Strictly Confidential Data Communication using Steganography

(KIT-STEGROUP)

 

The objective of this page is to demonstrate a scheme for strictly confidential Internet data communication that makes use of steganography. Suppose Mr. A has two friends, Mr. B and Ms. C. All three are users of a steganography program (e.g., Qtech HV), and each has their own webpages that include images. They share several "access-keys/passwords" and "login-names/user-names" daily to access each other's access-controlled webpages. On this page we call these shared data the "shared secret data."

Then a situation arose in which A must send a "secret document" to B and his "credit card info" to C in a very confidential way. In this case, attaching "stego-images (i.e., image files with the document/card info embedded)" to e-mail might not be good enough, because someone might notice that A is sending something secret to both B and C.

Finally, A came up with two ideas: the "double-step steganography scheme" and the "combination of steganography and controlled access scheme." We call the first scheme "DS (Double-Stego)" and the second "SAC (Stego and Access Control)." We will show that Qtech HV is the very best program for this purpose. The two schemes are as follows.

No.1  DS scheme

First, A embeds an "index.htm" file (shown below) in a relatively small vessel image, and then puts the embedded image (namely, stego-1) on one of A's inconspicuous webpages. That page is open to the public.

At the same time, A embeds the "secret document" file in another vessel (one that is large enough) and obtains stego-2, which has a relatively "long name." A then confidentially uploads it to his HTTPS site as

                       https://secret-lolipo-kawagu.ssl-lolipop.jp/ssl/392812specialmonalisa.png

where 392812specialmonalisa.png is stego-2.

People (except A) will never notice the existence of this URL, because its address is kept confidential and it is a long character string. Even if someone tries to intercept the "browser's access" to this URL, nothing leaks to a third party because it is an HTTPS site.

[index.htm]  (This HTML file has no contents, but lets the browser jump to the other URL in no time. The file size is only 168 Bytes.)
<html>
<head>
<meta http-equiv="REFRESH" content="0;URL=https://secret-lolipo-kawagu.ssl-lolipop.jp/ssl/392812specialmonalisa.png">
</head>
<body>
</body>
</html>

B will soon be informed of the stego-1 page by A. As you see here, once B extracts the embedded index.htm file from stego-1 by using Qtech HV (with the "Link to Web" option), the default Web browser instantly opens and accesses stego-2 (i.e., 392812specialmonalisa.png).

It is easy for B to download stego-2, and extract the embedded data, that is, the "secret document." Thus, B can receive the "secret document" file in a strictly confidential manner by extracting the embedded data just twice. In each embedding/extracting step, A and B use the shared access-key.

No.2  SAC scheme

Similarly, A first embeds an "index.html" file (shown below) in a relatively small vessel image, and then posts the stego image (stego-1') on his inconspicuous open webpage as well. He also uploads the "credit card info" (actually, a photocopied credit card in PDF format) to his "access-controlled site." There, anyone who wants to access the contents must provide an authentic login-name/user-name with the correct password. On top of that, A sets up a password for viewing the PDF file beforehand. Of course, these secret data must be shared among them.

[index.html]  (This HTML file also lets the browser jump to another URL in no time. The file size is 156 Bytes.)
<html>
<head>
<meta http-equiv="REFRESH" content="0;URL=http://lolipo-kawagu.secret.jp/controlled/MasterCard_Gold.pdf">
</head>
<body>
</body>
</html>

Soon after, A will inform C of his "inconspicuous page." Then C downloads stego-1' and extracts index.html (above) by using Qtech HV (with the "Link to Web" option). In no time, C's default browser will come up and ask C to log in to the access-controlled page. If an authentic login-name/user-name and password are provided, C will log in successfully. However, one more password is still needed to view the PDF file (that is, the credit card info).

So, this scheme consists of one steganographic operation, one login operation, and one password operation. All these operations can be done by using the "shared secret data." Thus, C can receive A's credit card info in a strictly confidential manner.

In both schemes above, index.htm / index.html is embedded in a "relatively small" image. This is intended to outwit the assumption, common among people experienced in steganography, that "a small image is not good as a steganography-vessel." These schemes also demonstrate that steganography does not need to embed the whole secret data; it is enough to embed "only its location data" instead.
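An added example (not part of the original page and not Qtech HV code): a Python check that a recipient could run on the extracted index.htm / index.html before letting the browser follow it. It parses the meta-refresh target and reports whether it uses HTTPS and points at a host the recipient expects; the function names, the finding labels and the EXPECTED_HOSTS allow-list are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two redirect files shown on this page, rebuilt from one template.
_PAGE = ('<html>\n<head>\n<meta http-equiv="REFRESH" content="0;URL={}">\n'
         '</head>\n<body>\n</body>\n</html>')
DS_INDEX = _PAGE.format(
    "https://secret-lolipo-kawagu.ssl-lolipop.jp/ssl/392812specialmonalisa.png")
SAC_INDEX = _PAGE.format(
    "http://lolipo-kawagu.secret.jp/controlled/MasterCard_Gold.pdf")
# Assumption: the recipient keeps a list of hosts the sender is known to use.
EXPECTED_HOSTS = {"secret-lolipo-kawagu.ssl-lolipop.jp", "lolipo-kawagu.secret.jp"}


class _RefreshFinder(HTMLParser):
    """Collects the URL of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        # The content attribute has the form "<delay>;URL=<target>".
        _delay, sep, rest = a.get("content", "").partition(";")
        key, eq, url = rest.strip().partition("=")
        if sep and eq and key.strip().lower() == "url":
            self.targets.append(url.strip().strip("'\""))


def refresh_target(html_text):
    """Return the one redirect URL in the file; raise ValueError otherwise."""
    finder = _RefreshFinder()
    finder.feed(html_text)
    if len(finder.targets) != 1:
        raise ValueError("expected exactly one meta-refresh target")
    return finder.targets[0]


def check_target(url, expected_hosts=EXPECTED_HOSTS):
    """Return a list of findings; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")  # request and login data are not encrypted
    if parts.hostname not in expected_hosts:
        findings.append("unexpected-host")
    return findings
```

Run on the page's two files, the DS target passes both checks, while the SAC target is flagged "not-https" because the URL in index.html begins with http://.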

Here is a sample inconspicuous page that was set up with both the DS scheme and the SAC scheme. As you see, the page looks just like a link page having two small images. The links work normally.

However, the fact is that the No.1 image (a dark-brown button) and the No.2 image (Internet Exp. logo) are the two stego images described just above as stego-1 and stego-1'. They are embedded with the "location data (index.htm / index.html)" of the actual confidential data. For those stego images, the embedding ratio, (index.htm) / (stego-1) or (index.html) / (stego-1'), is around 0.006. In such a case, no one can find any evidence to suspect "they could be stego images."

If you want to try receiving the secret document/credit card info yourself, please follow the steps below.

 

Steps to receive the confidential data (Please start the "Information Extracting" program of Qtech HV v011 first.)

                           DS scheme

   (DS_Step-1)  Download the button image and save it as "button.png" (onto your Desktop).

   (DS_Step-2)  Drag & drop button.png onto the Information Extracting program.

   (DS_Step-3)  Set Access Key: secretbutton, Option: Link to Web, threshold: 40.

   (DS_Step-4)  Click Extract button.   (In a couple of seconds, "Mona Lisa image" will appear in some window.)

   (DS_Step-5)  Save the Mona Lisa image as monalisa.png (onto your Desktop).

   (DS_Step-6)  Drag & drop monalisa.png onto the Information Extracting program.

   (DS_Step-7)  Set Access Key: 8212monalisa, Option: As it is, threshold: 40.

   (DS_Step-8)  Click Extract button.   (In a couple of seconds, "secret-document.jpg" will appear on your monitor.)

Thus, you receive secret-document in a strictly confidential manner.

                               SAC scheme

   (SAC_Step-1)  Download the Internet Exp. logo and save it as "IE-logo.png" (onto your Desktop).

   (SAC_Step-2)  Drag & drop IE-logo.png onto the Information Extracting program.

   (SAC_Step-3)  Set Access Key: secretlogo, Option: Link to Web, threshold: 40.

   (SAC_Step-4)  Click Extract button.   (In a couple of seconds, an access-controlled page requires username and password to login.)

   (SAC_Step-5)  Set username: controlled, password: secret. (Then, in a second another password will be required.)

   (SAC_Step-6)  Set password: Card_Go.  (In no time a credit card appears in PDF format.)

Thus, you receive A's credit card info in a strictly confidential manner, too.

  

Which scheme do you think is better/safer?  DS or SAC?

We believe the DS scheme is better/safer, simply because it is a "server-setting independent scheme."

 


(Updated on Sep. 02, 2021  by Eiji Kawaguchi)