Author: Anže Vidmar
With steganography, a plain text file is merged with a picture or sound file. The resulting file looks and sounds the same — only the size of the file is slightly changed. For extra security, you can encrypt the text file before you merge it.
Here’s a look at some useful tools that you can use to hide and unveil sensitive information inside an object. Most of these programs and tools are available in package repositories for different Linux distributions.
OutGuess
OutGuess is console-based universal steganographic tool that can hide information inside picture objects. The latest version, 0.2, was released in late 2001 and supports inserting objects into PPM, PNM, and JPEG image formats. OutGuess can be used on Linux, *BSD, Solaris, AIX, HP-UX, Mac OS X, and Windows.
Suppose I want to securely send a coworker a root password for a production server. I can start by putting the password in a pass.txt file, then encrypt it with a secret key (“summer” — shh, don’t tell anyone) and mix the encrypted version with an image called grill.jpg. OutGuess can do that with one command:
~$ outguess -k summer -d pass.txt grill.jpg summer-grill.jpg
You don’t need to use the -k
option to encrypt the sensitive data with a secret key. If you leave it off, however, anyone who knows there’s a file buried in the image can extract the output file.
Now I have an image named summer-grill.jpg that holds my production server’s root password, and I can mail it to my coworker. Anyone who sees the picture won’t notice anything strange, since the data in the image object is not visible to the human eye.
When my coworker receives the picture, he needs to extract the information from the file. As long as he knows the secret key I used for the encryption, he can run the command:
~$ outguess -k summer -r summer-grill.jpg pass.txt
If you don’t specify the -k
option and provide the key, OutGuess will extract the pass.txt file, but it won’t be readable.
Steghide
Steghide is another program you can use to hide sensitive data inside image and audio files. The latest version of Steghide, 0.5.1, has been available since October 2003, and supports hiding sensitive information inside BMP and JPEG image formats as well as in AU and WAV audio formats. The default encryption algorithm is Rijndael with a key size of 128 bits, which is basically AES (Advanced Encryption Standard), but you can choose from many other encryption algorithms as well. Steghide runs under both Linux and Windows.
Let’s use the same scenario from our previous example. The equivalent Steghide command is:
~$ steghide embed -cf grill.jpg -sf summer-grill.jpg -ef pass.txt -p summer
To extract the pass.txt file from the summer-grill.jpg picture, use this Steghide command:
~$ steghide extract -sf summer-grill.jpg
You’ll be asked for a password, and the utility will extract the pass.txt only if your password (secret key) is correct. Note that when extracting we didn’t specify any output file. That’s because Steghide automatically knows what the file name was that was inserted and extracts the file with the same name.
Stegtools
Stegtools is a pair of command-line tools for reading and writing hidden information. The latest version of stegtools, 0.4b, was released in the middle of 2005. The software supports 24bpp bitmap images, and runs on Linux and FreeBSD operating systems.
Using the same example again:
cat pass.txt | /usr/local/stegotools-0.4b/stegwrite grill.jpg summer-grill.jpg 1
Here I redirect the standard input (the output of cat command) into the stegwrite tool and specify an existing and desired output picture object. I used the full path to my stegwrite tools, since they’re not in my $PATH. The number at the end of the command represents the number of last bits of the grill.jpg image that will be used to hide my data. The value may be 1, 2, or 4. More in-depth explanation can be found in the software’s README file.
Stegread reads the hidden information from a picture object and writes it to the standard output. If I want to extract the password from summer-grill.jpg image, I can use this command:
~$ /usr/local/stegotools-0.4b/stegread summer-grill.jpg 1 > pass.txt
You need to have the right number of last bits in order to successfully extract the password from the object file. If you don’t know the right number, the utility leaves you with an empty pass.txt file.
SteGUI – click to enlarge |
SteGUI, a Steghide GUI
SteGUI is a Linux-based graphical front end to Steghide that was released in May 2006. Before you install SteGUI you need the stegtools, FLTK toolkit, PStreams, ALSA, and Libjpeg libraries installed.
The menus in SteGUI allow you to open objects (picture or sound) and extract or embed information by selecting and clicking on the screen. Here you can see that I’ve opened my grill.jpg picture and am preparing to embed the pass.txt file. You can also see how many cryptographic algorithms are available for the job. Although it’s a nice interface, SteGUI is useful only with objects made with the Steghide program.
Conclusion
Steganography can be useful in many ways for sharing and hiding personal information. Among these utilities, someone who would like to use steganography on multiple platforms would choose OutGuess. For someone who doesn’t like console-based tools, Steghide plus SteGUI is the best choice.
Category:
- Security