Encryption and steganography

by Chris Woodford. Last updated: December 6, 2022.

You've seen a rare book you want to buy online and it costs—wait for it—$500. It's on an online auction so you have to act fast. Fortunately, you bid in time to win and the book is yours. Happy with your success, you type in your credit card details to pay, without even thinking about it. Thanks to the wonders of e-commerce, one of the most valuable pieces of information you own (effectively the key to your entire bank account) whistles across the ether through merchants and banks and the seller receives your payment a few seconds later. Would you dream of sending $500 in cash this way? Passing it from person to person, through a long chain of people you've never met, with a little note attached: "Give this to Joe in Duluth"? Of course not! And yet you feel totally comfortable doing exactly the same thing online. The difference is that, when you pay electronically, your payment information is "scrambled" as it travels so only you and the person who receives the money (or their bank) ever get to see it. That's the brilliance of a mathematical technology called encryption (sometimes also referred to as cryptography). Increasingly, it's used with another technology called steganography, which involves hiding information so you don't even know it's there. Let's take a closer look at how these things work!

Photo: Before the age of digital computers, part electrical, part mechanical machines like this World War II German Enigma were used for military encryption. It has a kind of typewriter keyboard for entering messages; inside, it uses gears called "rotors" to turn those messages into super-secret encrypted gibberish! Photo by Rama published on Wikimedia Commons under a Creative Commons (CC BY-SA 2.0 FR) licence.

Encryption

Encryption is another word for "coding," so when we talk about encrypting something we really just mean turning it into an indecipherable message using a secret code.

We all like playing spies when we're kids, but why would we want to do that as adults? These days, the main reason is that we share so much information online. By its very nature, the Internet is a public medium. Every time you send an email or browse a Web page, the information your computer sends and receives has to pass through maybe a dozen or more other machines on its way to and from its ultimate destination. At every stage, that information could be intercepted by crooks or others of dubious intent. Encrypting information keeps it safe just long enough to make the journey. There's another reason you might want to use encryption: proving information really comes from you. Anyone can send an email pretending to be from someone else; you can use encryption to digitally "sign" your messages and verify your identity.

How does secret-key cryptography work?

All codes are a bit like padlocks. You "lock" your message, the message travels to its destination, and then the recipient "unlocks" it and reads it. But not all codes work the same way.

Secret agents in spy movies use a method called secret-key cryptography. Suppose you're an agent working in Washington, DC and you need to send a message to another agent in Rome, Italy. The best way to do it is for the two of you to meet up in advance, in person, and agree on a method of locking and unlocking all the messages you'll send and receive in future. This method is called a secret key, because only the two of you will have access to it. The secret key could be something like "Replace every letter in the message with another letter three further on in the alphabet." So, to send the message "HELLO" to your contact in Rome, you simply move each letter three forward, which gives you "KHOOR." When the person at the other end gets the message, he simply has to move each letter back three positions in the alphabet to find out what you're really saying. In this case, the key isn't a piece of metal you poke in a lock: it's the method of cracking the code by shifting the letters. Real secret keys are obviously much more complex and sophisticated than this.

Photo: A piece of cryptographic artwork at the CIA Headquarters in Virginina, USA. Photographs in the Carol M. Highsmith Archive, Library of Congress, Prints and Photographs Division.

This way of securing information is also called pre-shared key (PSK) and in some circumstances it's very effective. It's widely used to secure wireless Internet networks, for example. When you set up a secure wireless network, you're asked to choose a secret key (effectively, a password) that's known to both your wireless router (your main local access point to the Internet) and to any portable computers that need to use it. When you're using wireless Internet, you may notice that your connection is encrypted with something called WPA-PSK (Wi-Fi Protected Access-Pre-Shared Key). If you try to log onto a new wireless network and you're asked for a password, what you're really supplying is a secret key that will be used to encrypt and decrypt all the messages that pass back and forth.

