Steganography in Images

Final Communications Report

Francesco Queirolo

Steganographic image produced on the left with the stego-tool: White Noise Storm.
(Johnson, Steganography)

Steganography is a very old method of passing messages in secret. This method of

message cloaking goes back to the time of the ancient Greeks. The historian Herodotus
wrote about how an agent wrote a message warning of an invasion on the wood part of a
wax tablet. Since messages were normally inscribed in the wax and not the wood, the
tablet appeared blank to a common observer.
There is also the story of a messenger during the Persian Wars who shaved his
head and had a message tattooed on it. He waited until his hair grew back to make his
journey. When he arrived at his destination, he shaved his head to reveal the message.
During WWII spies on both sides used invisible inks. These inks were fluids
such as milk, fruit juice, or urine that would darken when heated. They also sent
messages with very small punctures above characters in a document that formed a
message when combined. (Mc Cullah, Feb 7, 2001).
INTRODUCTION
Many people lump steganography with cryptography, and while they are in many
cases means to the same ends (not letting unauthorized persons view data) they are not
the same thing. Although, they are often sibling processes and first encrypting a message
then using a stego-tool to hide it is more effective in hiding a secret message than either
method by itself. According to Dictionary.com: Steganography is: Hiding a secret
message within a larger one in such a way that others can not discern the presence or
contents of the hidden message and Cryptography is The process or skill of
communicating in, or deciphering secret writing or ciphers. (Dictionary.com).

Steganography can be used to cloak hidden messages in image, audio, and even
text files. In this report, we will concern ourselves with hiding messages (meaning either
images, or text) in images.
REPRESENTATION OF IMAGE TYPES
In a computer, images are represented as arrays of values. These values represent
the intensities of the three colors R(ed) G(reen) and B(lue), where a value for each of the
three colors describes a pixel. Through varying the intensity of the RGB values, a finite
set of colors spanning the full visible spectrum can be created. In an 8-bit gif image, there
can be 28 = 256 colors and in a 24-bit bitmap, there can be 224 = 16777216 colors.
Large images are most desirable for steganography because they have the most
space to hide data in. The best quality hidden image is normally produced using a 24-bit
bitmap as a cover image. Each byte corresponding to one of the three colors and each
three-byte value fully describes the color and luminance values of one pixel. The cons to
large images are that they are cumbersome to both transfer and upload, while running a
larger chance of drawing an attackers attention due to their uncommon size. As a
result, compression is often used. There are two common compression techniques used to
shrink the file size of a bitmap. (Johnson, 1998)
GIF
The first is the GIF (Graphics Interchange Format) format, which will decrease
the number of bits used to represent each pixel from 24 to 8. This is a lossless
compression technique and the data hidden in the message can be recovered without a
problem.

JPEG
The JPEG (Joint Photographic Experts Group) is a form of lossy compression. It
does a very nice job of decreasing the file size of the image and retaining a great deal of
its quality. The JPEG transformation takes eight pixel by eight pixel blocks and performs
a 64 bit DCT (Discrete Cosine Transformation) does not compute to exact values. With
continuing transforms, the precision of the calculation is decreased and the amount of
error increases. Two methods used to perform a DCT are the Fast Fourier and wavelet
transforms. The downside to JPEG compression is that it may corrupt hidden data.
Palette and Image Composition
The palette and composition of the image also contribute to how well the stegotool does its job. An images with gradual color gradients or in grayscale is the best for
stenography because it is easier to insert small errors in. The changes also appear more
gradually and as a result are less likely to be detected. Observe the different color palettes
below and how the one on the left changes gradually and is more suitable for a cover
image than the one on the right. (see Figure 1. below)

Figure 1 Palette Gradients (Johnson, 1998)

It is also important to use images that do not contain large blocks of a solid color,
as the changed bits in the solid area are easier to detect.
CONCEALMENT
There are three main ways to conceal the secret message/image. The first way is
straight insertion where you just put the message into the cover image. The next way
requires some analysis to find the variations in color and it puts the message in those
areas where it is less likely to be detected. The last way is to randomly insert the message
into the image.
LSB
First we will investigate least significant bit insertion, where you literally put the
information in the least significant bits of an image. This is a simple technique but the
down side is that the message is very succeptible to information loss when using lossy
compression techniques. We will now go over an example that involves inserting an A
into 3 pixels of a 24 bit image. Here is the original raster data:
(00100111 11101001 11001000)
(00100111 11001000 11101001)
(11001000 00100111 11101001)

