Re: Call for stego ideas

From: Michael Amling (nospam_at_nospam.com)
Date: 07/22/04


Date: Thu, 22 Jul 2004 01:58:36 GMT

vedaal@hush.com wrote:
> Michael Amling <nospam@nospam.com> wrote in message news:<r0wLc.1594$fH5.266@newssvr31.news.prodigy.com>...
>
>
>>>> I think you can get good security without an explicit
>>>>embedding/extraction function. Start out with a few hundred or a few
>>>>thousand more or less independent candidate images files (or sound
>>>>files). Calculate the HMAC of each, using a secret shared key. Select
>>>>and send in order a sequence of images whose HMAC's low-order 8 bits
>>>>form the message (which may itself be ciphertext) to be communicated.
>>>>
>>>> The recipient calculates all the received images' HMACs, extracts
>>>>the low-order 8 bits of each, and concatenates them to reconstruct the
>>>>message.
>>>>
>>>> No amount of examination of the images will reveal how it is that
>>>>they have been modified to carry the message, since the images have
>>>>not been modified.
>>>>
>>>> I didn't invent this method, but except for the rather low data
>>>>rate, it looks like a good idea.
>
>
> this sounds so good,
> that maybe it's time to plan for the next stage ;-)
> the 'active warden' attack.
>
> the length of stego message, should be able to be long enough to
> include a PK hash of the steganographically concealed message,
> so that the receiver and sender can know if the message has been
> tampered with.

   I agree some kind MAC is good. It doesn't necessarily have to be a PK
hash or digital signature.

>
> the entire (concealed) message can still be an encrypted string if
> desired,
> but should be able to be authenticated when retrieved from the stego
> carrier and decrypted.
>
> this can be very difficult in practice, if even one image is lost in
> transit,
> and may be a problem when the carrier is a 'collection' of many
> separate images.
>
>
> without the ability to authenticate,
> it is trivial for the 'warden' to defeat,
> by simply copying the .jpeg's with a small compression factor, and
> slightly changing the brightness/contrast, as is routinely done by
> many image programs,
> resulting in images that 'look' exactly the same,
> but have altered the 'carrier' and anything it contained.

   Yes, if the warden alters the images, the message will be lost.

>
> a 1024 DH key/DSA sig would be both effective enough and short enough
> to include
> as part of message.

   Since the parties already are presumed to have shared secrets, one
more shared secret key for a 64-bit MAC of the ciphertext would also do it.

--Mike Amling



Relevant Pages

  • Re: Are purely-analog audio devices immune to aliasing?
    ... but I think I would tend to call them images rather than aliases. ... the fundamental of the carrier. ... space out to infinity, ... is often also referred to as "pulse code modulation," ...
    (rec.audio.tech)
  • Re: Are purely-analog audio devices immune to aliasing?
    ... but I think I would tend to call them images rather than aliases. ... Yes they are analogous in that a sampling device will also produce them. ... the fundamental of the carrier. ... space out to infinity, ...
    (rec.audio.tech)