Sunday, 19 February, 2006


Steganography is the art and science of writing hidden messages so that nobody but the person creating the message and the intended recipient know of the existence of the message.  This is opposed to cryptography, the purpose of which is to obscure a message whose existence is known.

Most of us played with steganography as children--constructing messages in which the second letter of each word spelled out, "Susie has cooties," or using lemon juice to write "secret" notes that were revealed by heating the paper over a light bulb or the kitchen stove.  The kitchen stove, by the way, is not recommended, as it has a distressing tendency to catch the transmittal medium (the paper) on fire.

The linked Wikipedia article has a good discussion of steganography's history.

Computers make steganography much easier.  Simple techniques include encoding a message by using the low bit of each byte in a digital image or sound file.  Although such techniques do change the transmittal medium, such changes are often undetectable by human eyes or ears.  Being simple, such techniques also are relatively easy to detect if somebody suspects that a hidden message exists.  Encrypting the message before hiding it in such a way adds further protection, and in fact cryptography is often used in conjuction with steganography in order to provide a more secure message.

You can also use compression techniques such as MPEG or JPEG compression, or even LZ77 to hide a message in a compressed file.  In any such advanced compressor there are many decision points during the compression process, all of which possible decisions result in a valid, but perhaps not optimum, compressed image.  It's possible to write a compressor that bases its decisions on input from a separate file that contains the message that you want to hide.  Recovering the hidden message requires a special decompressor that understands how the compressor arrived at its decisions and can re-generate the message based on the hidden clues in the compressed file.  The beauty of this technique is that the message itself--the bits that make up the hidden information--are not actually stored in the file, but are implied in the way that the file is constructed.  The result is that, even if somebody were to suspect the existence of a hidden message, it would be nearly impossible to extract the information.

Word processor documents offer many subtle ways of hiding messages, none of which involve anything so obvious as selecting every third character or attaching meaning to particular words and phrases.  The micro spacing pattern used to separate words and letters in a justified document could easily contain a hidden message, as could the kerning pairs used in typographic layout.  Such techniques would make the existence of the hidden message nearly undetectable.

In my April 13, 2003 entry, I put forth the suggestion that email spam could be used as a means of passing hidden messages while at the same time obscuring the sender and the intended recipients.  This, too, is a form of steganography.  A related technique would be to use blog postings (such as this one, but don't waste your time--there's no hidden message that I'm aware of in any of my entries) or comments to pass hidden messages.  This would be especially effective if the text of the article were somewhat more random than normal English text.  For example, the incoherent ramblings of the 17-year-old kid whose blog entries are filled with misspellings and seemingly random use of punctuation could in reality be a medium for hidden messages, and the posting date or the entry title the decryption key.  It's impossible to tell.

Forget all the hoopla about 128-bit (or higher) encryption technology.  Organizations or individuals who use such techniques just advertise that they have something to hide.  Governments can easily prevent sending encrypted messages by making it illegal and instituting means to scan traffic for encrypted files.  Governments can't scan every transmitted file for hidden meanings.  The best they can do is sample traffic and maybe--just maybe--find a hidden message from time to time.  The danger is that they will find a hidden message where none was intended--in one of my blog posts, for example.  My protestations of innocence would likely fall on deaf ears.