The binary value of A is 10000011 and encoding A into the last bits of this 3 pixel
sequence will change the above sequence to:
(00100111 11101000 11001000)
(00100110 11001000 11101000)
(11001000 00100111 11101001). (Johnson, 1998)

Notice that only the underlined bits had to be changed in order to create the A. On the
average only have of the bits would have to be changed in an LSB(Least Significant Bit)

encoding scheme. With such a small variation in the colors it would be very difficult for
the human eye to discern the difference.
Next we will do least bit insertion with an 8 bit value. Since 8 bit values can only
have a maximum of 256 colors the image must be chosen much more carefully. Consider
a palette with four colors: white, red, blue, and green which have the palette position
entries of 0(00), 1(01), 2(10) and 3(11) respectively. The values of four adjacent pixels
with colored white, white, blue, blue (00 00 10 10). We will try and hide the decimal
number 10 represented in binary as 1010. The resulting raster is: 01 00 11 10, which
corresponds to red, white, green, blue. Thes large changes in the image are very
noticeable in a color image although an 8 bit greyscale image will produce relatively
good results. (Johnson, 1998)
There are multiple tools that implement LSB. One tool, EzStego can change
around the palate to lessen the frequency of adjacent colors with too strong of a contrast.
S-Tools tries to approximate the cover image by changing around the palette to make the
difference between bits only one and sometimes causes very noticeable shifts in the
palette.
Masking and Filtering
Masking and filtering techniques are mostly used on 24 bit and greyscale images.
They hide info in a way simliar to watermarks on actual paper and are sometimes used as
digital watermarks. Masking images entails changing the luminance of the masked area.
The smaller the luminance change, the less of a chance that it can be detected. Observe
that the luminance in Figure 1. (next page) is at 15% in the mask region if it was
decreased then it would be nearly invisible.

Figure 1. Masking (Johnson, 1998)

Stego-images(images that have been manipulated by steganographic methods)
that are masked will keep a higher fidelity than LSB through compression, cropping and
some image processing. The reason that a stego image encoded with masking, degrades
less under JPEG compression is that the secret message is hid in the significant areas of
the picture. There is a tool called JPEG J steg that takes advantage of the compression
of JPEG while trying to keep a high message fidelity. The program takes a secret
message and a lossless cover image as input and outputs a stego image in JPEG format.
Digital Watermarking(a slight diversion)
As stated abovce digital watermarking is often performed by masking. The reason
for digital watermarking is very different from steganography. Where the goal of
steganography is to transmit a message undetected, a digital watermark is created as a

sign of ownership/authorship. Since digital copies are ineherently exact replicas of the
original unless noise, or some type of lossy operation is performed, there will be no way
to tell them apart.Therein lies the authorship/ownership problem due to the likeness of the
original and the copy. Digital watermarks can be used to show proof of ownership by
having your mark put into the file, so even if both images are the same, if they contain
your mark then you have a much stronger case for copyright or ownership disputes.
Watermarks can be visible or invisible depending on the luminance in the mask. The
highter the luminance the greater the visibility of the watermark. Attackers can use
different types of image processing to remove or degrade the watermark until it is
illegible. There are different recovery techniques but it is usually helpful to have the
original image when trying to recover the watermark.
Redundant Pattern Encoding
Patchwork and other similar tools do redundant pattern encoding, which is a sort
of spread spectrum technique. It works by scattering the message throughout the picture.
This makes the image more resistant to cropping and rotation. Smaller secret images
work better to increase the redundancy embedded in the cover image, and thus make it
easier to recover if the stego-image is manipulated.
Encrypt and Scatter
The encrypt and scatter technique tries to emulate white noise. White Noise Storm
is one such program that employs spread spectrum and frequency hopping. It does this by
scattering the message throughout an image on eight channels within a random number
that is generated by the previous window size and data channel. The channels then swap
rotate, and interlace amongst each other. Each channel represents one bit and as a result

there are many unaffected bits in each channel. This technique is a lot harder to extract a
message out of than an LSB scheme because to decode you must first detect that a hidden
image exists and extract the bit pattern from the file. While that is true for any stegoimage you will also need the algorithm and stego key to decode the bit pattern, both of
which are not required to recover a message from LSB. Some people prefer this method
due to the considerable amount of extra effort that someone without the alogrithm and
stego-key would have to go through to extract the message. Even though White Noise
Storm provides extra security against message extraction it is just as succeptible as
straight LSB to image degradation due to image processing.
DETECTION
Even though stego-images can rarely be spotted by the naked eye, they usually
leave behind some type of fingerprint or statistical hint that they have been modified. It is
those descrepancies which an analysis tool may be able to detect. Since some techniques
and their effects are commonly known, a statistical analysis of an image can be
performed to check for a hidden message(s) in it.
The simplest technique is to measure the entropy of redundant data and check if
its statistical properties have deviated from the data collected from the original image.
Since we do not always have the unaltered cover image readily availible a detection
system can compare the amount of 1s and 0s to detect the presence of a stego-image. A
similar method of analysis can be used for JPEGs but the coefficients of the DCT are
looked at instead of individual bits. Yet another method is to create a new color and sort
the palette of the image and look for statistical anomalies that way. These simple methods
do not conclusively proove that there is a secret message but are merely the first step.

