Steghide is a steganography utility written in C++ for Linux and Windows, released under the GNU/GPL license. It lets users use Windows Bitmap and JPEG images (with the Libjpeg library) and Windows Wave and Sun/NeXT AU audio files as cover files; any kind of file may be used as the payload. Data in the payload may be encrypted (using the MCrypt and MHash libraries) and compressed (using the Zlib library). In addition to the data itself, the stego file can also include the payload file name and a checksum to verify the integrity of the extracted data.
The encryption algorithm used by default is Rijndael with 128-bit keys (which constitutes the Advanced Encryption Standard, or AES) in cipher block chaining mode. Any of 18 algorithms may be selected instead, each of which may operate in various modes. For a complete list of the algorithms and modes of operation, run steghide --encinfo; the algorithms supported at the time of writing (Steghide 0.5.1) are shown in the following table.
Algorithm | Supported modes of operation
 | cbc, cfb, ctr, ecb, ncfb, nofb, ofb
 | stream
The command line syntax for Steghide is quite simple; the basic structure is the following:
steghide command [ arguments ]
Possible commands are embed, extract, info, encinfo, version, license, help. We mentioned encinfo above and the last three should be pretty obvious; we explain the others, which constitute the heart of Steghide, below.
The embed command is used to insert a payload inside a cover file. In addition to the encryption and the checksum mentioned above, you can also protect your data with a passphrase, which will be requested on extraction. At this stage you can also choose the level of compression to use for the payload, among the nine provided by the Zlib library, as well as the cryptographic algorithm and mode of operation. Including the payload file name and the checksum is not mandatory; leaving them out may be useful when the usable space in the cover file is an issue.
An example of usage of the embed command follows:
    $ steghide embed -cf picture.jpg -ef secret.txt
    Enter passphrase:
    Re-Enter passphrase:
    embedding "secret.txt" in "picture.jpg"... done
In the example the file secret.txt (embed file) is hidden inside the picture.jpg file (cover file). No other flags are specified, so the payload is compressed and encrypted by default (with AES) and the embedded file name is added to the payload together with the checksum. In this case the picture.jpg file contains the payload at the end of the operation; it is also possible to leave the original cover file as it is and write a copy that contains the payload, by adding the argument -sf filename. The passphrase can also be given on the command line with the -p parameter, which allows the command to be used in non-interactive contexts.
The extract command is used to extract the payload from the stego file produced. Again, usage is very simple, and there are fewer parameters that can be passed to the executable; you have to specify the name of the file from which to attempt extraction and optionally a passphrase, which will otherwise be requested interactively. It's possible to choose the name of the output file the payload will be saved to:
    $ steghide extract -sf picture.jpg -xf secret.txt
    Enter passphrase:
    wrote extracted data to "secret.txt".
The last fundamental command is info. It reports information on any file of a supported type, for example its capacity; it is therefore useful before an embed, to verify that the chosen cover file can adequately contain the payload to be hidden. The info command may optionally return information on the hidden contents if it is given the passphrase used during the embed. The next example should make this clearer:
    $ steghide info received_file.wav
    "received_file.wav":
      format: wave audio, PCM encoding
      capacity: 3.5 KB
    Try to get information about embedded data ? (y/n) y
    Enter passphrase:
      embedded file "secret.txt":
        size: 1.6 KB
        encrypted: rijndael-128, cbc
        compressed: yes
In this example the passphrase is provided interactively but, again, it's possible to use the -p parameter. The information returned about the payload is the name of the hidden file (if included during the embed), its size, the cryptographic algorithm used and whether it's compressed or not.
The following paragraph explains how Steghide works internally, and is taken from the Steghide manual page:
Steghide uses a graph-theoretic approach to Steganography. You do not need to know anything about graph theory to use Steghide and you can safely skip the rest of this paragraph if you are not interested in the technical details. The embedding algorithm roughly works as follows: at first, the secret data is compressed and encrypted. Then a sequence of positions of pixels in the cover file is created based on a pseudo-random number generator initialized with the passphrase (the secret data will be embedded in the pixels at these positions). Of these positions those that do not need to be changed (because they already contain the correct value by chance) are sorted out. Then a graph-theoretic matching algorithm finds pairs of positions such that exchanging their values has the effect of embedding the corresponding part of the secret data. If the algorithm cannot find any more such pairs all exchanges are actually performed. The pixels at the remaining positions (the positions that are not part of such a pair) are also modified to contain the embedded data (but this is done by overwriting them, not by exchanging them with other pixels). The fact that (most of) the embedding is done by exchanging pixel values implies that the first-order statistics (i.e. the number of times a color occurs in the picture) is not changed. For audio files the algorithm is the same, except that audio samples are used instead of pixels.
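The exchange step described in the manual excerpt above, as an added Python sketch (not Steghide's code). It assumes one bit per sample carried in the sample's parity, Python's random module in place of Steghide's generator, and simple in-order pairing in place of the graph matching. It compares the value histogram, the first-order statistic a histogram-based detector examines, after exchange-based embedding and after plain overwriting.

```python
import random
from collections import Counter

def positions(passphrase, n_samples, n_bits):
    # Stand-in for the passphrase-seeded PRNG: a reproducible position sequence.
    return random.Random(passphrase).sample(range(n_samples), n_bits)

def embed(cover, bits, passphrase, exchange=True):
    stego = list(cover)
    pos = positions(passphrase, len(cover), len(bits))
    # Sort out positions whose parity already equals the bit to embed.
    wrong = [p for p, b in zip(pos, bits) if stego[p] % 2 != b]
    need_odd = [p for p in wrong if stego[p] % 2 == 0]
    need_even = [p for p in wrong if stego[p] % 2 == 1]
    # Simplified pairing (assumption): take the two lists in order.
    pairs = list(zip(need_odd, need_even)) if exchange else []
    for a, b in pairs:
        # Swapping an even and an odd value gives both positions the parity they need.
        stego[a], stego[b] = stego[b], stego[a]
    paired = {p for pair in pairs for p in pair}
    overwritten = [p for p in wrong if p not in paired]
    for p in overwritten:
        stego[p] ^= 1  # remaining positions: overwrite the low bit in place
    return stego, len(pairs), len(overwritten)

def extract(stego, n_bits, passphrase):
    # The same passphrase regenerates the same positions; read the parities back.
    return [stego[p] % 2 for p in positions(passphrase, len(stego), n_bits)]

def histogram_distance(a, b):
    # Sum of per-value count differences between two sample sequences.
    ca, cb = Counter(a), Counter(b)
    return sum(abs(ca[v] - cb[v]) for v in set(ca) | set(cb))

if __name__ == "__main__":
    rng = random.Random(1)  # constructed sample data, not a real image
    cover = [rng.randrange(256) for _ in range(4000)]
    bits = [rng.randrange(2) for _ in range(1000)]
    for mode in (True, False):
        stego, pairs, over = embed(cover, bits, "constructed passphrase", mode)
        assert extract(stego, len(bits), "constructed passphrase") == bits
        print("exchange" if mode else "overwrite", pairs, over,
              histogram_distance(cover, stego))
```

With exchange enabled, only the unpaired positions contribute to the histogram distance; with it disabled, every changed position can.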