Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecSteganography
Jeremy Krinn
s.
ht
rig
The historic use of steganography was the concealing of communications. This has been
ull
accomplished in a number of ways ranging from microdot printing and invisible inks to spread
spectrum communications. This differs from cryptography in that cryptosystems assume that
f
the enemy can access and modify the communication if possible. Steganography can augment
ns
cryptography by obscuring
Key fingerprint = AF19 communication
FA27 2F94 998D and prevent
FDB5 the F8B5
DE3D enemy06E4
fromA169
knowing
4E46a
tai
communication is even being sent. However it should not be considered a replacement for
cryptography. (1,2). Using computers to hide information on a hard drive is easily done with
re
free tools or comprehensive security packages.
or
The world of computing has developed some interesting applications for steganography
that instead of hiding information seeks to fingerprint or watermarking. These techniques can
th
be used to protect distributed intellectual property such as films, audio recordings, books, and
Au
multimedia products by embedding copyright information. Some applications for steganography
presented by Anderson and Petitcolas are for embedding signatures in advertising and monitor
2,
them for contractual adherence; embedding comments in video-mail; or embedding patient
00
information into medical images. (3)
-2
Information Hiding Tools
00
Steganos II (4)
20
te
I started my exploration of steganography with a package from Demcom called Steganos
tu
II for Windows. The software is a security suite that includes a ray diffusing notepad, a
password management utility, a “shredder” to permanently delete files to DOD standards and
sti
steganography tools. I used the US version, which uses a RC-4 compatible encryption algorithm
In
with a 128-bit key. There is a charge for the full version of the suite of software.
NS
Launching the program runs a desktop for utilizing the Steganos Suite. A split pane
window allows for easy browsing. Steganos allows you to use either encrypt a file or encrypt
SA
and hide a file. A drag and drop concept works between the two panes to select the files to hide.
Steganos also integrates with Windows to give an option to hide data from an explorer view by
©
right clicking on the file and choosing the Hide… feature. Demcom makes a “reader” program
for people who do not have the full suite but may want to read embedded data. The additional
features and the suite of programs included with this software package make it worth the initial
cost.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.I think everyone is familiar with the default Microsoft Startup WAV. I have used Steganos to
embed this paper you are reading (without pictures or sounds).
s.
ht
Here is the original for comparison.
rig
S-Tools (5)
ull
S-tools seemed to be the most popular tool cited in many papers as well as by number of
f
downloads from Zdnet. S-Tools fits on a floppy, after it’s been decompressed from download.
ns
ThisKey
is afingerprint
big plus =ifAF19
you are
FA27like me998D
2F94 and visit
FDB5many
DE3D machines during
F8B5 06E4 A169any given day. The
4E46
tai
interface is simple to use just drag a picture into the frame of the running program. The lower
left part of the picture will indicate the how a large a file your carrier will hold. Then you can
re
simply drag the file you want to hide into the image. A dialog box then asks for a passphrase
or
and encryption algorithm that you want to use. A simple right click allows you to save the
carrier/hidden file to your hard drive.
th
To unhide the information, drag the picture into the frame, right click, select reveal the
Au
type in your passphrase. You still need to drag the revealed file from the program window to the
hard disk. The size of the program makes it easy to transport or send via email. However the
2,
small size means you sacrifice some features. S-tools will only allow gif, bmp or wav carrier
00
files. This is a limiting factor if you wish to send or store information in other file formats.
-2
Here is a picture of a spider web downloaded from Imagebank.com. The size of this gif is 186
00
KB. Below it is the same picture using S-Tools to embed the Samples.XLS workbook that
comes with Microsoft Office. The original size of the embedded file is 215 KB. This is about
20
the limit that S-Tools recommended for the maximum file size. Close observation of the two
images shows a definite change in pixilation in places. I purposely embedded a larger file to
te
show some differences in the two images. The second image is only 272 KB. Comparing this to
tu
the original would show an obvious difference. However a small image in a large file would not
sti
be as obvious. A large image could hold a great deal of data, especially if compressed. This
In
could even be made more difficult to detect by embedding the data in the original and not having
copies to compare it.
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.s.
