Mon, 28 Aug 2000

Mission Impossible: Hiding secret data in image files

By Lim Tri Santosa

BANDUNG (JP): All right, all of you Mission Impossible and James Bond fans, it's time to pour a vodka martini, shaken not stirred. This time we will visit Q (Bond's genius friend). He doesn't have a laser pen or exploding cigarette for you, but he has a great encryption and hiding program.

What's the biggest problem with encrypting your files? Other than the unmanageable interfaces of many encryption programs, it has to be the fact that the minute you encrypt something you've basically announced to the world that you're hiding something. When someone sees a huge mass of garbled text it doesn't take a genius to figure out that it's encrypted. If it's encrypted it must be important, and if it's important then you're inviting people to try and crack the encryption and get access to it.

But, before we explore further, let's see the basic theory. Cryptography is the practice of encrypting or coding data so that only the recipient with the right "key" will be able to decode and use it. Digital cryptography techniques have advanced so much that for most purposes, they are almost impossible to crack.

Not too long ago, 64-bit encryption was the Holy Grail of crypto technology, but that's far too weak by today's standards. Everything gets outdated even before it gains firm ground. We're now talking of 1024-bit encryption! The good news is that you don't have to depend on cryptography alone. Steganography is a technique that adds another layer of security to data transfer and permits one to hide secret messages inside digital images and audio.

Its power is seen when it works in tandem with cryptography. How do you crack a code that cannot be seen in the first place? Like the Midas touch, and many other inspiring tales, steganography, too, has its roots in ancient Greece. An ingenious method of conveying secret messages was developed whereby the head of a messenger was shaved, and the message tattooed onto it. When the hair grew, the messenger could simply walk by guards without anyone ever noticing. Steganography is Greek for covered writing.

With steganography, the presence of the message itself is craftily concealed within other data.

Invisible Secrets

So, how can we make it more difficult? How can we encrypt a document and hide it so no one, not even your wife, boss, or a hacker, would realize that it is even there? Invisible Secrets Pro (www.east-tec.com) solves this problem in a rather unique way. It hides the documents in pictures. Anyone accessing your files is free to open the pictures and they display normally. Unless they know the exact size of the file, they'll never realize that it also contains one or more encrypted documents.

The program does far more than encrypt the file using "Blowfish" and embed it in your chosen JPG image file. When it's done, it erases any record of the process and, if you so choose, deletes the unencrypted file. For those unfamiliar with "Blowfish," it is a powerful encryption algorithm.

The U.S. Government classifies encryption software as dangerous munitions. Encryption software has restrictions for export. Because of the cryptography algorithm implemented in Invisible Secrets, it is regarded as strong cryptography.

I will not delve into a simple explanation of "Blowfish" encryption. I will say that if you encrypt a document with "Blowfish" and forget your password, you will never recover it. You might if you had several million dollars to spend on a Cray supercomputer, another million for a decryption program, were the FBI willing to sell it to you, and about 20 years to waste. The result is that most of us reuse the same password over and over. That defeats the purpose. If someone were to discover that password, you've lost the crown jewels.

The free program is limited to password lengths of five characters. The registered version permits longer passwords, which, if someone discovered your secret, would make it more difficult to decrypt. The beauty of the program is that the JPEG image loses no picture quality, and there is little to no adjustment to the file size, making the images easy to e-mail and hard to detect. The user can embed any file type (like Microsoft Word, Excel, other image files, sound files, etc.) and there are no restrictions on file amounts.

The program can be described as one big wizard which guides you through all the necessary steps needed to protect your data. This is very useful for newbies who use the program for the first time but becomes less practical if you use the program daily. That's why EAST Technologies has implemented a 'shell integration', which means that you can encrypt, hide and shred files by right clicking on a file in Windows Explorer.

There is also a program available called "Unhider" (ftp://ftp.east-tec.net/trial/unhider.exe) that can unhide and decrypt data that was stored in a carrier with Invisible Secrets Pro. You can't use Invisible Secrets Pro to reveal your data once your evaluation period has expired, so use Unhider instead. It is also useful for the recipient of hidden messages, who can use it to open them.

This software is dangerous in the wrong hands, because it can be used to conceal pornographic files inside an innocent file. Even if the police can seize the evidence, they cannot prove the existence of pornographic materials. Even if the police have a computer geek who can probe the hard-disk contents, there is no way he can find evidence of the original pornographic files, because there is an optional "shredder" command that can wipe out the original files completely without a trace.

By the way, I have just sent my boss a greeting image file of "I just called to say I love you" and embedded an encrypted picture of me making an obscene gesture. There is a possibility that my boss will know or sense secret messages inside the pic, but... How does he crack/know a secret message that can't be seen in the first place? A brilliant idea indeed!