[guardian-dev] Pixelknot: a new app

Abel Luck abel at guardianproject.info
Thu Feb 28 09:15:28 EST 2013


*puts on his crypto enthusiast hat*

It appears [1] you are using standard AES-CBC to encrypt the message
contents before the stego process. AES-CBC is an unauthenticated form of
encryption. I don't see any code doing additional MACing of the
ciphertext, so Pixel Knot is vulnerable to active attackers flipping
bits as the messages travel on the wire.

I recommend switching to an authenticated encryption cipher mode,
namely, GCM.

If you're interested in Authenticated Encryption, Mathew Green's blog
post on this is super [2].

~abel

[1]:
https://github.com/guardianproject/PixelKnot/blob/master/src/info/guardianproject/pixelknot/crypto/Aes.java#L81

[2]:
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html

Mark Belinsky:
> Hey Guardians,
> 
> This hacker union *needs your help*! The team has been working on an app
> experiment called Pixelknot. The idea is to create a steganography app on
> Android.
> 
> Before we go public with it, we'd love feedback from the trusted devs and
> users on this list. Whether it's about the graphics, user experience, code,
> security or just finding bugs, we need some smart minds on this. Right now,
> there are a lot of stego apps out there but we thought we might be able to
> do a better job. Hopefully we can.
> 
> Our goal is to make a stego app that:
> 
>    1. Has the original image appear, to the trained human eye, *unedited*.
>    2. Has the bytes of the image appear, to a trained analyst, *undistorted* so
>    much so as to arouse suspicion.
>    3. Has the complete message be *recoverable* no matter how it is
>    transmitted.
> 
> The good news is that we're well on our way to achieving this.
> 
> You can *download **latest APK* straight to your Android phone here -
> 
>    - https://bit.ly/pkfeb4
> 
> Or via qr code:
> [image: Inline image 1]
> 
> Here's the code if you want to dig into it:
> 
>    - https://github.com/guardianproject/PixelKnot
>    - https://github.com/harlo/F5Android port of the F5-steganography
>    library to android
> 
> Thanks so much! It's always exciting to launch a new experiment and we're
> happy to have you all along for the ride. Have a great weekend, internets!
> 
> All the Best,
> Mark
> 
> P.S. We know there are some bugs with the camera on the Galaxy S3 so sorry
> to those users. For everyone else, please get the app here
> https://bit.ly/pkfeb4
> P.P.S Thanks for keeping this quiet and not spreading it around on the
> social medias... for now.
> 
> --*
> @mbelinsky <https://twitter.com/mbelinsky> | guardianproject.info | phone:
> +1-347-466-9327 | ostel: 1003 **| pgp:
> 0xEFBFA7278D8EFFDA<http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEFBFA7278D8EFFDA>
> *
> 
> 
> 
> _______________________________________________
> Guardian-dev mailing list
> 
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> 
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/abel%40guardianproject.info
> 
> You are subscribed as: abel at guardianproject.info
> 



More information about the Guardian-dev mailing list