steganography: Hiding your wallet in a JPEG image

[grondilu]

Edit:  I realised during this thread that there are FOSS programs to do this.  "steghide" is one of them.

I was starting to write this but I'm getting lazy so I just put the beginning of it, in case someone would like to end it.

The idea is to store your wallet, or an encrypted version of it, into an image file.  The program creates a quasi identical image, with the data steganographied in it.   The data can be retreived by comparing the two almost identical images.  Therefore you need to store both images, possibly in two different places on cyberspace.

Requires ImageMagick to convert the file in Ascii PPM format.

Code:

#!/bin/bash

if [[ -z "$1" ]]
then echo "usage: $0 image-file [input-data]" 1>&2; exit 1
elif [[ ! -s "$1" ]]
then echo "$1 is empty or does not exist" 1>&2; exit 2
elif image="$1"; ! identify "$1" 1>&2
then echo "couldn't understand image format for $1" 1>&2; exit 3
else
    ppmimage="${1%.*}.ppm"
    convert "$image" -compression none "$ppmimage"
    data=$(mktemp)
    xxd -p "${2:-/dev/stdin}" |
    while read -N 2 x
    do
        n=$((0x$x))
        : please continue
    done
fi

[fabianhjr]

Something to note is that if the image is a JPG/PNG or other compressed format it would be easy to detect if someone tampered with it. I suggest you only use BMPs. This is a nice idea. Though, I would suggest having the original uploaded and the one with your wallet on it to stay offline.

[grondilu]

Something to note is that if the image is a JPG/PNG or other compressed format it would be easy to detect if someone tampered with it. I suggest you only use BMPs. This is a nice idea. Though, I would suggest having the original uploaded and the one with your wallet on it to stay offline.

Let me make it clear, stenography is only a way to hide data.  It's not proper encryption.  It's quite useful, though, since then you can store your wallet pretty much anywhere (any image storing web service), or even wikipedia.

But if you want to store your two images (both images are required to retrieve data) on the web, then you must use an encrypted wallet, not the wallet itself.  You might possibly use a passphrase that the image reminds you of.

[fabianhjr]

Let me make it clear, stenography is only a way to hide data.  It's not proper encryption.  It's quite useful, though, since then you can store your wallet pretty much anywhere (any image storing web service), or even wikipedia.

But if you want to store your two images (both images are required to retrieve data) on the web, then you must use an encrypted wallet, not the wallet itself.  You might possibly use a passphrase that the image reminds you of.

Yeah that is my point. It is better that your wallet never touches the public Internet.

Also I just realized you use the Netpbm format. That is great. Sorry, I was half sleep and couldn't read the whole code. I see no flaw with your code. Great job. 

http://www.youtube.com/watch?v=BA6kG-tOkBs - McFrontalot - Secrets from the Future

[Nefario]

You should encrypt it before using steganography to attempt to hide it, encrypted data often cannot be differentiated from random data.

[ShadowOfHarbringer]

I was starting to write this but I'm getting lazy so I just put the beginning of it, in case someone would like to end it.

The idea is to store your wallet, or an encrypted version of it, into an image file.  The program creates a quasi identical image, with the data steganographied in it.   The data can be retreived by comparing the two almost identical images.  Therefore you need to store both images, possibly in two different places on cyberspace.

Requires ImageMagick to convert the file in Ascii PPM format.

Code:

#!/bin/bash

if [[ -z "$1" ]]
then echo "usage: $0 image-file [input-data]" 1>&2; exit 1
elif [[ ! -s "$1" ]]
then echo "$1 is empty or does not exist" 1>&2; exit 2
elif image="$1"; ! identify "$1" 1>&2
then echo "couldn't understand image format for $1" 1>&2; exit 3
else
    ppmimage="${1%.*}.ppm"
    convert "$image" -compression none "$ppmimage"
    data=$(mktemp)
    xxd -p "${2:-/dev/stdin}" |
    while read -N 2 x
    do
        n=$((0x$x))
        : please continue
    done
fi

There is already Linux, open source command-line software for just this:

http://steghide.sourceforge.net/

Checked, it works. You can use it under windows with cygwin.
Also, it encrypts the data with a password, so you are fully protected.

