[guardian-dev] Pixelknot: a new app

Harlo Holmes harlo at guardianproject.info
Thu Feb 28 09:18:17 EST 2013


Nice hat! Will get on this...
On Feb 28, 2013 9:16 AM, "Abel Luck" <abel at guardianproject.info> wrote:

> *puts on his crypto enthusiast hat*
>
> It appears [1] you are using standard AES-CBC to encrypt the message
> contents before the stego process. AES-CBC is an unauthenticated form of
> encryption. I don't see any code doing additional MACing of the
> ciphertext, so Pixel Knot is vulnerable to active attackers flipping
> bits as the messages travel on the wire.
>
> I recommend switching to an authenticated encryption cipher mode,
> namely, GCM.
>
> If you're interested in Authenticated Encryption, Matthew Green's blog
> post on this is super [2].
>
> ~abel
>
> [1]: https://github.com/guardianproject/PixelKnot/blob/master/src/info/guardianproject/pixelknot/crypto/Aes.java#L81
>
> [2]: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
>
> Mark Belinsky:
> > Hey Guardians,
> >
> > This hacker union *needs your help*! The team has been working on an app
> > experiment called Pixelknot. The idea is to create a steganography app on
> > Android.
> >
> > Before we go public with it, we'd love feedback from the trusted devs and
> > users on this list. Whether it's about the graphics, user experience, code,
> > security or just finding bugs, we need some smart minds on this. Right now,
> > there are a lot of stego apps out there but we thought we might be able to
> > do a better job. Hopefully we can.
> >
> > Our goal is to make a stego app that:
> >
> >    1. Has the original image appear, to the trained human eye, *unedited*.
> >    2. Has the bytes of the image appear, to a trained analyst, *undistorted*
> >    so much so as to arouse suspicion.
> >    3. Has the complete message be *recoverable* no matter how it is
> >    transmitted.
> >
> > The good news is that we're well on our way to achieving this.
> >
> > You can *download latest APK* straight to your Android phone here -
> >
> >    - https://bit.ly/pkfeb4
> >
> > Or via qr code:
> > [image: Inline image 1]
> >
> > Here's the code if you want to dig into it:
> >
> >    - https://github.com/guardianproject/PixelKnot
> >    - https://github.com/harlo/F5Android port of the F5-steganography
> >    library to android
> >
> > Thanks so much! It's always exciting to launch a new experiment and we're
> > happy to have you all along for the ride. Have a great weekend, internets!
> >
> > All the Best,
> > Mark
> >
> > P.S. We know there are some bugs with the camera on the Galaxy S3 so sorry
> > to those users. For everyone else, please get the app here
> > https://bit.ly/pkfeb4
> > P.P.S Thanks for keeping this quiet and not spreading it around on the
> > social medias... for now.
> >
> > --
> > @mbelinsky <https://twitter.com/mbelinsky> | guardianproject.info | phone:
> > +1-347-466-9327 | ostel: 1003 | pgp: 0xEFBFA7278D8EFFDA
> > <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEFBFA7278D8EFFDA>
> >
>
>
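
The difference between unauthenticated AES-CBC and AES-GCM raised in the quoted review, as an added example that is not part of the original thread and is not PixelKnot's code. It assumes a JCE provider that supports `AES/GCM/NoPadding`; the class name, message and key are constructed for the illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical demo class, not taken from the PixelKnot source tree.
public class AuthenticatedEncryptionDemo {
    // Constructed sample message: 40 bytes, so CBC with padding yields three blocks.
    static final byte[] MESSAGE =
        "meet at the usual place at nine tomorrow".getBytes(StandardCharsets.UTF_8);

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        SecureRandom rng = new SecureRandom();

        // Unauthenticated mode: a bit changed in transit is not detected.
        byte[] iv = new byte[16];
        rng.nextBytes(iv);
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] cbcCt = cbc.doFinal(MESSAGE);
        cbcCt[0] ^= 0x01; // first block altered; the padding block is untouched
        cbc.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] cbcPt = cbc.doFinal(cbcCt); // completes without any error
        System.out.println("CBC: decrypt succeeded, plaintext unchanged = "
            + Arrays.equals(cbcPt, MESSAGE)); // false: silently corrupted

        // Authenticated mode: the 128-bit tag covers the whole ciphertext.
        byte[] nonce = new byte[12]; // 96-bit nonce, must never repeat under one key
        rng.nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] gcmCt = gcm.doFinal(MESSAGE); // ciphertext followed by the tag
        gcmCt[0] ^= 0x01; // same single-bit change
        gcm.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        try {
            gcm.doFinal(gcmCt);
            System.out.println("GCM: modified ciphertext accepted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM: modified ciphertext rejected, no plaintext released");
        }
    }
}
```

The receiver should treat `AEADBadTagException` as a hard failure and discard the message rather than fall back to any partial output.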