
Digital Steganography tools - extra security or extreme liability?

  • 10-07-2013 9:12am
    #1
    Closed Accounts Posts: 678 ✭✭✭


    I've been looking over some of the freely available steganographic tools on the web, which in theory allow you to hide a message or a file inside another. (See interesting article on this here).

    In theory this sounds ideal - you can hide stills from Baywatch inside pictures of kittens or flowers and I have been playing around with the Silenteye app and seem to be of two minds.

    In the first instance, it's obvious that if steganographic tools were ever discovered by an adversary on your computer, they'd start looking at seemingly innocent files much more closely.

    Moreover, the supported file formats (e.g. BMP, WAV), would themselves give rise to suspicion these days as it's much more likely you'd store images and sound in JPG and MP3 format. (Silenteye itself has only recently introduced support for JPG images).

    As such I think the safest thing to do if you use these tools at all would be to create a steg-image using a "Live" OS so that the tool won't be obvious on your computer but also encrypt the data first (perhaps with 7zip?) before placing it inside a file, so all is not lost if you're rumbled.

    I'd be very interested to hear if any of you have experience with using these?
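
The closer look at "seemingly innocent files" that the opening post worries about can be statistical, and encrypting the payload first does not prevent it. This Python code is an added example (not part of the original post, and not SilentEye's code): it assumes a hypothetical embedder that overwrites the least significant bit of every pixel byte in a 24-bit BMP, and the cover image and payload are constructed.

```python
import random
import struct
from collections import Counter

def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Wrap raw 24-bit pixel data in a minimal BMP (width * 3 must be a multiple of 4)."""
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels

def pixel_data(bmp: bytes) -> bytes:
    """Return the pixel array, located via the offset stored at byte 10 of the file header."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return bmp[struct.unpack_from("<I", bmp, 10)[0]:]

def embed_lsb(bmp: bytes, bits) -> bytes:
    """Hypothetical embedder: overwrite the LSB of each pixel byte with one payload bit."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    body = bytes((b & 0xFE) | bit for b, bit in zip(bmp[offset:], bits))
    return bmp[:offset] + body + bmp[offset + len(body):]

def pair_score(bmp: bytes) -> float:
    """Mean chi-square term over value pairs (2k, 2k+1); about 1.0 means the LSBs look random."""
    hist = Counter(pixel_data(bmp))
    terms = [(hist[v] - hist[v + 1]) ** 2 / (hist[v] + hist[v + 1])
             for v in range(0, 256, 2) if hist[v] + hist[v + 1] >= 10]
    return sum(terms) / len(terms) if terms else float("inf")

def demo(seed: int = 1):
    rng = random.Random(seed)
    width, height = 256, 256
    # Constructed cover: pixel bytes with a smooth bell-shaped histogram (not a real photo).
    raw = bytes(min(255, max(0, round(rng.gauss(128, 6)))) for _ in range(width * height * 3))
    cover = make_bmp(raw, width, height)
    # Constructed payload: random bits stand in for ciphertext (data encrypted before hiding).
    payload = [rng.getrandbits(1) for _ in range(len(raw))]
    stego = embed_lsb(cover, payload)
    return pair_score(cover), pair_score(stego)

if __name__ == "__main__":
    clean, hidden = demo()
    print(f"cover score {clean:.1f}, stego score {hidden:.1f}")
```

A score close to 1.0 across a whole image is the signal that the low bits have been replaced with random-looking data. Partial embedding weakens the effect, so a high score does not show that a file is clean.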


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    On the one hand steganography is a cool concept, but in the real world, I think it's security through obscurity. You suggest encrypting it first and then hiding the data within an image. Would you not just pick a trusted cipher and encrypt it, and then who cares if someone finds it?


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    syklops wrote: »
    On the one hand steganography is a cool concept, but in the real world, I think it's security through obscurity. You suggest encrypting it first and then hiding the data within an image. Would you not just pick a trusted cipher and encrypt it, and then who cares if someone finds it?

    I suppose the advantage would be in situations where you might be compelled to hand over your key such as via RIPA in the UK - I understand that you have similar legislation here in Ireland.

    Yes ultimately though it amounts to security through obscurity. It might provide a useful additional layer but I think this is one of those security measures which sounds very exciting and secret agent-esque but will end up creating more problems than it solves.

    The very presence of stego tools on your machine would give the game away and even if you hadn't used them to hide data inside any files, you could end up being faced with a court order to reveal encrypted data within them that doesn't exist. Might be useful as a blind of course...


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    silentrust wrote: »
    I suppose the advantage would be in situations where you might be compelled to hand over your key such as via RIPA in the UK - I understand that you have similar legislation here in Ireland.

    Yes ultimately though it amounts to security through obscurity. It might provide a useful additional layer but I think this is one of those security measures which sounds very exciting and secret agent-esque but will end up creating more problems than it solves.

    The very presence of stego tools on your machine would give the game away and even if you hadn't used them to hide data inside any files, you could end up being faced with a court order to reveal encrypted data within them that doesn't exist. Might be useful as a blind of course...

    Yea. The other problem is there is no non-repudiation feature available. There is nothing to stop me merging 'evidence' into a picture of Pamela Anderson Lee, and leaving it on your drive. That's harder to do with encrypted media. Although as you say, if the enemy has your private key, then they can pretty much do what they like.

    One word on the RIPA link you posted, that simply says Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them. Getting arrested and being held is very stressful. What would the police do if you forgot the key?


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    syklops wrote: »
    Yea. The other problem is there is no non-repudiation feature available. There is nothing to stop me merging 'evidence' into a picture of Pamela Anderson Lee, and leaving it on your drive. That's harder to do with encrypted media. Although as you say, if the enemy has your private key, then they can pretty much do what they like.

    One word on the RIPA link you posted, that simply says Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them. Getting arrested and being held is very stressful. What would the police do if you forgot the key?

    An excellent question! The answer is that you have to appear before a panel of judges who you will have to convince that you have genuinely forgotten it. Whether or not this happens will be decided by your trial judge but of course there are difficulties when it comes to entering a plea - technically you are guilty of failing to provide the encryption key, even though it's not your fault.

    See link here about one Oliver Drage, a 19 year old boy who claimed to have forgotten his password, pleaded not guilty and yet was jailed all the same. The original investigation seems to have been related to Child Pornography, yet he has never been charged with any kind of crime besides that of failing to disclose his key.

    Still more puzzling is what would happen if a defendant destroyed the keyfile e.g. by shredding a CD before the Police stormed in, the mind boggles!

    Of course for an actual criminal, it's an easy choice between taking the two year maximum jail sentence or facing the humiliation and scrutiny of being put upon the Sex Offenders Register or being locked up for decades for Terrorism related offences.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    silentrust wrote: »
    Of course for an actual criminal, it's an easy choice between taking the two year maximum jail sentence or facing the humiliation and scrutiny of being put upon the Sex Offenders Register or being locked up for decades for Terrorism related offences.

    This is what fascinates me.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Khannie wrote: »
    This is what fascinates me.

    It's probably best not to mention it. In the US, if a legible version of an encrypted document is demanded under a subpoena then you can be thrown in jail pretty much indefinitely for contempt of court. This is where deniable encryption comes in handy I suppose!

