Hash steganography using vkapi

Hello, Habr. Some time ago I decided to figure out what steganography is, what is its meaning and what it is. And after a few links I came across an interesting article about hash steganography. The question arose - why not try to put such a transfer method into practice? To begin with - in the form of proof of concept.
image


Hash steganography?


If the reader did not want to read the article (I highly recommend it), I will briefly convey the meaning.
What do we imagine when we hear the word steganography? We have a certain container in which we insert information. We insert so that at the first (preferably the second) view of the container does not change. But is there a way to transfer information without touching the container?


Here hash steganography comes to the rescue. The meaning is simple - we take a container (the best option is a picture with seals) and take a hash from it. We cut off the symbol 1 from the hash 1 (2,5,10) - let's say we got the letter z. We take another 25 pictures and if we are lucky, then we got a dictionary containing 26 entries of the form "letter" - "picture". If you are unlucky, you will have to go through more pictures. Thus, we have an alphabet that can be used to send messages. We load 10 specific seals on the server, the recipient downloads them from the server, receives a hash, cuts off 1 character each and receives "HelloWorld". And if you also encrypt it ...


image


What came of this and where does vkapi come from?


So, the task is clear - we need a program that will receive a message at the input, compress it, encrypt it, turn it into seals, send it to the server. On the other side, you need to get pictures, turn them into letters, decode, "unclench".


Now we need a convenient Internet service that would enable us to freely (to a certain extent) upload pictures to and from the server. I chose vk.com. Everything you need is there for us - convenient albums that preserve the order of uploaded photos, nice api.


And the last - somewhere we need to store a lot of pictures. MongoDB was selected. There are stored entries like "path to the image - hash of the image - date of last use". We find the desired hash, select the picture that has been used for a long time, load it using the provided path.


And does it work?


Yes, and it really works. After downloading and installing, run the program:


python vkhs.py -e -l [login] -aid [album id] -m HelloHabr

Password:
message = HelloHabr
len = 10

chip = b'....'
len = 18

upload message?
Total uploaded: 18

We run to see what happened:



We received a message consisting of 18 pictures. This is not suspicious - especially if the pictures are on the same topic.


Now we need to get our message:


python vkhs.py -l [login] -aurl [albumxxxxxxxx_xxxxxxxxx]

Password:
Login success
1
2
3
4
...
message: HelloHabr
очистить папку с фалами?

Voila, hidden chat is working.


Problems


Here are some of them:


  1. Compression algorithm - as can be seen on the screenshots provided, a message with a length of 11 characters turns into a message with a length of 18 characters. For long message lengths, this algorithm works just fine, reducing the source text more than twice. On the small - terrible.
  2. DB It needs to be updated regularly. However, vk uses a very interesting way to store photos. When we upload a photo there, the server automatically compresses it - so the hash also changes. However, there are photos whose hash does not change. I did not understand the reasons. And so the database is filled in according to the following algorithm - we download pictures from the Internet (ideally, we photograph beautiful landscapes in the park ourselves). Then we upload them to the VK server, load them back. Now fill it again, saving the hashes in the database, load it back again. We check the changed ones, delete and repeat the procedure. After sifting, those photos remain that the server likes. We load them into the database.
    As you can see, the operation is not very pleasant, you need to think about how to do better. However, there are so-called comparable hashes. For example on habr there was a cool article . To circumvent this "random attack", instead of the usual hash, you can take a comparable hash.

Conclusion


As a result of the work done, it was proved that the concept of use seals hash steganography has the right to life. If you fix problems and shortcomings in the existing version, you can create a chat that will be absolutely safe (in theory).


All materials related to this project are presented in my repository .


I want to thank the user PavelMSTU for help in developing the concept of the program and this article.