Chapter 5: Hash

Functions++
“I'm sure [my memory] only works one way.” Alice remarked.
“I can't remember things before they happen.”
“It's a poor sort of memory that only works backwards,”
the Queen remarked.
“What sort of things do you remember best?" Alice ventured to ask.
“Oh, things that happened the week after next,"
the Queen replied in a careless tone.
 Lewis Carroll, Through the Looking Glass

Part 1  Cryptography
1
 Confidentiality
in the Real World

Part 1  Cryptography
2
 Symmetric Key vs Public
Key
 Symmetric key +’s
o Speed
o No public key infrastructure (PKI)
needed (but have to
generate/distribute keys)
 Public Key +’s
o Signatures (non-repudiation)
o No shared secret (but, do have to get
private keys to the right user…)
Part 1  Cryptography
3
 Notation Reminder
 Public key notation
o Sign M with Alice’s private key
[M]Alice
o Encrypt M with Alice’s public key
{M}Alice
 Symmetric key notation
o Encrypt P with symmetric key K
C = E(P,K)
o Decrypt C with symmetric key K
P = D(C,K)
Part 1  Cryptography
4
 Real World Confidentiality
 Hybrid cryptosystem
o Public key crypto to establish a key
o Symmetric key crypto to encrypt data…

I’m Alice, {K}Bob

E(Bob’s data, K)
E(Alice’s data, K)
Alice Bob

 Can Bob be sure he’s talking to Alice?

Part 1  Cryptography
5
 Chapter 5: Hash
Functions++
A boat, beneath a sunny sky
Lingering onward dreamily
In an evening of July 
Children three that nestle near,
Eager eye and willing ear,
...
 Lewis Carroll, Through the Looking Glass

Part 1  Cryptography
6
 Hash Function Motivation
 Suppose Alice signs M
o Alice sends M and S = [M]Alice to Bob
o Bob verifies that M = {S}Alice
o Can Alice just send S?
 If M is big, [M]Alice costly to compute &
send
 Suppose instead, Alice signs h(M), where
h(M) is a much smaller “fingerprint” of M
o Alice sends M and S = [h(M)]Alice to Bob
o Bob verifies that h(M) = {S}Alice
Part 1  Cryptography
7
 Hash Function Motivation
 So, Alice signs h(M)
o That is, Alice computes S = [h(M)]Alice
o Alice then sends (M, S) to Bob
o Bob verifies that h(M) = {S}Alice
 What properties must h(M) satisfy?
o Suppose Trudy finds M’ so that h(M) = h(M’)
o Then Trudy can replace (M, S) with (M’, S)
 Does Bob detect this tampering?
o No, since h(M’) = h(M) = {S}Alice
Part 1  Cryptography
8
 Crypto Hash Function
 Crypto hash function h(x) must provide
o Compression  output length is small
o Efficiency  h(x) easy to compute for any x
o One-way  given a value y it is infeasible to
find an x such that h(x) = y
o Weak collision resistance  given x and
h(x), infeasible to find y  x such that h(y) =
h(x)
o Strong collision resistance  infeasible to
find any x and y, with x  y such that h(x) =
h(y)
PartLots
 of collisions
1  Cryptography exist, but hard to find
9
 Crypto Hash Function
 If h(x) is N bits, then 2N different hash
values are possible
 So, if you hash about sqrt(2N) = 2N/2
values then you expect to find a
collision
 Implication? “Exhaustive search”
attack…
o Secure N-bit hash requires 2N/2 work to
“break”
o Recall that secure N-bit symmetric cipher
has work factor of 2N1
Part 1  Cryptography
13
 Non-crypto Hash (1)
 Data X = (X1,X2,X3,…,Xn), each Xi is a byte
 Define h(X) = (X1+X2+X3+…+Xn) mod 256
 Is this a secure cryptographic hash?
 Example: X = (10101010, 00001111)
 Hash is h(X) = 10111001
 If Y = (00001111, 10101010) then h(X) =
h(Y)
 Easy to find collisions, so not secure…
Part 1  Cryptography
14
 Non-crypto Hash (2)
 Data X = (X0,X1,X2,…,Xn-1)
 Suppose hash is defined as
h(X) = (nX1+(n1)X2+(n2)X3+…+2Xn-1+Xn)
mod 256
 Is this a secure cryptographic hash?
 Note that

