method of image Steganography is known as the patchwork algorithm [15]. This
algorithm randomly selects pairs of pixels on a given image. The brighter of the two pixels is made
brighter, and the darker one darker. This change is so subtle that it is undetectable to the human eye; even
at high zoom levels the changes simply are not sufficient to make the image appear altered. The contrast
change between these two pixels now forms part of the bit pattern for the hidden file. In order to go
undetected by a filtering attack (see section 4) a limit to a few hundred changes can take place. A similar
technique can be used in audio files, increasing the amplitude contrast of pairs of randomly chosen sound
samples within the overall audio file. A filter is then applied to remove any high frequency noise created as
a result of the increases.

Example of Steganography Tools

Below is an innocent image of Big Ben and the houses of parliament. This is a 486Kb (sufficiently large to
hide most small text and image files in) True Colour jpeg image. With an image of this size using the
software below it is possible to hide a file of a maximum size of approximately 30Kb. I have chosen an
image with a large expanse of one colour; the sky, for reasons explained later. I will demonstrate a series of
images all with hidden files within, using the various options available in JSteg and comparing quality of
the output image, highlighting visible flaws. To ensure a fair test all images with hidden files had the
hidden files extracted afterwards to ensure their integrity. This was done using a freeware programme
called Jsteg version 2.0 by Korejwa [9]. Both images come from the Microsoft online clipart gallery and
are assumed clean of any previous Steganography.

Figure 1: Untouched 486Kb Jpeg Image (shown at 35% size to fit on page). White area shows the area of zoom for my examples of
JSteg’s ability

Figure 2: 7.9Kb jpeg image (to be hidden)

-3- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

Figure 3: Untouched Jpeg, zoomed in at 400% to clock tower area

Figure 4: Image in Figure 2 added using JSteg,

400% zoom. No compression or extra encryption added. Note area of sky has distortions not present in Figure3.

Figure 5: 145 line, 1015 word text file

400% zoom. Again No compression or extra encryption added, again area of sky has distortions not present in Figure3.

Figure 6: Image in Figure 2 added using JSteg,

400% zoom. Maximum compression Quality, image in figure 2 compressed using RAR. Smooth applied and Huffman table for
encoding optimised.

-4- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

Using [Figure 3] as a benchmark [figure’s 4 & 5] show slight distortions around the blue-sky area.
Although this is present in 3 (due to the high level of zoom) more regular patterns of distortion can be seen.
JSteg is a freeware program so perfect results were not expected but looking at [Figure 6], using some of
JSteg’s advanced features the output file is nearly indistinguishable from the original.

Audio
Obviously I will not be able to give examples of audio Steganography but I can briefly describe a piece of
software I found for hiding text files within a WAV file and then compressing the result into MP3 (and its
extraction). Mp3Stego is a freeware program by Petitcolas, F [13]. This piece software actually encrypts
the input file and can even password protect it. The hiding process takes place during Layer III encoding
from WAV audio to MP3. Here bits from the input file are encoded in with matching bits from the WAV
file. Checks are made on any distortions introduced against a given threshold.

Encoding a simple text file into a WAV file is carried out from a command prompt with options about
output filename and password protection given as command line arguments.

After hiding a 5-word sentence (in a txt file) into a 300Kb MP3 file there was no obvious defects in the
output file. Upon sharper listening short ‘crackling’ distortions can be heard in areas of silence or quieter
audio; these were not in the original. The encoding process described at the start of section 3 may have
caused this. However these defects could easily be accredited to simply sound distortions during the
recording process and not the presence of a hidden file.

Digital Watermarking
Most research and development in Steganography is in digital watermarking. This is the process of marking
an image (although primarily images are used, both audio and video can be watermarked) with some kind
of digital ID. This ID is unique to the owner of the image and so can be used to copyright that image.
Digital watermarking was created for businesses (or individuals) that have a web presence involving
images that they consider their property (they are copyright). Thanks to the way that the average web
browser operates there is very little to stop a user downloading an image from a web page and using it
elsewhere, making any alterations as they want. Techniques include using Java script to disable right
clicking (to disable the ‘save as’ function), which can promptly be overcome by simply saving the whole
page. There is a need for images to actually protect themselves, as apposed to security features on the pages
they are displayed upon.

There are numerous web companies offering such services to help people protect their copyright images.
Digimarc [4] is one of biggest; I will use this as an example case study.

Digimarc sell software to invisibly imprint (watermark) images with a unique ID, made up of a code unique
to the customer and a code unique to the image. The software to detect and read the digital IDs is free.

