Steganography

May 9 2023
Public Domain

We explored how to encrypt messages with the one-time pad and prove authenticity with message authentication codes (MACs), but neither will hide secret messages from prying eyes. You could send an encrypted and MACed message as a string of digits in an email or letter, but this will raise eyebrows. We need to conceal messages from everyone who doesn't know how and where to look for them. This is the art of steganography.

Why Hide Messages?

Long before the modern age of cryptography, people hid secret messages from plain sight instead of encrypting them. For example, American Revolutionary War spies used invisible inks. Anyone suspecting foul play could physically examine letters for hidden writing. Such inks didn't make messages indecipherable, merely unnoticeable to the unwary. Steganography cannot replace encryption, but it can reduce suspicion.

But why hide encrypted messages? True, analysis won't reveal the messages' contents, but adversaries who find encrypted messages would learn:

  1. that you're secretly communicating with someone
  2. that you have something sensitive to say (else you wouldn't encrypt it)
  3. who you're communicating with
  4. when you communicate
  5. how you communicate
  6. how frequently you communicate; and
  7. how long your messages are.

Imagine how useful this information is:

  1. If your adversaries know that you're secretly communicating with someone, they'll monitor your activities, your acquaintances, your finances, and so on.
  2. If they know that you have something sensitive to say (because you're sending encrypted messages), they'll suspect you of wrongdoing and monitor you more closely.
  3. If they know who you're communicating with, they'll know who your connections are and monitor them as well. They could imprison and coerce you or your partners.
  4. If they know when you communicate, they can correlate messages with events in your life, revealing what you could be communicating about.
  5. If they know how you communicate, they'll monitor those communications and disrupt or corrupt them.
  6. If they know how frequently you communicate, they'll know when to expect new messages.
  7. And if they know how long your messages are, they'll narrow their guesses to things that can be communicated at such lengths.

When Edward Snowden, the famous American leaker of top-secret National Security Agency (NSA) practices, revealed that the American government covertly collected call logs for American citizens from telephone companies — when calls were made, who the callers were (phone numbers), and conversation durations — most people were unconcerned. After all, if spies couldn't examine calls' contents, what could they learn? But security experts warned that such call "metadata" could reveal much through network analysis.

For example, if a woman (known by consulting phone number records) calls her best friend (suggested by calling the same number frequently over a few years) late at night for hours, then calls a phone number known to belong to a women's health clinic early the next day, there's a good chance that the woman learned she was pregnant, called her best friend to seek support (Why call a good friend late at night for so long?), and called the clinic to discuss her options, including abortion. Now that many American states criminalize abortions, such information can be deadly; but if it were hidden, states could learn nothing.

How to Hide Messages

There are countless ways to hide encrypted messages, but two conditions are necessary:

  1. the media must appear innocuous on its own — things you would ordinarily use (think of hobbies and interests); and
  2. the media must be large or dense enough to hide your messages.

The first condition makes communication itself look innocent; the second buries the messages in enough innocent-looking material ("noise") to hide them.

The suggestions below are merely illustrative. Have fun inventing new strategies and combining existing ones!

Word Counts in Prose

This technique buries encrypted messages' digits in prose. You and your partner must pick a number d in advance. For every encrypted message digit x, write a sentence containing x words with more than d letters. Sentences with no such words encode zeros.

For example, the following paragraph encodes the digits "145025" if d is 4 (relevant words are marked with underscores):

Good _morning_, Joe! I had a _fantastic_ _dinner_ with _Elliot_ last _night_. I wish you were _there_, _though_, _because_ we ate your _favorite_ _steak_. I'm sad you were not with us. It was _delicious_ and _juicy_ just the way you like it. Joe said you were _hilarious_ at last _weekend's_ _party_ at _Melissa's_ _house_.

The prose doesn't have to be good, just innocent-looking. Writing about actual events makes it even less suspicious.

The higher d is, the more functional and filler words you can use ("I", "as", "you", "were", "talked", and so on), but the harder encoding larger digits (7, 8, 9) will be.

Word Counts in Poetry

If you're poetic, write poems that encode digits by varying the number of words per line. Decide on a minimum number of words per line w. For each digit d in your encrypted message, write a line of poetry with w+d words in it. (Encode zeros as lines with w or fewer words.)

Poems don't have to be good, just in character. The following terrible poem encodes the digits "145025" when w is 2:

As I gaze
above the smoky mountain skyline stretching
beyond the dark, foreboding alpine pine forest,
I smile.
Here is my fear
wrapped in hazy shadows, light and dark.
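
The receiving side of both word-count schemes (prose and poetry) can be checked mechanically before a cover text is sent. The decoder below is an added example, not part of the original page; the function names, the rule that sentences end at ".", "!" or "?", and the choice not to count apostrophes as letters are assumptions.

```python
import re

def to_digit(count, floor, unit):
    """Map a raw count to one digit; counts at or below the floor encode 0."""
    value = max(count - floor, 0)
    if value > 9:
        raise ValueError(f"{unit} encodes {value}, which is not a single digit")
    return str(value)

def decode_prose(text, d):
    """One digit per sentence: the number of words with more than d letters."""
    # Assumption: a sentence ends at . ! or ? followed by whitespace.
    sentences = re.split(r"(?<=[.!?])\s+", text.strip())
    digits = []
    for sentence in sentences:
        words = re.findall(r"[A-Za-z']+", sentence)
        # Assumption: apostrophes are not letters, so "weekend's" has 8.
        long_words = [w for w in words if sum(c.isalpha() for c in w) > d]
        digits.append(to_digit(len(long_words), 0, "sentence"))
    return "".join(digits)

def decode_poem(text, w):
    """One digit per non-blank line: the number of words beyond the minimum w."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return "".join(to_digit(len(ln.split()), w, "line") for ln in lines)

# The two cover texts from this page.
PROSE = (
    "Good morning, Joe! I had a fantastic dinner with Elliot last night. "
    "I wish you were there, though, because we ate your favorite steak. "
    "I'm sad you were not with us. It was delicious and juicy just the way "
    "you like it. Joe said you were hilarious at last weekend's party at "
    "Melissa's house."
)
POEM = """As I gaze
above the smoky mountain skyline stretching
beyond the dark, foreboding alpine pine forest,
I smile.
Here is my fear
wrapped in hazy shadows, light and dark."""

if __name__ == "__main__":
    print(decode_prose(PROSE, 4))  # d = 4
    print(decode_poem(POEM, 2))    # w = 2
```

Running the decoder over a draft catches the common slip of a sentence or line that accidentally encodes more than 9.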

Strokes in Chinese Characters

If you know (or are studying) languages that use Chinese characters (Chinese languages, Japanese, and Korean), encode digits from encrypted messages as Chinese characters. For each digit d, write a character with d+s strokes, where s is some minimum number of strokes you and your partner agree on in advance. (Encode zeros as characters with s or fewer strokes.)

Counts in Visual Art

If you're even a bit artistically inclined, you can embed encrypted messages in visual art.

For example, if you're writing a letter to your partner, you can doodle in the margins. Use one or more doodles to hide encrypted messages. If your doodles are connected to the letter's contents, even better! Some example doodles:

  1. Draw a string or garland of flowers. Each flower represents a digit; the number of petals is the digit's value. (Flowers with no petals represent zeros.)
  2. Draw a line of ants marching to food. Each ant represents a digit; the number of legs and antennae is the digit's value. (Ants with no legs or antennae represent zeros.)
  3. Draw a night sky. Every star represents a digit (read them from left to right, top to bottom); the number of light rays coming from each star is the digit's value. (Stars with no light rays represent zeros.)

If your partner might misunderstand your doodles' patterns, leave exemplars at the beginning of each doodle: a zero and a nine. These merely show your partner what zeros and nines look like in each doodle — they aren't part of the encrypted messages. Your partner can compare them and infer the patterns (what a one looks like, what a two looks like, and so on).

Math Questions and Puzzles

If you and your partner like math or computer programming (or can pretend to), you can hide encrypted messages in your communications as math questions, puzzles, or programming language expressions.

For example, if you need to hide the encrypted message "145025", you could do something as simple as:

Of course you should make the problems more sophisticated! Tie them to your communications or cover text so they look less suspicious.

Quotations from Shared Texts

You and your partner share two exact copies of one or more books — same publishers and print editions. The larger or more numerous the books you share and the more the contents correspond to your interests, the better. When you send an encrypted message, turn its digits into page numbers, then find quotations on those pages. Send those quotations in your correspondence. Your partner searches for those quotations and copies their page numbers. Stringing those page numbers together recreates the encrypted message's digits.

Obviously this method works best when your partner can quickly find quotations — searchable e-books and works with numbered passages such as sacred texts (the Bible and the Quran) and well-researched ancient books (Plato's dialogues) or works of art (Shakespeare's plays) are easiest.

An alternative for academics, researchers, and nerds is quoting texts like academic journals that are freely and easily accessible online.
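
Turning digits into page numbers for the shared-text method has one trap: a page number never starts with 0, so a chunk like "05" would come back as "5" and drop a digit. The splitter below is an added example, not part of the original page; the function names and the max_page parameter (the last numbered page of the shared book) are assumptions, and it prefers the fewest quotations.

```python
from functools import lru_cache

def split_into_pages(digits, max_page):
    """Split a digit string into page numbers 1..max_page, fewest chunks first.

    No chunk may start with 0, otherwise joining the page numbers back
    together would not reproduce the original digits.
    """
    if not digits.isdigit():
        raise ValueError("message must contain only digits")
    width = len(str(max_page))  # longest chunk that can still be a valid page

    @lru_cache(maxsize=None)
    def best(i):
        # Fewest-chunk split of digits[i:], or None if no valid split exists.
        if i == len(digits):
            return ()
        if digits[i] == "0":  # "05" would be read back as "5"
            return None
        found = None
        for j in range(i + 1, min(i + width, len(digits)) + 1):
            page = int(digits[i:j])
            rest = best(j)
            if page <= max_page and rest is not None:
                if found is None or len(rest) + 1 < len(found):
                    found = (page,) + rest
        return found

    pages = best(0)
    if pages is None:
        raise ValueError("no valid split: every 0 must follow a nonzero digit "
                         "inside a page number that exists in the book")
    return list(pages)

def join_pages(pages):
    """What the receiving partner does: string the page numbers together."""
    return "".join(str(p) for p in pages)

if __name__ == "__main__":
    pages = split_into_pages("145025", 300)  # constructed: a 300-page book
    print(pages, join_pages(pages))
```

A message that begins with 0, or that contains zeros no valid page number can absorb, raises an error instead of silently losing digits.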