h(10101010, 00001111)  h(00001111,

10101010)
 But hash of (00000001, 00001111) is
same as hash of (00000000, 00010001)
 Not “secure”, but this hash is used in
Part 1  Cryptography
15 the (non-crypto) application rsync
 Non-crypto Hash (3)
 Cyclic Redundancy Check (CRC)
 Essentially, CRC is the remainder in a
long division calculation
 Good for detecting burst errors
o Such random errors unlikely to yield a
collision
 But easy to construct collisions
o In crypto, Trudy is the enemy, not “random”
 CRC has been mistakenly used where
crypto integrity check is required (e.g.,
WEP)
Part 1  Cryptography
16
 Popular Crypto Hashes
 MD5  invented by Rivest (of course…)
o 128 bit output
o MD5 collisions easy to find, so it’s broken
 SHA family  A U.S. government
standard, inner workings similar to MD5
o SHA-1 160 bit output
 Hashes work by hashing message in
blocks

Part 1  Cryptography
17
 Crypto Hash Design
 Desired property: avalanche effect
o Change to 1 bit of input should affect about
half of output bits
 Crypto hash functions consist of some
number of rounds
 Want security and speed
o “Avalanche effect” after few rounds
o But simple rounds
 Analogous to design of block ciphers

Part 1  Cryptography
18
 Cryptographic hash
functions
 When security people talk about hash
functions, they mean cryptographic (or secure)
hash functions
 These should provide
o Collision resistance
 Difficult to find any M, M’≠ M s.t. h(M) = h(M’)
o Preimage resistance
 Given h(M), difficult to find M’ s.t. h(M’)=h(M)
o Second preimage resistance
 Given M, difficult to find M’ s.t. h(M’)=h(M), M’≠M
 If a hash function h does not meet these
IL!
requirements… FA
But what does it all mean?
 If h is secure
o Easy to compute in one direction
o Very difficult to compute in the other
direction
 Computationally infeasible
 i.e. your grandchildren’s grandchildren’s
grandchildren will be long gone before
that computation finishes
o Very difficult to find two messages
that hash to the same value
MD5
MD5
 MD5 algorithm was developed by Professor
Ronald L. Rivest in 1991. According to RFC
1321, “MD5 message-digest algorithm takes
as input a message of arbitrary length and
produces as output a 128-bit "fingerprint" or
"message digest" of the input …The MD5
algorithm is intended for digital signature
applications, where a large file must be
"compressed" in a secure manner before being
encrypted with a private (secret) key under a
public-key cryptosystem such as RSA.”
MD5 Algorithm Structure
Implementation Steps
 Step1 Append padding bits
The input message is "padded" (extended) so
that its length (in bits) equals to 448 mod 512.
Padding is always performed, even if the
length of the message is already 448 mod 512.
Padding is performed as follows: a single "1"
bit is appended to the message, and then "0"
bits are appended so that the length in bits of
the padded message becomes congruent to
448 mod 512. At least one bit and at most 512
bits are appended.
Implementation Steps
Step2. Append length
A 64-bit representation of the length of the
message is appended to the result of step1. If
the length of the message is greater than
2^64, only the low-order 64 bits will be used.
The resulting message (after padding with bits
and with b) has a length that is an exact
multiple of 512 bits. The input message will
have a length that is an exact multiple of 16
(32-bit) words.
 Implementation Steps
 Step3. Initialize MD buffer
A four-word buffer (A, B, C, D) is used to compute
the message digest. Each of A, B, C, D is a 32-bit
register. These registers are initialized to the
following values in hexadecimal, low-order bytes
first):

word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10
Implementation Steps
Step4. Process message in 16-word blocks
Four functions will be defined such that each
function takes an input of three 32-bit words
and produces a 32-bit word output.

F (X, Y, Z) = XY or not (X) Z

G (X, Y, Z) = XZ or Y not (Z)
H (X, Y, Z) = X xor Y xor Z
I (X, Y, Z) = Y xor (X or not (Z))
Implementation Steps
Round 1.

[abcd k s i] denote the operation a = b + ((a + F

(b, c, d) + X [k] + T [i]) <<< s).

Do the following 16 operations.