Copyright images are then protected in two ways. Firstly by a product from Digimarc called MarcSpider
[5], this program crawls the web for customer’s images. MarcSpider then makes detailed reports on the
location and dates of any images found with Digimarc IDs in. Customers can then subscribe to this service
and are notified of any images found (and details of the find). Digimarc claim that it has coverage of over
50 million images a month [3].

Subscribers who discover their images on other websites can act as they wish. They may use the data to
simply investigate the popularity of their product or to enforce copyright of their images (possible by
means of a legal threat).

The second method is a process called ImageBridge [4]. Here each time a Digimarc enabled application
opens a copyrighted image (with a Digimarc code inside) a copyright logo is displayed on the title bar of
the image, with ImageBridge Pro IDs image displaying and editing can be blocked all together. This helps
protect an image author’s copyright on that image as well as let any potential editor know the image is
copyrighted. Already most major graphics package vendors (Adobe, Corel to name but two) have signed up
to support this method.

-5- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

Digimarc will work round some attempts to avoid inspection of images but still falls down on a number of
easy to action methods:

• Mosaic [14]:
Splitting an image up into smaller areas then displaying all of the smaller images next to each
other looks as if the image is whole (and normal) but because of the break up MarcSpider will
detect several different images and fail to detect an ID in a potential copyrighted image [Figure 7].

Figure 7: avoiding Digimarc’s MarcSpider through breaking an image up thus ruining the ID[14]. (Would normally be
displayed with each image touching to give the impression of one whole picture)

• Within a Java Applet:

Displaying an image through a Java applet doesn’t allow Marcspider to check its validity as it can
only check pages displayed from a HTML tag or similar.

• Block Requests:
The web server hosting page’s with images on could simply ignore [NYT 10] MarcSpider’s
request to view the page. The above reference from the New York Times comments that this is
simply to often the case with either requests ignore or images that need to be checked are hidden
behind passworded area of the web server where MarcSpider can’t reach.

• JPEG Compression:
Heavy JPEG compression [10] can diminish the Digimarc ID to the point where it is read as
invalid or simply disappears from the image altogether. There is currently no way to prevent this.

Essentially Digital watermarking is still not at a point where it can guarantee 100% detection of all images
in violation of copyright. Despite Digimarc’s efforts there are still far to many methods to get around
detection, for Digimarc to improve against some measure it would either have to breach website security or
increase the strength of its watermarks, both of which are not possible. (The later is not possible currently
without degrading the image).

The ‘Dead drop’

The ‘dead drop’ is a term used by security agencies around the globe to describe a process of anonymous
communication between two parties. The integral advantage of the dead drop is the anonymity of all
individuals involved in the message passing.

Most recently Agent Robert Philip Hanssen of the FBI was arrested and charged with spying for Russia [3].
Although no details on when he was recruited by Russian intelligence was given out; information on his
passing on of secrets was. Hanssen would walk through a nearby park on his way to work every morning.
When he had information to pass on he would leave a chalk mark on a tree or bench. The following day he
would look for another chalk mark in the park. This mark would be presumably left by a Russian agent
from the nearby Russian Embassy. Hassen would receive payment in cash through another ‘drop’ a few

-6- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

days later. It was discovered that although Hassen knew he was in the pay of the Russian’s he didn’t know
his contact (who would make the drop to him) and they probably had no idea who he was. This way should
any part of the message passing chain fail (get discovered) only that individual would be affected. They had
no knowledge of their contacts. It is a ‘dead drop’ as there is no social contact; the passing of information is
carried out completely anonymously.

This is why Steganography has possibly become a tool for the dead drop over the Internet. Information can
be communicated over the Internet reasonably anonymously; the using of pseudonym emails and
usernames aids this. Encryption can also hinder any attempts to intercept. Eventually though even if the
content of the actual transmissions are never discovered their sources and perhaps even individuals can be
traced from a point of origin. Remember a sender needs to know who to send to.

Steganography can provide the extra piece of secrecy that these transactions require, complete anonymity
between sender and receiver.

