Hi, Habr. Some time ago I decided to figure out what steganography is, what the point of it is and what it is like. After following a few links I came across an interesting article about hash steganography. The question arose: why not try to implement this method of transmission in practice? For starters, in the form of a proof of concept.
If you don't want to read the article mentioned above (I strongly advise that you do), here is the gist.
What do we imagine when we hear the word steganography? We have a container into which we insert information. We insert it so that at first glance (and preferably at second glance too) the container does not appear to change. But is there a way to transfer information without touching the container at all?
Here hash steganography comes to the rescue. The idea is simple - we take a container (the best option is a picture with cats) and compute a hash of it. We truncate the hash to 1 (2, 5, 10) characters - let's say we got the letter z. We take another 25 pictures and, if we are lucky, we end up with a kind of dictionary containing 26 entries of the form "letter" - "picture". If we are unlucky, we will have to go through more pictures. Thus, we have an alphabet that can be used to send messages. We upload 10 specific cats to the server, the recipient downloads them from the server, computes the hash of each, truncates it to 1 character and gets "HelloWorld". And if you also encrypt it ...
So, the task is clear - we need a program that will take a message as input, compress it, encrypt it, turn it into cat pictures and send them to the server. On the other side, you need to download the pictures, convert them to letters, decrypt and decompress.
Now we need a convenient Internet service that lets us freely (to a certain extent) upload pictures to a server and download them back. I chose vk.com. It has everything we need - convenient albums that preserve the order of the uploaded photos, and a nice API.
And lastly - we need somewhere to store a lot of pictures. I chose MongoDB. It stores records of the form "path to the picture - hash of the picture - date of last use". To encode a symbol, we find the desired hash, select the image that has not been used for a long time and load it from the stored path.
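The scheme described above, from building the dictionary to picking the least recently used picture, as an added example (not the author's vkhs.py). It assumes SHA-256 truncated to its first hex digit, so the alphabet has 16 symbols and the message is sent as hex digits; constructed byte strings stand in for picture files, an in-memory index stands in for MongoDB, and compression and encryption are left out.

```python
import hashlib
from collections import defaultdict
from itertools import count

def symbol(container: bytes) -> str:
    """First hex digit of SHA-256 over the untouched container (assumed choice)."""
    return hashlib.sha256(container).hexdigest()[0]

def collect_until_complete(source):
    """Hash containers until every one of the 16 symbols has at least one picture."""
    index, seen = defaultdict(list), 0
    for container in source:
        index[symbol(container)].append(container)
        seen += 1
        if len(index) == 16:
            break
    return index, seen

def encode(message: bytes, index):
    """One container per hex digit; each pool is rotated so the least
    recently used picture for that symbol is chosen next."""
    album = []
    for digit in message.hex():
        pool = index.get(digit)
        if not pool:
            raise LookupError(f"no picture hashes to {digit!r}; collect more")
        chosen = pool.pop(0)   # least recently used
        pool.append(chosen)    # becomes most recently used
        album.append(chosen)
    return album

def decode(album) -> bytes:
    """Receiver side: hash each picture in album order and truncate."""
    return bytes.fromhex("".join(symbol(c) for c in album))

def constructed_pictures():
    """Constructed stand-ins for picture files (not real images)."""
    return (f"cat-picture-{i}".encode() for i in count())

if __name__ == "__main__":
    index, seen = collect_until_complete(constructed_pictures())
    album = encode(b"HelloHabr", index)
    print(f"hashed {seen} pictures to cover 16 symbols, album size {len(album)}")
    print(decode(album))
```

The number of pictures hashed before the dictionary is complete is the "if we are unlucky" cost from the description; the containers in the album are byte-for-byte unchanged, and only their choice and order carry the message.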
Yes, and it really works. After downloading and installing, run the program:
    python vkhs.py -e -l [login] -aid [album id] -m HelloHabr
    Password:
    message = HelloHabr
    len = 10
    chip = b'....'
    len = 18
    upload message?
    Total uploaded: 18
Let's go and see what we got:
We ended up with a message consisting of 18 pictures. It does not arouse suspicion - especially if the pictures are all on one topic.
Now we need to get our message:
    python vkhs.py -l [login] -aurl [albumxxxxxxxx_xxxxxxxxx]
    Password:
    Login success
    1 2 3 4 ...
    message: HelloHabr ?
Voila, the hidden chat works.
Here are some of them:
As a result of the work done, it was proved that the concept of hash steganography with cats has a right to exist. If the problems and shortcomings of the existing version are fixed, you can create a chat that is absolutely safe (in theory).
All materials related to this project are available in my repository.
I want to thank the user PavelMSTU for help in developing the concept of the program and this article.
Source: https://habr.com/ru/post/351370/