[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3]
[BCDA 3 22 4]
[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7]
[BCDA 7 22 8]
[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11]
[BCDA 11 22 12]
[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15]
[BCDA 15 22 16]
Performance
Key size/hash Extrapolated PRB
size(bits) Speed Optimized
(Kbytes/sec.) (Kbytes/sec.)
TEA 128 700 -
DES 56 350 7746
Triple-DES 112 120 2842
IDEA 128 700 4469
RSA 512 7 -
SHA 160 750 25162

MD5 128 1740 62425

Secure Hash Algorithm
(SHA)
Who can compute a hash?
A hash is a keyless algorithm
 Anyone can compute h(x) if they
know x
 Eve could replace M with M’ and
h(M) with h(M’)
o The hash matches what Bob computes,
so he assumes that Alice sent him M’

 How could we stop Eve from doing

 HMAC
(Hash-based Message
Authentication Code)
 HMAC
 Can compute a MAC of the message M with
key K using a “hashed MAC” or HMAC
 Provides some level of authentication
o If only and Alice and Bob know the key and the HMAC
is correct, it must have come from one of them
 HMAC is a keyed hash
o Why would we need a key?
 How to compute HMAC?
 Two obvious choices: h(K,M) and h(M,K)
 Which is better?

Part 1  Cryptography
47
 HMAC
 Should we compute HMAC as h(K,M) ?
 Hashes computed in blocks
o h(B ,B ) = F(F(A,B ),B ) for some F and
1 2 1 2
constant A
o Then h(B ,B ) = F(h(B ),B )
1 2 1 2
 Let M’ = (M,X)
o Then h(K,M’) = F(h(K,M),X)
o Attacker can compute HMAC of M’ without K
 Is h(M,K) better?
o Yes, but… if h(M’) = h(M) then we might have
h(M,K)=F(h(M),K)=F(h(M’),K)=h(M’,K)
Part 1  Cryptography
48
 Correct Way to HMAC
 Described in RFC 2104
 Let B be the block length of hash, in
bytes
o B = 64 for MD5 and SHA-1 and Tiger
 ipad = 0x36 repeated B times
 opad = 0x5C repeated B times
 Then
HMAC(M,K) = h(K  opad, h(K  ipad, M))

Part 1  Cryptography
49
 Hash Uses
 Authentication (HMAC)
 Message integrity (HMAC)
 Message fingerprint
 Data corruption detection
 Digital signature efficiency
 Anything you can do with symmetric
crypto
 Also, many, many clever/surprising
Partuses…
1  Cryptography
50
Reading part
 Tiger Hash
 “Fastand strong”
 Designed by Ross Anderson and Eli
Biham  leading cryptographers
 Design criteria
o Secure
o Optimized for 64-bit processors
o Easy replacement for MD5 or SHA-1

Part 1  Cryptography
60
 Tiger Hash
 Like MD5/SHA-1, input divided into 512
bit blocks (padded)
 Unlike MD5/SHA-1, output is 192 bits
(three 64-bit words)
o Truncate output if replacing MD5 or SHA-1
 Intermediate rounds are all 192 bits
 4 S-boxes, each maps 8 bits to 64 bits
 A “key schedule” is used

Part 1  Cryptography
61
a b c
Xi
Tiger Outer
Round
F5 W  Input is X
key schedule o X = (X0,X1,…,Xn-1)
o X is padded
F7 W
o Each Xi is 512 bits
key schedule
 There are n iterations
F9 W of diagram at left
o One for each input
   block
a b c
 Initial (a,b,c)
a b c constants
 Final (a,b,c) is hash
Part 1  Cryptography
62  Looks like block
 Tiger Inner
Rounds a b c
 Each Fm consists of
fm,0 w0
precisely 8 rounds
 512 bit input W to fm.1 w1
Fm
fm,2 w2
o W=(w0,w1,…,w7)
o W is one of the input
blocks Xi
 All lines are 64 bits fm,7 w7

