ASCII ART STEGANOGRAPHY. ASP.NET WEB-BASED CASE STUDY Vlatko Grujoski1 Scientific adviser Dmytro Zubov, Ph.D.2 1
University of Information Science and Technology “St. Paul the Apostle”,
[email protected],
[email protected],
[email protected]
Abstract – Nowadays, approximately a quarter of all web-sites were developed using ASP.NET technology. Hence, the security issue of ASP.NET web-site data is topical nowadays. The main treats are spoofing, tampering, repudiation, information disclosure, a denial of service attack, an elevation of privilege attack. Three main security solutions are authorization, authentication, and cryptography. In addition, the steganography is proposed for the secure transmission of data. ASCII art is used as a steganographic container. The encoding of letters is realized using a Huffman tree. Кеу words – steganography, ASCII art, ASP.NET, Huffman encoding.
1 INTRODUCTION Nowadays, steganography is very dynamic branch which spreads its methods for usage in different software apps. ASP.NET web-sites are one of the beneficiaries of this methodology. Currently, approximately a quarter of all web-sites were developed using ASP.NET technology [1]. Content of the transmitted information is crucial for some apps. Hence, the data security issue for ASP.NET web-sites is topical (e.g. [16]). The main treats are [6]: spoofing (impersonating a user or process in an unauthorized way), tampering (changing or deleting a resource without authorization), repudiation (it involves carrying out a transaction in such a way that there is no proof after the fact of the principals involved in the transaction), information disclosure (stealing or revealing information that is supposed to be private), a denial of service attack (to deliberately cause an application to be less available than it should be), an elevation of privilege attack (to use malicious means to get more permissions than normally assigned). Three main classical security solutions are authorization, authentication, and cryptography [6-9]. In fact, none of the above methods can protect information safely. In these cases, the steganography can be used for the secure data transmission (e.g. [10-14]). It is well known that steganography allows writing the hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. Hence, the security system is improved. Digital steganography is used, for example, in graphics files, HTML, sound files, video, and text files, but image files are favored and referred to as stego-images. ASCII art is one of the simplest graphic design techniques which is very convenient for the discussion of stego-images. This paper main goal is to show a case study for ASP.NET web-based ASCII art steganography. Initially, security system organization and existing steganography methodologies are analyzed. Finally, an ASP.NET web-based example for the ASCII art steganography is shown.
2 REPRESENTATION OF THE ASP.NET WEB-PAGES BY THE WEB-BROWSER The specificity of ASP.NET technology is splitting of front-end (user interface – client side) and back-end (background code – server side) parts [3]. Hence, the web-
browsers receive the XHTML code only (representation of web-pages) from the webserver. The ASP.NET web-site content (methods, databases, security options, etc.) is hidden from the end-user. In this sense, the steganography techniques are suitable because the data processing takes place on the web-server (which is Microsoft Internet Information Server for ASP.NET), and therefore security system of ASP.NET web-sites is improved. The example of the discussed below web-site “http://steganogramona.azurewebsites.net/” is shown in Fig. 1 – it is clear that the web-site content (based on C#; Visual Studio 2010 is on the left) is hidden from the end-user (source XHTML code in Internet Explorer is on the right).
Fig. 1 The example of the splitting of the of back-end and front-end parts (Visual Studio 2010 with C# behind code on the left and Internet Explorer with source XHTML code on the right)
3 PREVIOUS STUDIES OF STEGANOGRAPHIC METHODS Steganography techniques can be classified into different ways [10-14] – physical (e.g. invisible ink), digital (e.g. concealing messages within the lowest bits of noisy images or sound files), network (e.g. control elements of communication protocols and their basic intrinsic functionality are used), printed (e.g. the letter size, spacing, typeface, or other characteristics of a cover text can be manipulated to carry the hidden message), audio (e.g. the text or audio secret message are embedded within a cover audio message), text (e.g. HTML files can be used to send information since adding spaces, tabs, special characters, extra lines are invisible for web-browsers), etc. Textual steganography is considered as the most difficult because of the lack of redundancy in text compared to image or audio files [14]. However, it requires less memory and very convenient for slow connections. A method that might be in use for the textual steganography is data representation with Huffman tree. Huffman encoding assigns a smaller length for the code words with more frequently occurring source symbols. The selection of the embedding algorithm is based on the analysis of the steganographic channel’s robustness [10-14] – a bandwidth of the whole embedding system is decreased when the steganographic robustness is increased. In general, the selection of embedding scheme for the achievement of the steganographic system’s
optimal values is not trivial. In some cases, it is necessary to take into account a structure of the steganographic container which reduces a risk of the detection of the hidden information. According to the present authors, the effective steganographic algorithm must include the preliminary analysis of the container as well. Thus, the selection of steganographic method depends on many factors such as a probability of detection, a structure of the steganographic container, a robustness of the steganographic channel, etc.