Although secret (pre-shared) keys are effective and secure for things like this, they're not at all useful in other situations—like sending secure messages to people you've never met. That's because they rely on your knowing and meeting the person you're communicating with in advance to exchange the secret key. What if you can't do that? What if you want to exchange secure information with someone you've never met—someone who could be on the opposite side of the world? That's exactly the problem you have when you're paying for things online.

What's the trick?

Photo: Military forces have always used encryption to ensure secret communications stay out of enemy hands. This military cellphone is having an encryption chip installed in it to ensure secure communications. The chip uses a type of encryption called AES (Advanced Encryption Standard). Photo by Andrew Rodier courtesy of US Air Force.

It sounds like a trick! How can anyone encrypt a message but only you can decrypt it? Surely if one person can encrypt a message using a publicly available key, other people can decrypt it too using the same key? Not so! The answer lies in the two different keys and in the fact that some mathematical processes are much harder to do one way than the other.

Consider the two prime numbers 7901 and 7919 (prime numbers are ones that you can divide by no other numbers than one and themselves). Suppose you multiply them together to get 62568019. That's a pretty simple operation anyone can do in two seconds flat with a calculator. But what if I give you the number 62568019 and tell you to figure out the two numbers I multiplied together to make that number. You'd be there all day!

What if encrypting a message were as easy as multiplying two prime numbers but decrypting were as hard as figuring out what those numbers were? That's the basic idea behind public-key cryptography. When you secure a message with someone's public key, your computer performs an easy mathematical operation anyone could do. But once the message is encrypted, figuring out what information it contains is a very tough mathematical operation that would take you days, weeks, or months to complete (unless you happen to know the secret key).

You'll see from this that there is a basic flaw in public-key encryption. Given enough time and computing power, you could always figure out the secret key from the public key and decrypt the message. That's why public-key encryption relies on keys that are really big. The keys my computer uses, for example, are made up of 1024 bits (binary digits): a string of 1024 zeros or ones in a long line. The longer the keys you use (that is, the more bits they have), the tougher the encryption and the more secure your message will be. Secure Web pages typically use 128-bit or 256-bit encryption when they travel to and from your browser carrying banking information.

Photo: Adjusting the encryption on a military radio set in a US Army Humvee, Photo by Michael Needham courtesy of US Army and DVIDS.

Types of public-key encryption

There are various different types of public-key encryption that you'll come across. The original idea was invented in the mid-1970s by two Stanford University mathematicians named Whitfield Diffie and Martin Hellman and systems that use their particular mathematical coding method (which is known as an algorithm) are usually called DH (Diffie-Hellman). Others include RSA (named for Ron Rivest, Adi Shamir, and Leonard Adleman), Elgamal (named for Taher Elgamal), Data Encryption Standard (DES) and Triple-DES, and the successor to DES, known as Advanced Encryption Standard (AES) or Rijndael. Web browsers and servers use encryption methods called SSL (Secure Sockets Layer) and TLS (Transport Layer Security), themselves based on algorithms such as RSA and DH, to protect information traveling back and forth over the Net. Some email programs have built-in encryption to make it easy to send and receive secure messages; there's also a popular web-based email system called Hushmail that has encryption built-in as standard. Many PCs use a widely available encryption program named PGP (Pretty Good Privacy) developed by American software engineer Philip Zimmermann in 1991 (Linux equivalents of PGP include KGPG and GnuPG, and the Android smartphone equivalent is APG).

Photo: Modern military radios have instant, built-in encryption. This is the handheld EAWIS (Encrypted Aircraft Wireless Intercom System) radio set developed jointly by the US Army and Navy. Photo courtesy of US Army.

Will quantum computers make encryption impossible?