 The fm,i depend on

a b c
the S-boxes (next
Part 1  Cryptography
63
slide)
 Tiger Hash: One Round
 Each fm,i is a function of a,b,c,wi and m
o Input values of a,b,c from previous round
o And wi is 64-bit block of 512 bit W
o Subscript m is multiplier
o And c = (c0,c1,…,c7)
 Output of fm,i is
o c = c  wi
o a = a  (S0[c0]  S1[c2]  S2[c4]  S3[c6])
o b = b + (S3[c1]  S2[c3]  S1[c5]  S0[c7])
ob=bm
 Each Si is S-box: 8 bits mapped to 64
bits
Part 1  Cryptography
64
Tiger Hash
Key x0 = x0  (x7 
0xA5A5A5A5A5A5A5A5)
Schedule x1 = x 1  x0
x2 = x 2  x1
 Input is X x3 = x3  (x2  ((~x1) << 19))
o X=(x0,x1, x4 = x 4  x3
…,x7) x5 = x5 +x4
x6 = x6  (x5  ((~x4) >> 23))
 Smallchange x7 = x 7  x6
in X will x0 = x0 +x7
produce large x1 = x1  (x0  ((~x7) << 19))
x2 = x 2  x1
change in key x3 = x3 +x2
schedule x4 = x4  (x3  ((~x2) >> 23))
output x5 = x 5  x4
Part 1  Cryptography x6 = x6 +x5
65 x7 = x7 (x6 
 Tiger Hash Summary (1)
 Hash and intermediate values are 192
bits
 24 (inner) rounds
o S-boxes: Claimed that each input bit affects
a, b and c after 3 rounds
o Key schedule: Small change in message
affects many bits of intermediate hash values
o Multiply: Designed to ensure that input to S-
box in one round mixed into many S-boxes in
next
 S-boxes, key schedule and multiply
Parttogether
1  Cryptographydesigned to ensure strong
66
avalanche effect
 Tiger Hash Summary (2)
 Uses lots of ideas from block
ciphers
o S-boxes
o Multiple rounds
o Mixed mode arithmetic
 At a higher level, Tiger employs
o Confusion
o Diffusion

Part 1  Cryptography
67
 Online Bids
 Suppose Alice, Bob and Charlie are
bidders
 Alice plans to bid A, Bob B and Charlie C
 They don’t trust that bids will stay secret
 A possible solution?
o Alice, Bob, Charlie submit hashes h(A), h(B),
h(C)
o All hashes received and posted online
o Then bids A, B, and C submitted and
revealed
 Hashes don’t reveal bids (one way)
 Can’t change bid after hash sent
68 (collision)
Part 1  Cryptography
 Hashing for Spam
Reduction
 Spam reduction
 Before accept email, want proof
that sender had to “work” to
create email
o Here, “work” == CPU cycles
 Goal is to limit the amount of email
that can be sent
o This approach will not eliminate spam
o Instead, make spam more costly to
Part 1  Cryptography
69 send
 Spam Reduction
 Let M = complete email message
R = value to be determined
T = current time
 Sender must determine R so that

h(M,R,T) = (00…0,X), that is,

initial N bits of hash value are all zero
 Sender then sends (M,R,T)
 Recipient accepts email, provided
that…
h(M,R,T) begins with N zeros
Part 1  Cryptography
70
 Spam Reduction
 Sender: h(M,R,T) begins with N zeros
 Recipient: verify that h(M,R,T) begins
with N zeros
 Work for sender: on average 2N
hashes
 Work for recipient: always 1 hash
 Sender’s work increases exponentially
in N
 Small work for recipient, regardless of N
 Choose N so that…
o Work acceptable for normal amounts of
email
Part 1  Cryptography
71
o
 Secret Sharing

Part 1  Cryptography
72
 Shamir’s Secret Sharing
Y  Two points determine a
line
 Give (X ,Y ) to Alice
(X1,Y1) (X0,Y0) 0 0

 Give (X1,Y1) to Bob

(0,S)  Then Alice and Bob must
cooperate to find secret S
X  Also works in discrete
2 out of 2 case
 Easy to make “m out of n”
Part 1  Cryptography
73 scheme for any m  n
 Shamir’s Secret Sharing
Y  Give (X0,Y0) to Alice
(X0,Y0)  Give (X1,Y1) to Bob
(X1,Y1)  Give (X2,Y2) to Charlie
(X2,Y2)
 Then any two can
(0,S) cooperate to find secret S
 No one can determine S
X
 A “2 out of 3” scheme
2 out of 3

Part 1  Cryptography
74
 Shamir’s Secret Sharing
Y  Give (X0,Y0) to Alice
(X0,Y0)  Give (X1,Y1) to Bob
(X1,Y1)
 Give (X2,Y2) to Charlie
(X2,Y2)
 3 pts determine
(0,S)
parabola
Alice, Bob, and Charlie
X
3 out of 3 must cooperate to find S
 A “3 out of 3” scheme
Part 1  Cryptography
75
 What about “3 out of
 Secret Sharing Use?
 Key escrow  suppose it’s required
that your key be stored somewhere
 Key can be “recovered” with court order
 But you don’t trust FBI to store your
keys
 We can use secret sharing
o Say, three different government agencies
o Two must cooperate to recover the key

Part 1  Cryptography
76
 Secret Sharing Example
Y  Your symmetric key is
(X0,Y0) K
 Point (X0,Y0) to FBI
(X1,Y1)
(X2,Y2)  Point (X1,Y1) to DoJ
(0,K)  Point (X2,Y2) to DoC
 To recover your key K,
X
two of the three
agencies must
cooperate
Part 1  Cryptography
77  No one agency can get
 Visual Cryptography
 Another form of secret sharing…
 Alice and Bob “share” an image
 Both must cooperate to reveal the
image
 Nobody can learn anything about image
from Alice’s share or Bob’s share
o That is, both shares are required
 Is this possible?