There are programs available for most popular operating systems. I have reviewed two for
ht
Windows for comparison. Please reference the table at the end of this paper for a guide to some
rig
of the tools available.
ull
Before discussing digital watermarking I would like to mention Craig Rowland describes another
method of data hiding that in a paper. Craig describes techniques to leverage weaknesses in the
f
TCP/IP protocol suite that would allow covert channel communications. The areas encoded in
ns
the Key
packet can be: 1)
fingerprint the IPFA27
= AF19 packet identification
2F94 998D FDB5 field 2) the
DE3D TCP
F8B5 initial
06E4 sequence
A169 4E46 number field
tai
and 3) the TCP acknowledged sequence number field. The fields are replaced with numerical
ASCII representation of the character to be encoded. Each subsequent packet contains the next
re
letter in the code. This could provide a means to “smuggle” data between networks. There is
or
source code available for Linux at the end of Craig’s paper for TCP header manipulation. (7)
th
Digital Watermarking Au
The use of hidden copyright or fingerprinting can be used to identify electronic media or
2,
carry data about the media. This could ensure ownership and identify illicit copying of digital
00
media. (4). This has become an issue recently with the emergence of mp3 and the recent charges
-2
against Napster. A great deal of research has been done on techniques for watermarking and
fingerprinting. Rather then discuss the techniques I am going to profile a company that provides
00
commercial watermarking products. I will provide links to research papers at the end of the
20
document.
te
Recently an e-column from Red Herring (8) magazine profile companies that are linking
tu
old-world media like catalogs and magazines to online content by using watermark image
sti
embedded in advertising that can be read by digi-cams. Digimarc (http://www.digimarc.com) is a
company that is offering commercial steganography tools. They have patented processes to
In
protect movies, photographs, as well as financial records. The technology involves both digital
NS
images that can have embedded images on them. These images can be tracked by searching for
meta data embedded in the images.(9)
SA
The second technology allows embedding of information into identification cards such as
©
a drivers license or credit card. This helps prevent counterfeiting by using high quality
reproductions. The embedded data would be undetectable except by computers with digital
cameras. The watermarks can survive printing and laminating. The documents can then be
personalized to an individual.
Keyarefingerprint
There = AF19toFA27
tools available 2F94
test the 998D FDB5
robustness DE3D F8B5 06E4
of watermarking A169are
and these 4E46
available unZign
(available at http://www.altern.org/watermark ) and Stirmark (available at
http://www.cl.cam.ac.uk/~fapp2/steganography/image_watermarking/stirmark/ )
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Bibliography
s.
ht
1) Johnson, Neil. “Steganography”. URL: http://www.jjtc.com/stegdoc/
rig
2) Unknown , “Hidden in Plain Sight-Steganography” Counterintelligence New and
Developments June 1998 Vol. 2 URL: http://www.nacic.gov/cind/jun98.htm#rtoc4
ull
3) Anderson, Ross J. and Petitcolas, Fabien A.P.. “On the Limits of Steganography”. IEEE
Journal of Selected Areas in Communications, 16(4):474-481, May 1998. URL:
f
ns
http://www.cl.cam.ac.uk/~fapp2/papers/jsac98-limsteg/
KeyDemcom.
4) fingerprinthttp://www.demcom.com/english/steganos/index.html
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
5) StegArchive http://members.tripod.com/steganography/stego.html
re
6) Johnson, Neil. “Steganography & Digital Watermarking”.
http://www.jitc.com/Steganography
or
7) Rowland, Craig. “ Covert Channels in the TCP/IP Protocol Suite.” URL:
th
http://www.psionic.com/papers/covert/
8) Needleman, Rafe. “Stripes and Blobs.” Red Herring.com July 21, 2000. URL :
Au
http://www.redherring.com/cod/2000/0621.html
9) Johnson, Neil. “In Search of the Right Image: Recognition and Tracking of Images in
2,
Image Databases, Collections and The Internet.” URL:
00
http://www.isse.gmu.edu/~njohnson/pub/csis_tr_99_05_nfj
-2
10) Digimarc. “Digimarc Watermark Guide” URL:
http://www.digimarc.com/support/cswater.shtml
00
11) Fridrich, Jiri and Goljan, Miroslav “ Comparing robustness of watermarking techniques”
20
Other Links(not used directly in this article but can provide more information):
te
tu
Petitcolas, Fabien A.P. “Annotated Bibliography on Information Hiding” URL:
http://www.cl.cam.ac.uk/~fapp2/steganography/bibliography/
sti
In
Ed. Katzenbeisser, Stefan and Petitcolas, Fabien. Information Hiding Techniques For
Steganography and Digital Watermarking. Publisher : Artech House
NS
Available at Amazon: Steganography and Watermarking .