There's a huge amount of interest in quantum computers that use atoms (or subatomic particles such as electrons) to carry out similar tasks to conventional computers but at far higher speed, in parallel. As we've just seen, the effectiveness of public-key encryption rests on the difficulty of figuring out factors of large numbers; even by brute force trial-and-error, conventional computers take far too long to solve essentially "intractable" problems such as this. But a quantum computer using parallel processing could potentially decrypt information encrypted in this way in the blink of an eye, rendering conventional public-key encryption useless. Goodbye secure online transactions!

Fortunately, this frightening possibility has an equally tantalizing solution: using quantum-mechanical methods to make codes that are theoretically uncrackable. The basic idea is that two people, Annie and Bob, use the inherent unpredictability of quantum states to generate and share a key securely (a technique known as quantum key distribution (QKD), which they then use to securely encrypt and decrypt the messages they exchange. Unlike in public-key cryptography, where the key is public but essentially useless, this is another example of a pre-shared key (PSK) system where the actual key remains secret from third parties. With QKD, it's also possible to detect any attempt by a third party to eavesdrop and discover the key, which would change it in a noticeable way (because eavesdropping would be equivalent to "measuring" the key and, according to the laws of quantum mechanics, you can't measure something like this without altering it in some way).

Steganography

Photo: Steganography is growing in popularity, partly because of easy-to-use software. Here's one example: the very cool Steg-O-Matic app for smartphones, which hides messages in images. Search for "steganography" on your favorite app store and you'll find lots more programs like this.

The trouble with encryption is that it draws attention to itself. If you send an encrypted email with PGP, it's not just a string of random-looking bytes carrying innocent data: it's clearly labeled BEGIN PGP SIGNED MESSAGE, so it's pretty much saying "I'm an exciting secret! Look at me!" This poses a real problem for people who want to use encryption to send things securely: the more attention you draw to something secret, the more likely it is that people will look at it and try to decrypt it. That's why there's growing interest in steganography, which is a totally different way of concealing information.

What is steganography?

Steganography is all about hiding messages so you don't even know they're there. When you mark your belongings with anti-theft ink that shows up in ultraviolet light, that's an example of steganography. Writing a message in invisible ink is another example. Suppose you overheard this conversation on a bus:

Annie: Doing anything special this weekend?

Bob: Going out, love driving!

Annie: Oh yeah? Anywhere in particular?

Bob: Zoos in Nebraska, Carolina...

Annie: Cool. I love animals too. What's the best thing you've ever seen?

Bob: Turtles in Nevada!

Annie: Turtles, amazing! Where else can you see them?

Bob: Not in Carolina. Kentucky.... even Louisiana.

Innocent enough, perhaps? But if you're Annie, and Bob has previously told you he's going to be sending coded information to you using the initial letters of each word, you'll pick up an entirely different message—gold, zinc, tin, nickel—which might be a list of secret metallic ingredients. That's steganography too, albeit of a very basic—and easy-to-detect—kind.

The steganography people use today is much more sophisticated than this and relies on the way that we mostly now communicate by digital means. When we email a photo to someone, we send a digitally coded picture down a fiber-optic line; when we download music from the Net, our computers suck in digitally encoded MP3 files; when we voice chat to someone using Skype (a type of VoIP), we're swapping audio information coded digitally. It's relatively simple to conceal information in digital pictures, MP3 files, and voice chats in such a way that no-one even knows it's there. You can even use steganography to hide information in the ordinary chit-chat of computer network traffic (packets of Internet data). And, of course, you can use steganography to conceal encrypted information, which makes it doubly difficult to find and decipher.

Who uses it?

Search around online and you'll find all kinds of rumors about terrorists using steganography to send secret messages to supporters through social media. It's impossible to prove or disprove those sorts of things, but it makes for a good story in the feverish atmosphere that terrorism creates. Security experts are much more skeptical, but there's no doubt that steganography could be used in all kinds of nefarious ways. Steganography tools are now widely available (just search the app store from your mobile device and you'll find plenty), so it's anyone's guess how many people might be using the technology.

Does it have legitimate uses?

