 So this is steganography and cryptography 101. So you know it is a 101, so don't expect me to get into all of the crazy algorithms and math that's involved in cryptography and tell you how it's used. First of all, let's start with cryptography. Since cryptography, you're taking something that everyone can see, standard message, picture, data, whatever you want to have and you're taking it and you're going to pass it through a bunch of equations and you're going to get out jarbled text that nobody knows what to do with. That's pretty much the essence of cryptography and you do the reverse to decrypt something and you come back with a standard message. A little bit of where it started, cryptography standarded out like long, long time ago and some of the earlier crypto methods were transposition, so you know you can see here that what they did is they moved a bunch of characters around and you can do that to get transposition cryptography. The other one I'm sure you've all seen on the back of cereal boxes and you know whatever you know gummy fruit that you may or may not eat, you see substitution and that's just pretty much lining up letters by letters and substituting them for one another. So then the computer era allowed us to take data you know represented as ones and zeros and things like that and pass those through those equations that we talked about and alluded to earlier and use a shared key to encrypt that data into unusable text for anybody. Now some of the common algorithms that are used for this, I know this is a wall of text so this is pretty much as proof that there are thousands and thousands of different crypto types out there. The most common ones are up there, some of the ones you may come across and some of the programs you may or may not use are up there and then there's even more that you know typically though you want what's considered good crypto, cryptos that stood the test of time that's open where you can actually see the mathematical equations in it. AES and Blowfish and the ones listed up top, those are all open, people can see them, they've proved the test of time, people have tried to crack them and you know you'll see lots and lots of talks here at DEF CON and people who are circumventing crypto and things like that but not one of those is about actually breaking the math on crypto. So just know that there that most of the time when people are talking about breaking crypto, they're not actually breaking the math because the math behind crypto was made by really, really smart people. Much smarter than I am. Alright so get back to you know people, crypto does rule, it absolutely rocks, like I said the math behind it is amazing but by definition crypto if you have a 128 bit key it should take two to the 227th tries on average to crack it so no super computer is going to be doing that, that takes forever. So people like to argue about how big of keys we should use, 128 bit, 256, 512 all the way up to 4096, that's all great but you're getting into a battle there like well how high should we make this fence? Should we make this fence two miles high, four miles high, eight miles high? Well it comes a point where the attack vector is not going to be the fence any longer. If you have the crypto and the fence is built people are probably going to go to try to go around the fence or under the fence. You know the same analogy if you had a box and it was made out of a cardboard you're not going to buy one of those awesome locks and expect someone to just start picking a lock they're just cardboard. So those are a lot of people wonder like well how much crypto should I use and things like that so it's analogous to these pictures here where yeah you can lock things up but you can also fail at locking things up. Should you encrypt everything? Just remember the data that you have and what you're trying to protect and who you're trying to protect it from. Those all come with the infosec mind and what people are here learning about. Yeah this is going on further with that. The other attack vectors do exist. You know that's the perfect example of that here. You can protect the heck out of something but other ways people will find to get into your data. Alright so now on to steganography. Steganography essentially you're hiding one message within another. There's lots of different forms of steganography. It's a good example here. It started out a long time ago. A lot of kings and higher ups and armies and things like that would tattoo messages in the backs of people's heads or on their heads after they shave them and let the hair grow out and send them to somebody else and they can shave their head and read the message. Which is great and all however that takes time. Lots and lots of time for people's hair to grow. It goes a different way. Then moved into some things called micro dots. That was a big thing in like World War II. I don't know if you've ever seen the movie paycheck but in paycheck there's a good example of that there. The guy has the extra stamp on the envelope and he gets under the microscope, zooms in on the eye and there's headlines from other disasters that are to come. If you haven't seen paycheck go see paycheck. Simigram. These are analogous to what you guys would look at like as hyla-graphics. There are other ways to present them but simigram is really cool because you can have a picture and you will unbeknownst to anybody else that there's actually a message in that picture like the crow flying over the field means that the British are coming or something. Null ciphers they moved into null ciphers. Those are really cool too. But one of the bad parts about null ciphers is that you have to have a lot of text just to get a little message. I'm sure you've all seen on the internet where somebody takes some form of null cipher like the first line and Rick rolls somebody in a paper, things like that. You'll see the never going to let you down thing on the left hand side. But like again those are long, long papers that make a lot of sense but you may not be knowing that there's actually a secret smaller message within. Anamorphosis. Try saying that Tim Tynes fast. That's an image that you can look at from one angle and can be one thing. Look at it from another angle. It can mean something totally different. This is a good example of that here where you have a mirrored cylinder and you can see them talking around looks like some sort of beverage or food. Type spacing and offsetting. Again this is a lot like the null cipher. You have to have a really, really long message in order to get out a really short message. So you know those are the shortcomings involved there. You'll end up with a really long message and you translate all the way across into something and you get something as simple as high. So modern steganography, a lot of people use that today. You guys probably use it and don't even know it. Metadata and all of your MP3s and things like that. That's technically steganography. If you didn't know it was there, it is definitely steganography but it's all intended messages now so you guys all know it's there. A lot of the things that what they do to hide that is in current things like