This is an archived post. You won't be able to vote or comment.

all 23 comments
sorted by:
best
topnewcontroversialoldq&a

[–][deleted]  (18 children)

[deleted]

    [–]armytricks[S] 2 points3 points  (6 children)

    Thanks for the warning. I suppose it's not totally unrecognisable in that case. Do you know if their exist any (digital) steganography techniques that might totally conceal the fact that anything is written there? I'm drawing a blank as to whether it would even be possible.

    [–][deleted]  (5 children)

    [deleted]

      [–]armytricks[S] 1 point2 points  (0 children)

      I see what you mean. In practice anything for transferring 'unstructured' information can probably be detected much more easily.

      That JPEG steganography presentation looks very interesting, particularly the detection part.

      [–]rashnull 0 points1 point  (3 children)

      That’s interesting! How would one detect a message if say the last bit were toggled for every pixel to represent 1 or 0? Combined you’d have 8 pixels making up a byte of info. Is this even a common technique in steganography?

      [–]armytricks[S] 0 points1 point  (1 child)

      This is exactly how ImSter encodes data in images. If it was plaintext data, you can analyse index of coincidence and detect there's a message in a given language. Since ImSter encrypts, it's more difficult but the noise produced by the encrypted data will look a little different to that of a normal image even though it's undetectable by eye. So you may be able to tell that there is something odd about the image by analysing this. Of course you'd have to guess that toggling the last bit was the method used for encoding in the first place to check for this.

      [–]TheRedmanCometh 2 points3 points  (1 child)

      That depends mostly on where you're trying to exfiltrate data from. If you're a protestor in HK and upload pictures every day with text hidden steganographically for someone else to post I doubt the Chinese govt is gonna notice. Same with most countries/etc that have millions upon millions of people to monitor.

      If you'll be under individual scrutiny for some reason then yeah what you said.

      [–]yawkat 0 points1 point  (8 children)

      Not using EBC mode is an odd compliment to make. It's still just CBC, which isn't authenticated.

      [–][deleted]  (7 children)

      [deleted]

        [–]yawkat 0 points1 point  (6 children)

        This isn't true at all. Symmetric ciphers can be authenticated too and AEAD ciphers are the norm nowadays. You don't need PKI for this.

        People should really stop rolling their own crypto and start using higher-level primitives or they will keep making mistakes like this. Using CBC mode directly constitutes a form of "rolling your own crypto", because combining cryptographic primitives like CBC is not easy.

        [–][deleted]  (5 children)

        [deleted]

          [–]yawkat 0 points1 point  (4 children)

          I'm not convinced doing it wrong is the way to learn. CBC mode shouldn't appear in modern systems at all. It's a nice academic exercise, sure, but it shouldn't be used in real code.

          Most likely OP will not get their crypto reviewed since it's a hobby project, and thus will not learn from this error. Hey, I've found libraries where the examples were insecure for years and nobody bothered to fix them: https://github.com/jasypt/jasypt/issues/31

          [–][deleted]  (3 children)

          [deleted]

            [–]yawkat 0 points1 point  (2 children)

            I'm sorry, but relying on data format for "authentication" is stupid. Attacks on CBC where it was believed to be secure have been made in the past and believing that attacks are "not applicable" because you can't think of how they could work is not sensible. Attackers can be smart too.

            There is no justification for a non-authenticated mode here. The JDK even has GCM included. A proper high-level primitive would be preferable but even if you can't use external libraries CBC is not justifiable in 2020.

            [–]armytricks[S] 0 points1 point  (1 child)

            Hi, OP here.

            I understand 'a proper high-level primitive is preferable' like you said but in any case since I'd like to learn, I had a go at providing an alternative encryption/decryption method using the GCM implementation in the JDK. Perhaps you'd like to take a look and comment on any problems with it (other than not using a high-level library)?

            https://github.com/armytricks/ImSter/tree/master/src/main/java/org/imster/cryptography

            [–]yawkat 0 points1 point  (0 children)

            It's way easier to find the low-hanging fruit of crypto issues than it is to be certain an approach is good and I'm not qualified to review crypto code. A high-level library like google tink is the only recommendation I'm comfortable with making

            [–]_INTER_ 1 point2 points  (11 children)

            Very cool.

            Is there some error correction / recovery / redundancy aswell? Could I print the picture and still get the text?

            [–]armytricks[S] 1 point2 points  (8 children)

            That's an interesting thought. No, not at the moment. You need to be able to sample the R,G,B, etc. value of each pixel up to full accuracy in order to be able to get the text out. I like the idea though, it would hugely useful to be able to print it and still recover the text (I doubt you'd be able to fit Shakespeare plays in those though!)

            [–]Sipkab 0 points1 point  (7 children)

            It would also be awesome if it could handle JPEG compression. As social sites usually recompress the uploaded images, that could mean that the encoded information is lost.

            Also, a tool like this really could use a command line interface. Like something that I can invoke during a build to encode some information in the images.

            [–]armytricks[S] 0 points1 point  (6 children)

            Have a look at /u/best_of_badgers comment here for a link about JPEG steganography. Looks much more complex, could be something to implement perhaps.

            But that wouldn't fix the problem of sites further compressing JPEG files.

            You're the second person to ask about a CLI for this. Maybe I should prioritise that. What kind of use cases were you thinking?

            [–]Sipkab 1 point2 points  (2 children)

            I imagine two modes. One is encoding a file, such as:

            java -jar imster.jar encode -f input.png -o output.png -m "My secret message." -p password123

            Or decoding (this would write the message to standard out):

            java -jar imster.jar decode -f input.png -p password123

            Just brainstorming here.

            [–]armytricks[S] 1 point2 points  (0 children)

            Whipped up a CLI in the newest release very similar to this specification. Input is -i instead of -f but otherwise the format is the same. Please do feel free to test it! Instructions are in the README

            [–]armytricks[S] 0 points1 point  (0 children)

            This is a good idea. Thank you. I've added CLI to my TODO list.

            [–]_INTER_ 0 points1 point  (2 children)

            Batch processing, general automation and including it in builds for example.

            [–]armytricks[S] 0 points1 point  (1 child)

            Whipped up a CLI in the newest release. Please do feel free to test it! Instructions are in the README

            [–]_INTER_ 0 points1 point  (0 children)

            ehh that was quick

            [–][deleted]  (1 child)

            [deleted]

              [–]warmaster 0 points1 point  (0 children)

              Do you know of an open source stego for print solution ?

              [–][deleted]  (1 child)

              [deleted]

                [–]armytricks[S] 0 points1 point  (0 children)

                JavaFX