Message-ID: <20070111102631.GN22252@innominate.com>
Date: Thu, 11 Jan 2007 11:26:31 +0100
From: hlangos-bugtraq@...ominate.com
To: bugtraq@...urityfocus.com
Subject: Re: A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version)

Calling a steganography software "Steganography" is quite presumptuous
in itself. (Like calling an encryption software "Cryptography".)

Without having looked into that matter deeper you are right on at least
one account: Leaving a signature ("footprint") in stego text is defeating
the purpose.

Quoting from Wikipedia (yes I am too lazy to write this down myself):
>
> Steganography is the art and science of writing hidden messages in such
> a way that no one apart from the intended recipient knows of the
> existence of the message; this is in contrast to cryptography, where the
> existence of the message itself is not disguised, but the content is
> obscured.

As to the replacement of the password by a "known" password.
Replacing "aaaaaa" with "a" and getting the message extracted could mean
several things:

a) The password is not used at all to encrypt the message but to
stop their own program from extracting the message from all files you
present to it. (Possibly by comparing a hash of that password with a
hash stored in the sequence you replaced.)

b) They use a simple Vigenere cipher and you replaced the key-sequence
of "aaaaaa","aaaaaa","aaaaaa"... by the key sequence "a","a","a","a"...
which for the purpose of Vigenere ciphers is equivalent.

c) ... I'll skip the more complicated explanations. It's not worth it.

To test a) and b) you could try to replace the key sequence of "aaaaaa"
by a key sequence of "b".
If that works then "a)" is true.
If it doesn't but replacing "ababab" by "ab" works then "b)" is probably
true.

Anyway ... having a cipher from the 16th century or having no encryption
at all doesn't make much of a difference, does it?

cheers
-henrik
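
The a)/b) test described in the message above, as an added example that is not part of the original post and not the product's code. Both classes are hypothetical toy models (a hash-gated cleartext payload and a byte-wise Vigenere), and the container layout, names and sample message are assumptions made for illustration.

```python
import hashlib
from itertools import cycle

MSG = b"meet at the usual place"  # constructed sample payload

def vigenere(data: bytes, key: bytes, sign: int = 1) -> bytes:
    """Byte-wise Vigenere: add (sign=1) or subtract (sign=-1) the repeating key."""
    return bytes((b + sign * k) % 256 for b, k in zip(data, cycle(key)))

class HashGate:
    """Hypothesis a): payload stored in the clear, password only gates extraction."""
    def embed(self, msg, pw):
        return {"pw_field": hashlib.sha256(pw).digest(), "body": msg}
    def extract(self, box, pw):
        ok = hashlib.sha256(pw).digest() == box["pw_field"]
        return box["body"] if ok else None
    def replace_pw(self, box, new_pw):
        # Overwrite the stored password-derived field with one for a known password.
        return {**box, "pw_field": hashlib.sha256(new_pw).digest()}

class VigenereOnly:
    """Hypothesis b): payload Vigenere-encrypted with the password as the key."""
    def embed(self, msg, pw):
        return {"pw_field": pw, "body": vigenere(msg, pw)}
    def extract(self, box, pw):
        return vigenere(box["body"], pw, -1)
    def replace_pw(self, box, new_pw):
        return {**box, "pw_field": new_pw}

def survives_replace(scheme, old_pw, new_pw):
    """Embed with old_pw, swap in new_pw, and check the message still comes out."""
    box = scheme.replace_pw(scheme.embed(MSG, old_pw), new_pw)
    return scheme.extract(box, new_pw) == MSG

def diagnose(scheme):
    """Run the two replacement tests from the message, in order."""
    if survives_replace(scheme, b"aaaaaa", b"b"):
        return "a"        # any password works: the payload was never keyed
    if survives_replace(scheme, b"ababab", b"ab"):
        return "b"        # only same-keystream keys work: repeating-key cipher
    return "neither"

if __name__ == "__main__":
    for s in (HashGate(), VigenereOnly()):
        print(type(s).__name__, "->", diagnose(s))
```

A design that derives a real cipher key from the password (a KDF feeding an authenticated cipher) would return "neither" here, since no replacement password recovers the message.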