29-10-2012, 10:23 AM
Modeling the security of steganographic systems
Abstract.
We present a model of steganographic systems that allows their security to
be evaluated. In particular, we want to establish an analogy to the
known-plaintext attack, which is commonly used to rate cryptographic systems.
The model's main statement is that the embedding operation of a
steganographic system should be indeterministic from the attacker's point of
view. This is proved by means of information theory.
A short introduction to steganography
Bruce Schneier characterizes steganography in the following way [1]: "Steganography
serves to hide secret messages in other messages, such that the secret's very existence
is concealed." He also states some historic examples, such as "…invisible inks, tiny
pin punctures on selected characters, minute differences between handwritten
characters, pencil marks on typewritten characters, …".
These examples show that steganography itself is not a new technique. However, it
is experiencing a renaissance due to the ubiquitous use of computers and multimedia,
especially where graphical and audio data are involved. Consequently, most available
implementations of steganographic algorithms work on graphics or sound.
In Figure 1 we illustrate the use of steganography on images.
Steganography vs. cryptography
How do steganography and cryptography compare? The purpose of both is to provide
secret communication. Cryptography hides the contents of a secret message from an
attacker, whereas steganography even conceals the existence of this message.
Therefore the definition of breaking the system is different. In cryptography, the
system is broken when the attacker can read the secret message (for the point under
discussion it does not matter how he does this).
Breaking a steganographic system has two stages:
1. The attacker can detect that steganography has been used.
2. Additionally, he is able to read the embedded message.
In our definition a steganographic system is insecure already if the detection of
steganography is possible (first stage).
Information theoretic setting
In the following we will evaluate the model from Chapter 3.1 by means of information
theory. In "On the limits of steganography" [5] there is a chapter which addresses this
approach. The authors argue in terms of the entropy of cover, emb and stego, just as we
will do, but do not go further into detail. They had a different goal with their paper:
while we would like to present a generally valid model for steganographic systems
(and prove its validity by means of information theory), they concentrate on the
practical issues of steganography. Consequently the mentioned chapter is rather short
and does not contain an actual proof for the (of course reasonable) statements which
are made.
Indeterminism and steganography
An advanced solution to this problem is to have an indeterministic embedding
operation. An indeterministic operation or process gives different results (within a
certain range) every time it is computed. In other words, it contains randomness.
Information theory supports this approach:
As stated above, it is impossible to provide information theoretically secure
steganography if the attacker knows cover and stego (respectively C and S). Therefore
we establish the following condition: When the attacker knows S, there remains an
uncertainty about C, so that H(C|S) > 0. For that we introduce a new alphabet from
which the actual cover is selected. We call this alphabet CS or Source.
The effect of introducing CS into the Embedding Model is shown in Figure 3. We
assume that fE, CS and S (or stego) are publicly known, whereas K and C (respectively
key and cover) are unknown to attackers.
Since the actual cover is selected from CS, we assume C ⊆ CS. In addition, we
assume H(CS) ≥ H(C), which is both plausible for any selection and necessary to
achieve the intended indeterminism. It says that the uncertainty about the realisation of
an actual cover from CS must be greater than or equal to that about a realisation from
C.
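
The condition H(C|S) > 0 can be checked numerically on a toy system. The following is an added example, not taken from the paper: the LSB-overwrite embedding function, the uniform key and message bits, and the four 4-bit covers are assumptions constructed for illustration.

```python
import math
from collections import Counter
from itertools import product


def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return sum(-p * math.log2(p) for p in dist.values() if p > 0)


def embed(cover, emb_bit, key_bit):
    """Toy f_E (assumed): overwrite the cover's lowest bit with emb XOR key."""
    return (cover & ~1) | (emb_bit ^ key_bit)


def cond_entropy_c_given_s(cover_dist):
    """H(C|S) = H(C,S) - H(S); emb and key bits are uniform, independent of C."""
    joint = Counter()
    for (c, pc), e, k in product(cover_dist.items(), (0, 1), (0, 1)):
        joint[(c, embed(c, e, k))] += pc * 0.25
    s_marginal = Counter()
    for (_, s), p in joint.items():
        s_marginal[s] += p
    return entropy(joint) - entropy(s_marginal)


# Constructed sample data: tiny 4-bit "covers".
# Case 1: the attacker knows the single cover in use, so H(C) = 0.
FIXED_COVER = {0b1010: 1.0}
# Case 2: the actual cover is drawn uniformly from a source CS of four
# plausible realisations, so the attacker only knows the distribution.
SOURCE = {c: 0.25 for c in (0b1000, 0b1001, 0b1010, 0b1011)}

if __name__ == "__main__":
    for name, dist in (("known cover", FIXED_COVER), ("cover from CS", SOURCE)):
        print(f"{name:14s} H(C) = {entropy(dist):.3f} bits, "
              f"H(C|S) = {cond_entropy_c_given_s(dist):.3f} bits")
```

With a known cover the stego object leaves no uncertainty about C, while drawing the cover from CS leaves one bit of uncertainty even after S is observed.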