Steganography in Images

Final Communications Report
Francesco Queirolo

Steganographic image produced on the left with the stego-tool: White Noise Storm. (Johnson, Steganography)

Steganography is a very old method of passing messages in secret. This method of message cloaking goes back to the time of the ancient Greeks. The historian Herodotus wrote about how an agent wrote a message warning of an invasion on the wood part of a wax tablet. Since messages were normally inscribed in the wax and not the wood, the tablet appeared blank to a common observer. There is also the story of a messenger during the Persian Wars who shaved his head and had a message tattooed on it. He waited until his hair grew back to make his journey. When he arrived at his destination, he shaved his head to reveal the message. During WWII spies on both sides used “invisible” inks. These inks were fluids such as milk, fruit juice, or urine that would darken when heated. They also sent messages with very small punctures above characters in a document that formed a message when combined. (Mc Cullah, Feb 7, 2001).

INTRODUCTION

Many people lump steganography with cryptography, and while they are in many cases means to the same end (not letting unauthorized persons view data), they are not the same thing. They are, however, often sibling processes: first encrypting a message and then using a stego-tool to hide it is more effective in hiding a secret message than either method by itself. According to Dictionary.com, steganography is “Hiding a secret message within a larger one in such a way that others can not discern the presence or contents of the hidden message” and cryptography is “The process or skill of communicating in, or deciphering secret writing or ciphers.” (Dictionary.com).

Steganography can be used to cloak hidden messages in image, audio, and even text files. In this report, we will concern ourselves with hiding messages (meaning either images or text) in images.

REPRESENTATION OF IMAGE TYPES

In a computer, images are represented as arrays of values. These values represent the intensities of the three colors R(ed), G(reen) and B(lue), where a value for each of the three colors describes a pixel. Through varying the intensity of the RGB values, a finite set of colors spanning the full visible spectrum can be created. In an 8-bit GIF image, there can be 2^8 = 256 colors and in a 24-bit bitmap, there can be 2^24 = 16777216 colors. Large images are most desirable for steganography because they have the most space to hide data in. The best quality hidden image is normally produced using a 24-bit bitmap as a cover image. Each byte corresponds to one of the three colors, and each three-byte value fully describes the color and luminance values of one pixel. The cons to large images are that they are cumbersome to both transfer and upload, while running a larger chance of drawing an “attacker’s” attention due to their uncommon size. As a result, compression is often used. There are two common compression techniques used to shrink the file size of a bitmap. (Johnson, 1998)

GIF

The first is the GIF (Graphics Interchange Format) format, which will decrease the number of bits used to represent each pixel from 24 to 8. This is a lossless compression technique and the data hidden in the message can be recovered without a problem.

JPEG

The JPEG (Joint Photographic Experts Group) format is a form of lossy compression. It does a very nice job of decreasing the file size of the image while retaining a great deal of its quality. The JPEG transformation takes eight pixel by eight pixel blocks and performs a 64 bit DCT (Discrete Cosine Transformation), which does not compute to exact values. With continuing transforms, the precision of the calculation is decreased and the amount of error increases. Two methods used to perform a DCT are the Fast Fourier and wavelet transforms. The downside to JPEG compression is that it may corrupt hidden data.

Palette and Image Composition

The palette and composition of the image also contribute to how well the stego-tool does its job. An image with gradual color gradients or in grayscale is the best for steganography because it is easier to insert small “errors” into it. The changes also appear more gradually and as a result are less likely to be detected. Observe the different color palettes below and how the one on the left changes gradually and is more suitable for a cover image than the one on the right. (See Figure 1 below.)

Figure 1 – Palette Gradients (Johnson, 1998)

It is also important to use images that do not contain large blocks of a solid color, as the changed bits in the solid area are easier to detect.

CONCEALMENT

There are three main ways to conceal the secret message/image. The first way is straight insertion, where you just put the message into the cover image. The next way requires some analysis to find the variations in color, and it puts the message in those areas where it is less likely to be detected. The last way is to randomly insert the message into the image.

LSB

First we will investigate least significant bit insertion, where you literally put the information in the least significant bits of an image. This is a simple technique, but the downside is that the message is very susceptible to information loss when using lossy compression techniques. We will now go over an example that involves inserting an A into 3 pixels of a 24 bit image. Here is the original raster data:

(00100111 11101001 11001000) (00100111 11001000 11101001) (11001000 00100111 11101001)

The binary value of A is 10000011 and encoding A into the last bits of this 3 pixel sequence will change the above sequence to:

(00100111 11101000 11001000) (00100110 11001000 11101000) (11001000 00100111 11101001)

(Johnson, 1998)
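The byte-level LSB insertion described above, as an added example that is not part of the original report or of any tool it cites. The cover samples and payload are constructed pseudo-random data (the payload stands in for an already encrypted message), and `requantize` is a hypothetical stand-in for lossy processing, not a JPEG codec.

```python
import random

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write the payload bits, most significant bit first, into the
    least significant bit of successive cover bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("need one cover byte per payload bit")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes of payload from the LSBs of the first 8*n_bytes samples."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for sample in stego[8 * i: 8 * i + 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)

def changed_fraction(cover: bytes, stego: bytes) -> float:
    """Share of cover bytes that the embedding actually had to alter."""
    return sum(a != b for a, b in zip(cover, stego)) / len(cover)

def requantize(samples: bytes, step: int = 4) -> bytes:
    """Assumed stand-in for lossy processing: round each sample down to a
    multiple of `step`, which discards the low-order bits."""
    return bytes((s // step) * step for s in samples)

# Constructed sample data: 4096 cover bytes and a 512-byte payload that fills them.
rng = random.Random(2001)
COVER = bytes(rng.randrange(256) for _ in range(4096))
PAYLOAD = bytes(rng.randrange(256) for _ in range(512))
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("round trip ok:", extract_lsb(STEGO, len(PAYLOAD)) == PAYLOAD)
    print("cover bytes changed: %.1f%%" % (100 * changed_fraction(COVER, STEGO)))
    print("largest per-byte change:", max(abs(a - b) for a, b in zip(COVER, STEGO)))
    survived = extract_lsb(requantize(STEGO), len(PAYLOAD)) == PAYLOAD
    print("payload survives requantizing:", survived)
```
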

Notice that only the underlined bits had to be changed in order to create the A. On average, only half of the bits would have to be changed in an LSB (Least Significant Bit) encoding scheme. With such a small variation in the colors it would be very difficult for the human eye to discern the difference.

Next we will do least significant bit insertion with an 8 bit value. Since 8 bit values can only have a maximum of 256 colors, the image must be chosen much more carefully. Consider a palette with four colors: white, red, blue, and green, which have the palette position entries of 0 (00), 1 (01), 2 (10) and 3 (11) respectively. Take four adjacent pixels colored white, white, blue, blue (00 00 10 10). We will try to hide the decimal number 10, represented in binary as 1010. The resulting raster is 01 00 11 10, which corresponds to red, white, green, blue. These large changes in the image are very noticeable in a color image, although an 8 bit greyscale image will produce relatively good results. (Johnson, 1998)

There are multiple tools that implement LSB. One tool, EzStego, can rearrange the palette to lessen the frequency of adjacent colors with too strong a contrast. S-Tools tries to approximate the cover image by rearranging the palette to make the difference between bits only one, and sometimes causes very noticeable shifts in the palette.

Masking and Filtering

Masking and filtering techniques are mostly used on 24 bit and greyscale images. They hide information in a way similar to watermarks on actual paper and are sometimes used as digital watermarks. Masking images entails changing the luminance of the masked area. The smaller the luminance change, the less of a chance that it can be detected. Observe that the luminance in Figure 1 (below) is at 15% in the mask region; if it were decreased, the mask would be nearly invisible.

Figure 1. Masking (Johnson, 1998)

Stego-images (images that have been manipulated by steganographic methods) that are masked will keep a higher fidelity than LSB through compression, cropping and some image processing. The reason that a stego-image encoded with masking degrades less under JPEG compression is that the secret message is hidden in the significant areas of the picture. There is a tool called JPEG – J steg that takes advantage of the compression of JPEG while trying to keep a high message fidelity. The program takes a secret message and a lossless cover image as input and outputs a stego-image in JPEG format.

Digital Watermarking (a slight diversion)

As stated above, digital watermarking is often performed by masking. The reason for digital watermarking is very different from that of steganography. Where the goal of steganography is to transmit a message undetected, a digital watermark is created as a sign of ownership/authorship. Since digital copies are inherently exact replicas of the original unless noise or some type of lossy operation is introduced, there will be no way to tell them apart. Therein lies the authorship/ownership problem due to the likeness of the original and the copy. Digital watermarks can be used to show proof of ownership by having your mark put into the file, so even if both images are the same, if they contain your mark then you have a much stronger case in copyright or ownership disputes. Watermarks can be visible or invisible depending on the luminance in the mask. The higher the luminance, the greater the visibility of the watermark. Attackers can use different types of image processing to remove or degrade the watermark until it is illegible. There are different recovery techniques, but it is usually helpful to have the original image when trying to recover the watermark.

Redundant Pattern Encoding

Patchwork and other similar tools do redundant pattern encoding, which is a sort of spread spectrum technique. It works by scattering the message throughout the picture. This makes the image more resistant to cropping and rotation. Smaller secret images work better to increase the redundancy embedded in the cover image, and thus make it easier to recover if the stego-image is manipulated.

Encrypt and Scatter

The encrypt and scatter technique tries to emulate white noise. White Noise Storm is one such program that employs spread spectrum and frequency hopping. It does this by scattering the message throughout an image on eight channels within a random number that is generated by the previous window size and data channel. The channels then swap, rotate, and interlace amongst each other. Each channel represents one bit, and as a result there are many unaffected bits in each channel. It is a lot harder to extract a message from this technique than from an LSB scheme, because to decode you must first detect that a hidden image exists and extract the bit pattern from the file. While that is true for any stego-image, you will also need the algorithm and stego-key to decode the bit pattern, neither of which is required to recover a message from LSB. Some people prefer this method due to the considerable amount of extra effort that someone without the algorithm and stego-key would have to go through to extract the message. Even though White Noise Storm provides extra security against message extraction, it is just as susceptible as straight LSB to image degradation due to image processing.

DETECTION

Even though stego-images can rarely be spotted by the naked eye, they usually leave behind some type of fingerprint or statistical hint that they have been modified. It is those discrepancies which an analysis tool may be able to detect. Since some techniques and their effects are commonly known, a statistical analysis of an image can be performed to check for hidden messages in it. The simplest technique is to measure the entropy of redundant data and check if its statistical properties have deviated from the data collected from the original image. Since we do not always have the unaltered cover image readily available, a detection system can compare the amount of 1’s and 0’s to detect the presence of a stego-image. A similar method of analysis can be used for JPEGs, but the coefficients of the DCT are looked at instead of individual bits. Yet another method is to create a new color and sort the palette of the image and look for statistical anomalies that way. These simple methods do not conclusively prove that there is a secret message but are merely the first step.

After a suspected image is found, a dictionary attack must then be conducted to verify that there is a hidden message.
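A sketch of the first-step statistical check described above, as an added example that is not from the report or from any detection tool it cites. It goes beyond the plain count of 1's and 0's by also running a chi-square comparison on each even/odd value pair; the sample histograms are constructed, and the `max_ratio` threshold is an assumption chosen for this data.

```python
import random
from collections import Counter

def lsb_ones_fraction(samples: bytes) -> float:
    """Share of samples whose least significant bit is 1."""
    return sum(s & 1 for s in samples) / len(samples)

def pair_chi_square(samples: bytes):
    """Return (chi-square statistic, number of value pairs tested).

    LSB replacement can only move a sample between the values 2k and 2k+1,
    so a fully embedded image pushes the two counts of every pair toward
    their common mean. A small statistic therefore means 'suspiciously even'.
    """
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = hist[even], hist[even + 1]
        expected = (n_even + n_odd) / 2
        if expected < 5:            # too few samples in this pair to judge
            continue
        stat += ((n_even - expected) ** 2 + (n_odd - expected) ** 2) / expected
        pairs += 1
    return stat, pairs

def looks_embedded(samples: bytes, max_ratio: float = 2.0) -> bool:
    """Flag samples whose pairs are about as balanced as random LSBs make them.
    max_ratio is an assumed cut-off on statistic / pairs (about 1 for random LSBs)."""
    stat, pairs = pair_chi_square(samples)
    return pairs > 0 and stat / pairs < max_ratio

# Constructed cover: 64 value pairs in which the even value is about four
# times as common as the odd one (a skew that LSB replacement would erase).
COVER = bytes(((i * 7) % 64) * 2 + (1 if i % 5 == 0 else 0) for i in range(8192))

# Constructed stego sample: every LSB replaced by a pseudo-random message bit.
_rng = random.Random(7)
STEGO = bytes((s & 0xFE) | _rng.getrandbits(1) for s in COVER)

if __name__ == "__main__":
    for name, data in (("cover", COVER), ("stego", STEGO)):
        stat, pairs = pair_chi_square(data)
        print("%s: ones=%.3f chi2/pairs=%.2f flagged=%s"
              % (name, lsb_ones_fraction(data), stat / pairs, looks_embedded(data)))
```

A flag from this check is only a lead: a cover whose low bits are already evenly balanced would be flagged too, which is why the report treats such statistics as the first step rather than proof.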

USES OF STEGANOGRAPHY

Steganography can be used anytime you want to hide data. There are many reasons to hide data but they all boil down to the desire to prevent unauthorized persons from becoming aware of the existence of a message. In the business world steganography can be used to hide a secret chemical formula or plans for a new invention. Steganography can also be used for corporate espionage by sending out trade secrets without anyone at the company being any the wiser. Steganography can also be used in the non-commercial sector to hide information that someone wants to keep private. Spies have used it since the time of the Greeks to pass messages undetected. Terrorists can also use steganography to keep their communications secret and to coordinate attacks. It is exactly this potential that we will investigate in the next section.

TERRORISTS AND STEGANOGRAPHY

Now that we have investigated the basics of steganography, we will examine what part it has had in the communications of terrorist networks and, more specifically, how it is linked to the activities of Osama bin Laden and the al-Qaida network. There is a general belief that some of the plans for the September 11 attacks were hidden in images and put onto sports and pornographic bulletin boards.

Known Communications

The al-Qaida terrorist network has been known to use encryption. They receive money from Muslim sympathizers, buy computers and then go online and download encryption programs from the web. (Kelley 6/19/01) Here are brief accounts from USA Today that describe three instances where terrorists have used some sort of encryption:

• Wadih El Hage, one of the suspects in the 1998 bombing of two U.S. embassies in East Africa, sent encrypted e-mails under various names, including "Norman" and "Abdus Sabbur," to "associates in al Qaida," according to the Oct. 25, 1998, U.S. indictment against him. Hage went on trial Monday in federal court in New York.
• Khalil Deek, an alleged terrorist arrested in Pakistan in 1999, used encrypted computer files to plot bombings in Jordan at the turn of the millennium, U.S. officials say. Authorities found Deek's computer at his Peshawar, Pakistan, home and flew it to the National Security Agency in Fort Meade, Md. Mathematicians, using supercomputers, decoded the files, enabling the FBI to foil the plot.
• Ramzi Yousef, the convicted mastermind of the World Trade Center bombing in 1993, used encrypted files to hide details of a plot to destroy 11 U.S. airliners. Philippines officials found the computer in Yousef's Manila apartment in 1995. U.S. officials broke the encryption and foiled the plot. Two of the files, FBI officials say, took more than a year to decrypt. (Kelley, 6/19/2001)

Osama bin Laden has used mobile phones and satellite communications in the past, but it is believed that he has stopped using them to make it more difficult to detect him. (Sieberg, 9/21/01) Some experts believe that he only uses messengers now. For a military commander this would be highly ineffective, as they have to be in contact with their subordinate commanders at all times, but bin Laden is considered a spiritual or inspirational leader and as a result does not have to maintain constant contact with his troops. They can operate in smaller cells. The events that took place on September 11 were obviously very coordinated and the terrorists must have had to use some form of communication to coordinate their attacks. Since their communications were not detected, it would lead one to believe that they were using some type of encryption and/or message hiding system.

Steganography for Terrorists

Whether or not al-Qaida uses steganography, it would be a very effective high tech communication method. They can use bulletin boards and other public places where you can put images as cyber dead drops for stego-images. A dead drop is a place where you drop off a deliverable at some pre-determined time and place without ever meeting or directly communicating with the other party. Of course, communication will have to be initiated, but after that, all communications/exchanges can be made in the manner outlined above. For covert purposes, this communication technique has two very distinct advantages over most other forms of communication. The first is that the communication is asynchronous, which means that it is simpler to implement and helps to avoid suspicion, as involved parties aren’t directly associated with each other. The second is that only one of the parties is required to know who the other is. This is especially valuable because if one party is caught, they may not be able to divulge who they were dealing with, regardless of the interrogation methods used. The last point makes steganography an especially appealing method of communication to the al-Qaida network because they operate as cells, and the anonymity that dead drops provide will help to avoid uncovering of the entire network even if some members are caught.

Detection

There have been multiple congressional committees dealing with encryption over the past few years. The US government has done some private contracting to develop steganography detection tools. One such contract is with WetStone Technologies, who have been contracted to develop a “blind steganography detection prototype”. (Mc Cullah, February 21, 2001) There is no doubt more research going on, but not all of it will be made public, and it is most probable that the NSA is developing or already has detection programs.

In academia, graduate students Niel Provos and Richard Honeyman at the University of Michigan have written a web crawling program to detect steganographic images in the wild. The program has already digested 2 billion JPEGs on popular sites such as eBay and has so far found only one stego-image in the wild. The detected image was on an ABC web page that dealt with the topic of steganography. It had a picture of a B-52 graveyard at Davis-Monthan Air Force Base embedded into a surreal image of clocks and the earth. Even though there is much speculation on the subject, and al-Qaida has used high tech information hiding methods in the past, there is no proof that steganography was used to orchestrate elements of the September 11 bombing. However, since this search was not exhaustive, there is no conclusive proof either way.

CONCLUSION

Where does this leave us now? In the very precarious position of trying to balance personal freedoms with national safety. There has been debate in different sectors of government, as the issue has come up before and was a rather hot issue after the first World Trade Center attack. During the Clinton administration, restrictions on the exportation of cryptography, hardware and software tools were relaxed. After the September 11 attack, there will no doubt be a very close inspection of many aspects of our national security, and there will be new proposals to try to stop another tragedy from occurring.

Author’s Closing Thoughts

It is the hope of the author of this paper that judicious limits on cryptography and steganography will be implemented, as I believe that in our current position, if terrorists used a good stego-tool and a solid encryption algorithm, it would be very difficult to discover their plans before they are executed. Of course, there will be some that argue encryption should not be mitigated, as it is an academic pursuit and helps preserve privacy. Even so, I believe we must rely on our government (for they are accountable to the citizens of this country) to make the correct decisions in the matter, because privacy is important but not to the point where people can use it as a shield to kill people.

Bibliography

How Stego Online Works. Visited on: 11/7/01. http://www.stego.com/howto.html

Johnson, N, & Jajodia, S. (February 1998) Exploring Steganography: Seeing the Unseen. Visited on: 11/8/01. http://www.computer.org/computer/co1998/r2026abs.htm

Johnson, N. Steganography. Visited on: 11/8/01. http://www.jjtc.com/stegdoc/stegdoc.html

Johnson, Neil F. Steganography. Visited on 11/9/01. http://www.jjtc.com/stegdoc/sec313.html

Kelley, Jack (June 19, 2001). Terror groups hide behind Web encryption. Visited on: 11/8/01. http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm

Kuhn, Markus (July 3, 1995). Steganography. Visited on: 11/7/01. http://www.iks-jena.de/mitarb/lutz/security/stegano.html

Levy, Steven (2001). Did Encryption Empower These Terrorists?. Visited on 11/5/01. http://msnbc.com/news/627390.asp?cp1=1#BODY

Mc Cullah, Declan (Feb 7, 2001). Bin Laden: Steganography Master?. Visited on: 11/4/01. http://www.wired.com/news/politics/0,1283,41658-2,00.html

Mc Cullah, Declan (February 21, 2001). Secret Messages Come in .Wavs. Visited on: 11/7/01. http://www.wired.com/news/print/0,1294,41861,00.html

McGrath, Peter (Sept 21, 2001). Coded Communications: Did the hijackers hide their messages in harmless-looking images on the Internet?. Visited on 11/4/01. http://www.msnbc.com/news/632358.asp?cp1=1#BODY

Mendell, Ronald (Sept 20, 2000). Steganography - Electronic Spycraft. Visited on 11/7/01. http://www.earthweb.com/article/0,,10456_624101,00.html

PDF files from: http://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf

Provos, Niel (October 12, 2001). First Steganographic Image in the Wild. Visited on: 11/7/01. http://www.citi.umich.edu/u/provos/stego/abc.html

Schneier, Bruce. (September 24, 2001). Terrorists and steganography. http://www.zdnet.com/zdnn/stories/comment/0,5859,2814256,00.html

Sieberg, Daniel (Sept 21, 2001). Bin Laden exploits technology to suit his needs. Visited on 11/4/01. http://www.cnn.com/2001/US/09/20/inv.terrorist.search/