Monday, November 05, 2007

關於 JPHide 的點點滴滴 (一) : N. Provos

Niels Provos 在 "Detecting Steganographic Content on the Internet" 這篇論文的 Section 5.2 整節都在談論 JPHide 這個隱藏軟體。內文如下:
 JPHide is a steganographic system by Allan Latham. There are two versions: 0.3 and 0.5. Version 0.5 supports additional compression of the hidden message. As a result, they use slightly different headers to store embedding information. Before the content is embedded, it is Blowfish encrypted with a usersupplied pass phrase.

Because the DCT coefficients are not selected continuously from the beginning, JPHide is more difficult to detect.

The program uses a fixed table that defines classes of DCT coefficients to determine in which order to modify the coefficients. All coefficients in the current class are used first to hide information before the next class is chosen. As a result, coefficients are selected in such a way that they those likely to be numerically high are used first.

One artifact of the implementation is that the information hiding continues in the current coefficient class even after the complete message has been embedded. The first class in the table are the DC coefficients of color component zero. An image with a resolution of 600 * 480 has approximately five thousand DC coefficients. Even if the message is only eight bits long, JPHide modifies all five thousand coefficients in such an image.
這邊提到 JPHide 有一個特殊方式來定義嵌入次序, JPHide 使用一個固定的表格來將 DCT 係數分成不同的 classes, 整張影像相同 class 中的 DCT 係數會依序拿來嵌入機密訊息, 直到此 class 的係數用完了, 才會動用到下一個 class 的 DCT 係數。接著, 相同 class 的係數, 數值較大者也會優先拿來嵌入機密訊息。個人覺得這樣做是有道理的, 因為嵌入影響對較大值的係數來說, 比例相對較小, 因此優先使用。

另外一點令人匪宜所思的是: 即使所有的機密訊息已經嵌入完畢了, JPHide 依然會繼續修改目前這個 class 的所有 DCT 係數。論文中提到一個例子, 第一個 class 就是 DC 係數, 假設一張 600*480的影像, 就會有 (600/8)*(480/8)= 75*60 = 4500 個 DC 係數, 那麼即使機密訊息只有 8 bits, JPHide 依然會去修改這所有的 DCT 係數。
 A pseudo-random number generator determines if coefficients are skipped. The probability of skipping bits depends on the length of the hidden message and how many bits have been embedded already.

JPHide modifies not only the least-significant bits of the DCT coefficients, it can also switch to a mode where the second-least-significant bits are modified.
如其他軟體一般, JPHide 用一個 PRNG 來決定哪些係數該跳過不嵌入機密訊息。然而, 較特殊的作法是跳過的機率是和 1) 機密訊息的長度, 2) 已經嵌入多少資料量。這代表每嵌入 1 個位元, 機率值就隨時進行更新, 用以控制所有的訊息可以完全順利嵌入。另外, JPHide 也會將機密訊息嵌入到次低位元中。

From StegoRN
Figure 6: JPHide has a signature similar to JSteg. The major difference is the order in which the DCT coefficients are modified.
Figure 6 shows the probability of embedding for an image containing information hidden with JPHide. Because JPHide can skip DCT coefficients, the probability is not as high as with JSteg.
Figure 6 是使用 Chi-Square Attack 來針對 JPHide stego-images 分析, 橫軸是將影像平分成 100 等份, 每一等份都用 Chi-Square Attack 計算嵌入機率 p。由於 JPHide 會跳過部份的 DCT 係數不藏, 因此所得到的 P 值並不像 Jsteg 那麼高。


Niels Provos and Peter Honeyman, "Detecting Steganographic Content on the Internet,"ISOC NDSS'02, San Diego, CA, February 2002.

No comments:

Post a Comment