
Hiding Private Keys

Steganography includes the concealment of information within computer files.

It comes from the Greek words steganos, which means “covered” or “hidden,” and graph, which means “to write.” Hence, “hidden writing.”

You can use steganography to hide text, video, images, or even audio data, and although the technique is centuries old, there are unique ways we can use it within computer science.

Why

Ummm because it's cool 😎? How awesome would it be to split an RSA key pair into raw text files, encrypt each part, and maybe hide them inside the Windows 10 default background images? In the event you ever need to recreate that key data, pull your innocuous Win10_x64.iso, mount it, and grab the backgrounds folder. A bit like hiding your key under a rock. Each part is encrypted with a passphrase you know, so even if the key file itself had no password on it, you aren't at risk of losing control of the key if someone hashes all the files against the Windows ISO and notices that a few wallpaper files are a bit larger than they should be.

How

You should not trust security through obscurity. Encrypt the data before hiding it.

openssl rsa -aes256 -in private_key.pem -out encrypted_file.pem

or GPG is great too!

gpgtar -c -o encrypted_file.gpg private_key.pem

steganopy.api

Simply import the Python library steganopy.api.

Create

We will take an image called photo1.png and hide the encrypted_file.pem data created with openssl earlier, then output a new image called background_in_hiding.png.

import steganopy.api

image = steganopy.api.create_stegano_image(original_image="photo1.png", data_to_hide="encrypted_file.pem")
image.save("background_in_hiding.png")

Deobfuscate

The hidden variable holds whatever steganopy.api.extract_data_from_stegano_image pulls back out of the image. The rest of the script just asks for a filename and writes that data to a file on the local system.

import steganopy.api

hidden = steganopy.api.extract_data_from_stegano_image(image="background_in_hiding.png")

default = "encrypted_file.pem"
pathname = input(f"Save the file as [{default}]: ") or default

# the extracted payload may come back as str or bytes; write whichever we got
mode = "wb" if isinstance(hidden, bytes) else "w"
with open(pathname, mode) as f:
    f.write(hidden)

Decrypt

Finally we can decrypt the data that we deobfuscated.

openssl rsa -in encrypted_file.pem -out private_key.pem

Bonus

We are going to split your RSA key into multiple encrypted pieces, each with its own checksum (at this point we should decrypt and reassemble the key to test it). Then we use steganography to hide the encrypted pieces in plain sight, use command line tools to identify which images are hiding the information, extract the data from those images, verify the integrity of the encrypted files against the checksums, decrypt the file parts, and reassemble the key.

Coming soon...
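The split, checksum, verify and reassemble steps of that bonus procedure, as an added Python example (not code from the original post or from steganopy): a constructed byte string stands in for the openssl-encrypted key file, the encryption and image-hiding steps are left to the tools above, and any piece whose SHA-256 no longer matches the manifest is rejected before it ever reaches openssl.

```python
import hashlib

# Constructed stand-in for the openssl-encrypted key file produced earlier (not a real key).
SAMPLE = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
          + b"MIIFHDBOBgkqhkiG9w0BBQ0wQTAp\n" * 4
          + b"-----END ENCRYPTED PRIVATE KEY-----\n")

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def split_with_checksums(data: bytes, parts: int):
    """Cut data into near-equal pieces. Returns (index, piece, sha256) triples;
    the index/sha256 pairs are the manifest you keep apart from the hidden pieces."""
    if not 1 <= parts <= len(data):
        raise ValueError("parts must be between 1 and len(data)")
    size, rem = divmod(len(data), parts)
    pieces, pos = [], 0
    for i in range(parts):
        end = pos + size + (1 if i < rem else 0)  # the first `rem` pieces get one extra byte
        pieces.append((i, data[pos:end], sha256_hex(data[pos:end])))
        pos = end
    return pieces

def verify_and_reassemble(pieces, manifest):
    """Rebuild the file from (index, piece) pairs given in any order, refusing if a piece
    is missing or its SHA-256 differs from the manifest ({index: sha256})."""
    by_index = {i: blob for i, blob in pieces}
    out = bytearray()
    for i in range(len(manifest)):
        if i not in by_index:
            raise ValueError(f"piece {i} is missing")
        if sha256_hex(by_index[i]) != manifest[i]:
            raise ValueError(f"piece {i} failed its checksum; do not feed it to openssl")
        out += by_index[i]
    return bytes(out)

if __name__ == "__main__":
    pieces = split_with_checksums(SAMPLE, 3)
    manifest = {i: h for i, _, h in pieces}
    rebuilt = verify_and_reassemble([(i, p) for i, p, _ in pieces], manifest)
    print("reassembled OK:", rebuilt == SAMPLE, "| piece sizes:", [len(p) for _, p, _ in pieces])
```

The manifest is what you check the extracted pieces against before decrypting; keep it somewhere other than the images themselves.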