Introduction :
==============

Steghide is a steganography tool which is able to hide data in "container
files" and to extract this data again. If you do not know what steganography
is, take a look at Neil F. Johnson's paper about steganography at
http://www.isse.gmu.edu/~njohnson/stegdoc/

Steghide is designed to be portable and configurable and features hiding data
in bmp, wav and au files, blowfish encryption, MD5 hashing of passphrases to
blowfish keys and pseudo-random distribution of hidden bits ("stego bits") in
the container data.

The current version is 0.3.

Compilation and Installation :
==============================

Linux / Unix :
--------------

1) ./configure
2) make
3) make install

For more info see the generic installation instructions in the file INSTALL.

Tarballs and RPM packages are available from the steghide website at:
http://www.crosswinds.net/~shetzl/steghide/index.html

Windows :
---------

The easiest way is probably to download the win32 console executable, which is
available from http://www.crosswinds.net/~shetzl/steghide/index.html

If you want to compile the sources yourself you need a C compiler. How you
need to compile the source code depends on the compiler you are using. Please
consult your compiler's documentation.

Description :
=============

Steghide can be run in interactive mode or in non-interactive mode.
Non-interactive mode simply means that steghide is called from the command
line with some arguments. If steghide is started without arguments or with the
"-i" argument only, then interactive mode is started. In interactive mode you
need not enter all arguments on one line (as you would have to if you called
steghide directly from the command line), but can type one or more arguments,
then hit return and type more arguments on another line and so on. In
interactive mode, all commands have the same syntax as the arguments on the
command line.

A stego file (a bmp, wav or au file with embedded data) has a special format:
The first three bytes after the "native header(s)" (bmp, wav or au header(s))
contain a value in their least significant bits: the amount of space between
two bytes in the stego file that contain an embedded bit of the "stego
header". The stego header is a few bytes long and contains the information
that is necessary to permit the receiver to extract the plain data from the
stego data again. Immediately after the last byte that contains a hidden bit
of the stego header is the first byte that contains a hidden bit / hidden bits
of the plain data.

Steghide is able to encrypt the plain data before embedding it / after
extracting it. The encryption process works as follows: The user enters a
passphrase that can be of any length. Steghide hashes this passphrase to a
128 bit value using the MD5 algorithm. This 128 bit hash value is passed to
blowfish and used as a key for encrypting or decrypting the plain data and/or
the stego header.

Steghide is able to use bmp, wav and au files as container files. The file
format of the container and the stego file is detected automatically. However,
there are some restrictions: only Windows 3.1 and later bmp files, OS/2 1.x
bmp files; pcm wav files with a bit per sample rate that is a multiple of 8;
and all au files can be used. These "sub-"formats are the most common anyway,
so it will hardly ever happen that steghide refuses to hide data in a file
because it does not know its format. If you are in doubt whether the file you
want to use is in one of the formats mentioned above, just try it.

Usage :
=======

-i, --interactive
     If this argument is given or if no arguments are given at all, steghide
     starts in interactive mode. In interactive mode, all arguments have the
     same syntax as on the command line, however there are two more commands
     than on the command line: You can quit steghide (without embedding or
     extracting data) if you type "quit" or "cancel".
     If you have finished giving arguments you can embed or extract data if
     you type "start" or "ok". To get help you can type "help", which prints
     the same info as "-h" or "--help" but does not quit afterwards. See the
     sample session below (in the examples section) for more info.

-w, --write, --embed
     Embed plain data in container data, resulting in stego data.

-r, --read, --extract
     Extract plain data from stego data.

     One of these two arguments ("-w" and "-r") must be given.

-s, --space
     This argument defines the method that is used to calculate the space
     between two bytes that contain hidden data ("stego bytes") in the stego
     file. You can choose between two different methods: a constant space and
     a pseudo-random space.

     To use a constant space you have to specify this argument in the
     following form: "-s cnst ", where "cnst" tells steghide to use a CoNSTant
     space and is a decimal number that defines the amount of space between
     two stego bytes (in bytes).

     To use a pseudo-random space this argument should be given as follows:
     "-s linc ", where "linc" tells steghide to use pseudo-random numbers that
     are generated using a LINear Congruency generator, is the seed of the
     generator ( can be any positive integer, but will be truncated if its
     value exceeds 2^32) and is the maximum value that the generator will
     output and therefore also the maximum space between two stego bytes.

     This argument ("-s") must always be given if "-w" is activated (if data
     is embedded) and will be ignored if "-r" is activated.

-H, --stegoheader
     This argument defines how the "stego header" is embedded in the container
     file. The first argument of -H can be a value for the constant space
     (must be between 0-7). This value is also embedded in the container file
     to make it possible for the receiver to extract the sender's message
     again. If you omit this number, a random number is chosen if -w is
     enabled.
     If -r is enabled the number you specify is ignored because the correct
     value is embedded in the file anyway.

     The second argument of -H is the encryption algorithm that is used to
     encrypt the stego header. You have two possibilities: "blowfish" and
     "none". If you specify "none" the stego header will not be encrypted,
     which is very insecure. If you specify "blowfish" the stego header will
     be encrypted with the blowfish algorithm. You then have to specify a
     passphrase as third argument of -H. If this passphrase consists of more
     than one word, you must enclose it in quotes ("). This will enable the
     program to recognize the passphrase as one argument. If you specify
     "none", you - of course - do not need a passphrase.

     If the -H argument is not given and data is embedded, a random number is
     used as constant space and no encryption is used. If -H is not given and
     data is extracted, it is assumed that the embedded stego header is not
     encrypted.

     Be careful: Steghide cannot find out if an embedded stego header is
     encrypted or not, you have to tell it! It can lead to weird results or
     error messages if you tell steghide that an embedded and encrypted stego
     header is not encrypted.

-e, --encryption
     This argument defines if and which encryption is applied to the plain
     data before embedding it / after extracting it. You have three different
     possibilities: "blowfish", "sthdr" and "none".

     If you specify "blowfish", the second argument of -e is a passphrase (use
     quotes if the passphrase is longer than one word!).

     If you specify "sthdr", the same encryption (with the same passphrase)
     that has been applied to the stego header is used on the plain data (this
     can be blowfish or none). This option is pretty handy if you want to use
     the same encryption (and the same passphrase) for the stego header and
     the plain data but do not want to type your 789-character passphrase
     twice.

     If you specify "none" then - you guessed it - the plain data is not
     encrypted.

-m, --mask
     This argument is followed by a decimal number which specifies an 8 bit
     mask that is used to hide data in the container bytes. If the mask is for
     example 3 then data is embedded in the least significant and second least
     significant bit of the container byte. Normally, you do not have to worry
     about this. The default is 1 which is pretty secure, you should not
     change it. Note that it can be very insecure to embed data in bits other
     than the least significant.

-cf, --containerfile
     This argument is followed by a filename. This file will be used as
     container file (file in which data will be embedded).

-sf, --stegofile
     This argument is followed by a filename. The given file will be used as
     stego file (file that contains or will contain embedded data).

-pf, --plainfile
     This argument is followed by a filename. This file will be used as plain
     file (file that contains the data to be embedded / will contain the
     embedded data).

     If one of the file-arguments is not given or if the filename is a -,
     standard input or standard output is used as appropriate (standard input
     is used if data is needed and standard output is used if data is
     generated), see the following table:

          |  -pf   |  -cf   |  -sf   |
     -----------------------------------------
      -w  | stdin  | stdin  | stdout |
     -----------------------------------------
      -r  | stdout |   /    | stdin  |

-v, --version
     Print version information.

-h, --help
     Print short help (usage information).

Examples :
==========

Here are some examples of how steghide could be used:

A sample interactive session (constant space 3 for data, space 5 for stego
header, blowfish encryption for stego header and for plain data, container
file: cnt.au, plain file: secret.txt, stego file: stg.au). You can give one or
more commands on one line:

  $ steghide
  steghide 0.3 Copyright 1999, Stefan Hetzl
  steghide is covered by the GNU General Public License
  (steghide) -w
  (steghide) -s cnst 3
  (steghide) -H 5 blowfish "This is a passphrase." -e sthdr
  (steghide) -cf cnt.au
  (steghide) -pf secret.txt
  (steghide) -sf stg.au
  (steghide) ok
  done.
  $

The following command has the same effect as the example above (in interactive
mode). The order of the arguments does not matter.

  steghide -cf cnt.au -s cnst 3 -pf secret.txt -H 5 blowfish "This is a passphrase." -w -sf stg.au -e sthdr

To extract the data that has been embedded with the command(s) above, type:

  steghide -r -sf stg.au -pf result.txt -H blowfish "This is a passphrase." -e sthdr

If you are using a system that supports pipes you can also pass data via
standard input to steghide. In the following example data is compressed before
it is (encrypted and) embedded:

  gzip -c pln.txt | steghide -w -s linc 1234567 5 -cf cnt.bmp -sf stg.bmp -H blowfish "This is another passphrase." -e sthdr

To extract (and read) the data from this file again, you could do something
like this:

  steghide -r -sf stg.bmp -H blowfish "This is another passphrase." -e sthdr | gunzip | less

How to Contact me :
===================

If you have found a bug or if you have questions, comments, suggestions, etc.
please contact me at shetzl@teleweb.at.

You can get the latest version of steghide as well as some additional info
from http://www.crosswinds.net/~shetzl/steghide/index.html
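
Added example (not part of steghide or of the original README): a small Python
model of the "-m" mask and the "-s cnst" spacing described under Usage, showing
which container bytes change and by how much, which is why a mask above 1 is
easier to notice. The LSB-first bit order and the reading of "space" as the
number of untouched bytes between two stego bytes are assumptions; the code
does not read or write real steghide files.

```python
# Added illustration; not steghide source code. Bit order (LSB first) and the
# reading of "space" as untouched bytes between stego bytes are assumptions.

def mask_bits(mask):
    """Bit positions (0 = least significant) selected by an 8 bit mask."""
    return [b for b in range(8) if mask >> b & 1]

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    return bytes(sum(bit << i for i, bit in enumerate(bits[p:p + 8]))
                 for p in range(0, len(bits) - 7, 8))

def embed(container, plain, space, mask=1):
    """Write plain's bits into the masked bits of every (space+1)-th byte."""
    bits, slots, out = to_bits(plain), mask_bits(mask), bytearray(container)
    pos = 0
    for start in range(0, len(bits), len(slots)):
        if pos >= len(out):
            raise ValueError("container too small")
        for slot, bit in zip(slots, bits[start:start + len(slots)]):
            out[pos] = (out[pos] & ~(1 << slot) & 0xFF) | (bit << slot)
        pos += space + 1
    return bytes(out)

def extract(stego, nbytes, space, mask=1):
    """Read nbytes back from the masked bits of every (space+1)-th byte."""
    slots, bits, pos = mask_bits(mask), [], 0
    while len(bits) < nbytes * 8:
        bits += [(stego[pos] >> slot) & 1 for slot in slots]
        pos += space + 1
    return from_bits(bits[:nbytes * 8])

def max_change(container, stego):
    """Largest per-byte difference between container and stego data."""
    return max(abs(a - b) for a, b in zip(container, stego))

# Constructed sample: 256 container bytes standing in for audio samples.
CONTAINER = bytes((i * 37 + 11) % 256 for i in range(256))
SECRET = b"hi!"

if __name__ == "__main__":
    for m in (1, 3):
        stego = embed(CONTAINER, SECRET, space=3, mask=m)
        print(m, extract(stego, len(SECRET), 3, m), max_change(CONTAINER, stego))
```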