Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission. Interested in learning more? Check out the list of upcoming events offering "Security Essentials Bootcamp Style (Security 401)" at http://www.giac.org/registration/gsec
Steganography Jeremy Krinn s. ht rig The historic use of steganography was the concealing of communications. This has been ull accomplished in a number of ways ranging from microdot printing and invisible inks to spread spectrum communications. This differs from cryptography in that cryptosystems assume that f the enemy can access and modify the communication if possible. Steganography can augment ns cryptography by obscuring Key fingerprint = AF19 communication FA27 2F94 998D and prevent FDB5 the F8B5 DE3D enemy06E4 fromA169 knowing 4E46a tai communication is even being sent. However it should not be considered a replacement for cryptography. (1,2). Using computers to hide information on a hard drive is easily done with re free tools or comprehensive security packages. or The world of computing has developed some interesting applications for steganography that instead of hiding information seeks to fingerprint or watermarking. These techniques can th be used to protect distributed intellectual property such as films, audio recordings, books, and Au multimedia products by embedding copyright information. Some applications for steganography presented by Anderson and Petitcolas are for embedding signatures in advertising and monitor 2, them for contractual adherence; embedding comments in video-mail; or embedding patient 00 information into medical images. (3) -2 Information Hiding Tools 00 Steganos II (4) 20 te I started my exploration of steganography with a package from Demcom called Steganos tu II for Windows. The software is a security suite that includes a ray diffusing notepad, a password management utility, a “shredder” to permanently delete files to DOD standards and sti steganography tools. I used the US version, which uses a RC-4 compatible encryption algorithm In with a 128-bit key. There is a charge for the full version of the suite of software. NS Launching the program runs a desktop for utilizing the Steganos Suite. A split pane window allows for easy browsing. Steganos allows you to use either encrypt a file or encrypt SA and hide a file. A drag and drop concept works between the two panes to select the files to hide. Steganos also integrates with Windows to give an option to hide data from an explorer view by © right clicking on the file and choosing the Hide… feature. Demcom makes a “reader” program for people who do not have the full suite but may want to read embedded data. The additional features and the suite of programs included with this software package make it worth the initial cost. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
I think everyone is familiar with the default Microsoft Startup WAV. I have used Steganos to embed this paper you are reading (without pictures or sounds). s. ht Here is the original for comparison. rig S-Tools (5) ull S-tools seemed to be the most popular tool cited in many papers as well as by number of f downloads from Zdnet. S-Tools fits on a floppy, after it’s been decompressed from download. ns ThisKey is afingerprint big plus =ifAF19 you are FA27like me998D 2F94 and visit FDB5many DE3D machines during F8B5 06E4 A169any given day. The 4E46 tai interface is simple to use just drag a picture into the frame of the running program. The lower left part of the picture will indicate the how a large a file your carrier will hold. Then you can re simply drag the file you want to hide into the image. A dialog box then asks for a passphrase or and encryption algorithm that you want to use. A simple right click allows you to save the carrier/hidden file to your hard drive. th To unhide the information, drag the picture into the frame, right click, select reveal the Au type in your passphrase. You still need to drag the revealed file from the program window to the hard disk. The size of the program makes it easy to transport or send via email. However the 2, small size means you sacrifice some features. S-tools will only allow gif, bmp or wav carrier 00 files. This is a limiting factor if you wish to send or store