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.s.
ht
rig
Below is a table listing various tools for comparison. The original version of this table appears at
http://www.jtc.com/Steganography/toolsmatrix.htm. (6)
f ull
Tool Vendor -Author Operating Coexisting Technology Image Comments
ns
System Requirement Formats
Argent Commercial,
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D Images
F8B5are06E4
not Embeds
A169 copyright
4E46or license information as watermark.
tai
Digital Information Commodities yet supported.
Exchange (DICE)
re
http://digital-watermark.com/
or
Copyright Commercial, Web based JPEG and GIF Only phase 3 involves digital watermarking.
Intellectual Protocols2 (IP2) and requires
th
http://www.ip2.com/ a Java
compliant
browser. Au
2,
EZStego, Shareware, Romana Machado 1) EZStego - EzStego LSB. Sorts EzStego - GIF Only supports GIF images. Stego supports PICT images
00
Stego Online, romana@stego.com Java requires Java palette to StegoOnline - only.
Stego http://www.stego.com/ 2) Stego Virtual similar colors - GIF
Online - Web Machine. palette shifts. Stego - PICT
-2
3) Stego - Stego Online
Mac requires All three tools
HTML 3.2 use the same
00
compliant approach to
web browser. information
20
Stego hiding.
requires Mac.
te
tu
Giovanni Commercial Win, MAC Fast Fourier Digital Media: More information is available at the Giovanni web page.
Blue Spike, Inc. Transform Image and All the information resides in the watermarked copy and
sti
800 381 8344 (FFT) audio does not require a web site lookup, as do other
E-Mail: info@bluespike.com commercial products. As long as one has the Giovanni
http://www.bluespike.com/ software, the encoding keys, and the copy, the watermark
In
can be extracted.
NS
Also see questions and answers about Giovanni for both
image and audio watermarking.
SA
Hide and Shareware, Colin Maroney Win, DOS LSB V5.0 - GIF Hide and Seek 1.0 for Win95
Seek cjm@cypher.net http://www.cypher.net/ http://www.cypher.net/products/
Win95 - 8-bit Hide and Seek 5.0 for DOS
©
BMP
http://www.rugeley.demon.co.uk/security/hdsk50.zip
IBM Digital Commercial, IBM's Digital Discrete Watermark is an internal function to the library system.
Library IBM Library Cosine http://www.research.ibm.com/image_apps/
System Howard Sachar System. Transformation http://www.research.ibm.com/image_apps/commerce.html
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
sachar@watson.ibm.com (DCT). (commercial use)
Manager, image applications
IBM T. J. Watson Research Center
P.O. Box 218
Yorktown Heights, NY 10598-0218
(914) 945-1432 Fax: (914) 945-4003
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.JK_PGS Evaluation, UNIX (Sun, PPM image Working on development for Photo Shop and Paint Shop
(Pretty Good PhD Students SGI, format only. plug-ins.
Signature) Mr. Martin Kutter (Switzerland - LINUX)
kutter@ltssg3.epfl.ch) and http://ltswww.epfl.ch/~kutter/watermarking/JK_PGS.html
Mr. Frederic Jordan (France) at (Win95/NT
s.
Signal Processing Laboratory at Swiss version is
Federal Institute of Technology (EPFL). under
ht
development)
rig
Jsteg Freeware, UNIX, DOS, Combination Input: PPM When extracting the hidden message, a "decoded" image
Derek Upham Win (source within the (PBMPLUS must be created.
ull
code is JPEG color format),
available) algorithm at PGM
f
compression? (PBMPLUS
gray-scale
ns
format), GIF,
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Targa, and
tai
RLE (Utah
Raster Toolkit
re
format).
Output: JFIF
or
format JPEG
th
Mandelsteg Freeware, C source Generates a Insecure. Signature: 128 unique colors. Each color used
Henry Hastur code. Au Mandelbrot
fractal
two palette
GIF Software is available worldwide at many sites.
entries.
image.
