I keep looking at the whole stego thing. But the basic problem remains the same. Stego relies on the *method* being secret, which stands in stark contrast to kerchoff's principle. I mean, sure, you can stego encrypted stuff so nobody who recovers it can read it, but if you use any of the "available" programs, there will always be utilities that can detect your encrypted stuff and, usually, extract it. In a proper stego system, the stegotext must be *undetectable* by people who don't have the key -- even if they have the stego program used. I don't know of any which meet that criteria. For one thing they mostly work on lowest-significant-bits and leave the rest of the carrier text alone. It's pretty simple to detect that the LSB's have increased entropy, or represent inconsistent gradients of color on the smallest scales. One thing that is an absolute dead giveaway, and I see a lot of stegograms out there that have this built in, is that in graphic files, the number of pixels is increased by interpolation, either in the digital camera/scanner, or after the image is made by a graphics editor, before the steganography is done. The problem with this is that interpolation is done by highly predictable algorithms which dictate the relationships of each pixel (including the LSB) to its neighbors. When you take this regular system of linear-equations-with-a-simultaneous-solution and then impose your stegotext on it, it stands out like a sore thumb. *sigh*. I will not use a stego system unless I write it first and my recipient has the only other copy. Because it's a matter of keeping the *method* secret, that's really the only way. Bear

On Wed, 18 Jul 2001, David Honig wrote:

1. encrypted data is indisttinguishable from uniformly distributed noise

Yes, but which natural data sources have that signature?

2. LSBs in digitizations of analog signals are noise

Not uniformly distributed noise, unfortunately. Perhaps somebody should put hardware entropy generators mixing white noise into multimedia steam LSBs. People should definitely package stegano decoys into Open Source streaming multimedia warez.

3. ignoring the nuance of different LSB distributions, how can you distinguish a stego'd from unaltered file?

By running a simple statistical test (most packages don't even pad, so you can vgrep for it). There is some pretty bulletproof stego out there, but 90% of it wouldn't stand a trace of scrutiny. Of course it limits the processivity of the screening.

Stego by itself is much less interesting than stego'd encrypted data (with idenntifying headers stripped of course)

The point of stego is not leaking the information that you're sending other information.

That spam, mp3, or image could be merely a transport for more privledged info. Posting /reading to a public newsgroup solves traffic-analysis issues too.

-- Eugen* Leitl <a href="http://www.lrz.de/~ui22204/">leitl</a> ______________________________________________________________ ICBMTO : N48 10'07'' E011 33'53'' http://www.lrz.de/~ui22204 57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3

Ah, but your assumptions are not quite right. See my Wired News article on steganalysis. -Declan On Wed, Jul 18, 2001 at 09:34:15AM -0700, David Honig wrote:

At 08:07 AM 7/18/01 -0700, Ray Dillinger wrote:

...

I keep looking at the whole stego thing. But the basic problem remains the same. Stego relies on the *method* being secret, which stands in stark contrast to kerchoff's principle. I mean, sure, you can stego encrypted stuff so nobody who recovers it can read it, but if you use any of the "available" programs, there will always be utilities that can detect your encrypted stuff and, usually, extract it.

1. encrypted data is indisttinguishable from uniformly distributed noise 2. LSBs in digitizations of analog signals are noise 3. ignoring the nuance of different LSB distributions, how can you distinguish a stego'd from unaltered file?

Stego by itself is much less interesting than stego'd encrypted data (with idenntifying headers stripped of course)

That spam, mp3, or image could be merely a transport for more privledged info. Posting /reading to a public newsgroup solves traffic-analysis issues too.

At 4:28 PM -0700 7/21/01, jamesd@echeque.com wrote:

-- On 18 Jul 2001, at 8:07, Ray Dillinger wrote:

...

*sigh*. I will not use a stego system unless I write it first and my recipient has the only other copy. Because it's a matter of keeping the *method* secret, that's really the only way.

In principle, it should be possible to write a stego program that is undetectable, provided your enemy has no better models of noise sources in the medium than you have. As far as I know, no one has done this.

It is probably easier to do this with sound than with video, as order and randomness in sound somewhat easier to specify.

Take a set of bits generated by a good PRNG. Use this set for the LSB of GIFs or other noncompressed image files. Anyone analyzing the LSBs sees a set with various spectral and statistical properties. To send a signal, a message, XOR the message with this set of PRNG-generated bits. One's recipient already has a copy of the PRNG-generated bits. (Remember, stego is not the same as public key crypto, so Alice and Bob can arrange in advance to use a particular entry point in an PRNG, or an entry point in a one-time pad, etc.) The resulting LSBs will have, "in almost cases," a set of spectral and statistical properties nearly identical with the original LSBs. Unless the message bits are somehow correlated with the PRNG-generated bits, the distribution will pass all tests for "randomness" that the orginal PRNG-generated bits passed. This is a kind of variant on von Neumann's scheme for ensuring even distributions of heads and tails in a message stream even with coins weighted unevenly towards heads and tails. The approach can be extended to have the distribution of LSBs look like that of a camera source, or whatever normal images or sound files typically have. (In this case, Alice and Bob exchange sets of LSBs from camera/microphone sources. Messages are then XORed with these sets. All statistical tests produce the same results as original camera/microphone sources produce.) (A "gotcha" left as an exercise if if the image or microphone source produces fixed patterns of bits in certain places. For example, if every image file begins with 16 fixed bits, or somesuch. In this case, XORing these fixed bits with the message bits would NOT preserve the statistical properties.) --Tim May --Tim May -- Timothy C. May tcmay@got.net Corralitos, California Political: Co-founder Cypherpunks/crypto anarchy/Cyphernomicon Technical: physics/soft errors/Smalltalk/Squeak/agents/games/Go Personal: b.1951/UCSB/Intel '74-'86/retired/investor/motorcycles/guns