lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 11 Jan 2007 11:26:31 +0100
From: hlangos-bugtraq@...ominate.com
To: bugtraq@...urityfocus.com
Subject: Re: A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version)


Calling a steganography software "Steganography" is quite presumptuous
in itself.(Like calling an encryption software "Cryptography".)

Without having looked into that matter deeper you are right on at least 
one account: Leaving a signature ("footprint") in stego text is defeating 
the purpose.

Quoting from Wikipedia (yes I am too lazy to wite this down myself):
>
> Steganography is the art and science of writing hidden messages in such
> a way that no one apart from the intended recipient knows of the
> existence of the message; this is in contrast to cryptography, where the
> existence of the message itself is not disguised, but the content is
> obscured.


As to the replacement of the password by a "known" password.

Replacing "aaaaaa" with "a" and getting the message extracted could mean
several things:

a) The password is not used at all to encrypt the message but to 
stop their own program from extracting the message from all files you 
present to it. (Possibly by comparing a hash of that password with a
hash stored in the sequence you replaced.)

b) They use a simple Vigenere cipher and you replaced the key-sequence 
of "aaaaaa","aaaaaa","aaaaaa"... by the key squence "a","a","a","a"...
which for the purpose of Vigenere ciphers is equivalent.

c) ... i'll skip the more complicated explainations. It's not worth it.


To test a) and b) you could try to replace the key squence of "aaaaaa" 
by a key sequence of "b". 

If that works then "a)" is true.
If it doesn't but replacing "ababab" by "ab" works then "b)" is probalby 
true.

Anyway ... having a cipher from the 16th century or having no encryption
at all doesn't make much of a difference, does it?

cheers
-henrik

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