Ever find yourself with too many passwords to remember and no idea where to keep them so that only you can find the password list? Creating a password.txt file in your root directory is out of the question, as is a password-protected OpenOffice.org file. A piece of paper hidden somewhere is not a good idea, because after you forget where did you put it, someone else will find it and missuse it. Instead of these approaches, consider using steganography, a method for hiding sensitive information inside some other object, typically a JPEG picture or a sound file.
With steganography, a plain text file is merged with a picture or sound file. The resulting file looks and sounds the same -- only the size of the file is slightly changed. For extra security, you can encrypt the text file before you merge it.
Here's a look at some useful tools that you can use to hide and unveil sensitive information inside an object. Most of these programs and tools are available in package repositories for different Linux distributions.
OutGuess
OutGuess is console-based universal steganographic tool that can hide information inside picture objects. OutGuess can be used on Linux, *BSD, Solaris, AIX, HP-UX, Mac OS X, and Windows.
Suppose I want to securely send a coworker a root password for a production server. I can start by putting the password in a pass.txt file, then encrypt it with a secret key ("summer" -- shh, don't tell anyone) and mix the encrypted version with an image called grill.jpg. OutGuess can do that with one command:
~$ outguess -k summer -d pass.txt grill.jpg summer-grill.jpg
output of $outguess -k suffer -d flag.txt 1.jpg suffer-1.jpg:
Reading 1.jpg....
JPEG compression quality set to 75
Extracting usable bits: 46389 bits
Correctable message size: 20587 bits, 44.38%
Encoded 'flag.txt': 368 bits, 46 bytes
Finding best embedding...
0: 198(49.5%)[53.8%], bias 179(0.90), saved: -1, total: 0.43%
4: 183(45.8%)[49.7%], bias 175(0.96), saved: 0, total: 0.39%
88: 189(47.2%)[51.4%], bias 164(0.87), saved: 0, total: 0.41%
241: 191(47.8%)[51.9%], bias 159(0.83), saved: 0, total: 0.41%
241, 350: Embedding data: 368 in 46389
Bits embedded: 400, changed: 191(47.8%)[51.9%], bias: 159, tot: 45997, skip: 45597
Foiling statistics: corrections: 85, failed: 0, offset: 22.923077 +- 41.335624
Total bits changed: 350 (change 191 + bias 159)
Storing bitmap into data...
Writing suffer-1.jpg....
You don't need to use the -k option to encrypt the sensitive data with a secret key. If you leave it off, however, anyone who knows there's a file buried in the image can extract the output file.
Now I have an image named summer-grill.jpg that holds my production server's root password, and I can mail it to my coworker. Anyone who sees the picture won't notice anything strange, since the data in the image object is not visible to the human eye.
When my coworker receives the picture, he needs to extract the information from the file. As long as he knows the secret key I used for the encryption, he can run the command:
~$ outguess -k summer -r summer-grill.jpg pass.txt
example:
vishal@Eva:~/research$ outguess -k suffer -r suffer-1.jpg pass.txtReading suffer-1.jpg....
Extracting usable bits: 46389 bits
Steg retrieve: seed: 241, len: 46
If you don't specify the -k option and provide the key, OutGuess will extract the pass.txt file, but it won't be readable.
Steghide
Steghide is another program you can use to hide sensitive data inside image and audio files. The default encryption algorithm is Rijndael with a key size of 128 bits, which is basically AES (Advanced Encryption Standard), but you can choose from many other encryption algorithms as well. Steghide runs under both Linux and Windows.
Let's use the same scenario from our previous example. The equivalent Steghide command is:
~$ steghide embed -cf grill.jpg -sf summer-grill.jpg -ef pass.txt -p summer
example:
vishal@Eva:~/research$ steghide embed -cf 1.jpg -sf 123.jpg -ef flag.txt -p summer
embedding "flag.txt" in "1.jpg"... done
writing stego file "123.jpg"... done
To extract the pass.txt file from the summer-grill.jpg picture, use this Steghide command:
~$ steghide extract -sf summer-grill.jpg
example:
vishal@Eva:~/research$ steghide extract -sf 123.jpg
Enter passphrase:
wrote extracted data to "flag.txt".
You'll be asked for a password, and the utility will extract the pass.txt only if your password (secret key) is correct. Note that when extracting we didn't specify any output file. That's because Steghide automatically knows what the file name was that was inserted and extracts the file with the same name.
No comments:
Post a Comment