in reply to Gif steganography

Since GIF uses LZW compression, your bit-twiddling is damaging the data severely. It's not like a bitmap (BMP) file where there is a one-to-one correlation between bits in the file and bits on screen. In fact, a one-bit change can ruin your entire GIF from that point on. JPEG, while it employs a different compression system, is likely to suffer the same sort of damage.

First, use PNG. It's better for your application because it can express more colors, and unlike JPEG, the compression does not destroy any data, so the image you get out is exactly what you put in. JPEG will take some liberties with your image in order to compress it, so the output may be substantially different from the input.

So with that established, no matter what image you use, you will have to decompress it first. You can use a library like Image::Magick to do this for you. When you have this in a regular "bitmap" format, you can go to town on it, perhaps using something like vec to twiddle your bits, or any other method you can think of. When you're finished, you can pack it back up as a PNG and fire it off.

Of course, the tricky part is finding a "sneaky" way of modifying the bitmap image.

Replies are listed 'Best First'.
Re: Re: Gif steganography
by Ryszard (Priest) on Aug 13, 2001 at 02:33 UTC
    ahhh! i should have realised that compression bit.. now, how dumb do i feel?

    As an alternative i could then convert the gif to a jpg, however wouldnt that be reasonably expensive for a web application?..

    The reason i'm interested particularly in gifs is i have a CGI that generates a graph as a gif. What i need to be able to do is determine whether the generated graph is authentic (ie a user has not altered it..) As the website generates a reasonable amount of hits, what i cant do is store a digest anywhere..
    i figure embedding a 'fingerprint' in the graph is a reasonable method of achieving this.

    The next question is, what do i use as a message? i figure a SHA1 or MD5 digest seeded with a combination of the users name and a long, strong password, known only to administrators.

[reply]
      If that's what you're trying to do, you needn't be so devious. Instead, I would suggest using a PGP-type signature and putting that in the "comment" field of the GIF file. When you validate the GIF for authenticity, you can strip the comment out and evaluate the image for integrity. The GIF comment field should be able to contain a regular signature, which is really just text.

      This way, if the image is modified, the comment signature will not check out, and since the signature is based on a private key that they don't have, they can't forge a new one. You could achieve the same thing with SHA1 or MD5 using a long and secure "passphrase" as well.

      JPEG, as I have tried to emphasise, is a very bad idea since the compression will pretty much destroy any subtle fingerprinting you do on a bit level. A more sophisticated "watermarking" technique is required in that case, and these are generally non-trivial to implement, as they often involve things like "fuzzy logic" to detect partial patterns, or to correct damage done by the JPEG compression.
[reply]

        The commet thingy sounds interesting, and makes a lot more sense than going around playing with file formats.. i'll go check it out.

        The gif->jpg transition would go something like:

        1. Generate gif
        2. Convert to jpg
        3. Bit fiddle
        4. send to browser

        The advantage i can see in this, is if the output jpg is modified the fingerprint is destroyed, hence the modified jpg is a fake.

        the downside is it's an expensive process..
[reply]

In Section Seekers of Perl Wisdom