Computer Crime Research Center

cybercrime/223.jpg

What is steganography and how does it differ from cryptography?

Date: August 26, 2020
Source: Computer Crime Research Center
By: JOSH LAKESPECIALIST IN SECURITY, PRIVACY AND ENCRYPTION

Steganography is an ancient practice that involves hiding messages and data. From its humble origins that involved physically hiding communications and using invisible inks, it has now moved into the digital realm, allowing people to slip critical information into seemingly mundane files

It may not be as popular as its older brother cryptography, but steganography still has important applications. So let’s jump in and discuss what steganography is, the history behind it, how it differs from cryptography, its major use cases, and how it can be detected.

What is steganography?

To put it simply, steganography is the study and practice of concealing information. It can be done either physically or digitally, with techniques ranging from blinking in Morse code to hiding data in .mp3 files.

The history of steganography
The first written case of steganography is found in Histories by Herodotus. He writes that it happened during the Ionian Revolt, an uprising of some Greek cities against Persian rule at around 500 BC. Histiaeus, the ruler of Miletus was away from his city, acting as an adviser to the Persian king.

He wanted to go back to Miletus, which was under the control of his son-in-law, Aristagoras, so he planned to stage a revolt in Ionia as a pretext for his return. This is where the steganography comes in: He shaved the head of one of his slaves and tattooed a message on his scalp.

Histiaeus then waited for the slave’s hair to grow back and hide the message, then sent him to Aristagoras with instructions to shave the slave’s head once more and read the message. The concealed text told him to rise up against the Persian rule, which kicked-off the uprising against their conquerors.

Herodotus tells another story about steganography that occurred several years later, when the Spartan king Demaratus sent a seemingly blank wax tablet back to Sparta. Hidden beneath the wax was a message that warned the Spartans of Xerxes’ planned invasion.

Herodotus is known for his tall tales, so we can’t be sure of how truthful these stories are, but they’re the earliest records of steganography we have.

It wasn’t long before more sophisticated forms of steganography were recorded. In the 4th century BC, Aeneas Tacticus made mention of a hole punching technique. Philo of Byzantium was the first to discuss invisible inks, writing about them in the third century BC. His recipe used gall nuts to write text and a copper sulfate solution to reveal it.

The term steganography was first used in a book called Steganographia by Johannes Trithemius. The word combined the Greek steganos, which means concealed, with graphein, which means writing.

Steganographia was a clever book that was purportedly about magic and the occult, but used cryptography and steganography to hide its real subject matter, which centered around cryptography and steganography.

Steganographia was followed up by Polygraphia, which was first published after Trithemius’ death in 1518. This was a more straightforward book about steganography and its practice.

Another key development in steganography came in 1605, when Francis Bacon devised Bacon’s cipher. This technique used two different typefaces to code a secret message into a seemingly innocent text.

Microdots were first developed in the latter half of the 19th century, but they weren’t used heavily for steganography until World War I. They involve shrinking a message or image down to the size of a dot, which allows people to communicate and pass on information without their adversaries knowing.

There have been a wide range of other steganographic developments and techniques over the years. Steganography continues to be practiced to this day, with low tech versions often used by prison gangs, and digital methods harnessed to hide data in pictures, audio and other media.

Steganography vs cryptography
Steganography is focused on hiding the presence of information, while cryptography is more concerned with making sure that information can’t be accessed. When steganography is used properly, no one – apart from the intended recipients – should be able to tell that there is any hidden communication taking place. This makes it a useful technique for situations where obvious contact is unsafe.

In contrast, cryptography tends to be used in situations where the participants aren’t concerned if anyone finds out that they are communicating, but they need the message itself to be hidden and inaccessible to third parties.

Let’s go through some examples to understand the differences. If you were a political activist who’s been imprisoned and you need to communicate with your organization, the logistics can be challenging. The authorities may monitor everything going in and out of your cell, so you would probably have to hide any communication that takes place.

In this kind of situation, steganography would be a good choice. It may be challenging with the resources you have at hand, but you could write a plain sounding letter with a hidden message concealed with different font types or other steganographic techniques.

Alternatively, let’s say you’re a diplomat discussing secret details with your home country. It’s normal for diplomats to talk with officials from their own nation so the communications themselves don’t raise any suspicions. However, since the content of the conversation is top secret, the diplomat may want to use cryptography and talk over an encrypted line.

If spies or attackers try to intercept the conversation, they will only have access to the ciphertext, and not what the two parties are actually saying.

Let’s flip things over to examine the differences even further. If the political activist used cryptography to communicate with their organization, the authorities would most likely have intercepted it.

The officials would see the ciphertext and know that the activist was trying to send encoded messages, then they would most likely stop its delivery and interrogate the activist about it. This could end very badly, in beatings, torture, or even the activist’s death. That’s why steganography would be more suitable in such a scenario.

Conversely, diplomats are often monitored by their host countries. If a diplomat tried to send steganographically concealed messages back home, they could be intercepted, analyzed and the content may be uncovered. In this situation, cryptography is more suitable, because although interceptors will know communication is taking place, they won’t be able to find out what it concerns.

See also: Beginner’s guide to cryptography

Combining steganography &cryptography
While these two processes are often performed separately, they can also be combined together to gain the advantages that come from both fields. If you wanted to hide the fact that communication was taking place, but also protect the message in case it was discovered, you could first encrypt it and then conceal it with steganography.

As an example, let’s say you want to hide the message “I’m going home” with a simple Caesar cipher and invisible ink. Using the cipher, you could shift each character to the one that follows it in the alphabet, giving you a ciphertext of:

J’n hpjoh ipnf

Now that you have your cipher text, you can write it down on your piece of paper with lemon juice or whatever kind of invisible ink you have at hand. As long as your recipient knows where the message will be, how to reveal it (heat, in this case) and how to decrypt it, they will be able to access the secret communication.

If anyone intercepts the message but can’t detect the invisible ink, then they will not know that any communication has taken place. If they do know that a message is there but can’t crack the code, then the message itself will still be secure, but the interceptor will know that something has been sent. They won’t be able to access the contents of the message unless they can crack the code.

If you wanted to increase the security of the communications, you could use more sophisticated encryption and steganography methods, such as AES and bit plane complexity segmentation (BPCS), respectively.

The uses of steganography

Steganography has a number of surprising applications, aside from the obvious one of hiding data and messages. Hackers use it to conceal code in malware attacks. Printers use steganography as well, hiding imperceptible yellow dots that identify which printer created a document and at what time. Steganographic techniques are also frequently used in watermarking and fingerprinting to prove ownership and copyright.

The limitations of steganography

Steganography is a useful practice, but it does have a number of limitations. There are two key factors that are often in competition – the first is how obvious and easy the hidden data is to detect (whether by human perception or other forms of analysis), while the second is how much data can be hidden in a given file or piece of communication.

The higher the percentage of data someone tries to conceal, the easier it is to spot. How much data you can safely include in a given file will depend on the steganographic technique, risk level, and amount of scrutiny expected.

If...
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo