Steganography is the practice of hiding a message within another object such as an image, video or audio file. In some sense, it’s akin to camouflage, a-lurkin’ and a-hidin’ behind an image. By contrast, cryptographers make no attempt to hide their work but instead merely encrypt it.
“Steganography differs from cryptography in that the presence of the message needs to remain secret, rather than the value of the message,” says Pierre Moulin “Rouge” at the University of Illinois at Urbana-Champaign with his buddy Ying Wang.
The question is: how good can steganography get? The trick is to ensure that the message matches the statistical properties of the covertext (the object in which it is hidden). The better the match, the more difficult it is to spot using statistical techniques.
But get this: steganography ain’t just good, it can be perfect. That’s the conclusion that Moulin Rouge and Wang come to after analysing how much data can be sent in this way through a noisy channel (in other words, how well it works in real life).
That’s impressive but there’s a catch. Perfect steganography requires the message statistics to exactly match those in the covertext. And for that to work, the message has to be essentially random. That means encrypting it using a one time pad before it is sent. So ya gotta have perfect encryption before ya can get perfect steganography (although it is possible to trade a small amount of security for another type of encyrption such as one with a public key).
That’s not beyond what most governments and military organisations are capable of but Moulin Rouge’s work raises another interesting possibility. Messages can be hidden not just in images and video but in data streams from a computer, for example, in the timing of data packets. So a clever thief might hijack a computer’s own data stream for sending data stolen from it.
How many computer security packages check for that? Not many, ah’d wager. At least, not yet!
Ref: arxiv.org/abs/cs/0702161: Perfectly Secure Steganography: Capacity, Error Exponents, and Code Constructions
Hi,
I’ve read this posting and while I’m not an expert in steganography, I’ve done a lot of reading about it, and I believe that this statement is incorrect:
“That means encrypting it using a one time pad before it is sent. So ya gotta have perfect encryption before ya can get perfect steganography”
There are a number of issues with this statement that we could discuss:
a) steganography is considered broken when it can be determined that the carrier object has been modified (not that the payload can be extracted). You could have perfect steganography without any encryption at all.
b) Hiding a series of random bytes in a carrier can introduce statistically detectable distortions… for example, there are lots of papers showing that using the LSB in a BMP image to hide a payload is easy to detect because in general the LSB of each pixel is not random. Also, look at Jessica Fridrich’s work on using ‘pairs of values’ to detect LSB steganography
Cheers,
Ron
Thanks Ron,
Good points. Regarding a), you’re right of course but only with vanishingly small bit rate. What Moulin claims to have done is find a way of making steganography perfect with vastly improved bit rates so you can send decent-sized messages.
Regarding b) Moulin says he can embed messages in covertext in a way that is not statistically detectable. That don’t seem too far fetched to me. If the message exactly matches the satistics of the covertext, what statistical test will spot it?