Hiding Secret Messages in Fingerprints

This is a fun steganographic application: hiding a message in a fingerprint image.

Can't see any real use for it, but that's okay.

Posted on November 12, 2018 at 6:17 AM • 10 Comments

Comments

Ramriot • November 12, 2018 7:32 AM

Interesting, it is steganography but it's not about hiding data in a fingerprint image.

Because the image is generated from the data then it is equivalent to encoding (png).

It could be useful if the image cannot be distinguished from a real fingerprint by simple means & that the decoder produces valid decodings from real fingerprints.

Clive Robinson • November 12, 2018 8:35 AM

@ Bruce,

    Can't see any real use for it, but that's okay.

Oh combine it with those "gummy bear" quick eat fingerprints, then there are possibilities ;-)

Clive Robinson • November 12, 2018 9:13 AM

@ ALL,

Boing Boing pointed out why least significant bit stego not only does not work very well but also is fragile with image compression software etc.

The paper's author, Li, noted however,

    We could still achieve relative high data extraction accuracy even if the constructed fingerprint image is binarized, thinned, or severely compressed

After a few moments' thought, I suspect the encoding algorithm actually plays to the strengths of image compression software.
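The fragility of least-significant-bit embedding mentioned in the comment above, as an added illustration that is not part of the original post, the comments, or the paper. The coarse re-quantization step is an assumed stand-in for lossy image compression, and the pixel values and message bits are constructed.

```python
import random

def embed_lsb(pixels, bits):
    """Overwrite the least significant bit of each pixel with one message bit."""
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out

def extract_lsb(pixels, n):
    """Read the message back from the low bit of the first n pixels."""
    return [p & 1 for p in pixels[:n]]

def requantize(pixels, step):
    """Lossy stand-in (assumption): round each pixel to the nearest multiple of step."""
    return [min(255, int(p / step + 0.5) * step) for p in pixels]

def bit_error_rate(sent, received):
    return sum(x != y for x, y in zip(sent, received)) / len(sent)

def demo(step=8, n_bits=2048, seed=1):
    rng = random.Random(seed)
    cover = [rng.randrange(256) for _ in range(n_bits)]   # constructed grayscale samples
    message = [rng.randrange(2) for _ in range(n_bits)]   # constructed message bits
    stego = embed_lsb(cover, message)
    # Largest per-pixel change caused by embedding: never more than one gray level.
    max_change = max(abs(c - s) for c, s in zip(cover, stego))
    clean = bit_error_rate(message, extract_lsb(stego, n_bits))
    # After the lossy step the low bits are rewritten, so extraction
    # does no better than guessing (error rate near 0.5).
    lossy = bit_error_rate(message, extract_lsb(requantize(stego, step), n_bits))
    return clean, lossy, max_change

if __name__ == "__main__":
    clean, lossy, max_change = demo()
    print(f"max pixel change from embedding: {max_change}")
    print(f"bit error rate, untouched image: {clean:.3f}")
    print(f"bit error rate, after lossy step: {lossy:.3f}")
```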

Gray • November 12, 2018 11:47 AM

    Oh combine it with those "gummy bear" quick eat fingerprints, then there are possibilities ;-)

At that point, why rely upon steganography?

You could just encode binary data in an Aztec or QR code for your "fingerprint" - not exactly the most effective way to send a message but likely less error-prone than parsing with this implementation.

ConspiraciesEverywhere • November 12, 2018 1:14 PM

> Can't see any real use for it, but that's okay.

Police agencies keeping hidden data on citizens? But there are easier ways to do that.

Thunderbird • November 12, 2018 5:19 PM

I imagine this warrants an addition to the Bruce Schneier FAQ:

Bruce Schneier's fingerprints steganographically encode his 2048-bit public RSA key.

Jeff Root • November 12, 2018 8:52 PM

Well, here's one idea: PIV cards usually allow storing a fingerprint. So perhaps I have a nice key that I'd like to be immune to border search, or surrender. I encode my key in my fingerprint, then upload that to the PIV card (who's to say "Schneier Security" doesn't issue you a badge?)

Now I can sanitize my entire travel kit, yet when I reach the other side, I can copy those confidential business files from cloud storage to my laptop, extract the key from my PIV card, then decrypt the files I need.

Encrypt/upload those same files when complete, sanitize the laptop drive, and pass through all borders without a trace of your data.

(Obviously, the actual keys/certs on the PIV card should point to nothing important.)

Pete • November 13, 2018 8:54 PM

No obvious use?
If the technique is resistant to some error, it's a great way to communicate with police - like an undercover cop needing a covert channel to his bosses. Just add a small "scar" to the print to allow the crime scene tech to ID messages of significance and pass along to the squad.

Coyne Tibbets • November 14, 2018 4:13 AM

How about encoding messages in the real fingerprint? Imagine a hacker who can break into any computer by scanning his fingers on a fingerprint reader. Or someone who carries national secrets encoded in her fingerprints, which she passes on by visiting a theme park where a confederate has corrupted the fingerprint readers.

Laser ablation should be able to do something along that line.