2,
00
PictureMarc Commercial, Photoshop Pattern block The mark may Subtle changes to "flat" areas may be detected when
and Digimarc Corporation Compatible encoding. be embedded compared with the original
-2
BatchMarc http://www.digimarc.com/ image into any image
processing readable by
software. Adobe Photo
00
Requires Shop and can
MarcCenter be processed
20
to verify the with filters (24-
watermark bit or
"code." grayscale).
te
tu
sti
PixelTag MIT Media Lab Pattern block Patent Pending
Joshua Smith and Barrett Comiskey encoding. http://www.media.mit.edu/pixeltag
pixeltag@media.mit.edu
In
NS
Steganos Shareware, Win, DOS LSB V1.4 (DOS) Noticeable noise in 8-bit images.
Deus Ex Machina Communications BMP
SA
http://www.steganography.com/ V1.4 also hides data in VOC, WAV, or ASCII files.
Win95: BMP,
Fabian Hansmann (may be going DIB Win95 also processes VOC, WAV, TXT, HTML
commercial)
©
V1.4 hangs when processing a 1byte message.
Internet: steganos-support@demcom.com
WWW:
http://www.demcom.com/english/steganos/
Mail: Deus Ex Machina Communications,
Sophienstr. 28, 60487, Frankfurt, Germany
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Stegodos, Public Domain, Black Wolf DOS Requires LSB. The Multiple Software is available through various web sources.
Black Wolf's third party encoded image images formats
Picture screen is displayed since it use Noticeable noise in most images.
Encoder capturing and must be screen
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.software to "captured" in a captures. Only
save the paint program supports
encoded before saving. 320x200
image. images with
256 colors.
s.
S-Tools Shareware, Andy Brown Win LSB. Color V4.0: GIF, Software is available through various web sources.
reduction then BMP
ht
a.brown@nexor.co.uk insert V4.0 also supports
additional
rig
28 Ashburn Drive colors as
Wetherby necessary to S-tools has trouble recovering small messages (1-2 bytes).
West Yorkshire cover LSBs 3 byte+ messages are more reliable.
ull
LS22 5RD without
United Kingdom adversely
impacting the
f
image quality.
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
SureSign Commercial, Win, MAC Photoshop Pattern block Any image that Watermark follows the image pattern. Signum SureSign's
Signum Technologies Compatible encoding. can be watermark logo is visible on the image.
re
http://www.signumtech.com/ image displayed in
processing Paint Shop Pro,
signum@signumtech.com software. Photo Shop or
or
Works with compatible
Signum Technologies Ltd. Paint Shop image
th
2-6 St George's Business Park Pro processing
Alstone Lane (shareware) programs and
Cheltenham
Glos.
Au can
manipulated
be
GL51 8HF with image
UK filters.
2,
00
SysCoP Commercial, Sun Solaris, PPM, PGM, For still images, it reads PPM (PGM, PBM) formats, and
-2
Fraunhofer Center for Research in HP-UX, SGI PBM, and with uses a conversion toolkit to support JPEG, GIF, and TIFF
Computer Graphics (CRCG) a non-profit IRIX, a conversion formats. For motion data, Motion JPEG and MPEG-1 are
computer graphics research group, Jian Win95/NT toolkit supports supported.
00
Zhao (Mac and JPEG, GIF, In 8-bit images, SysCop has a signature pattern, especially
Netscape and TIFF. with images of lower unique colors, of like colors grouped
http://syscop.igd.fhg.de/ plug-in are in a range.
20
and http://www.crcg.edu/syscop/ under
development)
te
Send email to syscop@igd.fhg.de if you
have any question.
tu
sti
TigerMark Commercial, Requires use Discrete TigerMark is NEC's watermarking tool which has been
(NEC) and NEC of Informix Cosine integrated with Informix Databalde technology.
In
Informix DBMS as Transformation
Datablade core. (DCT) or fast There is a software development kit (SDK) which
fourier provides access to the watermark capability without the
NS
transformation requirement for Informix (under development?).
(FFT) with
"secure spread
SA
spectrum."
