StegoCrypt - A Learning Exercise In combining Steganography and Encryption
Ahmad, Husnain (2025)
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202601121227
Abstract
StegoCrypt is a web-based Python application that combines modern encryption with steganography to hide secret messages inside ordinary PNG files. Users can protect their messages with passwords before concealing them in normal-looking images. The application encrypts messages using AES-256-GCM with a 256-bit key derived from the user's password through PBKDF2-HMAC-SHA256 (600,000 iterations), a random 16-byte salt, and a 96-bit nonce. The encrypted message, nonce, and 128-bit authentication tag are hidden within the image's color channels using Least Significant Bit (LSB) substitution.
The tool runs through any web browser using Flask, allowing users to hide and reveal messages without installing software. It includes automatic capacity checks based on image size, clear error messages for common problems, authentication checks to detect tampering or wrong passwords, and lossless PNG format support to preserve hidden data. The web interface makes complex cryptographic processes accessible to non-technical users while maintaining security.
Although the project follows current best practice (AES-GCM is the recommended authenticated-encryption mode), the tool is a learning prototype. It demonstrates real-world challenges in combining cryptography and steganography: metadata management, embedding capacity limits (theoretically 3 bits per pixel, one least significant bit per RGB channel), vulnerability to statistical detection, and sensitivity to image modifications (any lossy re-encoding or resizing destroys the hidden data). The thesis documents the development process, analyzes security properties, discusses design choices (PBKDF2 versus Argon2id), and examines limitations to provide insights for bachelor-level cybersecurity education.
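The pipeline the abstract describes (PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte salt, AES-256-GCM with a 96-bit nonce and 128-bit tag, then LSB substitution at one bit per colour channel), written out end to end as an added example. This is not the thesis's own code: the real tool is a Flask web application that reads and writes PNG files, whereas here the image is a constructed raw RGB byte buffer (3 bytes per pixel) so that no image library is needed. The 4-byte big-endian length prefix in front of the payload is an assumed framing, not necessarily how StegoCrypt stores its metadata, and the example depends on the third-party `cryptography` package for AES-GCM.

```python
"""StegoCrypt-style hide/reveal: password -> PBKDF2 -> AES-256-GCM -> LSB.

Added illustration. The "image" is a raw RGB byte buffer, not a PNG, and the
4-byte length prefix is an assumed framing (not taken from the thesis).
"""
import hashlib
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PBKDF2_ITERATIONS = 600_000  # iteration count stated in the abstract
SALT_LEN = 16                # random salt, bytes
NONCE_LEN = 12               # 96-bit GCM nonce
TAG_LEN = 16                 # 128-bit GCM tag (AESGCM.encrypt appends it)
LEN_PREFIX = 4               # assumed: big-endian payload length header


def derive_key(password: str, salt: bytes) -> bytes:
    """256-bit AES key from the password via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def encrypt_message(password: str, message: str) -> bytes:
    """Return salt || nonce || ciphertext || tag (everything the receiver needs)."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)  # fresh per message: never reuse with one key
    aead = AESGCM(derive_key(password, salt))
    return salt + nonce + aead.encrypt(nonce, message.encode("utf-8"), None)


def decrypt_message(password: str, blob: bytes) -> str:
    """Inverse of encrypt_message. A wrong password or any modified bit of the
    salt, nonce, ciphertext or tag fails GCM authentication -> ValueError."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("payload too short to hold salt, nonce and tag")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    try:
        plain = AESGCM(derive_key(password, salt)).decrypt(nonce, ciphertext, None)
    except InvalidTag:
        raise ValueError("authentication failed: wrong password or modified image") from None
    return plain.decode("utf-8")


def capacity_bytes(width: int, height: int) -> int:
    """Payload bytes the image can carry at 1 LSB per channel (3 bits per pixel)."""
    return max(0, (width * height * 3) // 8 - LEN_PREFIX)


def embed_bits(pixels: bytes, payload: bytes) -> bytearray:
    """Write LEN_PREFIX + payload, MSB first, into the LSB of successive channel bytes."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError(f"image holds {len(pixels) // 8 - LEN_PREFIX} payload bytes, "
                         f"need {len(payload)}")
    out = bytearray(pixels)
    i = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)  # replace only the LSB
            i += 1
    return out


def extract_bits(pixels: bytes) -> bytes:
    """Read the length header, then exactly that many payload bytes, from the LSBs."""
    def read(offset: int, count: int) -> bytes:
        buf = bytearray()
        for k in range(count):
            b = 0
            for j in range(8):
                b = (b << 1) | (pixels[offset + k * 8 + j] & 1)
            buf.append(b)
        return bytes(buf)

    if len(pixels) < LEN_PREFIX * 8:
        raise ValueError("image too small to carry a length header")
    (length,) = struct.unpack(">I", read(0, LEN_PREFIX))
    if (LEN_PREFIX + length) * 8 > len(pixels):
        raise ValueError("length header exceeds image size: no payload or corrupted image")
    return read(LEN_PREFIX * 8, length)


def hide(pixels: bytes, password: str, message: str) -> bytearray:
    """Capacity check first (cheap), then the 600k-iteration KDF and embedding."""
    needed = SALT_LEN + NONCE_LEN + len(message.encode("utf-8")) + TAG_LEN
    if (LEN_PREFIX + needed) * 8 > len(pixels):
        raise ValueError(f"image holds {len(pixels) // 8 - LEN_PREFIX} payload bytes, need {needed}")
    return embed_bits(pixels, encrypt_message(password, message))


def reveal(pixels: bytes, password: str) -> str:
    return decrypt_message(password, extract_bits(pixels))


# Constructed 64x64 "image": a deterministic RGB byte pattern, not a real photo.
SAMPLE_W, SAMPLE_H = 64, 64
SAMPLE_PIXELS = bytes((x * 7 + 13) & 0xFF for x in range(SAMPLE_W * SAMPLE_H * 3))

if __name__ == "__main__":
    stego = hide(SAMPLE_PIXELS, "correct horse", "meet at dawn")
    print("capacity:", capacity_bytes(SAMPLE_W, SAMPLE_H), "bytes")
    print("revealed:", reveal(stego, "correct horse"))
```

Two properties of the design are visible here. Because the salt and nonce are themselves carried in the LSBs, a wrong password and a single flipped bit anywhere in the embedded region both surface as the same GCM tag failure, which is exactly the "authentication checks to detect tampering or wrong passwords" the abstract mentions. Because `embed_bits` only ever touches the least significant bit of each channel byte, the cover image changes by at most one intensity level per channel, which is why the carrier must stay lossless (PNG): a JPEG re-encode would rewrite those bits and the tag check would then fail on a perfectly good password.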