It has been suggested; especially since the events of 11th September that terrorist’s have been using
Steganography to communicate. Wired News reports of members of Osama bin Laden Al-Qa’eda group
posting instructions for terrorist activities on sports chat rooms, auction sites and pornographic bulletin
boards; all this is reportedly refuted by U.S. Government and other foreign officials [12]. The BBC also
tells us of ‘speculation that Bin Laden has hidden messages in pornographic images posted and swapped on
Usenet, eBay and Amazon’ [17]. Another article from the BBC confirms that ‘French officials believe
terrorists would have received their final instructions for the plot hidden in e-mail messages or even in
pictures placed on the net’ [1]. Again no actual concrete sources are mentioned. Has Steganography on the
Internet become another urban legend, only to really exist in the minds of the paranoid?

The Internet would be ideal for a dead drop. Images could be posted on bulletin boards that appear
perfectly normal to everyone else but to the right person the image can be downloaded and information
extracted. Secret correspondence could also be requested much like the chalk on the park bench above. An
individual could post a request on a board asking for a specific type of image/audio file. The other person
in the chain, which would be looking for posts like this, would then see their contact would like to
communicate. They would then post the required image (hidden information inside). The process would
continue and the two parties would maintain total anonymity (ideal for individual terrorist cells to operate
as if one is caught they don’t know there contacts personally so they can’t betray anything). Other people
using the board for a more legitimate use would never know what was happening. This theory was put to
the test and is discussed in section 4.

4. Steganalysis
Steganalysis is simply:

Discovering and rendering useless such covert messages is a new art form known as Steganalysis.
[Neil F. Johnson, Jajodia 7]

Steganalysis usually consists of brute force attacks using some of the tools discussed earlier in section
three. Brute force attacks usually consist of simply running tools against images to see if they confirm there
is more information present, then running a dictionary attack to crack any password there might be
preventing the unlock of it.

Other methods include running pattern-matching utilities over the bit patterns of the images. As mentioned
in section three, irregular changes in the less significant bits in bit planes can easily be matched if they
don’t occur regularly enough. (E.g. they are not justified if the irregularities truly occur rarely with the
bits).

A StirMark attack [15] is the best and most successful attack on reputed Stegangraphic images. StirMark is
a tool developed for testing the robustness of an image-marking algorithm. At its lowest level StirMark
introduces errors into the image (as if the image had been high quality printed and scanned in again). A
slight distortion (consisting of a stretch, shear and possible a subtle rotation) is applied. Increasing subtle
defects are mathematically added; at this point most normal images start showing noticeable defects. An
image with a Stegangraphic component will not survive this process. The defects added from a
mathematical approach (rather than random errors) damage the images bit pattern to badly for the image

-7- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

and hidden content to survive. After several cycles the images is left as noise making the image instantly
suspicious.
The image example where taken from Attacks on Steganographic Systems by Andreas Westfeld [18]. They
show an image [Figure8] with StirMark filtering applied to it to give [Figure 9]. A copy of [Figure 8] was
taken, had information hidden in it then the same level of StirMark applied. As can be seen at the same
level as [Figure 9], [Figure10] is completely degraded to noise. A normal un-Steganographic image would
not do this.

Figure 8: Normal image (was also used later to contain hidden data)

Figure 9: After StirMark filtering the image is still there but degraded heavily

Figure 10: Started off as Figure 8 with Steganographic content, after same levels as Figure 9 the image is destroyed.

A study, by Niels Provos and Peter Honeyman of the University of Michigan of more than two million
images downloaded from eBay auctions[6] appears to show little evidence that terrorists--or indeed
anybody is using the images to hide encoded messages [11]. Provost and Honeyman wrote a program to
crawl through and examine all files on ebay over 20K in size. Using 60 computers they searched all images
for evidence of hidden information using three common Steganography tools: JSteg, JPHide and OutGuess.
The search was narrowed after initial tests to about 17,000 images. The clusters of computers (with the
tools above) were then used to mount a dictionary attack to crack any passwords to stop files being
unlocked. The attacks failed.

Three possibilities for failure were given, firstly no one uses any of the stegangraphic tools they used,
secondly all users who did had carefully chosen passwords which dictionary attacks alone could not crack.
Finally, that there is simply no significant use of Steganography on the Internet. They conclude with the
later. "The most likely explanation is that there is no use of Steganography on the Internet" [Provos,N 11].
However, the researchers now plan to increase their search from eBay to include content from the USENET
image groups.

I don’t find it that surprising that there were no finds on eBay. Ebay’s auctions last for a set amount of time
(typically 1 week maximum). Also registration is required with personal and credit card information. If
someone wanted to communicate with Stegangraphic images (presumable secretly) this would be pretty
restrictive. Newsgroups and Bulletin boards are far more likely candidates, due to their opened ended

-8- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

threads, underground culture and users only really registering with a name and an email (none of which has
to be real).