Steganography sounds very devious and you might think only shady spies, criminals, and terrorists would be interested in using it. In fact, it has some quite legitimate applications. Political dissidents and journalists can use it to send messages without putting themselves or their contacts at risk. Photographers who want to protect their pictures from copyright theft can embed invisible steganographic "watermarks." MP3 files, DVD movies, and ebooks are also sometimes protected this way to prevent piracy. And steganography is sometimes used to protect documents from industrial espionage. If confidential documents are given to a few people in a company, but each one is secretly marked with a unique steganographic "signature," any leaks can easily be traced back to the person responsible.

Can you crack it?

Given enough time and computing power, it's theoretically possible to crack any kind of encryption. But what about steganography? The first problem is detecting that a secret message is even present. If we're talking about messages concealed in Internet traffic, that's an incredibly tall order, because the number of messages using steganography represents an absolutely minuscule fraction of all the digital traffic zapping back and forth around the world. Experts say that spotting steganography isn't like looking for a needle in a haystack but for a slightly off-color piece of straw; in reality, given the huge amount of Internet traffic, it's more like detecting one or two shady bits of straw in the world's entire hay harvest.

But just as cryptography (code making) spawned cryptanalysis (code breaking), so steganography (information hiding) has led to steganalysis (detecting hidden information). The original method boiled down to a simple visual inspection (where information has been concealed in a picture, can you spot subtle changes in brightness or color?), but now steganography has gone digital, we have to rely on brute-force statistical analysis instead (such as trying to find a pattern hidden in digital images or unusual information in MP3 files and Internet traffic). From MP3stego (which hides things in music files) to SkyDe (a steganographic add-on for Skype), the web abounds with tools for concealing information; but there's a growing battery of steganalysis tools too, such as Stegdetect (for finding information hidden in images) and StegoHunt™ (from Wetstone Technologies).

A brief history of steganography

• ~BCE: Ancient Greeks develop two cunning steganographic methods. They tattoo secret messages on the heads of slaves, before waiting for their hair to grow back to conceal what's written. The slaves are then shipped off to new owners who promptly shave their heads and read the message. They also learn how to write messages on tablets which are then concealed under a thick layer of wax that easily be scraped or melted off.
• 1641: Bishop John Wilkins writes the first English book on cryptography and pioneers the use of glow-in-the-dark invisible ink.
• 1770s: Invisible ink is widely used to carry secret messages during the American Revolution (and again during the US Civil War of 1861–1865).
• World War II: Steganographers use invisible ink and microdots (information shrunk down to pinpoint size and concealed in documents or pictures).
• 1980s: Before the age of emails and digital documents, British Prime Minister Margaret Thatcher reputedly uses steganography to trace the source of government leaks. Printed documents are circulated to different people with varying patterns of spaces between words, allowing leaked versions to be traced back to the individuals responsible.
• 1996: Academics hold the world's first international conference on steganography.
• 2001: Rumors circulate that steganography has been used to plan acts of terrorism, such as the 2001 World Trade Center attack in New York City. Although widely reported in the media, this is never proved.
• 2003: The CIA wrongly claims terrorist group al-Qaida is sending secret messages concealed in TV broadcasts.
• 2020: Sophos highlights "Cloud Snooper", a new malware threat to servers that uses steganography to sneak past firewalls.

Don't want to read our articles? Try listening instead

If you'd rather listen to our articles than read them, please subscribe to our new podcast on Apple Podcasts, Spotify, Audible, Amazon, Podchaser, or your favorite podcast app, or listen below:

Find out more

On this website

• Fingerprint scanners
• Iris scanners
• Locks and keys
• One-time passwords (security tokens)
• Quantum computers

On other sites

• How PGP works: A good, clear introduction to cryptography and the widely available PGP public cryptography tool. [Archived via the Wayback Machine.]
• Philip Zimmermann: Website of the PGP creator, with lots of useful background about PGP.
• OpenPGP Alliance: Responsible for OpenPGP, an open world standard based on PGP.
• GNU Privacy Guard (GnuPG): The GNU project's free implementation of OpenPGP, available for various operating systems.
• Professor Ross Anderson: The website of a leading computer security expert at Cambridge University covers a broad range of technical/security issues.

