guardianproject / PixelKnot

Image stego app using the F5 algorithm
https://dev.guardianproject.info/projects/pixelknot/wiki
GNU General Public License v3.0
195 stars 58 forks source link

Ways to view hidden message? #4

Closed alexjj closed 9 years ago

alexjj commented 11 years ago

I was wondering what are some of the ways that the message in the picture can be read - with the password?

i.e using programs or methods in various operating systems.

harlo commented 11 years ago

You can run the original F5 jar on your command line: https://code.google.com/p/f5-steganography/

We made minor modifications to this library in our implementation here (mostly, we added a JNI wrapper so the heavy byte processing is done natively) but images should be compatible.

As for password-protection, PK currently uses GCM cipher, and that's handled in-app before embedding via F5.

Please let us know what you've learned if you hack further...

pablojr commented 10 years ago

Hi, I was able to create an Android camera based app and I used F5Android library to embed a secret message. Everything is fine but when I wanted to extract the secret using original F5 jar in my PC a error happened (yes, I should provide the error message from F5 but I'm writing from a different PC now). Have you really embed messages using PK or F5Android and actually extracting them with original F5 jar? Or you are just guessing it should work? I'm asking just to confirm it really works this way so I'm doing something wrong with my Android app. Thanks.

harlo commented 10 years ago

Hi,

We made some modifications to the seeds in our F5 implementation for Android. The PC implementation you use should use the same seed as the mobile client. Also, Android's Java might generate random differently than the version of Java on your PC. It's been awhile since I last looked at the code, so my memory is a bit fuzzy but I remember implementing the Sun Java PRNG library in the android client just to be on the safe side. That said, it hasn't been tested widely on PCs.

Thanks, harlo

On Mon, Jun 2, 2014 at 9:50 AM, Pablo J. Rogina notifications@github.com wrote:

Hi, I was able to create an Android camera based app and I used F5Android library to embed a secret message. Everything is fine but when I wanted to extract the secret using original F5 jar in my PC a error happened (yes, I should provide the error message from F5 but I'm writing from a different PC now). Have you really embed messages using PK or F5Android and actually extracting them with original F5 jar? Or you are just guessing it should work? I'm asking just to confirm it really works this way so I'm doing something wrong with my Android app. Thanks.

Reply to this email directly or view it on GitHub https://github.com/guardianproject/PixelKnot/issues/4#issuecomment-44838781 .

pablojr commented 10 years ago

harlo, thanks for your promptly reply. I have a (maybe silly) question though.

The PC implementation you use should use the same seed as the mobile client. So you mean that both the f5.jar and f5android.jar must be compiled using the same JVM (whatever it is: Oracle, IBM, OpenJDK) so to be sure they use the same seed?

pablojr commented 10 years ago

A further update. I used PK and original f5.jar was not able to extract the embedded secret either, so it looks like "compatibility" between f5 and f5android us not yet there. Good news though is that PK was able to extract message I embedded with my Android application, so at that level Android <-> Android everything is Ok.

pablojr commented 10 years ago

I finally managed to extract embedded message from image processed with F5Android library taken wih Android device camera using original f5 library in desktop PC. You just need to provide "abcdefg123" as password to f5.jar, i.e.

java -jar f5.jar x -p abcdefg123 -e secret.txt cover.jpg

harlo commented 10 years ago

Yes-- I forgot about the passwords. I'm glad you were able to find that on your own. In the implementation I built using the library, I used AES encryption on the secret message, rendering the password unimportant.

pablojr commented 10 years ago

Indeed, original f5 is using the password as seed for random generation

public F5Random(final byte[] password) { this.random = new SecureRandom(); this.random.engineSetSeed(password); this.b = new byte[1]; }

harlo commented 10 years ago

right. and since the password is hard-coded into the app, the random is a bit predictable. I decided to wrap the secret in AES and use the hard-coded seed. (this was for usability only-- if I had my way, everyone would have done both AES and custom password for seeds.)

pablojr commented 10 years ago

harlo, original F5 lets the user provide a password if desired, and the password is used as seed for the PRNG, so a default password is hard-coded for the cases where the user didn't provide one. I'm working on a variation using asymmetric cryptography taking the private key from certificates installed previously in the Android device

harlo commented 10 years ago

Yes, but we had a hard-coded pwd for the app (once again, usability.) Your cert-based AES sounds like a perfect solution to our pwd problem, though. When we do our next iteration (soon!), I hope it will be available (license permitting, if course) for us to try it out. On Jun 19, 2014 1:25 PM, "Pablo J. Rogina" notifications@github.com wrote:

harlo, original F5 lets the user provide a password if desired, and the password is used as seed for the PRNG, so a default password is hard-coded for the cases where the user didn't provide one. I'm working on a variation using asymmetric cryptography taking the private key from certificates installed previously in the Android device

Reply to this email directly or view it on GitHub https://github.com/guardianproject/PixelKnot/issues/4#issuecomment-46590749 .

ladaposamuel commented 8 years ago

I still do not understand how to extract secret message from image