After a suspected image is found then a dictionary attack must be conducted to verify that
there is a hidden message.

USES OF STEGANOGRAPHY
Steganography can be used anytime you want to hide data. There are many
reasons to hide data but they all boil down to the desire to prevent unauthorized persons
from becoming aware of the existence of a message. In the business world
steganography can be used to hide a secret chemical formula or plans for a new
invention. Steganography can also be used for corporate espionage by sending out trade
secrets without anyone at the company being any the wiser. Steganography can also be
used in the non-commercial sector to hide information that someone wants to keep
private. Spies have used it since the time of the Greeks to pass messages undetected.
Terrorists can also use steganography to keep their communications secret and to
coordinate attacks. It is exactly this potential that we will investigate in the next section.
TERRORISTS AND STEGANOGRAPHY
Now that we have investigated the basics of steganography we will examine what
part it has had in the communication for terrorist networks and more specifically how it is
linked to the activities of Osama bin Laden and the al-Qaida network. There is a general
belief that some of the plans for the September 11 attacks were hidden in images and put
into sports and pornographic bulletin boards.
Known Communications
The al-Qaida terrorist network has been known to use encryption. They receive
money from Muslim sympathizers, buy computers and then go online and download

encryption programs from the web. (Kelley 6/19/01) Here are brief accounts from USA
Today, that describe three instances where terrorists have used some sort of encryption:

Wadih El Hage, one of the suspects in the 1998 bombing of two U.S. embassies in East Africa,
sent encrypted e-mails under various names, including "Norman" and "Abdus Sabbur," to
"associates in al Qaida," according to the Oct. 25, 1998, U.S. indictment against him. Hage went
on trial Monday in federal court in New York.

Khalil Deek, an alleged terrorist arrested in Pakistan in 1999, used encrypted computer files to plot
bombings in Jordan at the turn of the millennium, U.S. officials say. Authorities found Deek's
computer at his Peshawar, Pakistan, home and flew it to the National Security Agency in Fort
Meade, Md. Mathematicians, using supercomputers, decoded the files, enabling the FBI to foil the
plot.

Ramzi Yousef, the convicted mastermind of the World Trade Center bombing in 1993, used
encrypted files to hide details of a plot to destroy 11 U.S. airliners. Philippines officials found the
computer in Yousef's Manila apartment in 1995. U.S. officials broke the encryption and foiled the
plot. Two of the files, FBI officials say, took more than a year to decrypt. (Kelley, 6/19/2001)

Osama bin Laden has used mobile phones, and satellite communications in the past
but it is believed that he has stopped using them to make it more difficult to detect him.
(Sieberg, 9/21/01) Some experts believe that he only uses messengers now. For a military
commander this would be highly ineffective as they have to be in contact with their
subordinate commanders at all times, but bin Laden is considered a spiritual or
inspirational leader and as a result does not have to maintain constant contact with his
troops. They can operate in smaller cells.
The events that took place on September 11 were obviously very coordinated and the
terrorists must have had to use some form of communication to coordinate their attacks.
Since their communications were not detected, it would lead one to believe that they were
using some type of encryption and/or message hiding system.
Steganography for Terrorists
Whether or not al-Qaida uses steganography, it would be a very effective high tech
communication method. They can use bulletin boards and other public places where you

can put images as cyber dead drops for stego-images. A dead drop is a place where you
drop off a deliverable at some pre-determined time and place without ever meeting or
directly communicating with the other party. Of course, communication will have to be
initiated but after that, all communications/exchanges can be made in the manner outlined
above. For covert purposes, this communication technique has two very distinct
advantages over most other forms of communication. The first is that the communication
is asynchronous, which means that it is simpler to implement and helps to avoid
suspicion as involved parties arent directly associated with each other. The second
reason is that only one of the parties is required to know who the other is. This is
especially valuable if one party is caught then they may not be able to divulge who they
were dealing with, regardless of the interrogation methods used. The last point makes
steganography an especially appealing method of communication to the al-Qaida network
because they operate as cells and the anonymity that dead drops provide will help to
avoid uncovering of the entire network even if some members are caught.
Detection
There have been multiple congressional committees dealing with encryption over the
past few years. The US government has done some private contracting to develop
steganography detection tools. One such contract is with WetStone Technologies who
have been contracted to develop a blind steganography detection prototype. (Mc
Cullah, February 21, 2001) There is no doubt more research going on but not all of it will
be made public and it is most probable that the NSA is developing or has detection
programs already.