information in other file formats. -2 Here is a picture of a spider web downloaded from Imagebank.com. The size of this gif is 186 00 KB. Below it is the same picture using S-Tools to embed the Samples.XLS workbook that comes with Microsoft Office. The original size of the embedded file is 215 KB. This is about 20 the limit that S-Tools recommended for the maximum file size. Close observation of the two images shows a definite change in pixilation in places. I purposely embedded a larger file to te show some differences in the two images. The second image is only 272 KB. Comparing this to tu the original would show an obvious difference. However a small image in a large file would not sti be as obvious. A large image could hold a great deal of data, especially if compressed. This In could even be made more difficult to detect by embedding the data in the original and not having copies to compare it. NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
s. ht rig ull f ns Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai re or th Au 2, 00 -2 00 20 te tu sti In NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
s. There are programs available for most popular operating systems. I have reviewed two for ht Windows for comparison. Please reference the table at the end of this paper for a guide to some rig of the tools available. ull Before discussing digital watermarking I would like to mention Craig Rowland describes another method of data hiding that in a paper. Craig describes techniques to leverage weaknesses in the f TCP/IP protocol suite that would allow covert channel communications. The areas encoded in ns the Key packet can be: 1) fingerprint the IPFA27 = AF19 packet identification 2F94 998D FDB5 field 2) the DE3D TCP F8B5 initial 06E4 sequence A169 4E46 number field tai and 3) the TCP acknowledged sequence number field. The fields are replaced with numerical ASCII representation of the character to be encoded. Each subsequent packet contains the next re letter in the code. This could provide a means to “smuggle” data between networks. There is or source code available for Linux at the end of Craig’s paper for TCP header manipulation. (7) th Digital Watermarking Au The use of hidden copyright or fingerprinting can be used to identify electronic media or 2, carry data about the media. This could ensure ownership and identify illicit copying of digital 00 media. (4). This has become an issue recently with the emergence of mp3 and the recent charges -2 against Napster. A great deal of research has been done on techniques for watermarking and fingerprinting. Rather then discuss the techniques I am going to profile a company that provides 00 commercial watermarking products. I will provide links to research papers at the end of the 20 document. te Recently an e-column from Red Herring (8) magazine profile companies that are linking tu old-world media like catalogs and magazines to online content by using watermark image sti embedded in advertising that can be read by digi-cams. Digimarc (http://www.digimarc.com) is a company that is offering commercial steganography tools. They have patented processes to In protect movies, photographs, as well as financial records. The technology involves both digital NS images that can have embedded images on them. These images can be tracked by searching for meta data embedded in the images.(9) SA The second technology allows embedding of information into identification cards such as © a drivers license or credit card. This helps prevent counterfeiting by using high quality reproductions. The embedded data would be undetectable except by computers with digital cameras. The watermarks can survive printing and laminating. The documents can then be personalized to an individual. Keyarefingerprint There = AF19toFA27 tools available 2F94 test the 998D FDB5 robustness DE3D F8B5 06E4 of watermarking A169are and these 4E46 available unZign (available at http://www.altern.org/watermark ) and Stirmark (available at http://www.cl.cam.ac.uk/~fapp2/steganography/image_watermarking/stirmark/ ) © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Bibliography s. ht 1) Johnson, Neil. “Steganography”. URL: http://www.jjtc.com/stegdoc/ rig 2) Unknown , “Hidden in Plain Sight-Steganography” Counterintelligence New and Developments June 1998 Vol. 2 URL: http://www.nacic.gov/cind/jun98.htm#rtoc4 ull 3) Anderson, Ross J. and Petitcolas, Fabien A.P.. “On the Limits of Steganography”. IEEE Journal of Selected Areas in Communications, 16(4):474-481, May 1998. URL: f ns http://www.cl.cam.ac.uk/~fapp2/papers/jsac98-limsteg/ KeyDemcom. 