Part 1  Cryptography
78
 Visual Cryptography
 How to “share” a pixel?
 Suppose image is black and white
 Then each
pixel is either
black or white
 We split pixels
as shown

Part 1  Cryptography
79
 Sharing Black & White
Image
 If pixel is white, randomly choose
a or b for Alice’s/Bob’s shares
 If pixel is
black,
randomly
choose c or d
 No
information
in one “share”
Part 1  Cryptography
80
 Visual Crypto Example
 Alice’s  Bob’s  Overlai
share share d
shares

Part 1  Cryptography
81
 Visual Crypto
 How does visual “crypto” compare
to regular crypto?
 In visual crypto, no key…
o Or, maybe both images are the key?
 With encryption, exhaustive search
o Except for the one-time pad
 Exhaustive search on visual crypto?
o No exhaustive search is possible!

Part 1  Cryptography
82
 Visual Crypto
 Visual crypto  no exhaustive search…
 How does visual crypto compare to
crypto?
o Visual crypto is “information theoretically”
secure  also true of secret sharing
schemes
o With regular encryption, goal is to make
cryptanalysis computationally infeasible
 Visual crypto an example of secret
sharing
o Not really a form of crypto, in the usual
sense
Part 1  Cryptography
83
 Random Numbers in
Cryptography

Part 1  Cryptography
84
 Random Numbers
 Random numbers used to generate keys
o Symmetric keys
o RSA: Prime numbers
o Diffie Hellman: secret values
 Random numbers used for nonces
o Sometimes a sequence is OK
o But sometimes nonces must be random
 Random numbers also used in
simulations, statistics, etc.
o In such apps, need “statistically” random
numbers
Part 1  Cryptography
85
 Random Numbers
 Cryptographic random numbers must
be statistically random and
unpredictable
 Suppose server generates symmetric
keys
o Alice: K
A
o Bob: K
B
o Charlie: K
C
o Dave: K
D
 Alice, Bob, and Charlie don’t like Dave…
PartAlice, Bob, and Charlie, working
 1  Cryptography
86
together, must not be able to determine
 Non-random Random
Numbers
 Online version of Texas Hold ‘em Poker
o ASF Software, Inc.

 Random numbers used to shuffle the

deck
 Program did not produce a random
shuffle
Part 1  Cryptography
87 A serious problem, or not?

 Card Shuffle
 There are 52! > 2225 possible shuffles
 The poker program used “random” 32-
bit integer to determine the shuffle
o So, only 232 distinct shuffles could occur
 Code used Pascal pseudo-random
number generator (PRNG):
Randomize()
 Seed value for PRNG was function of
number of milliseconds since midnight
 Less than 227 milliseconds in a day
o So, less than 227 possible shuffles
Part 1  Cryptography
88
 Card Shuffle
 Seed based on milliseconds since
midnight
 PRNG re-seeded with each shuffle
 By synchronizing clock with server,
number of shuffles that need to be
tested  218
 Could then test all 218 in real time
o Test each possible shuffle against “up”
cards
 Attacker knows every card after the
first of five rounds of betting!
Part 1  Cryptography
89
 Poker Example
 Poker program is an extreme example
o But common PRNGs are predictable
o Only a question of how many outputs must
be observed before determining the
sequence
 Crypto random sequences not
predictable
o For example, keystream from RC4 cipher
o But “seed” (or key) selection is still an issue!
 How to generate initial random values?
o Keys (and, in some cases, seed values)
Part 1  Cryptography
90
 What is Random?
 True“random” is hard to define
 Entropy is a measure of
randomness
 Good sources of “true” randomness
o Radioactive decay  but, radioactive
computers are not too popular
o Hardware devices  many good ones
on the market
o Lava lamp  relies on chaotic
Part 1 behavior
Cryptography
91
 Randomness
 Sources of randomness via software
o Software is supposed to be deterministic
o So, must rely on external “random” events
o Mouse movements, keyboard dynamics,
network activity, etc., etc.
 Can get quality random bits by such
methods
 But quantity of bits is very limited
 Bottom line: “The use of pseudo-random
processes to generate secret quantities
can result in pseudo-security”
Part 1  Cryptography
92
 Information Hiding

