[guardian-dev] Pixelknot: a new app
abel at guardianproject.info
Thu Feb 28 09:15:28 EST 2013
*puts on his crypto enthusiast hat*
It appears you are using standard AES-CBC to encrypt the message
contents before the stego process. AES-CBC is an unauthenticated form of
encryption. I don't see any code doing additional MACing of the
ciphertext, so Pixel Knot is vulnerable to active attackers flipping
bits as the messages travel on the wire.
I recommend switching to an authenticated encryption cipher mode,
If you're interested in Authenticated Encryption, Matthew Green's blog
post on this is super .
> Hey Guardians,
> This hacker union *needs your help*! The team has been working on an app
> experiment called Pixelknot. The idea is to create a steganography app on
> Before we go public with it, we'd love feedback from the trusted devs and
> users on this list. Whether it's about the graphics, user experience, code,
> security or just finding bugs, we need some smart minds on this. Right now,
> there are a lot of stego apps out there but we thought we might be able to
> do a better job. Hopefully we can.
> Our goal is to make a stego app that:
> 1. Has the original image appear, to the trained human eye, *unedited*.
> 2. Has the bytes of the image appear, to a trained analyst, *undistorted* so
> much so as to arouse suspicion.
> 3. Has the complete message be *recoverable* no matter how it is
> The good news is that we're well on our way to achieving this.
> You can *download latest APK* straight to your Android phone here -
> - https://bit.ly/pkfeb4
> Or via qr code:
> [image: Inline image 1]
> Here's the code if you want to dig into it:
> - https://github.com/guardianproject/PixelKnot
> - https://github.com/harlo/F5Android port of the F5-steganography
> library to android
> Thanks so much! It's always exciting to launch a new experiment and we're
> happy to have you all along for the ride. Have a great weekend, internets!
> All the Best,
> P.S. We know there are some bugs with the camera on the Galaxy S3 so sorry
> to those users. For everyone else, please get the app here
> P.P.S Thanks for keeping this quiet and not spreading it around on the
> social medias... for now.
> @mbelinsky <https://twitter.com/mbelinsky> | guardianproject.info | phone:
> +1-347-466-9327 | ostel: 1003 | pgp:
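
The point raised in the reply above, as an added example (not code from the thread or from the PixelKnot code base): AES-CBC without a MAC decrypts a modified message without error, while an authenticated mode rejects it. Assumptions: a random 128-bit key, the IV travelling alongside the ciphertext, a constructed sample message, and AES-GCM as the authenticated mode (the reply does not name a specific one).

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class CbcVsGcmDemo {
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();            // assumption: random key, not the app's key handling
        SecureRandom rng = new SecureRandom();
        byte[] msg = "meet at dock 4".getBytes(StandardCharsets.US_ASCII); // constructed sample

        // --- AES-CBC with no MAC: a change in transit goes unnoticed ---
        byte[] iv = new byte[16];
        rng.nextBytes(iv);
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cbc.doFinal(msg);

        // CBC XORs the IV into the first plaintext block, so bits flipped in the
        // IV flip the same bits of the decrypted text; the padding is untouched.
        iv[13] ^= (byte) ('4' ^ '9');
        cbc.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        System.out.println("CBC accepted: "
                + new String(cbc.doFinal(ct), StandardCharsets.US_ASCII));

        // --- AES-GCM: the same kind of change fails tag verification ---
        byte[] nonce = new byte[12];
        rng.nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] sealed = gcm.doFinal(msg);            // ciphertext followed by 16-byte tag

        sealed[13] ^= (byte) ('4' ^ '9');
        gcm.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        try {
            gcm.doFinal(sealed);
            System.out.println("GCM accepted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected: authentication tag mismatch");
        }
    }
}
```

With GCM, a nonce must never be reused under the same key; the receiver should discard the message on any tag failure rather than return partial plaintext.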