4) fingerprinthttp://www.demcom.com/english/steganos/index.html = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai 5) StegArchive http://members.tripod.com/steganography/stego.html re 6) Johnson, Neil. “Steganography & Digital Watermarking”. http://www.jitc.com/Steganography or 7) Rowland, Craig. “ Covert Channels in the TCP/IP Protocol Suite.” URL: th http://www.psionic.com/papers/covert/ 8) Needleman, Rafe. “Stripes and Blobs.” Red Herring.com July 21, 2000. URL : Au http://www.redherring.com/cod/2000/0621.html 9) Johnson, Neil. “In Search of the Right Image: Recognition and Tracking of Images in 2, Image Databases, Collections and The Internet.” URL: 00 http://www.isse.gmu.edu/~njohnson/pub/csis_tr_99_05_nfj -2 10) Digimarc. “Digimarc Watermark Guide” URL: http://www.digimarc.com/support/cswater.shtml 00 11) Fridrich, Jiri and Goljan, Miroslav “ Comparing robustness of watermarking techniques” 20 Other Links(not used directly in this article but can provide more information): te tu Petitcolas, Fabien A.P. “Annotated Bibliography on Information Hiding” URL: http://www.cl.cam.ac.uk/~fapp2/steganography/bibliography/ sti In Ed. Katzenbeisser, Stefan and Petitcolas, Fabien. Information Hiding Techniques For Steganography and Digital Watermarking. Publisher : Artech House NS Available at Amazon: Steganography and Watermarking . SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
s. ht rig Below is a table listing various tools for comparison. The original version of this table appears at http://www.jtc.com/Steganography/toolsmatrix.htm. (6) f ull Tool Vendor -Author Operating Coexisting Technology Image Comments ns System Requirement Formats Argent Commercial, Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D Images F8B5are06E4 not Embeds A169 copyright 4E46or license information as watermark. tai Digital Information Commodities yet supported. Exchange (DICE) re http://digital-watermark.com/ or Copyright Commercial, Web based JPEG and GIF Only phase 3 involves digital watermarking. Intellectual Protocols2 (IP2) and requires th http://www.ip2.com/ a Java compliant browser. Au 2, EZStego, Shareware, Romana Machado 1) EZStego - EzStego LSB. Sorts EzStego - GIF Only supports GIF images. Stego supports PICT images 00 Stego Online, romana@stego.com Java requires Java palette to StegoOnline - only. Stego http://www.stego.com/ 2) Stego Virtual similar colors - GIF Online - Web Machine. palette shifts. Stego - PICT -2 3) Stego - Stego Online Mac requires All three tools HTML 3.2 use the same 00 compliant approach to web browser. information 20 Stego hiding. requires Mac. te tu Giovanni Commercial Win, MAC Fast Fourier Digital Media: More information is available at the Giovanni web page. Blue Spike, Inc. Transform Image and All the information resides in the watermarked copy and sti 800 381 8344 (FFT) audio does not require a web site lookup, as do other E-Mail: info@bluespike.com commercial products. As long as one has the Giovanni http://www.bluespike.com/ software, the encoding keys, and the copy, the watermark In can be extracted. NS Also see questions and answers about Giovanni for both image and audio watermarking. SA Hide and Shareware, Colin Maroney Win, DOS LSB V5.0 - GIF Hide and Seek 1.0 for Win95 Seek cjm@cypher.net http://www.cypher.net/ http://www.cypher.net/products/ Win95 - 8-bit Hide and Seek 5.0 for DOS © BMP http://www.rugeley.demon.co.uk/security/hdsk50.zip IBM Digital Commercial, IBM's Digital Discrete Watermark is an internal function to the library system. Library IBM Library Cosine http://www.research.ibm.com/image_apps/ System Howard Sachar System. Transformation http://www.research.ibm.com/image_apps/commerce.html Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 sachar@watson.ibm.com (DCT). (commercial use) Manager, image applications IBM T. J. Watson Research Center P.O. Box 218 Yorktown Heights, NY 10598-0218 (914) 945-1432 Fax: (914) 945-4003 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