5. Future Developments
I believe Steganography will continue to increase in popularity over cryptography. As it gets more and
more advanced as will the Steganalysis tools for detecting it. I think we will see more encrypted data being
hidden using Steganography as the combination of the two provides an even hard target to crack (but not
necessarily a harder concoction to assemble). Currently although most specific tools can detect files hidden
using themselves in the first place. It is well accepted though, small sentences and one-word answers (e.g. a
‘yes’) are virtually impossible to find. This could be an area for further advances as possible compression
sizes decrease further.

There also seems very little in terms of tools for hiding data in video. There are some for audio but this is
still an area, which lags behind image Steganography. The future may see audio files and video streams that
could possibly be decoded on the fly to form their correct messages. This could be the ultimate broadcast of
secret information.

The hope for digital watermarking tools (but possibly bad news for freedom of information) could be
images that will only display on valid sites. If the Steganographic encoded image is tried to be displayed
against its copyright information (again perhaps hidden inside the image) the picture could display
something else instead, e.g. a copyright warning and a link to its site of origin. This takes the work off the
third party image manipulation vendors (e.g. adobe Photoshop etc.) to scan images for watermarks and deal
with any finds appropriately.

With regards to less desirable types using Steganography to communicate I believe there is very little to do
against it other than to catch someone involved and break the chain from there. There are simply too many
message boards and newsgroups containing billions of images. It is not practical or sensible to try to target
all of these. And for now there is, at least no public proof that anyone is using these techniques to
communicate. The prospect however must be appealing..

-9- Jonathan Watkins

Steganography – Hidden In Bits 15th December 2001

6. References
All Internet links were last checked 12th November 2001.

1. BBC News Online. (05/10/2001) France terror code 'breakthrough'

http://news.bbc.co.uk/hi/english/world/europe/newsid_1580000/1580593.stm

2. Common Law, West El Paso Information Network, (1995) Steganography (Hidden Writing)
http://www.wepin.com/pgp/stego.html

3. CNN (USA) (20/02/2001) FBI agent charged as Russian spy

http://www.cnn.com/2001/US/02/20/fbi.spy.06/index.html

4. Digimarc: The leading developer of digital watermarking technologies

http://www.digimarc.com/imaging/copyprot.htm

5. Digimarc MarcSpider: The best way to track your images on the Web
http://www.digimarc.com/imaging/prspider.htm

6. Ebay Online Auctions

www.ebay.com

7. Johnson, Neil.F and Jajodia, Sushil. Steganalysis: The Investigation of Hidden Information, IEEE
Information Technology Conference, Syracuse, New York, USA, September 1998

8. Johnson, Neil F. History and Stenography (1995-2000)

http://www.jjtc.com/stegdoc/

9. Jsteg Version 2.0 by Korejwa. Freeware

http://www.tiac.net/users/korejwa/jsteg.htm

10. Katz, Marty. (11/11/1997). New York Times. Digital Watermarks Often Fail on Web Images.
http://www.nytimes.com/library/cyber/week/111197digimarc.html (Online Version)

11. Loney, Matt. (26/09/2001) ZDNet (UK) News. Study: No hidden code in Web images
http://www.zdnet.com/zdnn/stories/news/0,4586,2814840,00.html

12. McCullagh, Declan. (07/02/01) Wired News. Bin Laden: Steganography Master?
http://www.wired.com/news/politics/0,1283,41658,00.html

13. Petitcolas, Fabien A. P., (1997–2001). The information hiding homepage digital watermarking &
steganography
http://www.cl.cam.ac.uk/~fabb2/stegangography/index.html

14. Petitcolas, Fabien A. P., (1997–2001). ‘Mosaïc’ attack

http://www.cl.cam.ac.uk/~fapp2/watermarking/2mosaic/index.html

15. Petitcolas, Fabien A. P., Ross J Anderson, Markus G. Kuhn. University of Cambridge. (April 1998)
Attacks on Copyright Marking Systems

16. Public Record Office Secret History Files, 2001. The SOE Syllabus: Lessons in Ungentlemanly
Warfare. ISBN 1-9033-6518-X

17. Ward, Mark (21/09/2001) BBC News Online. Tackling terror with technology
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1555000/1555981.stm

18. Westfeld, Andreas (21/12/1999) Attacks on Steganographic Systems

http://wwwrn.inf.tu-dresden.de/~westfeld/

- 10 - Jonathan Watkins