Closed alexjj closed 9 years ago
You can run the original F5 jar on your command line: https://code.google.com/p/f5-steganography/
We made minor modifications to this library in our implementation here (mostly, we added a JNI wrapper so the heavy byte processing is done natively) but images should be compatible.
As for password-protection, PK currently uses GCM cipher, and that's handled in-app before embedding via F5.
Please let us know what you've learned if you hack further...
Hi, I was able to create an Android camera based app and I used F5Android library to embed a secret message. Everything is fine but when I wanted to extract the secret using original F5 jar in my PC an error happened (yes, I should provide the error message from F5 but I'm writing from a different PC now). Have you really embedded messages using PK or F5Android and actually extracted them with original F5 jar? Or are you just guessing it should work? I'm asking just to confirm it really works this way so I'm doing something wrong with my Android app. Thanks.
Hi,
We made some modifications to the seeds in our F5 implementation for Android. The PC implementation you use should use the same seed as the mobile client. Also, Android's Java might generate random differently than the version of Java on your PC. It's been a while since I last looked at the code, so my memory is a bit fuzzy, but I remember implementing the Sun Java PRNG library in the android client just to be on the safe side. That said, it hasn't been tested widely on PCs.
Thanks, harlo
On Mon, Jun 2, 2014 at 9:50 AM, Pablo J. Rogina notifications@github.com wrote:
> Hi, I was able to create an Android camera based app and I used F5Android library to embed a secret message. Everything is fine but when I wanted to extract the secret using original F5 jar in my PC an error happened (yes, I should provide the error message from F5 but I'm writing from a different PC now). Have you really embedded messages using PK or F5Android and actually extracted them with original F5 jar? Or are you just guessing it should work? I'm asking just to confirm it really works this way so I'm doing something wrong with my Android app. Thanks.
Reply to this email directly or view it on GitHub https://github.com/guardianproject/PixelKnot/issues/4#issuecomment-44838781 .
harlo, thanks for your prompt reply. I have a (maybe silly) question though.
> The PC implementation you use should use the same seed as the mobile client.

So you mean that both the f5.jar and f5android.jar must be compiled using the same JVM (whatever it is: Oracle, IBM, OpenJDK) so as to be sure they use the same seed?
A further update. I used PK and original f5.jar was not able to extract the embedded secret either, so it looks like "compatibility" between f5 and f5android is not yet there. Good news though is that PK was able to extract the message I embedded with my Android application, so at that level Android <-> Android everything is Ok.
I finally managed to extract the embedded message from an image processed with the F5Android library, taken with an Android device camera, using the original f5 library on a desktop PC. You just need to provide "abcdefg123" as password to f5.jar, i.e.

```sh
java -jar f5.jar x -p abcdefg123 -e secret.txt cover.jpg
```
Yes-- I forgot about the passwords. I'm glad you were able to find that on your own. In the implementation I built using the library, I used AES encryption on the secret message, rendering the password unimportant.
Indeed, original f5 is using the password as seed for random generation:

```java
public F5Random(final byte[] password) {
    this.random = new SecureRandom();
    // The password bytes are the only seed material for the PRNG.
    this.random.engineSetSeed(password);
    this.b = new byte[1];
}
```
Right. And since the password is hard-coded into the app, the random is a bit predictable. I decided to wrap the secret in AES and use the hard-coded seed. (This was for usability only-- if I had my way, everyone would have done both AES and custom password for seeds.)
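A simplified model of the behaviour discussed in the comments above, added here as an example (it is not code from F5, F5Android or PixelKnot): a PRNG seeded only with the password decides which carrier positions hold the message, so extraction works only with the seed used for embedding, and a seed hard-coded in an app provides no confidentiality on its own. It assumes a desktop OpenJDK/Oracle JVM, where `SHA1PRNG` seeded before first use is deterministic; the class name, the LSB embedding, the carrier array and the second password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeededOrderDemo {
    // Visiting order of carrier positions, derived only from the password bytes.
    static int[] order(byte[] password, int size) throws Exception {
        SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
        prng.setSeed(password); // seeded before first use: deterministic output (assumption: SUN provider)
        int[] idx = new int[size];
        for (int i = 0; i < size; i++) idx[i] = i;
        for (int i = size - 1; i > 0; i--) { // Fisher-Yates shuffle driven by the seeded PRNG
            int j = prng.nextInt(i + 1);
            int t = idx[i]; idx[i] = idx[j]; idx[j] = t;
        }
        return idx;
    }

    // Write message bits into the least significant bit of each visited position.
    static void embed(int[] carrier, byte[] msg, byte[] password) throws Exception {
        int[] idx = order(password, carrier.length);
        for (int b = 0; b < msg.length * 8; b++) {
            int bit = (msg[b / 8] >> (7 - b % 8)) & 1;
            carrier[idx[b]] = (carrier[idx[b]] & ~1) | bit;
        }
    }

    // Read the bits back in the order the given password dictates.
    static byte[] extract(int[] carrier, int len, byte[] password) throws Exception {
        int[] idx = order(password, carrier.length);
        byte[] out = new byte[len];
        for (int b = 0; b < len * 8; b++) {
            out[b / 8] |= (carrier[idx[b]] & 1) << (7 - b % 8);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        int[] carrier = new int[512]; // constructed stand-in for JPEG coefficients
        for (int i = 0; i < carrier.length; i++) carrier[i] = i * 7 + 3;
        byte[] msg = "hello".getBytes(StandardCharsets.UTF_8);
        byte[] embedPw = "abcdefg123".getBytes(StandardCharsets.UTF_8); // default quoted in the thread
        byte[] otherPw = "different".getBytes(StandardCharsets.UTF_8);  // constructed mismatching seed

        embed(carrier, msg, embedPw);
        // Same seed: the message comes back. Different seed: unrelated bytes.
        System.out.println(new String(extract(carrier, msg.length, embedPw), StandardCharsets.UTF_8));
        System.out.println(Arrays.toString(extract(carrier, msg.length, otherPw)));
    }
}
```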
harlo, original F5 lets the user provide a password if desired, and the password is used as seed for the PRNG, so a default password is hard-coded for the cases where the user didn't provide one. I'm working on a variation using asymmetric cryptography taking the private key from certificates installed previously in the Android device.
Yes, but we had a hard-coded pwd for the app (once again, usability.) Your cert-based AES sounds like a perfect solution to our pwd problem, though. When we do our next iteration (soon!), I hope it will be available (license permitting, of course) for us to try it out.

On Jun 19, 2014 1:25 PM, "Pablo J. Rogina" notifications@github.com wrote:
> harlo, original F5 lets the user provide a password if desired, and the password is used as seed for the PRNG, so a default password is hard-coded for the cases where the user didn't provide one. I'm working on a variation using asymmetric cryptography taking the private key from certificates installed previously in the Android device
Reply to this email directly or view it on GitHub https://github.com/guardianproject/PixelKnot/issues/4#issuecomment-46590749 .
I still do not understand how to extract secret message from image
I was wondering what are some of the ways that the message in the picture can be read - with the password?
i.e., using programs or methods in various operating systems.