[Written on September 18th 2002 - Updated May 6th 2003]
Steganography strength (is it easy to see there is hidden data?): Low
Cryptography strength (is it easy to recover the hidden data?): Low
The author states on his page: "JPegX is completely FREEWARE and hopefully will become a new standard in security!". Well, I don't think so. I have nothing against him, I know it's always fun to code something new (and I like the fact that his program is small), but I would prefer if he had explained how this program worked, so we don't have to reverse it to know that the security level is close to zero.
1. The data is added at the end of jpg files with a nice signature. Very easy to detect.
2. The "encryption" is an alphabet substitution of characters. Very easy to break. Because it works on one byte, whatever the password you choose, you have just 256 possibilities to test.
If no password is used, the byte value of the first ASCII character from the "secret message" is added with 187, that is "BB" in hexa. If there's a carry it's added too. Then the second one is added with 188, than 189, etc... That's it. To decrypt, do the inverse processus.
If a password is used, the program seems to sum the ASCII values of the password, then use this value as a substitution key for the first letter, than "key+1" to the second character, etc... That's the "encryption" process. Then it does the same substitution explained in part 1. That's it. The password is not saved, so you have to check the 256 substitution possibilities. You can reduce this number by eliminating certain non-printable ASCII characters.
A quick example:
Let's hide the text "Tuesday at 12 !!" with the password "gloup2=". Here's what JpegX is going to do:
This is the final stored scrambled text if we don't use a password. Now let's see what happens with the password. First, let's add all the ASCII values of the password:
If we add them all (plus 2 carries, and then plus 1), we obtain the value 99 in hexa. This is the key. Let's now add it to each byte of the scrambled text, plus carry if necessary, plus 0, 1, 2, 3, etc...
Now let's compare these results with what's inside real images transformed with the above example by JpegX, under an hexadecimal editor. The original image is here (5.139 bytes).
First, the one without password (5.245 bytes):
Second, the image with the password (5.245 bytes):
It looks like we have a perfect match.
To automatize the process, I've coded a small utility to deal with JpegX [Now version 0.2]. Note that it won't display the good text if you used in it ASCII characters values smaller than 32 (with the exception of line breaks) or higher than 126 (accents, etc...). It was just to keep the result window small. You can remove my ASCII filter and recompile if you want, the source is here too.
Once again: if a security software does not explain how it works precisely, don't trust it for serious purposes.
Have a nice day!