Books

General

• Serious Cryptography by Jean-Philippe Aumasson. No Starch, 2017. An up-to-date introduction that takes in such topics as hash functions, SSL/TLS website encryption, quantum encryption, and various kinds of public-key cryptography (such as RSA and Diffie-Helmann).
• Understanding Cryptography: A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Springer, 2014. A wide-ranging, practical guide.
• The Mathematics of Secrets: Cryptography from Caesar Ciphers to Digital Encryption by Joshua Holden. Princeton University Press, 2017. A comprehensive look at how we keep information secret, from historic ciphers and today's popular forms of public-key cryptography to the likely future of quantum encryption.
• Computer Security Basics by Rick Lehtinen, Deborah Russell, and G. T. Gangemi. O'Reilly, 2011. A good overview of computer security for people like IT managers (who need to know the general concepts rather than the extreme nitty gritty of implementation).
• A Shortcut Through Time: The Path to the Quantum Computer by George Johnson. Random House, 2007. A reasonably simple introduction to quantum computing. Chapter 6 covers how quantum computers might be used to decrypt codes, while chapter 9 looks at quantum key distribution.

PGP

• The Official PGP User's Guide by Philip R. Zimmermann. DIANE Publishing Company, 1999. An introduction to PGP by its inventor.
• PGP: Pretty Good Privacy by Simson Garfinkel. O'Reilly, 1995. A good introduction to PGP and its history, plus a lot of stuff about Internet privacy (a topic for which Garfinkel is best known), but somewhat dated now.

Steganography

• Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols by Michael Raggo and Chet Hosmer. Syngress, 2012.
• Steganography in Digital Media: Principles, Algorithms, and Applications by Jessica Fridrich. Cambridge University Press, 2010.

Articles

• The Scandalous History of the Last Rotor Cipher Machine by Jon D. Paul. IEEE Spectrum, 31 August 2021. How do Enigma-type rotor ciphers actually work?
• Malware Payloads Hide in Images: Steganography Gets a Reboot by Derek Manky. Threat Post, 25 March 2019. How steganography is used in things like memes in Twitter feeds.
• The Race Is On to Protect Data From the Next Leap in Computers. And China Has the Lead. by Cade Metz and Raymond Zhong. The New York Times, 3 December 2018. Who will win the race to perfect quantum encryption?
• How to Encode a Secret Message in a Fingerprint by Michelle Hampson. IEEE Spectrum, 2 Nov 2018. Patterns hidden in fingerprints are a cunning new form of steganography.
• Hiding Information in Plain Text by Charles Q. Choi. IEEE Spectrum, 15 May 2018. FontCode hides information in ordinary text by subtly changing individual letters.
• The Dark Side of Steganography by Lauren J. Young. IEEE Spectrum, 13 August 2015. How security researchers are using steganography to smoke out malware.
• It's Time to Encrypt the Entire Internet by Klint Finley. Wired, 17 April 2014. An argument for using encrypted (https) web pages.
• A Call for a Highly Encrypted Future by Nicole Perlroth. The New York Times Bits Blog, 12 March 2014. Why end-to-end encryption matters online.
• N.S.A. Able to Foil Basic Safeguards of Privacy on Web by Nicole Perlroth et al. The New York Times, 5 September 2013. Online encryption is not as safe as many people believe.
• Surveillance fears for the UK by Chris Vallance. BBC News, 4 May 2009. A brief interview with Phil Zimmermann about the use of surveillance.
• 'Unbreakable' encryption unveiled by Roland Pease. BBC News, 9 October 2008. Scientists in Vienna demonstrate an example of quantum key distribution.