Re: Call for stego ideas

From: Michael Amling (nospam_at_nospam.com)
Date: 07/22/04


Date: Thu, 22 Jul 2004 01:58:36 GMT

vedaal@hush.com wrote:
> Michael Amling <nospam@nospam.com> wrote in message news:<r0wLc.1594$fH5.266@newssvr31.news.prodigy.com>...
>
>
>>>> I think you can get good security without an explicit
>>>>embedding/extraction function. Start out with a few hundred or a few
>>>>thousand more or less independent candidate image files (or sound
>>>>files). Calculate the HMAC of each, using a secret shared key. Select
>>>>and send in order a sequence of images whose HMACs' low-order 8 bits
>>>>form the message (which may itself be ciphertext) to be communicated.
>>>>
>>>> The recipient calculates all the received images' HMACs, extracts
>>>>the low-order 8 bits of each, and concatenates them to reconstruct the
>>>>message.
>>>>
>>>> No amount of examination of the images will reveal how it is that
>>>>they have been modified to carry the message, since the images have
>>>>not been modified.
>>>>
>>>> I didn't invent this method, but except for the rather low data
>>>>rate, it looks like a good idea.
>
>
> this sounds so good,
> that maybe it's time to plan for the next stage ;-)
> the 'active warden' attack.
>
> the length of stego message, should be able to be long enough to
> include a PK hash of the steganographically concealed message,
> so that the receiver and sender can know if the message has been
> tampered with.

   I agree some kind of MAC is good. It doesn't necessarily have to be a PK
hash or digital signature.

>
> the entire (concealed) message can still be an encrypted string if
> desired,
> but should be able to be authenticated when retrieved from the stego
> carrier and decrypted.
>
> this can be very difficult in practice, if even one image is lost in
> transit,
> and may be a problem when the carrier is a 'collection' of many
> separate images.
>
>
> without the ability to authenticate,
> it is trivial for the 'warden' to defeat,
> by simply copying the .jpeg's with a small compression factor, and
> slightly changing the brightness/contrast, as is routinely done by
> many image programs,
> resulting in images that 'look' exactly the same,
> but have altered the 'carrier' and anything it contained.

   Yes, if the warden alters the images, the message will be lost.

>
> a 1024 DH key/DSA sig would be both effective enough and short enough
> to include
> as part of message.

   Since the parties already are presumed to have shared secrets, one
more shared secret key for a 64-bit MAC of the ciphertext would also do it.

--Mike Amling
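
The scheme discussed in this thread, as an added example that is not code from any of the posters: covers are selected by the low-order 8 bits of their HMAC, and a 64-bit MAC of the ciphertext under a second shared key is carried along so the receiver can detect a lost or altered cover. HMAC-SHA256, taking the last digest byte as the "low-order 8 bits", the key values, and the byte strings standing in for image files are all assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: two shared secrets and a pool of byte strings
# standing in for a few thousand unmodified candidate image files.
SEL_KEY = b"constructed-selection-key"
MAC_KEY = b"constructed-mac-key"
POOL = [hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(4000)]

def low_byte(cover: bytes) -> int:
    """Low-order 8 bits of the cover's HMAC under the selection key."""
    return hmac.new(SEL_KEY, cover, hashlib.sha256).digest()[-1]

def tag64(ciphertext: bytes) -> bytes:
    """64-bit MAC of the ciphertext (HMAC-SHA256 truncated; an assumption)."""
    return hmac.new(MAC_KEY, ciphertext, hashlib.sha256).digest()[:8]

def select_covers(ciphertext: bytes, pool: list) -> list:
    """Choose, in order, one unused cover per byte of ciphertext || tag."""
    buckets = {}
    for cover in pool:
        buckets.setdefault(low_byte(cover), []).append(cover)
    chosen = []
    for b in ciphertext + tag64(ciphertext):
        if not buckets.get(b):
            raise LookupError(f"no unused cover left for byte {b:#04x}")
        chosen.append(buckets[b].pop())
    return chosen

def recover(received: list):
    """Rebuild the byte string; return None if the 64-bit MAC fails."""
    data = bytes(low_byte(c) for c in received)
    if len(data) < 8:
        return None
    body, tag = data[:-8], data[-8:]
    # Constant-time comparison of the received and recomputed tags.
    return body if hmac.compare_digest(tag, tag64(body)) else None

if __name__ == "__main__":
    covers = select_covers(b"\x8f\x02\xc4\x51", POOL)  # constructed ciphertext
    print(len(covers), "covers sent; recovered:", recover(covers).hex())
    print("one cover lost in transit:", recover(covers[1:]))
```

The MAC only detects the loss or alteration; as noted in the thread, the message itself is still gone once a cover is changed or dropped.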