In academia, graduate students Niel Provos and Richard Honeyman at the University
of Michigan have written a web crawling program to detect steganographic images in the
wild. The program has already digested 2 billion JPEGs on popular sights such as ebay
and has so far found only one stego-image in the wild. The detected image was on an
ABC web page that dealt with the topic of steganography. It had a picture of a B-52
graveyard at Davis-Monthan Air Force Base embedded into a surreal image of clocks and
the earth. Even though there is much speculation on the subject and al-Qaida has used
high tech information hiding methods in the past there is no proof that steganography was
used to orchestrate elements of the September 11 bombing. However, since this search is
was not exhaustive there is no conclusive proof either way.
CONCLUSION
Where does this leave us now, in the very precarious position of trying to balance
personal freedoms with national safety. There has been debate in different sectors of
government as the issue has come up before and was a rather hot issue after the first
World Trade Center attack. During the Clinton administration restrictions on the
exportation of cryptography, hardware and software tools were laxed. After the
September 11 attack, there will be no doubt a very close inspection of many aspects of
our national security and there will be new proposals to try to stop another tragedy from
occurring.
Authors Closing Thoughts
It is the hope of the author of this paper that judicious limits on cryptography and
steganography will be implemented. As I believe that in our current position if terrorists

used a good stego-tool and a solid encryption algorithm it would be very difficult to
discover their plans before they are executed. Of course, there will be some that argue
encryption should not be mitigated as it is an academic pursuit and helps preserve
privacy. Even so, I believe we must rely on our government (for they are accountable to
the citizens of this country) to make the correct decisions in the matter because privacy is
important but not to the point where people can use it as shield to kill people.

Bibliography
How Stego Online Works. Visited on: 11/7/01.
http://www.stego.com/howto.html
Johnson, N, & Jajodia, S. (February 1998) Exploring Steganography: Seeing the Unseen.
Visited on: 11/8/01. http://www.computer.org/computer/co1998/r2026abs.htm

Johnson, N. Steganography. Visited on: 11/8/01.

http://www.jjtc.com/stegdoc/stegdoc.html
Johnson, Neil F. Steganography. Visited on 11/9/01.
http://www.jjtc.com/stegdoc/sec313.html
Kelley, Jack (June 19, 2001). Terror groups hide behind Web encryption. Visited on:
11/8/01. http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm

Kuhn, Markus (July 3, 1995). Steganography. Visited on: 11/7/01.

http://www.iks-jena.de/mitarb/lutz/security/stegano.html

Levy, Steven (2001). Did Encryption Empower These Terrorists?. Visited on 11/5/01.
http://msnbc.com/news/627390.asp?cp1=1#BODY

Mc Cullah, Declan (Feb 7, 2001). Bin Laden: Steganography Master?. Visited on:
11/4/01. http://www.wired.com/news/politics/0,1283,41658-2,00.html

Mc Cullah, Declan (February 21, 2001). Secret Messages Come in .Wavs. Visited on:
11/7/01. http://www.wired.com/news/print/0,1294,41861,00.html

McGrath, Peter (Sept 21, 2001). Coded Communications: Did the hijackers hide their
messages in harmless-looking images on the Internet?. Visited on 11/4/01.
http://www.msnbc.com/news/632358.asp?cp1=1#BODY

Mendell, Ronald (Sept 20, 2000). Steganography - Electronic Spycraft. Visited on

11/7/01. http://www.earthweb.com/article/0,,10456_624101,00.html

PDF files from: http://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf

Provos, Niel (October 12, 2001). First Steganographic Image in the Wild. Visited on:
11/7/01. http://www.citi.umich.edu/u/provos/stego/abc.html

Schneier, Bruce. (September 24, 2001). Terrorists and steganography.

http://www.zdnet.com/zdnn/stories/comment/0,5859,2814256,00.html

Sieberg, Daniel (Sept 21, 2001). Bin Laden exploits technology to suit his needs. Visited
on 11/4/01. http://www.cnn.com/2001/US/09/20/inv.terrorist.search/