[grondilu]

There is already Linux, open source command-line software for just this:

http://steghide.sourceforge.net/

Indeed !

I searched once "apt-cache search steganography" and I had found nothing.

Now I see why, the description was in my mother tongue, so I should have written "stéganographie" instead.

Thanks, I'm sure this thread will be usefull anyway, for it will allow people to be aware of this tool.

[davout]

There is already Linux, open source command-line software for just this:
http://steghide.sourceforge.net/

Nice!

[ShadowOfHarbringer]

There is already Linux, open source command-line software for just this:

http://steghide.sourceforge.net/

Indeed !

I searched once "apt-cache search steganography" and I had found nothing.

Now I see why, the description was in my mother tongue, so I should have written "stéganographie" instead.

Thanks, I'm sure this thread will be usefull anyway, for it will allow people to be aware of this tool.

FYI, it is present in many of current linux distros' repositories as well.
I use Gentoo and i have this in repo.

[gene]

Be careful with these methods:

http://freshmeat.net/projects/stegdetect/

Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images. Currently, the detectable schemes are jsteg, jphide, invisible secrets, outguess 01.3b, F5, appendX, and camouflage. Using linear discriminant analysis, it also supports detection of new stego systems. Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide, and OutGuess 0.13b.

Stego detection is an area of active research.

[HostFat]

Please give a look at this one also 
http://www.ollydbg.de/Paperbak/index.html

[kkndrs]

But if you want to store your two images (both images are required to retrieve data) on the web, then you must use an encrypted wallet, not the wallet itself.  You might possibly use a passphrase that the image reminds you of.

You don't need both images to retrieve steganographically hidden data. You need a modified image and a shared secret key.

Something to note is that if the image is a JPG/PNG or other compressed format it would be easy to detect if someone tampered with it. I suggest you only use BMPs. This is a nice idea. Though, I would suggest having the original uploaded and the one with your wallet on it to stay offline.

Everybody uses compressed format nowadays. Using BMP is suspicious by itself. There are, indeed, very secure steganographic techniques for JPEG domain, just google it. It is also more convenient 

[ZenMondo]

Another problem if you want to hide it plain sight on an image hosting site, all of them process the images they host and display on the web, therefore probably losing any steganographic data.  In fact I am in the market for some public anonymous imagehost that hosts raw images for a steganography experiment. I have not looked HARD yet, but so far have not found any hosting service that does not process the images.

[tifanny357]

As far as I am concerned, I have ever tried to display the image, not to hide the JPEG images. But an advanced image processing control may enables you to both display and hide the images.

[UberNifty]

Question: Would the following scenario be practical under real-world usage?

Let's say that you were to render your initial stenographed image as a BMP. Then let's say that you compress both the original image and the stenographed image into an identically compressed JPG setting (i.e. 90% JPG compression), and then proceed to upload both to the Internet Archive (does not manipulate / reformat images in any manner whatsoever).

Would the above scenario even be practical? The basic idea here, is to obfuscate the stenographed image enough to make detection at least a bit more difficult.

Naturally, each oth the two images would be stored on separate and unique Archive pages.

[12648430]

Question: Would the following scenario be practical under real-world usage?

Let's say that you were to render your initial stenographed image as a BMP. Then let's say that you compress both the original image and the stenographed image into an identically compressed JPG setting (i.e. 90% JPG compression), and then proceed to upload both to the Internet Archive (does not manipulate / reformat images in any manner whatsoever).

Would the above scenario even be practical? The basic idea here, is to obfuscate the stenographed image enough to make detection at least a bit more difficult.

Naturally, each oth the two images would be stored on separate and unique Archive pages.

Not remotely. Steganographed data is put into the lowest order bits of the image. JPEG compression is lossy. When you convert BMP->JPEG->BMP, the resulting image will not have the same low order bits as the inputs.

[enrapha]

it would be interesting if printers and scanners/phone cameras got to the point that they could print and read something like this. you could hide your wallet in a simple photo of your wife in a frame.