What is steganography and how does it differ from cryptography?
Steganography is an ancient practice that involves hiding messages and data. From its humble origins that involved physically hiding communications and using invisible inks, it has now moved into the digital realm, allowing people to slip critical information into seemingly mundane files.
It may not be as popular as its older brother cryptography, but steganography still has important applications. So let’s jump in and discuss what steganography is, the history behind it, how it differs from cryptography, its major use cases, and how it can be detected.
**What is steganography?**
To put it simply, steganography is the study and practice of concealing information. It can be done either physically or digitally, with techniques ranging from blinking in Morse code to hiding data in .mp3 files.
The history of steganography
The first written case of steganography is found in Histories by Herodotus. He writes that it happened during the Ionian Revolt, an uprising of some Greek cities against Persian rule at around 500 BC. Histiaeus, the ruler of Miletus, was away from his city, acting as an adviser to the Persian king.
He wanted to go back to Miletus, which was under the control of his son-in-law, Aristagoras, so he planned to stage a revolt in Ionia as a pretext for his return. This is where the steganography comes in: He shaved the head of one of his slaves and tattooed a message on his scalp.
Histiaeus then waited for the slave’s hair to grow back and hide the message, then sent him to Aristagoras with instructions to shave the slave’s head once more and read the message. The concealed text told him to rise up against the Persian rule, which kicked off the uprising against their conquerors.
Herodotus tells another story about steganography that occurred several years later, when the Spartan king Demaratus sent a seemingly blank wax tablet back to Sparta. Hidden beneath the wax was a message that warned the Spartans of Xerxes’ planned invasion.
Herodotus is known for his tall tales, so we can’t be sure of how truthful these stories are, but they’re the earliest records of steganography we have.
It wasn’t long before more sophisticated forms of steganography were recorded. In the 4th century BC, Aeneas Tacticus made mention of a hole punching technique. Philo of Byzantium was the first to discuss invisible inks, writing about them in the third century BC. His recipe used gall nuts to write text and a copper sulfate solution to reveal it.
The term steganography was first used in a book called Steganographia by Johannes Trithemius. The word combined the Greek steganos, which means concealed, with graphein, which means writing.
Steganographia was a clever book that was purportedly about magic and the occult, but used cryptography and steganography to hide its real subject matter, which centered around cryptography and steganography.
Steganographia was followed up by Polygraphia, which was first published after Trithemius’ death in 1518. This was a more straightforward book about steganography and its practice.
Another key development in steganography came in 1605, when Francis Bacon devised Bacon’s cipher. This technique used two different typefaces to code a secret message into a seemingly innocent text.
Microdots were first developed in the latter half of the 19th century, but they weren’t used heavily for steganography until World War I. They involve shrinking a message or image down to the size of a dot, which allows people to communicate and pass on information without their adversaries knowing.
There have been a wide range of other steganographic developments and techniques over the years. Steganography continues to be practiced to this day, with low tech versions often used by prison gangs, and digital methods harnessed to hide data in pictures, audio and other media.
Steganography vs cryptography
Steganography is focused on hiding the presence of information, while cryptography is more concerned with making sure that information can’t be accessed. When steganography is used properly, no one – apart from the intended recipients – should be able to tell that there is any hidden communication taking place. This makes it a useful technique for situations where obvious contact is unsafe.
In contrast, cryptography tends to be used in situations where the participants aren’t concerned if anyone finds out that they are communicating, but they need the message itself to be hidden and inaccessible to third parties.
Let’s go through some examples to understand the differences. If you were a political activist who’s been imprisoned and you need to communicate with your organization, the logistics can be challenging. The authorities may monitor everything going in and out of your cell, so you would probably have to hide any communication that takes place.
In this kind of situation, steganography would be a good choice. It may be challenging with the resources you have at hand, but you could write a plain sounding letter with a hidden message concealed with different font types or other steganographic techniques.
Alternatively, let’s say you’re a diplomat discussing secret details with your home country. It’s normal for diplomats to talk with officials from their own nation so the communications themselves don’t raise any suspicions. However, since the content of the conversation is top secret, the diplomat may want to use cryptography and talk over an encrypted line.
If spies or attackers try to intercept the conversation, they will only have access to the ciphertext, and not what the two parties are actually saying.
Let’s flip things over to examine the differences even further. If the political activist used cryptography to communicate with their organization, the authorities would most likely have intercepted it.
The officials would see the ciphertext and know that the activist was trying to send encoded messages, then they would most likely stop its delivery and interrogate the activist about it. This could end very badly, in beatings, torture, or even the activist’s death. That’s why steganography would be more suitable in such a scenario.
Conversely, diplomats are often monitored by their host countries. If a diplomat tried to send steganographically concealed messages back home, they could be intercepted, analyzed and the content may be uncovered. In this situation, cryptography is more suitable, because although interceptors will know communication is taking place, they won’t be able to find out what it concerns.
Combining steganography & cryptography
While these two processes are often performed separately, they can also be combined together to gain the advantages that come from both fields. If you wanted to hide the fact that communication was taking place, but also protect the message in case it was discovered, you could first encrypt it and then conceal it with steganography.
As an example, let’s say you want to hide the message “I’m going home” with a simple Caesar cipher and invisible ink. Using the cipher, you could shift each character to the one that follows it in the alphabet, giving you a ciphertext of:
J’n hpjoh ipnf
Now that you have your ciphertext, you can write it down on your piece of paper with lemon juice or whatever kind of invisible ink you have at hand. As long as your recipient knows where the message will be, how to reveal it (heat, in this case) and how to decrypt it, they will be able to access the secret communication.
If anyone intercepts the message but can’t detect the invisible ink, then they will not know that any communication has taken place. If they do know that a message is there but can’t crack the code, then the message itself will still be secure, but the interceptor will know that something has been sent. They won’t be able to access the contents of the message unless they can crack the code.
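The encrypt-then-hide sequence described above, as an added example that is not from the original article: the Caesar shift produces the article's ciphertext, and letter case in a constructed cover text stands in for the invisible ink, in the style of the two-typeface Bacon's cipher mentioned in the history section. The cover text, the 5-bit terminator and all function names are assumptions made for this sketch.

```python
# Constructed cover text (assumption): any innocuous letter with enough letters works.
COVER = ("Thank you for the parcel, it arrived on Tuesday and everything was in good "
         "order. The weather here has been mild and the garden is doing well this year.")
END = "11111"  # 5-bit terminator (assumption); values 0-25 encode A-Z

def caesar(text, shift):
    """Shift ASCII letters by `shift` places; leave everything else untouched."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)
    return "".join(out)

def hide(ciphertext, cover):
    """Encode each ciphertext letter as 5 bits; bit 1 = uppercase cover letter, 0 = lowercase."""
    bits = "".join(format(ord(c) - 65, "05b")
                   for c in ciphertext.upper() if "A" <= c <= "Z") + END
    if len(bits) > sum(c.isalpha() for c in cover):
        raise ValueError("cover text has too few letters for this message")
    stream = iter(bits)
    out = []
    for c in cover:
        if c.isalpha():
            # Letters after the payload are forced to lowercase (bit 0).
            c = c.upper() if next(stream, "0") == "1" else c.lower()
        out.append(c)
    return "".join(out)

def reveal(stego):
    """Read letter case back into 5-bit groups until the terminator."""
    bits = "".join("1" if c.isupper() else "0" for c in stego if c.isalpha())
    letters = []
    for i in range(0, len(bits) - 4, 5):
        group = bits[i:i + 5]
        if group == END:
            break
        letters.append(chr(int(group, 2) + 65))
    return "".join(letters)

if __name__ == "__main__":
    ciphertext = caesar("I'm going home", 1)
    stego = hide(ciphertext, COVER)
    print(ciphertext)                   # what an interceptor must first find...
    print(stego)                        # ...inside this cover text
    print(caesar(reveal(stego), -1))    # recipient: extract, then decrypt
```

Each hidden letter costs five cover letters plus the terminator, so even this toy scheme shows the capacity cost of hiding, and spaces and punctuation in the secret are not carried.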
If you wanted to increase the security of the communications, you could use more sophisticated encryption and steganography methods, such as AES and bit plane complexity segmentation (BPCS), respectively.
**The uses of steganography**
Steganography has a number of surprising applications, aside from the obvious one of hiding data and messages. Hackers use it to conceal code in malware attacks. Printers use steganography as well, hiding imperceptible yellow dots that identify which printer created a document and at what time. Steganographic techniques are also frequently used in watermarking and fingerprinting to prove ownership and copyright.
**The limitations of steganography**
Steganography is a useful practice, but it does have a number of limitations. There are two key factors that are often in competition – the first is how obvious and easy the hidden data is to detect (whether by human perception or other forms of analysis), while the second is how much data can be hidden in a given file or piece of communication.
The higher the percentage of data someone tries to conceal, the easier it is to spot. How much data you can safely include in a given file will depend on the steganographic technique, risk level, and amount of scrutiny expected.
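An added illustration of this trade-off (not from the original article). It assumes least-significant-bit replacement as the hiding method and a pairs-of-values chi-square statistic as the check, neither of which the article names, and runs them over a constructed sample array at embedding rates of 0, 20 and 100 percent.

```python
import random

def make_cover(n=4096):
    """Constructed 8-bit samples (assumption): all even, so every value pair
    (2k, 2k+1) is lopsided. Real covers are less extreme but show the same skew."""
    return [(i * 7 % 64) * 4 for i in range(n)]

def embed_lsb(cover, rate, seed=1):
    """Overwrite the lowest bit of the first `rate` fraction of samples
    with pseudo-random payload bits (stand-in for an encrypted message)."""
    rng = random.Random(seed)
    stego = list(cover)
    for i in range(int(len(cover) * rate)):
        stego[i] = (stego[i] & ~1) | rng.getrandbits(1)
    return stego

def pair_imbalance(samples):
    """Chi-square statistic over value pairs (2k, 2k+1).
    LSB replacement evens out each pair, pushing the statistic toward 0."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat

def sweep(rates=(0.0, 0.2, 1.0)):
    """Return (rate, statistic) for each embedding rate over the same cover."""
    cover = make_cover()
    return [(r, pair_imbalance(embed_lsb(cover, r))) for r in rates]

if __name__ == "__main__":
    for rate, stat in sweep():
        print(f"embedding rate {rate:4.0%}  pair statistic {stat:8.1f}")
```

On this constructed cover the statistic is 2048 with nothing embedded and drops as the embedding rate rises, which is the kind of signal a statistical check picks up even when the change is invisible to the eye.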
If data is hidden in images, it’s still quite hard for the human eye to detect anomalies when 20 percent of the data has been replaced, assuming the information has been well hidden. At lower percentages, the image will look essentially the same. As more data is packed in, the quality starts to deteriorate and you may even be able to see elements of the hidden picture.
If you’re having trouble getting your head around what it looks like, check out the examples starting at page three, and then again from page 12 in this paper written by John Ortiz for Black Hat.
If we use 20 percent as a benchmark, then it’s best to have a file that’s at least five times the size of the data you want to conceal. With this technique at a low risk level, you would want a five gigabyte file for each gigabyte that you want to hide.
This makes steganography relatively inefficient. If your goal is to keep data secure and confidential, rather than to obscure the fact that communication is taking place, cryptography is generally a better option.
On top of the efficiency problem, the recipient also needs to know where and how information has been hidden so that they can access it. This generally means that you will need access to a secure channel so that you can discuss these details without any attackers intercepting them. Because secure channels are often difficult to come by, particularly in situations that require steganography in the first place, this can be a difficult problem to surmount.
Finally, when trying to keep information hidden, it’s important to consider Kerckhoffs’s principle:
“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
The central point is that it is unwise to use a system where the only protection is the enemy’s lack of awareness – they may stumble upon or deduce that there is hidden data, then figure out ways to extract it.
It depends on the situation, but if keeping information secure and inaccessible to unauthorized parties is of the utmost importance, then data should be encrypted with a private key before steganographic techniques are applied.
The different types of steganography
There are too many types of steganography to cover each one, so we will stick to the more commonly used and interesting forms, giving examples of how they are used.
Physical steganography
Steganography was developed well before computers, so there are a range of non-digital techniques that we can use to hide information.
Invisible ink
Throughout history, invisible ink has been one of the most common steganographic practices. It works under the principle that a message can be written without leaving any visible marks, only to be revealed later after a certain treatment is applied.
A wide range of substances can be used as invisible inks. Some of these include lemon juice, cola, wine, vinegar, milk, and soapy water, all of which can be made visible by heat. Laundry detergents, sunscreen, soap and saliva are also invisible inks, but they are revealed by ultraviolet light instead.
There are also a number of combinations where the first ingredient is used to write and the second causes a chemical reaction that makes the image visible. These include starch and iodine, iron sulfate and sodium carbonate, vinegar and red cabbage water, phenolphthalein and ammonia fumes, as well as salt and silver nitrate.
Invisible ink can only be relied on when adversaries don’t suspect that it’s been used. If messages are already being screened, it may not be the best technique, because it’s relatively easy to uncover the messages. Likewise, if the writing process leaves behind any signs, such as a different texture, scratch marks or an altered sheen, the invisible ink might be detected by the enemy.
Invisible ink was a critical part of George Washington’s communication process as he worked to overthrow the British. He created a spy group in 1778, and messages would frequently be sent between the members. They would often write a legitimate shopping list with an invisible ink message hidden underneath, just in case the note was intercepted.
They used an ink developed by Dr. James Jay. Washington often referred to it as ‘medicine’ in his letters as a cover. The letters were also frequently written in code, just in case the British came across one of the messages. Combining steganography with encryption added another layer of protection.