Cryptography

Steganography - Don’t judge a book by its cover

Chiragh Dewan
April 18, 2017 by
Chiragh Dewan

Steganography is the art of hiding data in hiding data within non-secret text or data. A file, message, image, or an audio file can can be concealed within another file, message, image or an audio file. Steganography has been used since 440 BC. However, Digital Steganography was introduced in 1985. A few of the known examples of early steganography are:

  • Using Wax tablets
  • Messages written on bodies of the messengers
  • Messages written on paper in secret inks written over other messages
  • Mixing up typefaces in newspaper or other public documents
  • Messages written on envelopes and then covered with stamps
  • Using Microdots

The process of steganography can be denoted by a very simple formula, which is:

Learn Applied Cryptography

Learn Applied Cryptography

Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.

cover_medium + hidden_data + stego_key = stego_medium

where:

  • Cover Medium: It is the piece of data (image/audio/video) which will hide the sensitive information

  • Hidden Data: The sensitive data (for this case, could be any kind of data) that the user needs to hide

  • Stego Key: A passphrase that will be used as the key to hide the hidden_data within the cover_medium

  • Stego Medium: The final piece of data which in which the sensitive data has been hidden

In this article, we will be seeing how we can embed a .txt file within an image, an audio file and a video file using different software available to us.

Embedding in an Image

The most common practice of steganography is embedding data within an image. There is some software out there which can help us achieve this goal. For now, we will be seeing how we can embed a .txt file with an image using OpenStego.

OpenStego is an open-source software distributed under the GNU license. The latest version can be downloaded from https://github.com/syvaidya/openstego/releases

OpenStego is built using Java, which means it will run on Windows, MacOS, and Linux as long as Java is available on the system. OpenStego provides us with a command-line interface as well as a GUI (Graphical User Interface).

Once you have downloaded the latest version, the .jar file can be found under

openstego-*>lib> openstego.jar

First, we will see how we can embed data:

To do that, simply open then openstego.jar file and enter the required details:

  • Message File: Location of the file that you want to embed.
  • Cover File: Location of the image you want the data to be embedded in.
  • Output Stego File: Location of the image file in which you want the data embedded in (OpenStego will create the Stego file with the name you enter here)
  • Encryption Algorithm: OpenStego also gives us the ability to use an encryption algorithm such as AES128, AES258, or DES and attach a passphrase to the stego file. This passphrase would be required any everyone who wishes to extract data from the stego file.

Cover File before embedding

Message that we will be embedding

Once, all the details are added, click on Hide Data and OpenStego will take less than a minute, and you will see the output file in the destination you provided:

Output file with embedded stego.txt

Now that we have successfully embedded a .txt file within an image, which by visual representation looks the same, let's see how we can extract stego.txt from stego.png

To do that, simply select the Extract Data option (marked in black) on the right-hand side and enter the details:

  • Input Stego File: Location of the stego file
  • Output Folder or Message File: Location of the folder where you want stego.txt to be extracted and saved
  • Password: The passphrase used in the first process while hiding the data

stego.txt file after being extracted

OpenStego also gives us the option of creating our own signature and adding/verifying images with it.

To do that, the first thing we need to do is create a signature:

  • Passphrase: The combination of alfa-numeric characters used to create a strong password for the signature
  • Output Signature File: Location where your signature file will be saved

To embed watermark:

  • File to be Watermarked: Location of the file (image)
  • Signature File: Location of the signature file (.sig)
  • Output Watermarked File: Location of the final watermarked file

Once done, a watermarked image will be saved at the location specified by you

Watermarked Image

To check the strength of the watermark:

  • Files to be checked for Watermark: Location of the files to be checked (images)
  • Original Signature: Location of the .sig file created before

Note: The strength of the watermark will depend on the passphrase used to convert into the signature (.sig) file.

If you wish to use the command-line version of OpenStego, here are the two main commands:

To embed stego.txt into cover.png and getting the output as stego.png:

java -jar <path to file>/openstego.jar embed -mf stego.txt -cf cover.png -sf stego.png

To extract stego.txt from stego.png:

java -jar <path to file>/openstego.jar extract -sf stego.png -xd <path to store stego.txt>

For a detailed version of the command-line commands, you can visit: http://www.openstego.com/cmdline.html

Embedding in an Audio File

Apart from images, audio files are an excellent source of hiding the data. For this scenario, we will be using a software called MP3stego. MP3stego is an open-source Windows based command-line only software written in C, and that can be downloaded from http://www.petitcolas.net/steganography/mp3stego/

It provides us with two basic functionalities:

  • Encoding data in a .mp3 file using a passphrase
  • Decoding data from a .mp3 file
  • Encoding

    We will be encoding secret.txt into dummy.wav and saving the output as stego.mp3

    Secret.txt before embedding

    Now, let's write the following command to encode:

    encode -E secret.txt -P ThisIsCooler dummy.wav stego.mp3

    and it will look something like this:

    Successfully created stego.mp3

    Decoding

    To decode stego.mp3 and retrieve secret.txt, that can be by the following command:

    decode -X -P ThisIsCooler stego.mp3

    and it will look something like this:

    What this command will also do is it will create a file called stegp.mp3.txt that will have the contents of secret.txt, it will create a PCM file by the name of stego.mp3.pcm

    Contents of secret.txt store in stego.mp3.txt after being decoded

    Embedding in a Video File

    Another great way of hiding data is in videos. For this scenario, we will be using a multi-purpose tool called OpenPuff. OpenPuff is a freeware windows based tool that can help us embed data in the following types of files:

    • Images (BMP, JPG, PCX, PNG, TGA)
    • Audio (AIFF, MP3, NEXT/SUN, WAV)
    • Video (3GP, MP4, MPG, VOB)
    • Flash-Adobe (FLV, SWF, PDF)
    • You can download OpenPuff from http://www.embeddedsw.net/OpenPuff_Steganography_Home.html

      For now, we will see how we can embed secret.txt in a .mp4 file.

      • Cryptography Scrambling Passwords: You enter three unrelated passwords, and the algorithm mixes them up to create a random string and will use it as a key.
      • Data: Select the file you want to embed. In this case, secret.txt.
      • Carrier Selection: You can add one or more .mp4 files which can have parts of secret.txt
      • Bit Selection: Depending upon the carriers, select the appropriate options.

      Once done, it will look something like this:

      To unhide it:

      Learn Applied Cryptography

      Learn Applied Cryptography

      Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.
      • Cryptography Scrambling Passwords: Enter the same passwords used to hide the file earlier.
      • Carrier Selection: Select the files in the same order as you did earlier
      • Bit Selection: Depending upon the carriers, select the appropriate options.

      OpenPuff too gives us the option to add, remove and verify watermarks.

      Chiragh Dewan
      Chiragh Dewan

      A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.