Today I was thinking of a way to always have my RSA private key with me. The key itself is protected with a strong password, but I want to carry it with me in a secure way. I've come up with a proof of concept, using steganography.

I always carry a very cheap MP3 player with me (I love it). If you connect it to a computer, it acts like a USB memory stick, so you can put stuff on it. But I don't want to save a file with a name like "private-key" on my MP3 player. I came up with the idea of storing my private key in the metadata of the most common file on an MP3 player: an mp3 file. I could store the data in the "comments" field of the mp3 file's metadata, but it could be seen if somebody opened the track with Rhythmbox, iTunes, etc. Instead, I've preferred a more geeky approach: save the private key in an image, using steganography, and add this image as the front cover of the mp3 file (you know, the artist/album image that the mp3 player displays).

This is the proof of concept. You need to have eyeD3 installed in order to modify the metatags of an mp3 file, and steghide for storing the private key in an image. I have this bash script in a directory, together with an image called img.jpg and an mp3 song by Disclosure called carnival.mp3.

```bash
#!/bin/bash
# Proof of concept: hide a demo private key in the front-cover image of an MP3.

echo "Generating a 'fake/demo' private key"
ssh-keygen -f priv-key

# Work on a copy so the original img.jpg stays untouched
cp img.jpg text-img.jpg

echo "    Copying the content of the priv-key to the image... (you don't need to set a password)"
steghide embed -cf text-img.jpg -ef priv-key
echo "    Removing other images from the file..."
eyeD3 --remove-images carnival.mp3 > /dev/null
echo "    Embedding the image into the MP3 song...."
eyeD3 --add-image=text-img.jpg:FRONT_COVER carnival.mp3 > /dev/null
echo "    Data loaded!"

echo "    Extracting the image from the file..."
# Writes the embedded cover to ./FRONT_COVER.jpeg
eyeD3 -i ./ carnival.mp3 > /dev/null
echo "    Extracting the priv-key from the image..."
steghide extract -sf FRONT_COVER.jpeg -xf priv-key-out
echo "    Checking whether the original priv-key equals the extracted one..."
echo "    (correct if the md5 matches)"
md5sum priv-key priv-key-out

echo "Cleaning everything up..."
# Remove the demo key pair and the intermediate files created above
rm -f priv-key priv-key.pub priv-key-out text-img.jpg FRONT_COVER.jpeg
echo "Done!"
```

You can read the comments of the script and everything is very clear. The only thing you MUST check after copying the file to your MP3 player is that the player itself DOES NOT modify the image in any way. The easiest way of doing it is to check the md5sum of the file before and after copying the file to the MP3 player.
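A narrower version of that check, as an added example that is not part of the original script: it reads the front-cover picture straight out of the ID3v2 tag and hashes only those bytes, so a digest of text-img.jpg recorded before the copy can be compared with the cover as stored on the player. It uses SHA-256 instead of md5sum and assumes an ID3v2.3/2.4 tag without unsynchronisation or an extended header; `make_sample` and the stand-in image bytes are constructed test input.

```python
import hashlib
import struct

def synchsafe(b):
    """Decode a 4-byte ID3v2 size: 7 significant bits per byte."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def front_cover(mp3):
    """Return the raw picture bytes of the front-cover APIC frame, or None."""
    if len(mp3) < 10 or mp3[:3] != b"ID3" or mp3[3] not in (3, 4):
        return None                      # no ID3v2.3/2.4 tag at the start
    if mp3[5] & 0xC0:
        raise ValueError("unsynchronised or extended-header tags not handled")
    pos, end = 10, 10 + synchsafe(mp3[6:10])
    while pos + 10 <= end and mp3[pos:pos + 4] != b"\0\0\0\0":
        fid, raw = mp3[pos:pos + 4], mp3[pos + 4:pos + 8]
        size = synchsafe(raw) if mp3[3] == 4 else struct.unpack(">I", raw)[0]
        body = mp3[pos + 10:pos + 10 + size]
        pos += 10 + size
        if fid != b"APIC" or len(body) < size:
            continue
        mime_end = body.find(b"\0", 1)   # Latin-1 MIME type, NUL-terminated
        if mime_end < 0 or mime_end + 2 > size:
            continue
        step = 2 if body[0] in (1, 2) else 1   # UTF-16 text ends with two NULs
        i = mime_end + 2                 # start of the description string
        while any(body[i:i + step]):     # skip the description up to its terminator
            i += step
        if body[mime_end + 1] == 3:      # picture type 3 = front cover
            return body[i + step:]
    return None

def cover_digest(mp3):
    """SHA-256 hex digest of the embedded front cover, or None if absent."""
    cover = front_cover(mp3)
    return hashlib.sha256(cover).hexdigest() if cover is not None else None

def make_sample(image):
    """Constructed input: a minimal ID3v2.3 tag with one APIC frame + fake audio."""
    body = b"\x00image/jpeg\x00\x03\x00" + image
    frame = b"APIC" + struct.pack(">I", len(body)) + b"\0\0" + body
    n = len(frame)
    size = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + size + frame + b"\xff\xfb" + bytes(64)

if __name__ == "__main__":
    stego = b"\xff\xd8" + bytes(range(256)) + b"\xff\xd9"  # constructed stand-in image
    before = hashlib.sha256(stego).hexdigest()
    print("intact:  ", cover_digest(make_sample(stego)) == before)
    print("modified:", cover_digest(make_sample(stego[:-2])) == before)
```

On real files, pass the bytes of the mp3 as read from the player to `cover_digest` and compare the result with the SHA-256 of text-img.jpg taken before embedding. Any mismatch means the cover bytes changed and the steghide payload should be treated as lost.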

And this is it. You now have your private key always with you, embedded in the cover image of an mp3 file. The only downside of this approach is that you then need a machine with both steghide and eyeD3 installed to be able to "extract" your private key. This can be done with a live CD, though.

Oh! And remember that steganography is Security Through Obscurity, so you MUST have a strong passphrase on your private key file.

Take care, Jan.