Paul Miller avatar

I make projects which help developers to build awesome things. I adore learning more about infosec & austrian economics. Ping me on twitter, check out my github, gitlab, Hell Yeah, or send me an email. My PGP is 697079DA6878B89B

steg

This is demo of Steg (GitHub, npm), steganography library that allows to encrypt and hide arbitrary data inside png images.

  • Encodes data using least significant bits of PNG pixels.
  • Only PNGs are supported, JPGs cannot be used - every time you save them, they can get re-encoded and some data would be lost, which is a no-go for steganography
  • However, you could feed JPG to the encryption form, and it would be converted to PNG
  • Encrypts hidden data and its metadata with AES-GCM-256 + Scrypt. LSB bitsTaken are not encrypted, so it is slightly easier to understand something is hidden inside .png, however, since we are using encryption + padding, it's not trivial to understand what's exactly is inside.
  • Experimental. Use at your own risk.

Encrypt file and hide it inside image


Extract file from image and decrypt it

Technical information

Algorithm

  1. Calculate the capacity of png image at given `bitsTaken` and save it into `capacity`
  2. Create a flat byte array structure with 5 fields ABCDE, that represents file and its metadata:
    • A `bytes 0..1` name length, 4GB max
    • B `bytes 1..[1+name length]` name, 32 bytes max
    • C `bytes B..B+4` file size length, 4GB max
    • D `bytes C..[C+file length]` file contents
    • E `bytes D..end` padding filled with zeros - zeros are okay, since we encrypt them
  3. Encrypt ABCDE under given AES key with AES-GCM-256.
    • IV `bytes 0..12` taken from CSPRNG
    • ciphertext `bytes 12..(end-16)` encrypted ABCD
    • auth tag `bytes end-16..end` GCM authentication tag

The web app

  • We're using Scrypt; with N=2^19, r=8, p=1 and salt="steg-file"
  • If CSPRNG is not available, the app would crash
  • AES GCM Authentication Tag is calculated and verified properly