JK_PGS Evaluation, UNIX (Sun, PPM image Working on development for Photo Shop and Paint Shop (Pretty Good PhD Students SGI, format only. plug-ins. Signature) Mr. Martin Kutter (Switzerland - LINUX) kutter@ltssg3.epfl.ch) and http://ltswww.epfl.ch/~kutter/watermarking/JK_PGS.html Mr. Frederic Jordan (France) at (Win95/NT s. Signal Processing Laboratory at Swiss version is Federal Institute of Technology (EPFL). under ht development) rig Jsteg Freeware, UNIX, DOS, Combination Input: PPM When extracting the hidden message, a "decoded" image Derek Upham Win (source within the (PBMPLUS must be created. ull code is JPEG color format), available) algorithm at PGM f compression? (PBMPLUS gray-scale ns format), GIF, Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Targa, and tai RLE (Utah Raster Toolkit re format). Output: JFIF or format JPEG th Mandelsteg Freeware, C source Generates a Insecure. Signature: 128 unique colors. Each color used Henry Hastur code. Au Mandelbrot fractal two palette GIF Software is available worldwide at many sites. entries. image. 2, 00 PictureMarc Commercial, Photoshop Pattern block The mark may Subtle changes to "flat" areas may be detected when and Digimarc Corporation Compatible encoding. be embedded compared with the original -2 BatchMarc http://www.digimarc.com/ image into any image processing readable by software. Adobe Photo 00 Requires Shop and can MarcCenter be processed 20 to verify the with filters (24- watermark bit or "code." grayscale). te tu sti PixelTag MIT Media Lab Pattern block Patent Pending Joshua Smith and Barrett Comiskey encoding. http://www.media.mit.edu/pixeltag pixeltag@media.mit.edu In NS Steganos Shareware, Win, DOS LSB V1.4 (DOS) Noticeable noise in 8-bit images. Deus Ex Machina Communications BMP SA http://www.steganography.com/ V1.4 also hides data in VOC, WAV, or ASCII files. Win95: BMP, Fabian Hansmann (may be going DIB Win95 also processes VOC, WAV, TXT, HTML commercial) © V1.4 hangs when processing a 1byte message. Internet: steganos-support@demcom.com WWW: http://www.demcom.com/english/steganos/ Mail: Deus Ex Machina Communications, Sophienstr. 28, 60487, Frankfurt, Germany Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Stegodos, Public Domain, Black Wolf DOS Requires LSB. The Multiple Software is available through various web sources. Black Wolf's third party encoded image images formats Picture screen is displayed since it use Noticeable noise in most images. Encoder capturing and must be screen © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
software to "captured" in a captures. Only save the paint program supports encoded before saving. 320x200 image. images with 256 colors. s. S-Tools Shareware, Andy Brown Win LSB. Color V4.0: GIF, Software is available through various web sources. reduction then BMP ht a.brown@nexor.co.uk insert V4.0 also supports additional rig 28 Ashburn Drive colors as Wetherby necessary to S-tools has trouble recovering small messages (1-2 bytes). West Yorkshire cover LSBs 3 byte+ messages are more reliable. ull LS22 5RD without United Kingdom adversely impacting the f image quality. ns Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai SureSign Commercial, Win, MAC Photoshop Pattern block Any image that Watermark follows the image pattern. Signum SureSign's Signum Technologies Compatible encoding. can be watermark logo is visible on the image. re http://www.signumtech.com/ image displayed in processing Paint Shop Pro, signum@signumtech.com software. Photo Shop or or Works with compatible Signum Technologies Ltd. Paint Shop image th 2-6 St George's Business Park Pro processing Alstone Lane (shareware) programs and Cheltenham Glos. Au can manipulated be GL51 8HF with image UK filters. 2, 00 SysCoP Commercial, Sun Solaris, PPM, PGM, For still images, it reads PPM (PGM, PBM) formats, and -2 Fraunhofer Center for Research in HP-UX, SGI PBM, and with uses a conversion toolkit to support JPEG, GIF, and TIFF Computer Graphics (CRCG) a non-profit IRIX, a conversion formats. For motion data, Motion JPEG and MPEG-1 are computer graphics research group, Jian Win95/NT toolkit supports supported. 