4 EXAMPLE OF TEXTUAL STEGANOGRAPHIC CONTAINER Nowadays, ASCII art is used frequently when textual steganography is discussed [1719]. Lets to use the ASCII equivalent of the world known Leonardo da Vinci painting “Mona Lisa” [20] (see Fig. 2). This painting was converted to ASCII code 400character width [18]. The preliminary analysis showed that the rectangular sector with coordinates [290,150] (left top) and [308,250] (right bottom) is the most suitable for a steganographic container because of the random positions of two letters ‘N’ and ‘M’ (see Fig. 3). It allows to hide the information in binary view (letter ‘N’ corresponds to the bit ‘1’, letter ‘M’ – ‘0’). It is necessary to admit that number of letters ‘N’ is much greater than letters ‘M’. Table 1 represents the scheme for the binary encoding of letters. The frequencies of the letters occurrences are presented in [21]. In fact, binary codes were calculated by the Huffman tree algorithm using the prefix encoding. In addition, the structure of a steganographic container was taken into consideration (Fig. 3 represents the encoded text “Steganography plus ASP.NET is very interesting”). Visual analysis shows that depicted screenshots are similar. ASP.NET web-based app was developed in the Visual Studio 2010 environment (see Fig. 4) with C# behind code [3]. The web-site was hosted in Microsoft Azure. URL is “http://steganogramona.azurewebsites.net/”. The screenshot of web-page after the embedding of the phrase “Steganography plus ASP.NET is very interesting” is shown in Fig. 5 (an initial file is “TextImage.txt”; the file with embedded text – “TextImageNew.txt”). The screenshot of the web-page after the text file’s decoding is shown in Fig. 6. Users can download files “TextImage.txt” and “TextImageNew.txt” (hyperlinks “View the initial file” and “View the coded file” respectively). In addition, users can decode their own files. In this case, it is necessary to upload file “TextImageNew.txt” and then decode appropriate information (see Fig. 7).
Fig. 2 Leonardo da Vinci painting “Mona Lisa” and its ASCII-art equivalent
Fig. 3 A textual steganographic container without (on the left) and with (on the right) hidden information Table 1. Scheme for the binary encoding of letters No. Letter Frequency Binary code 1 E, e 12.86 0 2 T, t 9.72 10 3 A, a 7.96 110 4 I, i 7.77 1110 5 N, n 7.51 11110 6 R, r 6.83 111110 7 O, o 6.62 1111110 8 S, s 6.62 11111110 9 H, h 5.39 111111110 10 D, d 4.01 1111111110 11 L, l 3.51 11111111110 12 C, c 2.84 111111111110 13 F, f 2.62 1111111111110 14 U, u 2.48 11111111111110 15 M, m 2.43 111111111111110 16 G, g 1.99 1111111111111110 17 P, p 1.81 11111111111111110 18 W, w 1.80 111111111111111110 19 B, b 1.60 1111111111111111110 20 Y, y 1.52 11111111111111111110 21 V, v 1.15 111111111111111111110 22 K, k 0.41 1111111111111111111110 23 Q, q 0.17 11111111111111111111110 24 X, x 0.17 111111111111111111111110 25 J, j 0.16 1111111111111111111111110 26 Z, z 0.05 11111111111111111111111110 27 blank 0 111111111111111111111111110 28 End of the hidden text 0 111111111111111111111111111
5 SUMMARY AND CONCLUSION In this paper, ASCII art steganography was discussed using ASP.NET web-based case study. It was shown that main treats are following: a spoofing, a tampering, a
repudiation, the information disclosure, a denial of service attack, an elevation of privilege attack. Three main existing security solutions are authorization, authentication, and cryptography. However, none of the above methods can protect information safely. Hence, the steganographical approach was proposed for the hidden text information sending and retrieving using the ASCII pictures. This approach is based on the preliminary analysis of the steganographic container. An example uses the ASCII equivalent of the world known Leonardo da Vinci painting “Mona Lisa” as steganographic container. The encoding of letters was realized using a Huffman tree. The most likely prospect of this work is the development of an adaptive algorithm which takes into consideration the location of a symbol in a text.