Part 1  Cryptography
93
 Information Hiding
 Digital Watermarks
o Example: Add “invisible” info to data
o Defense against music/software
piracy
 Steganography

o “Secret” communication channel

o Similar to a covert channel (more
later)
o Example: Hide data in an image file
Part 1  Cryptography
94
 Watermark
 Add a “mark” to data
 Visibility (or not) of watermarks
o Invisible  Watermark is not obvious
o Visible  Such as TOP SECRET
 Strength (or not) of watermarks
o Robust  Readable even if attacked
o Fragile  Damaged if attacked

Part 1  Cryptography
95
 Watermark Examples
 Add robust invisible mark to digital
music
o If pirated music appears on Internet, can
trace it back to original source of the leak
 Add fragile invisible mark to audio file
o If watermark is unreadable, recipient knows
that audio has been tampered with
(integrity)
 Combinations of several types are
sometimes used
o E.g., visible plus robust invisible watermarks
Part 1  Cryptography
96
 Watermark Example (1)
 Non-digital watermark: U.S.
currency

 Image embedded in paper on rhs

o Hold bill to light to see embedded info
Part 1  Cryptography
97
 Watermark Example (2)
 Add invisible watermark to photo
 Claim is that 1 inch2 contains
enough info to reconstruct entire
photo
 If photo is damaged, watermark
can be used to reconstruct it!

Part 1  Cryptography
98
 Steganography
 According to Herodotus (Greece 440 BC)
o Shaved slave’s head
o Wrote message on head
o Let hair grow back
o Send slave to deliver message
o Shave slave’s head to expose a message
warning of Persian invasion
 Historically, steganography used by
military more often than cryptography

Part 1  Cryptography
99
 Images and
Steganography
 Images use 24 bits for color: RGB
o 8 bits for red, 8 for green, 8 for blue
 For example
o 0x7E 0x52 0x90 is this color
o 0xFE 0x52 0x90 is this color
 While
o 0xAB 0x33 0xF0 is this color
o 0xAB 0x33 0xF1 is this color
 Low-order bits don’t matter…
Part 1  Cryptography
100
 Images and Stego
 Given an uncompressed image file…
o For example, BMP format
 …we can insert information into low-
order RGB bits
 Since low-order RGB bits don’t matter,
changes will be “invisible” to human eye
o But, computer program can “see” the bits

Part 1  Cryptography
101
 Stego Example 1

 Left side: plain Alice image

 Right side: Alice with entire Alice in
Wonderland (pdf) “hidden” in the image
Part 1  Cryptography
102
 Non-Stego Example
 Walrus.html in web browser

 “View source” reveals:

<font color=#000000>"The time has come," the Walrus
said,</font><br>
<font color=#000000>"To talk of many things: </font><br>
<font color=#000000>Of shoes and ships and sealing wax
</font><br>
<font color=#000000>Of cabbages and kings </font><br>
<font color=#000000>And why the sea is boiling hot
</font><br>
Part 1  Cryptography
<font
103 color=#000000>And whether pigs have wings."
</font><br>
 Stego Example 2
 stegoWalrus.html in web browser

 “View source” reveals:

<font color=#000101>"The time has come," the Walrus
said,</font><br>
<font color=#000100>"To talk of many things: </font><br>
<font color=#010000>Of shoes and ships and sealing wax
</font><br>
<font color=#010000>Of cabbages and kings </font><br>
<font color=#000000>And why the sea is boiling hot
 “Hidden”
</font><br> message: 011 010 100 100 000
<font color=#010001>And whether pigs have wings."
Part101
</font><br>
1  Cryptography
104
 Steganography
 Some formats (e.g., image files) are
more difficult than html for humans to
read
o But easy for computer programs to read…
 Easy to hide info in unimportant bits
 Easy to damage info in unimportant bits
 To be robust, must use important bits
o But stored info must not damage data
o Collusion attacks are also a concern
 Robust steganography is tricky!
Part 1  Cryptography
105
 Information Hiding:
The Bottom Line
 Not-so-easy to hide digital information
o “Obvious” approach is not robust
o Stirmark: tool to make most watermarks in
images unreadable without damaging the
image
o Stego/watermarking are active research
topics
 If information hiding is suspected
o Attacker may be able to make
information/watermark unreadable
o Attacker may be able to read the
information, given the original document
Part 1  Cryptography
106