Hiding Secrets with Steganography
by Dru Lavigne, 12/04/2003
I've always been fascinated by algorithms and the whole concept that a bit of mathematics can be used to compress an image or a sound or a video. Or keep track of where it put the files on my hard drive. Or perhaps scramble the contents of one of those files so that only my intended recipient is capable of descrambling it. Granted, I don't even pretend to understand the mathematics behind algorithms. But I'm somewhat comforted that there are people in this world who do, and that their efforts help to keep the computers of this world computing.
In this article, I'll introduce the science of steganography by demonstrating two applications from the ports collection. Along the way, we'll also discover some interesting features of compression algorithms.
What is Steganography, Anyway?
The term steganography comes from the Greek words for covered writing. If, as a child, you ever wrote an invisible message in lemon juice and had your friend hold it next to a light bulb in order to watch the message magically appear, you've used steganography.
When using steganography on a computer, you actually hide a message within another file. That resulting file is called a "stego file." The trick to computer steganography is to choose a file capable of hiding a message. A picture, audio, or video file is ideal for several reasons:
These types of files are already compressed by an algorithm. For example, .jpeg, .mp3, .mp4, and .wav formats are all examples of compression algorithms.
These files tend to be large, making it easier to find spots capable of hiding some text.
These files make excellent distractors. That is, few people expect a text message to be hidden within a picture or an audio clip. If the steganographic utility does its job well, a user shouldn't notice a difference in the quality of the image or sound, even though some of the bits have been changed in order to make room for the hidden message.
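The last point above is about what eyes and ears notice; a histogram can notice more. The following is an added example, not code from the article or from either port: a toy embedder that overwrites least-significant bits, and the pairs-of-values check a defender can run on the result. The cover samples, payload, and all function names are constructed for illustration, and neither outguess nor steghide is claimed to embed this way.

```python
import random
from collections import Counter

def make_cover():
    """Constructed cover: in each value pair (2k, 2k+1) evens outnumber odds 3:1."""
    cover = []
    for even in range(0, 200, 2):
        cover += [even] * 30 + [even + 1] * 10
    return cover

def make_payload(nbytes, seed=2003):
    """Constructed payload: seeded random bytes stand in for encrypted data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

def embed_lsb(samples, payload):
    """Toy embedder: overwrite the lowest bit of successive samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload too large for this cover")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit  # value moves by at most 1
    return out

def extract_lsb(samples, nbytes):
    """Read the payload back from the lowest bits, most significant bit first."""
    bits = [s & 1 for s in samples[:nbytes * 8]]
    return bytes(
        sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8]))
        for i in range(0, len(bits), 8)
    )

def pov_statistic(samples):
    """Chi-square distance between each pair (2k, 2k+1) and an even split.

    Overwriting low bits with random-looking data pushes every pair toward
    equal counts, so an unusually LOW value is the warning sign.
    """
    hist = Counter(samples)
    stat = 0.0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        expected = (a + b) / 2
        if expected > 0:
            stat += (a - expected) ** 2 / expected
    return stat

if __name__ == "__main__":
    cover = make_cover()
    payload = make_payload(len(cover) // 8)  # fill the whole cover
    stego = embed_lsb(cover, payload)
    print("payload recovered:", extract_lsb(stego, len(payload)) == payload)
    print("cover statistic:", pov_statistic(cover))
    print("stego statistic:", round(pov_statistic(stego), 1))
```

No sample changes by more than 1, which is why the result looks and sounds the same, yet the pair counts collapse toward equality and the statistic drops sharply.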
If you're new to steganography, you're in for some interesting reading at the Steganography and Digital Watermarking web site.
Before we build the ports, you should be aware that steganography is also
capable of encrypting a message before it is hidden in a file. Depending upon
your geographic location, you may be limited by legal restrictions regarding
the strength of encryption protocols, or even if you're allowed to use
encryption in the first place. You'll see an example of this if you go to the
outguess web site.
outguess
The outguess port builds several utilities that I'll
demonstrate. Not all of them deal directly with steganography, as some are used
to manipulate .jpeg images. You can find more information about these
utilities at JPEGclub.org.
Let's start by building the port:
% cd /usr/ports/security/outguess
% make install clean
There's a fair bit of documentation on outguess and its related
utilities. The port will install /usr/local/share/doc/README, as
well as manpages for the following utilities: outguess,
cjpeg, djpeg, jpegtran,
rdjpgcom, and wrjpgcom. Finally, there is the outguess project home page.
Since the outguess suite of applications deals primarily with
.jpeg images, you may find the JPEG FAQ and the Compression FAQ helpful in getting up to speed.
I'll start with the rdjpgcom and wrjpgcom
utilities. Did you know that the JPEG standard allows COM, or comment, blocks to
be inserted into a .jpeg image? Being the curious type, when I first learned
this, I was dying to know if the .jpegs on my hard drive had any interesting
hidden comments. Fortunately, I had the rdjpgcom tool, so I could
ReaD my JPG COMments:
$ cd ~/images
$ rdjpgcom pic1.jpg
$ rdjpgcom pic2.jpg
I was sorta disappointed to learn that most of my .jpegs had no messages at all. One indicated that it had been created using "VT-Compress (tm) Xing Technology Corp." and another indicated it had been "Created with The GIMP."
Fortunately, I could change this situation by using the
wrjpgcom utility to WRite in my own JPG COMments:
$ wrjpgcom -comment "This picture was taken on my June 2003 canoeing trip" pic1.jpg > pic1a.jpg
Make sure that you give the newly commented file a different name, or you'll end up with an empty original file.
Now, if I check out the results:
$ rdjpgcom pic1a.jpg
Created with The GIMP
This picture was taken on my June 2003 canoeing trip
It's interesting to note that if I use the file command, it
will pick up the original comment inserted by the GIMP, but not the comment I
added myself.
If I had instead wanted to delete the previous GIMP comment, I would have
used the -replace switch instead of the -comment
switch.
If I visually view both files, say with gimp, I won't recognize
any differences between the two. Let's see if there are any differences:
$ ls -l pic1*
-rw-r--r-- 1 dlavigne6 wheel 6817 Nov 15 14:36 pic1.jpg
-rw-r--r-- 1 dlavigne6 wheel 6873 Nov 15 14:36 pic1a.jpg
Okay, the file with the comments is a little bit bigger than the original
file. However, the file utility doesn't indicate any
difference:
$ file pic1*
pic1.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI),
"Created with The GIMP", 72 x 72
pic1a.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI),
"Created with The GIMP", 72 x 72
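The 56-byte difference in the ls output above is what the JPEG format predicts: a COM segment is a two-byte marker (FF FE), a two-byte length, and the comment text, and the comment added above is 52 characters long. The following is an added example, not part of the original article or the outguess port: a small Python reader and writer for COM segments, run against a constructed header skeleton (SAMPLE is not a decodable image, and the function names are illustrative).

```python
import struct

COM, SOS = 0xFE, 0xDA
# Start-of-frame markers: 0xC0-0xCF except DHT (C4), JPG (C8) and DAC (CC).
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def segments(jpeg: bytes):
    """Yield (marker, payload, offset) for each header segment through SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG stream")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        # The length field counts itself (2 bytes) plus the payload.
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, jpeg[pos + 4:pos + 2 + length], pos
        if marker == SOS:  # entropy-coded image data follows; stop here
            return
        pos += 2 + length

def read_comments(jpeg: bytes) -> list:
    """Return the text of every COM segment, in file order."""
    return [p.decode("latin-1") for m, p, _ in segments(jpeg) if m == COM]

def build_segment(marker: int, payload: bytes) -> bytes:
    """Serialize one segment: marker, big-endian length, payload."""
    if len(payload) > 0xFFFF - 2:
        raise ValueError("payload too long for one segment")
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def add_comment(jpeg: bytes, text: str) -> bytes:
    """Insert a COM segment just before the frame (or scan) header."""
    for marker, _, offset in segments(jpeg):
        if marker in SOF or marker == SOS:
            seg = build_segment(COM, text.encode("latin-1"))
            return jpeg[:offset] + seg + jpeg[offset:]
    raise ValueError("no frame or scan header found")

# Constructed header skeleton (structurally valid, not a decodable image).
SAMPLE = (
    b"\xff\xd8"
    + build_segment(0xE0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
    + build_segment(COM, b"Created with The GIMP")
    + build_segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    + build_segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x00\xff\xd9"  # placeholder scan data, then EOI
)

if __name__ == "__main__":
    note = "This picture was taken on my June 2003 canoeing trip"
    tagged = add_comment(SAMPLE, note)
    print(read_comments(tagged))
    print("growth in bytes:", len(tagged) - len(SAMPLE))
```

Because the reader lists every COM segment rather than only the first, it is also a quick way to check what metadata a .jpeg carries before it is shared.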
Hiding More Data
Let's carry this idea a bit further and hide a complete text file within a .jpeg file. For example, I may want to protect my great grandmother's chocolate chip cookie recipe. Right now, it's stored in cookie.txt:
$ ls -l cookie.txt
-rw-r--r-- 1 dlavigne6 wheel 296 Nov 15 14:56 cookie.txt
I also have a picture of my grandmother, who entrusted that recipe to me when I was much younger:
$ ls -l gramma.jpg
-rw-r--r-- 1 dlavigne6 wheel 50873 Sep 5 09:13 gramma.jpg
Let's see what happens if I hide the recipe in that picture:
$ outguess -k "don't worry, the recipe is safe" -d cookie.txt gramma.jpg grandma.jpg
Let's take a look at that syntax. The -k or key switch is
followed by a passphrase enclosed within double quotes. I need to remember that
passphrase, in case I ever want to extract that secret recipe. I then used the
-d switch to specify the name of the file to hide
(cookie.txt), followed by the name of the file to hide it in
(gramma.jpg) and the name of the new stego file
(grandma.jpg). Once I had entered that command, I saw the
following output:
Reading gramma.jpg....
JPEG compression quality set to 75
Extracting usable bits: 55365 bits
Correctable message size: 25855 bits, 46.70%
Encoded 'cookie.txt': 2368 bits, 296 bytes
Finding best embedding...
0: 1219(50.8%)[51.5%], bias 1301(1.07), saved: -4, total: 2.20%
1: 1215(50.6%)[51.3%], bias 1235(1.02), saved: -3, total: 2.19%
5: 1192(49.7%)[50.3%], bias 1241(1.04), saved: -1, total: 2.15%
7: 1164(48.5%)[49.2%], bias 1217(1.05), saved: 2, total: 2.10%
13: 1155(48.1%)[48.8%], bias 1176(1.02), saved: 3, total: 2.09%
25: 1163(48.5%)[49.1%], bias 1156(0.99), saved: 2, total: 2.10%
28: 1141(47.5%)[48.2%], bias 1145(1.00), saved: 5, total: 2.06%
28, 2286: Embedding data: 2368 in 55365
Bits embedded: 2400, changed: 1141(47.5%)[48.2%], bias: 1145, tot: 55200, skip: 52800
Foiling statistics: corrections: 499, failed: 0, offset: 46.129114 +- 142.525859
Total bits changed: 2286 (change 1141 + bias 1145)
Storing bitmap into data...
Writing grandma.jpg....
If I now open both the original and new .jpeg files and examine them side by side, I'm hard pressed to see any differences between the two. This is to be expected, as the file to hide was very small (296 bytes) compared to the image file (50873 bytes). Interestingly, the new image file is slightly smaller than the original:
$ ls -l grandma.jpg
-rw-r--r-- 1 dlavigne6 wheel 50415 Nov 15 15:04 grandma.jpg
Retrieving The Hidden File
To retrieve the hidden file, I need to use the -r switch:
$ outguess -k "don't worry, the recipe is safe" -r grandma.jpg test.txt
Reading grandma.jpg....
Extracting usable bits: 55365 bits
Steg retrieve: seed: 28, len: 296
I had to use the same key or passphrase I used to hide the message. If I read the resulting test.txt file, I'll see that the cookie recipe is still intact.
The outguess utility is capable of hiding messages in .jpeg,
.ppm, and .pnm files. If you currently have a .bmp file that you'd like to hide a file in, use the cjpeg, or convert jpeg, utility:
$ cjpeg santa.bmp > test.jpeg
To my untrained eye, both files look the same in gimp. I can
now use that new .jpeg file with the outguess utility.
Not surprisingly, djpeg converts the other way around; that is,
from a .jpeg to the specified format:
$ djpeg -bmp frosty.jpeg > icicle.bmp
$ djpeg -gif frosty.jpeg > icicle.gif
Both of these utilities have several switches to control the quality of the images. See their respective manpages for details.
The final utility in the outguess suite is
jpegtran which can transform a .jpeg from, say, landscape to
portrait. For example, the -flip horizontal switch will create a
mirror image. That is, whatever is on the left will now be on the right:
$ jpegtran -flip horizontal family.jpeg > reverse.jpeg
The manpage contains other switches to flip and rotate .jpeg images.
steghide
Let's move on to the second port, the steghide utility:
% cd /usr/ports/security/steghide
% make install clean
The port installs a manpage, man steghide, as well as some
additional information in /usr/local/share/doc/steghide/README.
I liked outguess because of the extra .jpeg manipulation
utilities that came with it. I liked steghide as its syntax is a
bit more sensible, it supports more file formats (.jpeg, .bmp, .wav, and .au), and
it allows you to specify an encryption algorithm.
Hiding The Cookie Recipe Again
Let's see what happens if I embed that cookie recipe into a .wav file:
$ steghide embed -cf hohoho.wav -ef cookie.txt -sf new.wav
Enter passphrase:
Re-Enter passphrase:
embedding "cookie.txt" in "hohoho.wav"... done%
writing stego file "new.wav"... done
Those switches make a lot of sense if you remember the three types of files you're using:
-cf coverfile, or the file you want to cover/hide
-ef embedded file
-sf stegofile
If I listen to both the embedded file and the stegofile in
xmms, I can't tell a difference in the audio quality, which,
granted, I've never found that great for .wav files anyway.
Extracting the Recipe Again
When I wish to extract my cookie recipe, I'll extract from the
stego file like so:
$ steghide extract -sf new.wav
Enter passphrase:
wrote extracted data to "cookie.txt".
Or like this:
$ steghide extract -sf new.wav -xf secret.txt
Enter passphrase:
wrote extracted data to "secret.txt".
The first invocation will extract the recipe into the same file name as the original cover file. The second invocation allows me to specify the name of the newly extracted file.
Miscellaneous steghide Extras
The steghide info command is quite useful. It will tell me if a
file contains hidden data (however, only from steghide-created
files, as far as I know):
$ steghide info new.wav
"new.wav":
format: wave audio, PCM encoding
capacity: 1.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "cookie.txt":
size: 296.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
Notice that the default encryption algorithm is Rijndael, also called AES, at 128 bits. To see what other encryption algorithms are available:
$ steghide encinfo
encryption algorithms:
<algorithm>: <supported modes>...
cast-128: cbc cfb ctr ecb ncfb nofb ofb
gost: cbc cfb ctr ecb ncfb nofb ofb
rijndael-128: cbc cfb ctr ecb ncfb nofb ofb
twofish: cbc cfb ctr ecb ncfb nofb ofb
arcfour: stream
cast-256: cbc cfb ctr ecb ncfb nofb ofb
loki97: cbc cfb ctr ecb ncfb nofb ofb
rijndael-192: cbc cfb ctr ecb ncfb nofb ofb
saferplus: cbc cfb ctr ecb ncfb nofb ofb
wake: stream
des: cbc cfb ctr ecb ncfb nofb ofb
rijndael-256: cbc cfb ctr ecb ncfb nofb ofb
serpent: cbc cfb ctr ecb ncfb nofb ofb
xtea: cbc cfb ctr ecb ncfb nofb ofb
blowfish: cbc cfb ctr ecb ncfb nofb ofb
enigma: stream
rc2: cbc cfb ctr ecb ncfb nofb ofb
tripledes: cbc cfb ctr ecb ncfb nofb ofb
Wow, that's a lot of supported algorithms. To use a different algorithm,
simply include the -e or encryption switch at the end of your
embed command. In this example, I'll choose "blowfish":
$ steghide embed -cf hohoho.wav -ef cookie.txt -sf new.wav -e blowfish
Once the stego file is created, I'll double-check that it worked:
$ steghide info new.wav
"new.wav":
format: wave audio, PCM encoding
capacity: 1.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "cookie.txt":
size: 296.0 Byte
encrypted: blowfish, cbc
compressed: yes
Conclusion
This should get you started on using steganography utilities. The only question you may be asking yourself is "why use such a utility?" Probably the most common use is to safeguard passwords. We all know that we should use different passwords for various tasks. For example, you should use a different password to log into your computer, another to retrieve email, another for online banking, and yet another for when you create an account on a web server. It can be very handy to make a text file of each password and its usage, and to safeguard that file by hiding it in a place no one would suspect to look.
Until now, had you ever thought of looking in a picture or a sound file?
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
-
Vorbis?
2003-12-09 01:19:22 anonymous2
Any apps to do stego with ogg files?
-
Cool... (use source to install steghide and dependencies on Linux)
2003-12-08 14:53:53 anonymous2
Tried installing using RPMs on Mandrake 9.1 and entered dependency hell (gotta love the FreeBSD ports system)...
Instead I downloaded the source for libmcrypt (http://sourceforge.net/projects/mcrypt) and libmhash (http://sourceforge.net/project/showfiles.php?group_id=4286), ./configure , make && make install those and then installed steghide from source too.
My 9 year old son will think this is the neatest thing ever! Then again I wonder if I should show him this... Hmmm
-
wow
2003-12-08 14:51:16 anonymous2
It's insulting as an American that this article doesn't even explain the history of Steganography which is from the slaves of the underground railroad who put images on their quilts to show the right direction, usually north.
-
wow
2008-05-13 16:01:51 dazla
actually steganography is thought to date back to at least 440BC! A little before America had its slave trade I think!
Americans think they invent everything!!
http://en.wikipedia.org/wiki/Steganography
-
wow
2003-12-09 02:37:31 anonymous2
Steganography: An American invention. Obviously. So, somehow they took something chronicled 2,500 years ago and then "invented" it 150 years ago. Sounds familiar... SCO anyone? Are you sure you're not Darl McBride?
-
Re: wow
2003-12-09 02:32:28 anonymous2
Once again we seem to have an American without an education. Steganography existed a long time before the underground railroad. Why? Steganography means "covered writing" - this is from Herodotus (approx 400 B.C.E.).
In "The Histories", Herodotus chronicled the conflicts between Greece and Persia in the fifth century BC, which he viewed as a confrontation between freedom and slavery, between the independent Greek states and the oppressive Persians. According to Herodotus, it was the art of secret writing that saved Greece from being conquered by Xerxes, King of Kings, the despotic leader of the Persians.
Herodotus wrote:
"As the danger of discovery was great, there was only one way in which he could contrive to get the message through: this was by scraping the wax off a pair of wooden folding tablets, writing on the wood underneath what Xerxes intended to do, and then covering the message over with wax again. In this way the tablets, being apparently blank, would cause no trouble with the guards along the road. When the message reached its destination, no one was able to guess the secret, until, as I understand, Cleomenes' daughter Gorgo, who was the wife of Leonides, divined and told the others that if they scraped the wax off, they would find something written on the wood underneath. This was done; the message was revealed and read, and afterwards passed on to the other Greeks."
What ever happened to the educational system in America? You talk about not respecting history but don't seem to even understand that America is not the be-all and end-all of the world...
-
Re: wow
2003-12-10 19:37:49 anonymous2
The 'educational system' in the U.S. (I don't use the term 'America' in reference to the U.S. as America actually includes everything from Canada to Chile, but don't tell that to a USAmican) is essentially 'daycare' and all that's taught is enough to pass 'assessment' tests, which are used to determine future funding for schools. If assessment scores are high at a given school, then no additional funding is needed as that school is apparently doing well enough with what it has. If scores are low, funding is cut as punishment. Logical, no? This is part of what's called 'No Child Left Behind' and serves as a fine example of double-speak. Nobody is taught to think. Students are prepared for servile careers and a life of unquestioning obedience to power. Increasingly, only those with money, and lots of it, can afford college, and even a college education prepares most only to consume mass quantities of alcohol and drugs and engage in various types of sexual or criminal activity, or both.
The history referred to in your post might be more widely known in the U.S. if it had been included in a Hollywood blockbuster with a dashing leading man and a fetching leading lady.
Unfortunately for the rest of the planet, USAmicans may never realize that the U.S. is not the be-all and end-all of the world.
-
Re: wow and the graceless comments
2007-10-08 14:52:49 BigBlueOcean
What is in the well of your heart must come up in the bucket of your mouth (Matthew 12:34). Your words will minister either grace or disgrace.
"Let your conversation be always full of grace, seasoned with salt, so that you may know how to answer everyone" (Colossians. 4:5 NIV).
The same God who gave birds the power of song gave you the power of speech. Grow, therefore, in conversation that is commendable. "Let no corrupt communication proceed out of your mouth but that which is good to the use of edifying, that it may minister grace unto the hearers."
Perhaps it is America's greater God centered view as opposed to the more atheistic non-American co-inhabitants of this Earth that explains the vitriol of our anonymous fellow contributors.
http://en.wikipedia.org/wiki/Demographics_of_atheism
The only word, in English as it were, is pusillanimous.
-
been there done that
2003-12-08 14:51:04 anonymous2
http://politrix.org/segment/bpoint.php
http://www.antioffline.com/gits.html
-
What happens if the image gets edited?
2003-12-08 11:39:27 anonymous2
I'm curious to know what happens to the hidden message if the image is manipulated in some way by Photoshop or some other image editing application after the 'secret' message has been embedded, be it resized, cropped, rotated, etc. Is the 'secret' still extractable? What about after extreme editing that causes significant changes in file size? If I understand the concept correctly, the photo editing application should read the file comments when the image is loaded and then re-write them (unchanged) after the image is altered. However, since the 'secret' is encrypted it should make it impossible for the image editing software to even recognize and read the embedded comment in the first place. However, if it can, in fact, recognize even the encrypted comment, it seems we have accomplished little more than encrypting text. So then I must ask why even bother hiding the encrypted text? Why not just use PGP?
Scott N
maquis@purdue.edu
-
What happens if the image gets edited?
2003-12-08 19:40:27 anonymous2
In steganography a well written algorithm only takes care that the information is preserved only while compressing an image and any other operation we can be sure that the message is lost.
Also the algo saves for compression because usually the data is stored in a bmp file and then compressed to a jpeg.
-
What happens if the image gets edited?
2003-12-08 16:08:58 anonymous2
I'm not sure why the author included the information about jpeg comments, as these programs encode the hidden file in the jpeg itself (by flipping insignificant bits), not the comment. Editing them in any form will surely render the embedded file unretrievable or at least significantly corrupted.
-
What happens if the image gets edited?
2003-12-08 14:28:45 anonymous2
Editors can not recognize the encrypted comment.
Editing can destroy the information.
Why do this instead of PGP? PGP can be broken with enough computer power. The advantage of this technique is that they do not even know there is a code to break. Therefore, even 20 years from now, people may not be able to retrieve the secret information, not because their computers are not powerful enough to break your encryption, but because they do not realize the information is there to find.
You could get a slightly less effective but similar result simply by renaming your secret information something like "image.retrieval.dll" and hoping that no one bothers to try and decrypt it. But by putting it into a regular file, people are less likely to try and break the code.
-
What happens if the image gets edited?
2003-12-09 04:46:53 anonymous2
But people will know there is information to find. If you insert an encrypted message into a photo, it is fairly easy to figure out that white noise (the encrypted message) has been added "unexpectedly" at some point -- and without a lot of computer power.
-
converting image formats after encoding
2003-12-08 09:08:24 anonymous2
since jpeg uses lossy compression, if one was to use a program to export the image as a bmp or something else after performing the steganography, would this not result in the message being garbled if it were ever converted back to jpeg?
-
Poor quality wav files?
2003-12-08 08:28:22 anonymous2
If I listen to both the embedded file and the stegofile in xmms, I can't tell a difference in the audio quality, which, granted, I've never found that great for .wav files anyway.
WAV files are lossless, uncompressed audio. You can't really get better digital quality, esp. compared to mp3 or ogg. There's a reason a 10 minute song takes dozens of megs of disk space compared to an 8 meg mp3 of the same song ...
-
Poor quality wav files?
2003-12-08 08:47:25 anonymous2
...which is why people lower the quality (sampling rate, bits, downmix to mono, etc., etc.) to make smaller WAV files, which is why most WAV files sound crappy...
-
jpeg-6b_1
2003-12-06 06:42:43 anonymous2
jpeg-6b_1 installs actually cjpeg/djpeg/jpegtran/etc and all related manpages not "outguess suite"
wbr






