[guardian-dev] Pixelknot: a new app
Abel Luck
abel at guardianproject.info
Thu Feb 28 09:15:28 EST 2013
*puts on his crypto enthusiast hat*
It appears [1] you are using standard AES-CBC to encrypt the message
contents before the stego process. AES-CBC is an unauthenticated form of
encryption. I don't see any code doing additional MACing of the
ciphertext, so Pixel Knot is vulnerable to active attackers flipping
bits as the messages travel on the wire.
I recommend switching to an authenticated encryption cipher mode,
namely, GCM.
If you're interested in Authenticated Encryption, Matthew Green's blog
post on this is super [2].
~abel
[1]: https://github.com/guardianproject/PixelKnot/blob/master/src/info/guardianproject/pixelknot/crypto/Aes.java#L81
[2]: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
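The check a reviewer would want for the point above, as an added example (Go, standard library only; not Pixelknot's code and not from the message): the same one-bit change applied to an AES-CBC ciphertext and to an AES-GCM ciphertext. The CBC path returns a plaintext with no error, with block 0 garbled and the same bit flipped in plaintext byte 16, because nothing ties the ciphertext to a MAC; the GCM path refuses to return anything. The key, IV and nonce are constructed, fixed values so the run is reproducible; they stand in for whatever Aes.java derives and are not taken from the project.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed, fixed key/IV/nonce so the run is reproducible. Real code
// derives the key with a KDF and uses a fresh random IV or nonce per message.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoIV    = []byte("fedcba9876543210")                 // 16-byte CBC IV
	demoNonce = []byte("nonce-12byte")                     // 12-byte GCM nonce
)

// PKCS#7 padding, the scheme javax.crypto's "AES/CBC/PKCS5Padding" applies.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// AES-CBC with no MAC: decryption checks nothing but the padding bytes,
// so a modified ciphertext normally "decrypts" without any error.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length not a multiple of the block size")
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	return pkcs7Unpad(padded)
}

// AES-GCM: Seal appends a 16-byte authentication tag and Open verifies it
// before releasing any plaintext, so any modified bit is rejected.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// flipBit returns a copy of data with one bit inverted, standing in for a
// message that was modified or corrupted in transit.
func flipBit(data []byte, i int, bit uint) []byte {
	out := append([]byte{}, data...)
	out[i] ^= 1 << bit
	return out
}

// TamperResult records how each mode reacted to the same one-bit change.
type TamperResult struct {
	CBCErr   error  // nil: the CBC path accepted the modified ciphertext
	CBCPlain []byte // what the CBC path handed back
	GCMErr   error  // non-nil: the GCM path rejected it
}

// TamperTest encrypts msg under both modes, flips bit 0 of the first
// ciphertext byte, and decrypts both. In CBC that flip garbles plaintext
// block 0 and flips the same bit of plaintext byte 16, and nothing notices.
func TamperTest(msg []byte) (TamperResult, error) {
	var r TamperResult
	ct, err := cbcEncrypt(demoKey, demoIV, msg)
	if err != nil {
		return r, err
	}
	r.CBCPlain, r.CBCErr = cbcDecrypt(demoKey, demoIV, flipBit(ct, 0, 0))
	aead, err := newGCM(demoKey)
	if err != nil {
		return r, err
	}
	sealed := aead.Seal(nil, demoNonce, msg, nil)
	_, r.GCMErr = aead.Open(nil, demoNonce, flipBit(sealed, 0, 0), nil)
	return r, nil
}
```

Calling `TamperTest([]byte("Steganography hides the message."))` gives a CBC result with `CBCErr == nil` and a plaintext whose second block reads `ees the message.` (byte 16, the `d`, has its low bit flipped to `e`) while the first block is random garbage, and a GCM result with a non-nil `GCMErr`. The padding block is untouched by a flip in block 0, which is why CBC raises no error at all; a receiver that only checks padding would act on the altered text. GCM (or CBC plus an HMAC over IV and ciphertext, verified before decryption) is what makes the tampering observable.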
Mark Belinsky:
> Hey Guardians,
>
> This hacker union *needs your help*! The team has been working on an app
> experiment called Pixelknot. The idea is to create a steganography app on
> Android.
>
> Before we go public with it, we'd love feedback from the trusted devs and
> users on this list. Whether it's about the graphics, user experience, code,
> security or just finding bugs, we need some smart minds on this. Right now,
> there are a lot of stego apps out there but we thought we might be able to
> do a better job. Hopefully we can.
>
> Our goal is to make a stego app that:
>
> 1. Has the original image appear, to the trained human eye, *unedited*.
> 2. Has the bytes of the image appear, to a trained analyst, *undistorted* so
> much so as to arouse suspicion.
> 3. Has the complete message be *recoverable* no matter how it is
> transmitted.
>
> The good news is that we're well on our way to achieving this.
>
> You can download the latest APK straight to your Android phone here -
>
> - https://bit.ly/pkfeb4
>
> Or via QR code (inline image).
>
> Here's the code if you want to dig into it:
>
> - https://github.com/guardianproject/PixelKnot
> - https://github.com/harlo/F5Android (port of the F5 steganography
> library to Android)
>
> Thanks so much! It's always exciting to launch a new experiment and we're
> happy to have you all along for the ride. Have a great weekend, internets!
>
> All the Best,
> Mark
>
> P.S. We know there are some bugs with the camera on the Galaxy S3 so sorry
> to those users. For everyone else, please get the app here
> https://bit.ly/pkfeb4
> P.P.S. Thanks for keeping this quiet and not spreading it around on the
> social medias... for now.
>
> --
> @mbelinsky <https://twitter.com/mbelinsky> | guardianproject.info | phone:
> +1-347-466-9327 | ostel: 1003 | pgp:
> 0xEFBFA7278D8EFFDA <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEFBFA7278D8EFFDA>
>