[Written on December 6th 2003]
Steganography strength (is it easy to see there is hidden data?): Low
Cryptography strength (is it easy to recover the hidden data?): Low
1. What is it?
Some people behind an interesting Delphi programming website at dancemammal.com coded a small steganographic freeware called ImageHide. The presentation text on the web page is very honest and fair ("simple encrypt"), no snake-oil detected at all. It's almost refreshing. This program can encrypt text, and hide it into several bitmap-based image formats. Here we are going to have a look on the BMP format only.
2. Quick visual look
Let's hide a text in a black 24 bits bitmap file, and then enhance the Least Significant Bits (LSB) with this small tool, so they appear in flashy colors. We have this:
We can see right away that the hidden bits are not spread pseudo-randomly all over the image. Instead, they are hidden linearly, starting from the top of the bitmap (which is actually the last line in the file, the BMP format storing information upside-down).
3. The format of the hidden data
We just have to extract these Least Significant Bits, make them back into bytes, and look at this extracted information. We will see quickly that the format is the following:
- the first 4 bytes (32 bits) are all set to zero
- the next 4 bytes (32 bits) are the hidden message size
- the next bytes are the hidden message
So we can use the fixed first 32 LSBs as a signature. If they are all 0, which is not very probable in a photo for example, the image may contain data hidden with ImageHide. Of course, there may be some false positives with special kind of images (a completely black BMP for example).
4. And if the message is encrypted?
As the programmers say, the encryption algorithm is simple. Basically, it's a byte-by-byte XOR loop with a key that is modified at each step (2 additions and 1 multiplication) with a sort of feedback mode using the precedent encoded byte (in one of the additions - the other operations use hardcoded values) to add some variation depending on the plain text itself. This precedent phrase is impossible to understand, so you will have to believe me, this algo is easy to break. Or just look in the source of my decoder.
5. A program to retrieve and decrypt the hidden data
I quickly coded a small program called ImageHide Hidden Text Finder to automatize the extraction and decryption of the data. It checks if the file is a 24-bits BMP, then if there is some hidden data by checking the ImageHide signature. Then it extracts the data and save two files: "hidden_extracted.txt" contains the raw data (the plain text message will be here if it was not encrypted) and "hidden_extracted_decrypted.txt" that contains decrypted data (the plain text message will be here if it was encrypted).
And that's it for today.
Have a nice day!
Guillermito, December 6th 2003