Re: Call for stego ideas

From: Michael Amling (
Date: 07/22/04

Date: Thu, 22 Jul 2004 01:58:36 GMT wrote:
> Michael Amling <> wrote in message news:<r0wLc.1594$>...
>>>> I think you can get good security without an explicit
>>>>embedding/extraction function. Start out with a few hundred or a few
>>>>thousand more or less independent candidate images files (or sound
>>>>files). Calculate the HMAC of each, using a secret shared key. Select
>>>>and send in order a sequence of images whose HMAC's low-order 8 bits
>>>>form the message (which may itself be ciphertext) to be communicated.
>>>> The recipient calculates all the received images' HMACs, extracts
>>>>the low-order 8 bits of each, and concatenates them to reconstruct the
>>>> No amount of examination of the images will reveal how it is that
>>>>they have been modified to carry the message, since the images have
>>>>not been modified.
>>>> I didn't invent this method, but except for the rather low data
>>>>rate, it looks like a good idea.
> this sounds so good,
> that maybe it's time to plan for the next stage ;-)
> the 'active warden' attack.
> the length of stego message, should be able to be long enough to
> include a PK hash of the steganographically concealed message,
> so that the receiver and sender can know if the message has been
> tampered with.

   I agree some kind MAC is good. It doesn't necessarily have to be a PK
hash or digital signature.

> the entire (concealed) message can still be an encrypted string if
> desired,
> but should be able to be authenticated when retrieved from the stego
> carrier and decrypted.
> this can be very difficult in practice, if even one image is lost in
> transit,
> and may be a problem when the carrier is a 'collection' of many
> separate images.
> without the ability to authenticate,
> it is trivial for the 'warden' to defeat,
> by simply copying the .jpeg's with a small compression factor, and
> slightly changing the brightness/contrast, as is routinely done by
> many image programs,
> resulting in images that 'look' exactly the same,
> but have altered the 'carrier' and anything it contained.

   Yes, if the warden alters the images, the message will be lost.

> a 1024 DH key/DSA sig would be both effective enough and short enough
> to include
> as part of message.

   Since the parties already are presumed to have shared secrets, one
more shared secret key for a 64-bit MAC of the ciphertext would also do it.

--Mike Amling