©
Visual Freeware, Jouko Holopainen DOS Generates Severe "Visual cryptography", Moni Naor and Adi Shamir;
Cryptography postscript files degradation of Advances in Cryptology -
of the first two container EUROCRYPT '94, Lecture notes in Computer Science
input images. images. 950; Springer 1995
The hidden
image is spread
across the two
carriers so if
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 the carriers are
overlapped,
then the hidden
image will be
seen.
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.White Noise Shareware, DOS Spread PCX Degrades 8-bit images and may cause complete color
Storm (WNS) Ray Arachelian Spectrum, LSB shifts in 24-bit.
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Last Updated: January 5th, 2020
Upcoming Training
SANS Austin Winter 2020 Austin, TX Jan 06, 2020 - Jan 11, 2020 Live Event
SANS Miami 2020 Miami, FL Jan 13, 2020 - Jan 18, 2020 Live Event
Miami 2020 - SEC401: Security Essentials Bootcamp Style Miami, FL Jan 13, 2020 - Jan 18, 2020 vLive
Mentor Session @ Work - SEC401 Detroit, MI Jan 14, 2020 - Jan 30, 2020 Mentor
SANS Amsterdam January 2020 Amsterdam, Netherlands Jan 20, 2020 - Jan 25, 2020 Live Event
SANS Anaheim 2020 Anaheim, CA Jan 20, 2020 - Jan 25, 2020 Live Event
Mentor Session - SEC401 Online, MI Jan 24, 2020 - Feb 28, 2020 Mentor
SANS Las Vegas 2020 Las Vegas, NV Jan 27, 2020 - Feb 01, 2020 Live Event
SANS San Francisco East Bay 2020 Emeryville, CA Jan 27, 2020 - Feb 01, 2020 Live Event
SANS Security East 2020 New Orleans, LA Feb 01, 2020 - Feb 08, 2020 Live Event
Community SANS Dallas SEC401 Dallas, TX Feb 03, 2020 - Feb 08, 2020 Community SANS
Security East 2020 - SEC401: Security Essentials Bootcamp Style New Orleans, LA Feb 03, 2020 - Feb 08, 2020 vLive
Mentor Session - SEC401 Sterling, VA Feb 05, 2020 - Apr 15, 2020 Mentor
SANS London February 2020 London, United Feb 10, 2020 - Feb 15, 2020 Live Event
Kingdom
SANS New York City Winter 2020 New York City, NY Feb 10, 2020 - Feb 15, 2020 Live Event
SANS vLive - SEC401: Security Essentials Bootcamp Style SEC401 - 202002, Feb 10, 2020 - Mar 18, 2020 vLive
Community SANS Sacramento SEC401 Sacramento, CA Feb 10, 2020 - Feb 15, 2020 Community SANS
SANS Northern VA - Fairfax 2020 Fairfax, VA Feb 10, 2020 - Feb 15, 2020 Live Event
Community SANS Columbus SEC401 Columbus, OH Feb 10, 2020 - Feb 15, 2020 Community SANS
SANS Scottsdale 2020 Scottsdale, AZ Feb 17, 2020 - Feb 22, 2020 Live Event
SANS San Diego 2020 San Diego, CA Feb 17, 2020 - Feb 22, 2020 Live Event
SANS Manchester February 2020 Manchester, United Feb 24, 2020 - Feb 29, 2020 Live Event
Kingdom
SANS Secure India 2020 Bangalore, India Feb 24, 2020 - Feb 29, 2020 Live Event
SANS Jacksonville 2020 Jacksonville, FL Feb 24, 2020 - Feb 29, 2020 Live Event
SANS Northern VA - Reston Spring 2020 Reston, VA Mar 02, 2020 - Mar 07, 2020 Live Event
Community SANS Chicago SEC401 Chicago, IL Mar 02, 2020 - Mar 07, 2020 Community SANS
SANS Secure Japan 2020 Tokyo, Japan Mar 02, 2020 - Mar 14, 2020 Live Event
SANS Munich March 2020 Munich, Germany Mar 02, 2020 - Mar 07, 2020 Live Event
Mentor Session - SEC401 Charleston, SC Mar 03, 2020 - May 05, 2020 Mentor
SANS Jeddah March 2020 Jeddah, Kingdom Of Mar 07, 2020 - Mar 12, 2020 Live Event
Saudi Arabia
SANS St. Louis 2020 St. Louis, MO Mar 08, 2020 - Mar 13, 2020 Live EventYou can also read