00 Zhao (Mac and JPEG, GIF, In 8-bit images, SysCop has a signature pattern, especially Netscape and TIFF. with images of lower unique colors, of like colors grouped http://syscop.igd.fhg.de/ plug-in are in a range. 20 and http://www.crcg.edu/syscop/ under development) te Send email to syscop@igd.fhg.de if you have any question. tu sti TigerMark Commercial, Requires use Discrete TigerMark is NEC's watermarking tool which has been (NEC) and NEC of Informix Cosine integrated with Informix Databalde technology. In Informix DBMS as Transformation Datablade core. (DCT) or fast There is a software development kit (SDK) which fourier provides access to the watermark capability without the NS transformation requirement for Informix (under development?). (FFT) with "secure spread SA spectrum." © Visual Freeware, Jouko Holopainen DOS Generates Severe "Visual cryptography", Moni Naor and Adi Shamir; Cryptography postscript files degradation of Advances in Cryptology - of the first two container EUROCRYPT '94, Lecture notes in Computer Science input images. images. 950; Springer 1995 The hidden image is spread across the two carriers so if Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 the carriers are overlapped, then the hidden image will be seen. © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
White Noise Shareware, DOS Spread PCX Degrades 8-bit images and may cause complete color Storm (WNS) Ray Arachelian Spectrum, LSB shifts in 24-bit. s. ht rig ull f ns Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai re or th Au 2, 00 -2 00 20 te tu sti In NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Last Updated: January 5th, 2020 Upcoming Training SANS Austin Winter 2020 Austin, TX Jan 06, 2020 - Jan 11, 2020 Live Event SANS Miami 2020 Miami, FL Jan 13, 2020 - Jan 18, 2020 Live Event Miami 2020 - SEC401: Security Essentials Bootcamp Style Miami, FL Jan 13, 2020 - Jan 18, 2020 vLive Mentor Session @ Work - SEC401 Detroit, MI Jan 14, 2020 - Jan 30, 2020 Mentor SANS Amsterdam January 2020 Amsterdam, Netherlands Jan 20, 2020 - Jan 25, 2020 Live Event SANS Anaheim 2020 Anaheim, CA Jan 20, 2020 - Jan 25, 2020 Live Event Mentor Session - SEC401 Online, MI Jan 24, 2020 - Feb 28, 2020 Mentor SANS Las Vegas 2020 Las Vegas, NV Jan 27, 2020 - Feb 01, 2020 Live Event SANS San Francisco East Bay 2020 Emeryville, CA Jan 27, 2020 - Feb 01, 2020 Live Event SANS Security East 2020 New Orleans, LA Feb 01, 2020 - Feb 08, 2020 Live Event Community SANS Dallas SEC401 Dallas, TX Feb 03, 2020 - Feb 08, 2020 Community SANS Security East 2020 - SEC401: Security Essentials Bootcamp Style New Orleans, LA Feb 03, 2020 - Feb 08, 2020 vLive Mentor Session - SEC401 Sterling, VA Feb 05, 2020 - Apr 15, 2020 Mentor SANS London February 2020 London, United Feb 10, 2020 - Feb 15, 2020 Live Event Kingdom SANS New York City Winter 2020 New York City, NY Feb 10, 2020 - Feb 15, 2020 Live Event SANS vLive - SEC401: Security Essentials Bootcamp Style SEC401 - 202002, Feb 10, 2020 - Mar 18, 2020 vLive Community SANS Sacramento SEC401 Sacramento, CA Feb 10, 2020 - Feb 15, 2020 Community SANS SANS Northern VA - Fairfax 2020 Fairfax, VA Feb 10, 2020 - Feb 15, 2020 Live Event Community SANS Columbus SEC401 Columbus, OH Feb 10, 2020 - Feb 15, 2020 Community SANS SANS Scottsdale 2020 Scottsdale, AZ Feb 17, 2020 - Feb 22, 2020 Live Event SANS San Diego 2020 San Diego, CA Feb 17, 2020 - Feb 22, 2020 Live Event SANS Manchester February 2020 Manchester, United Feb 24, 2020 - Feb 29, 2020 Live Event Kingdom SANS Secure India 2020 Bangalore, India Feb 24, 2020 - Feb 29, 2020 Live Event SANS Jacksonville 2020 Jacksonville, FL Feb 24, 2020 - Feb 29, 2020 Live Event SANS Northern VA - Reston Spring 2020 Reston, VA Mar 02, 2020 - Mar 07, 2020 Live Event Community SANS Chicago SEC401 Chicago, IL Mar 02, 2020 - Mar 07, 2020 Community SANS SANS Secure Japan 2020 Tokyo, Japan Mar 02, 2020 - Mar 14, 2020 Live Event SANS Munich March 2020 Munich, Germany Mar 02, 2020 - Mar 07, 2020 Live Event Mentor Session - SEC401 Charleston, SC Mar 03, 2020 - May 05, 2020 Mentor SANS Jeddah March 2020 Jeddah, Kingdom Of Mar 07, 2020 - Mar 12, 2020 Live Event Saudi Arabia SANS St. Louis 2020 St. Louis, MO Mar 08, 2020 - Mar 13, 2020 Live Event
You can also read