Fig. 4 Screenshot of the initial code (Visual Studio 2010 split regime)
Fig. 5 A screenshot of the web-page after an embedding of the phrase “Steganography plus ASP.NET is very interesting” into the file “TextImage.txt”
Fig. 6 A screenshot of the web-page after decoding of the file “TextImageNew.txt”
Fig. 7 A screenshot of the web-page when a file “TextImageNew.txt” is uploaded
6 REFERENCES [1] Duong T., Rizzo J. Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET. Proc. of 2011 IEEE Symp. on Security and Privacy, p. 481-489. [2] Duong T., Rizzo J. Practical Padding Oracle Attacks. Proc. of 4th USENIX Workshop on Offensive Technologies, 9th August, 2010, Washington, DC. http://static.usenix.org/events/woot10/tech/full_papers/Rizzo.pdf [3] Esposito D. Programming Microsoft ASP.NET 4. Microsoft Press, 2011, 993 p. [4] Magdanurov G. Security of ASP.NET MVC web-sites. http://microgeek.ru/blogs/gaidar/1719/ [5] Guthrie S. Important: ASP.NET Security Vulnerability. http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-securityvulnerability.aspx?CommentPosted=true#commentmessage [6] ASP.NET Web Application Security. http://msdn.microsoft.com/enus/library/330a99hc(v=vs.90).aspx [7] Backlanov S. Security Features of ASP.NET – Authentication. RSDN Magazine #22004. http://www.rsdn.ru/article/inet/aspnet1.xml [8] Backlanov S. Security Features of ASP.NET – Authorization. RSDN Magazine #32004. http://www.rsdn.ru/article/inet/aspnet2.xml [9] Backlanov S. Security Features of ASP.NET – Cryptography. RSDN Magazine #32004. http://www.rsdn.ru/article/inet/aspnet3.xml [10] Wayner P. Disappearing Cryptography: Being and Nothingness on the Net. Academic Press, 1996, 1st ed., 306 p. [11] Johnson N.F., Duric Z., Jajodia S.G. Information Hiding: Steganography and Watermarking – Attacks and Countermeasures (Advances in Information Security, vol. 1). Kluwer Academic Publishing, 2001, 160 p. [12] Katzenbeisser S., Petitcolas F.A. Information Hiding: Techniques for Steganography and Digital Watermarking. Artech House Publishing, 2000, 220 p. [13] Cole E. Hiding in Plain Sight: Steganography and the Art of Covert Communication. Wiley Publishing Inc., 2003, 360 p. [14] Steganography. http://en.wikipedia.org/wiki/Steganography [15] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, Clifford Stein. Introduction to Algorithms, 2nd Ed. MIT Press and McGraw-Hill, 2001, 1184 p. [16] Huffman D.A. A Method for the Construction of Minimum-Redundancy Codes. Proc. of the I.R.E., Sept. 1952, pp. 1098-1102. [17] ASCII art. http://en.wikipedia.org/wiki/ASCII_art [18] Convert into ASCII. http://www.text-image.com/convert/ascii.html [19] ASCII Art. http://www.glassgiant.com/ascii/ [20] Mona Lisa. http://en.wikipedia.org/wiki/Mona_Lisa [21] Text’s Analysis. http://www.statsoft.ru/home/portal/exchange/textanalysis.htm