metadata they actually just add on to the data. So it doesn't hurt the integrity of the actual file but when you're hiding it and you don't want people to know what they'll do is they'll hide it in the lowest bits, noisy bits. Some things that are beyond the scope of what you would hear in an MP3 or view in a movie file or picture. But where it comes in is that that also creates entropy and that's how it can be detected. So you kind of have to be careful for that type of thing if you actually are hiding messages and things like that. There are ways that people will find it. So as you can see down there, you can see right here and here these two. They don't fit in with the standard entropy of the whole data palette or image palette there and they're stored in the lower bits. So let's combine them together and as you can see we took you know Darth Sidious encrypted the message, hid it in Senator Palpatine and you have Senator Palpatine. I tried to think really long and hard about what's a real life example that you guys would seen of this. Thought long and hard and the best thing I could come up with was the movie Contact. So you know she hears the noise from the aliens, the vegans and within that there is a message that's being broadcasted and within that broadcasted message there is these plans and then within those plans there's a cipher or a primer and they use that primer and cipher to put together the plans for the spaceship. When I encrypt, I like to use decrypt that has good crypto in it. If we have time in a second I'll get to the data on that. And then there's some cool ways to do steganography. A good free tool out there is steghyde. It does have the encryption piece into it so you can actually encrypt and hide things within images on the fly right away. And we'll get into those in just a second. Let me hook up this mouse. So these are all freely available under the public license. So feel free to download them, use them. But pretty much true encrypt is great. It's going to run through here at a crate-a-crate volume. Default steadings are usually pretty good on this. Let's make it two gigs. And we'll make it password. Use good passwords. Good eye. Sorry the angle that I have is really bad. I'm using password for my password. So if I forget, you can come up right. You can use key files too. So you can go ahead and, oh, it will warn you that your password sucks. And that takes a second. It'll format a volume for you. And then if I'll put it out here, you guys can see. Well that's going. Let's go ahead and do one in steghyde. That's pretty cool. Hopefully they don't have anything on here. Crap. Being windered. Live dinner sucked by the way. All right. And then you can put your output file in there. My super secrets.jpg. Done. So then to the unbeknownst person, it just looks like Professor Zoiberg having a blast. But to us, if we want to, true grid phone is done great. We can extract it and browse. Go to the desktop. Oh, my super secrets. Output file. Call it secrets.txt. And what was my password? I didn't. All right. Yay. There you go. So there's a text file full of secrets. Oh, I didn't set one. You're right. That was true grid that I did set that one on. So yeah, you can password protect them too. I recommend that. All right. So as you can see, oh, where did it create it? Yeah, it creates a new volume, but it wasn't mounted automatically. It's called secrets. It's something to drive. Okay, cool. All right. So then you can mount one. It says K. Now, then it's mounted as there. You can go to your computer. And there she is. And you can go ahead and take all of your stuff and put it inside of it. And it's encrypted and you can unmount it from there. That's a good way. I know there's a lot of talks about how to circumvent a lot of security and things like that, but I figured a quick one-on-one on how to protect yourself from people who are trying to circumvent the security would probably be helpful for some of the people out there. Does anyone have any questions, comments, concerns? They're open and they've stood the test of time is pretty much the quick, dirty answer to that question. There's high rewards out for people who can circumvent that math. If you can crack that security, a lot of people will pay big money for that. If you want to find it, you want to sell it to the highest bidder. It's the exact size unless you use compression. You'll see in the Steghide tool there, and this is my personal favorite one. I did not write it, but the guy who did is a badass. You can see that you can actually do the compression level here. It's the exact size of the file unless you do that, which comes into play when you want to make sure that you hide things in bigger files. If you don't have enough lower level bits, then you obviously can't hide things with inside of it, and you run out of bits to hide them in, and it becomes really apparent to people that you are doing Stegonography in the back in the hat. I'm sorry. It's just what, the data? Confiscating the data? Yeah, I mean that's how it started out and it moved further and further into this. That's what's considered early cryptography. In light of that, it's changed a lot over the years, and one would say that that's not really cryptography, but you're just obscuring the data exactly, but it's considered the roots of where this was founded. I love two factor authentication. With TrueCrypt, it loves it. Yeah. Again, it comes into the things of what are you securing? I mean, if you're not needing to, if you don't need two factor authentication, you don't need it, but I mean if you really want that, then use it. What's that? You can use a key file as well, so you can have both key and file that you would have to share with others. What's that? No. Actually, it's a total new date time stamp. I don't know one off a hand because technically it is creating a new file, so you'd probably have to hack that. Yeah, you would have to share this with somebody else. Somebody else would have to know the existence of something within this file. How are we doing on time here? Okay, we're coming close. Anybody else? Can we, what? Yes, you can do video files. I just did images here because it's simpler. I mean, obviously it takes longer to create a video file than it does anything else, so yeah, you can actually do that with a lot of different data. There's low bits and just about any type of media file and data file out there. That would be cool. I mean, if you can hide it without the password, right? Like I did instead hide. So if somebody knows that this person hides a lot of things without a password and they were to put them on the web and use like an MD5 hash and then you can check some of them after you download them and you know that there's stuff within each one. It has stock images on your website, but actually you keep some other things in there, too. So that's a practical application to it right there. That's what I just explained. Okay, so then listen. Next question. It does destroy your least significant bits. That's definitely the problem with it and it is, like I said, picked up by statistical analysis and the entropy of the data. Okay, that's all we got time for.