History and Principles of Steganography
CSM25 Secure Information Hiding
Dr Hans Georg Schaathun
University of Surrey
Spring 2008
Dr Hans Georg Schaathun History and Principles of Steganography Spring 2008 1 / 54
What is Steganography? Why?
Free thinkers and free speech
The other side
Both clips: The Independent, Friday 27 October 2006.
What is Steganography? Learning Objectives
Lesson Objectives
In this session, we shall
1. establish basic terminology to discuss steganography and communications security.
2. compare steganography and cryptography, and steganography and watermarking
3. introduce Kerckhoffs’ principles, especially the significance of a secret key.
After the session, you should be able to
1. use the terminology correctly to discuss communications security unambiguously
2. be able to use Kerckhoffs’ principles to evaluate the security in communications
The Outcomes and Expectations
Pass (50-60)
  be able to implement simple stego-systems and steganalysis techniques
  have an overview of the different techniques for and approaches to steganography
  use the basic terminology correctly and unambiguously
Distinction (70+)
  Be able to assess security properties in a communications system, and assess security needs in an application.
  Be able to generalise theories and techniques in steganography, and relate and contrast different approaches.
  Be able to discuss stego-systems in unambiguous terms, and choose appropriate approaches for given application needs.
Merit (60-70)
  Achieve all pass mark objectives, and partly achieve the distinction mark objectives.
Exercises and Assessment
Weekly exercises: One exercise sheet given after each lecture. This is to be done at home, and peer-assessed and/or discussed in the next session.
Portfolio (50%): To be handed in at the end of module, summarising your learning. Two of the weekly exercise papers will be specified one week before the deadline and have to be included.
Poster (25% collective mark + 25% individual mark): A poster on a chosen topic is to be prepared in groups of 3-5 and presented to the class in Weeks 11-12. Each group member has to be active in the presentation.
Steganography models The problem
The basic problem
Simmons Crypto’83
[Figure: Alice, Bob and William the Warden; message labels: "Escape at midnight." and «Uncle Charlie is much better now.»]
The basic crypto-problem
Encryption
[Figure: Alice, Bob the Banker and Eve; message labels: "What is the password?" and "Transaction data."]
Steganography models Threats and Controls
Threats and controls
CSM27 Re-cap – See Pfleeger&Pfleeger Ch. 1

Assets: Resources and facilities we value and don’t want to lose.
Threat: A potential damage or cause of damage to the assets.
Control: Any security measure used to reduce the risk (either probability or severity of damage) of damage from existing threats.
Vulnerabilities: Weaknesses (bugs etc.) in the system which increase the risk of damage from existing threats.
Discussion exercise
Team up, one (or two) person(s) from IS/IC and two (or three) from STA.
Discuss the steganography and cryptography scenarios presented, and identify
1. The assets we seek to protect
2. Threats against these assets
3. The threats controlled (respectively) by steganography and encryption
Combining Encryption and Steganography
You can increase security of a steganographic system by encrypting the message before hiding it. (common claim)

In what way is the claim true?
In what way is the claim false?
Steganography and encryption control different threats.
  Combining the controls controls more threats
  Combining the controls does not reduce the risk of each threat.
Hence, encryption does not improve the security of steganography.
  It adds controls outside the scope of steganography.
Lesson
Be wary of general claims of security.
Address the protection of each asset separately.
Address the control of each threat separately.
Steganography models What steganography is
The data hiding system
Watermarking System

[Figure: block diagram of the data hiding system with blocks Embedding and Extractor; labels: Message, Key, File, Recovered]
Security depends on the confidentiality of the algorithm.
Watermarking vs. Steganography
Watermarking: the cover-image is essential
  Two receivers:
    One observes the cover-image
    One extracts the hidden message
  Minimum distortion is important
Steganography: What is the use of cover-image at receiver?
  Bob wants the message
  The image is a red herring
  Distortion (relative to the original cover) is irrelevant
Two key differences
Watermarking vs. Steganography

1. Cover-image
  important in watermarking
  meaningless in steganography
2. Attacker
  Steganography: determine whether secret information exists or not
  Watermarking: various other goals
    Change cover-text
    Remove watermark
    Change watermark
Steganography
Cryptographic view

A Secret-Key stego-system (by synthesis) is S = (C, M, K, E, D) where
  C : set of cover texts
  M : set of messages
  K : key space (set of possible keys)
  E is an encoding function, E : K × M → C
  D is a decoding function, D : K × C → M
such that
  Pr(D(k, E(k, m)) = m) ≈ 1.
Steganography from Watermarking
Secret-Key Stego-system by modification
  The encoding function takes a cover text from C as input
    E : K × C × M → C
Pure stego-system (by modification)
  The encoding function takes a cover text from C as input, and no key is used
    E : C × M → C
    D : C → M
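The two definitions by modification differ only in whether a key enters E and D. The sketch below is an added example, not code from the lecture: it instantiates both with LSB replacement, where the key decides which cover samples carry message bits, and shows what a reader who knows the algorithm but not the key recovers. The position-selection scheme, the constructed cover and key, and passing the message length to D are assumptions made for illustration.

```python
import hashlib
import random


def to_bits(message: bytes) -> list:
    """Message bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    """Inverse of to_bits; len(bits) must be a multiple of 8."""
    return bytes(
        int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8)
    )


def positions(key, cover_len: int, count: int) -> list:
    """Which cover samples carry the message bits.

    key is None  -> pure stego-system: the first `count` samples, a fixed
                    rule that is part of the algorithm itself.
    key is bytes -> secret-key stego-system: a key-dependent selection.
    """
    if count > cover_len:
        raise ValueError("message too long for this cover")
    if key is None:
        return list(range(count))
    # Assumption for illustration: seed Python's (non-cryptographic) PRNG
    # from a hash of the key. This is a toy key schedule, not a vetted design.
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    return random.Random(seed).sample(range(cover_len), count)


def E(key, cover: bytes, message: bytes) -> bytes:
    """E : K x C x M -> C, or E : C x M -> C when key is None."""
    bits = to_bits(message)
    stego = bytearray(cover)
    for pos, bit in zip(positions(key, len(cover), len(bits)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # replace the least significant bit
    return bytes(stego)


def D(key, stego: bytes, n_bytes: int) -> bytes:
    """D : K x C -> M, or D : C -> M. n_bytes is assumed known to the receiver."""
    return from_bits([stego[p] & 1 for p in positions(key, len(stego), 8 * n_bytes)])


def demo() -> dict:
    rng = random.Random(25)
    cover = bytes(rng.randrange(256) for _ in range(4096))  # constructed cover
    m = b"Escape at midnight."                              # message from the slides
    k = b"shared secret"                                    # constructed key
    pure, keyed = E(None, cover, m), E(k, cover, m)
    return {
        "bob_pure": D(None, pure, len(m)),
        "bob_keyed": D(k, keyed, len(m)),
        "eve_pure": D(None, pure, len(m)),           # the algorithm alone suffices
        "eve_keyed_no_key": D(None, keyed, len(m)),  # algorithm known, key unknown
        "eve_keyed_wrong_key": D(b"guess", keyed, len(m)),
        "max_sample_change": max(abs(a - b) for a, b in zip(cover, keyed)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In both systems D(k, E(k, c, m)) = m for the intended receiver; only in the keyed one does knowledge of the algorithm alone fail to recover m.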
To remember
The cover-text is a red herring in steganography.
The standard definitions of pure steganography and secret-key steganography apply to a very limited class of steganography based on data hiding.
Cover-text irrelevant ⇒ distortion irrelevant.
  PSNR used to measure distortion in Watermarking.
Steganography models Definitions
Definitions
The tools

Definition (Cipher)
A system which allows Alice and Bob to communicate secretly without Eve being able to learn the contents of the communication.

Encryption refers to the process of applying a cipher.

Definition (Stego-system)
A system which allows Alice and Bob to communicate secretly without Eve knowing that any secret communication is taking place.
Definitions
The disciplines

Definition (Steganography)
The study of (and art of developing) stego-systems.

Definition (Cryptography)
A general term encompassing the study of ciphers and other technology for secure communications.

Cryptography is more than ciphers
  Digital signatures
  Authorisation protocols
  Steganography
Definitions
The countermeasures

Definition (Steganalysis)
The art of detecting whether secret communication is taking place or not.

Definition (Cryptanalysis)
The art of breaking any cryptographic system, most often referring to breaking ciphers, i.e. to find the contents of secret communications.
Steganography versus Cryptography
We define Steganography by its objective (control a specific threat).
  We don’t make any assumptions on how it works.
Cryptography includes Steganography
Modern cryptography does assume certain principles and methods
  not all Steganography qualifies as modern Cryptography.
Secret writing in the past Francis Bacon 1605
Francis Bacon 1605
Of the Proficience and Advancement of Learning Divine and Humane

For CYPHARS; they are commonly in Letters or Alphabets, but may bee in Wordes. The kindes of CYPHARS, (besides the SIMPLE CYPHARS with Changes, and intermixtures of NVLLES, and NONSIGNIFICANTS) are many, according to the Nature or Rule of the infoulding: WHEELE-CYPHARS, KAY-CYPHARS, DOVBLES, &c. But the vertues of them, whereby they are to be preferred, are three; that they be not laborious to write and reade; that they bee impossible to discypher; and in some cases, that they bee without suspition. The highest Degree whereof, is to write OMNIA PER OMNIA; which is vndoubtedly possible, with a proportion Quintuple at most, of the writing infoulding, to the writing infoulded, and no other restrainte whatsoever. This Arte of Cypheringe, hath for Relatiue, an Art of Discypheringe; by supposition vnprofitable; but, as things are, of great vse. For suppose that Cyphars were well mannaged, there bee Multitudes of them which exclude the Discypherer. But in regarde of the rawnesse and Vnskilfulnesse of the handes, through which they passe, the greatest Matters, are many times carryed in the weakest CYPHARS.

Bacon’s three cryptographic principles
1. that they be not laborious to write and read; [User-friendly]
2. that they be impossible to discipher; [Secure]
3. (in some cases) that they be without suspicion. [Hidden, i.e. steganography]

No distinction between stego-systems and ciphers
Defined by purpose: keeping secrets.
Secret writing in the past The Antique
Secret Writing in the Antique
(Egypt) Tomb of Khnumhotep II c. 1900 B.C. Menet Khufu
  Rebuses obscure writing.
  Brain exercises – adds mystery
  same principles in Norse Runes (Orkneys and Scandinavia)
(Mesopotamia) Seleucia 1500 B.C.: 3"x2" tablets
  Protect trade secrets.
  Earliest known formula for glazes for pottery.
(India) Kama-sutra by Vatsyayana (legendary erotics)
  64 arts (yogas) women should know and practice
  mlecchita-vikalpa (secret writing) is no. 45.
(India) Arthasastra 321-300BC
  but first political mention of cryptography
  Ambassadors should use cryptanalysis to gather intelligence.
China: No cryptography
Only great civilisation using ideogrammatic writing
... and only one with little interest in cryptography
but steganography was used:
  Thin silk, covered in wax, rolled into balls (la wan)
11th century: Wu-ching tsung-yao (Essentials from Military Classics)
  List of 40 plaintext items (victory reports, requests for arrows, etc.)
  Assign to 40 first ideograms of a poem.
  Write appropriate ideogram in an ordinary dispatch,
  Mark by seal stamp over it.
Elementary Steganography à la grecque

Reported in Histories by Herodotus (c. 486-425 B.C.)
Histiæus 440 B.C.
  1. Shave the head of a slave
  2. Tattoo the messages on his head
  3. Wait until the hair grows back
  4. Dispatch the Slave
  (also used by Germany in the early 20th century)
Wax tablets
  1. Remove the wax
  2. Write the message on the wood
  3. Re-cover with wax to make a blank tablet.
  (Demaratus used it to warn Sparta of a Persian invasion)
Elementary Steganography anno 18..

Pin holes in newspapers
  Mark individual letters in a newspaper
    make pin holes
    overwrite with a pencil
Invisible ink
  Quite a few methods
  Invisible to a casual observer
  Easy to spot when you know what to look for
Cryptography versus Steganography Kerckhoffs’ principles
The Advent of Modern Cryptography
Auguste Kerckhoffs 1883
  « La cryptographie militaire » Journal des sciences militaires 1883
  Principles of military cryptography
  Defines the security paradigm
Claude Shannon 1948
  Defines Information
  ... and Entropy to measure Information quantitatively
  Enables mathematical proofs of security of information
Modern Cryptography
Modern cryptography has mainly been shaped by
  Auguste Kerckhoffs 1883: The security paradigm
  Claude Shannon 1948: Mathematical theory of information
  and Diffie & Hellman 1976 (Public Key Cryptography)
The consequence: modern-day cryptography is
  Theoretically mature
  Reliable
  Highly trusted technology
Auguste Kerckhoffs (1835–1903)
1. The system must be materially, if not mathematically, indecipherable;
2. It must not require secrecy, and it must be able to fall into the hands of the enemy without inconvenience;
3. Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents;
4. It must be applicable to telegraphic correspondence;
5. It must be portable, and its handling or operation must not require the assistance of several persons;
6. Finally, it is necessary, given the circumstances that call for its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
Auguste Kerckhoffs (1835–1903)
Translation from Wikipedia

1. The system should be, if not theoretically unbreakable, unbreakable in practice.
2. The design of a system should not require secrecy and compromise of the system should not inconvenience the correspondents
3. The key should be rememberable without notes and should be easily changeable
4. The cryptograms should be transmittable by telegraph
5. The apparatus or documents should be portable and operable by a single person
6. The system should be easy, neither requiring knowledge of a long list of rules nor involving mental strain
Bacon’s first principle
User-friendliness

Kerckhoffs says:
  6. The system should be easy, neither requiring knowledge of a long list of rules nor involving mental strain
Bacon said:
  that they be not laborious to write and reade
Why?
  Security depends on correct use.
  If it is difficult, users make mistakes.
Kerckhoffs also says:
  5. The apparatus or documents should be portable and operable by a single person
and
  3. The key should be rememberable without notes and should be easily changeable
(We will return to #3 when we discuss keys.)
Bacon’s second principle
Security

Kerckhoffs says:
  The system should be, if not theoretically unbreakable, unbreakable in practice.
Bacon said:
  that they bee impossible to discypher
Security still essential.
Bacon did not clarify the meaning of «impossible».
Kerckhoffs allows theoretically breakable ciphers.
  Why? Are theoretically unbreakable ciphers at all possible?
Bacon’s third principle
Steganography

Bacon said:
  that they bee without suspition.
Not mentioned by Kerckhoffs.
Why not?
  He addressed military communications.
  You already know who the enemies are.
Kerckhoffs’ fourth principle
Telegraph

«The cryptograms should be transmittable by telegraph.»

Why does he require this?
What do we require today?
Kerckhoffs’ principle
The key principle

  2. The design of a system should not require secrecy and compromise of the system should not inconvenience the correspondents
This is the one known as Kerckhoffs’ principle.
Foundation of all modern cryptography.
All modern cryptographic algorithms are published in detail.
Available to Eve as well as Alice and Bob.
How is secrecy possible?
The key
The use of a key is crucial for Kerckhoffs’ principle.
  3. The key should be rememberable without notes and should be easily changeable.
So, we have
  Public algorithm
    Difficult (expensive) to develop
    few good choices
  Secret key
    Easy (cheap) to change
    Many possibilities
Consequences
We need not trust the developers.
  The key can be changed by the user
  Security assessment by independent experts.
Mass-produced crypto-software off the shelf.
  Eve buys the same software; it does not matter.
No new costly development is required when secrets are lost
  Changing the key is easy (cheap)
All new crypto-systems are published in detail
  scrutinised by independent researchers world-wide
Summary
Kerckhoffs’ Principles in Four Keywords

User-friendly
Secure in practice (not necessarily in theory)
Public algorithm – secret key
Telegraph
Cryptography versus Steganography Steganography versus Kerckhoffs
Kerckhoffs’ principle and classic steganography

Recall tattooed slaves and wax tablets
How does Kerckhoffs’ principle apply?
  It worked once – because it was unexpected
  Now the technique is known.
  Eve is going to shave all slaves passing by.
  ... and scrutinise every wax tablet.
No key: when the algorithm is known there is no security
What about modern steganography?
Many computer programs became available during the 1990s.
  Many free of charge.
  Hiding messages in images.
  For instance, using Least Significant Bit (LSB)
Most are as banal as the ancient techniques.
  It is relatively easy to detect the changes,
    you only have to think of it.
Many solutions rely on the secrecy of the algorithm
  I.e. not Kerckhoffs-compliant
  Not Modern Cryptography.
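To make "relatively easy to detect" concrete from the steganalyst's side, the following added example (not part of the lecture) scores a sample set with the pairs-of-values chi-square idea from the steganalysis literature, a technique the slides do not name. The cover samples, the random message bits and the decision threshold are constructed or assumed for illustration.

```python
import random
from collections import Counter


def lsb_replace(cover, bits):
    """Sequential LSB replacement: sample i carries bit i; no key is used."""
    if len(bits) > len(cover):
        raise ValueError("message too long for this cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego


def pov_score(samples, min_count=5):
    """Pairs-of-values chi-square statistic, divided by the number of pairs used.

    LSB replacement can only move a sample between the values 2i and 2i+1.
    If the embedded bits look random, the two counts in each pair become
    nearly equal and the score drops to about 1; an untouched cover with an
    uneven histogram scores much higher.
    """
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = hist[even], hist[even + 1]
        total = n_even + n_odd
        if total < min_count:  # too few samples in this pair to judge
            continue
        stat += (n_even - n_odd) ** 2 / total
        pairs += 1
    return stat / pairs if pairs else float("inf")


def looks_embedded(samples, threshold=5.0):
    """Flag sample sets whose value pairs are suspiciously balanced.

    The threshold is an illustrative assumption, not a calibrated value.
    """
    return pov_score(samples) < threshold


def constructed_cover(n=20000, seed=2008):
    """Constructed 8-bit samples with an uneven histogram (narrow bell around 100)."""
    rng = random.Random(seed)
    return [min(255, max(0, round(rng.gauss(100, 2)))) for _ in range(n)]


def demo():
    cover = constructed_cover()
    rng = random.Random(54)
    bits = [rng.getrandbits(1) for _ in cover]  # constructed random-looking message
    stego = lsb_replace(cover, bits)
    return pov_score(cover), pov_score(stego)


if __name__ == "__main__":
    cover_score, stego_score = demo()
    print(f"cover: {cover_score:.1f}  stego: {stego_score:.1f}")
```

The score is computed over the whole sample set, so it is most telling when most samples carry message bits; a short message scattered over a large cover needs other detectors.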
Three disciplines
A conclusion

[Figure: diagram relating the three disciplines Data Hiding, Steganography and Cryptography]
Exercise
Weekly exercise 1
Kerckhoffs’ principles

Make a list of principles, which you consider important for confidential communications systems (cryptography and/or steganography) in our time. You may prioritise if appropriate.
1. Give reasons for your principles.
2. Compare Kerckhoffs’ principles to your own, and justify any differences.
Your principles may be general and universal, or restricted to some application which interests you (as Kerckhoffs was considering military cryptography). State any assumptions you make.