You are here: Home page > Computers > Encryption

Radio encryption equipment used by US military in the 1980s

Encryption and steganography

  • Tweet

by Chris Woodford. Last updated: March 6, 2017.

You've seen a rare book you want to buy online and it costs—wait for it—$500. It's on an online auction so you have to act fast. Fortunately, you bid in time to win and the book is yours. Happy with your success, you type in your credit card details to pay, without even thinking about it. Thanks to the wonders of e-commerce, one of the most valuable pieces of information you own (effectively the key to your entire bank account) whistles across the ether through merchants and banks and the seller receives your payment a few seconds later. Would you dream of sending $500 in cash this way? Passing it from person to person, through a long chain of people you've never met, with a little note attached: "Give this to Joe in Duluth"? Of course not! And yet you feel totally comfortable doing exactly the same thing online. The difference is that, when you pay electronically, your payment information is "scrambled" as it travels so only you and the person who receives the money (or their bank) ever get to see it. That's the brilliance of a mathematical technology called encryption (sometimes also referred to as cryptography). Increasingly, it's used with another technology called steganography, which involves hiding information so you don't even know it's there. Let's take a closer look at how these things work!

Photo: Military forces have always used encryption to ensure secret communications stay out of enemy hands. This is some of the complex encryption and radio communication equipment used by US forces in the 1980s. Today, all of us have encryption at our fingertips. Photo by Vincent Kitts courtesy of Defense Imagery.


Encryption is another word for "coding," so when we talk about encrypting something we really just mean turning it into an indecipherable message using a secret code. We all like playing spies when we're kids, but why would we want to do that as adults? These days, the main reason is that we share so much information online. By its very nature, the Internet is a public medium. Every time you send an email or browse a Web page, the information your computer sends and receives has to pass through maybe a dozen or more other machines on its way to and from its ultimate destination. At every stage, that information could be intercepted by crooks or others of dubious intent. Encrypting information keeps it safe just long enough to make the journey. There's another reason you might want to use encryption: proving information really comes from you. Anyone can send an email pretending to be from someone else; you can use encryption to digitally "sign" your messages and verify your identity.

Installing an Advanced Encryption Standard (AES) encryption chip in a cellphone

Photo: This cellphone is having an encryption chip installed in it to ensure secure communications. The chip uses a type of encryption called AES (Advanced Encryption Standard). Photo by Andrew Rodier courtesy of US Air Force and Defense Imagery.

How does secret-key cryptography work?

All codes are a bit like padlocks. You "lock" your message, the message travels to its destination, and then the recipient "unlocks" it and reads it. But not all codes work the same way.

Secret agents in spy movies use a method called secret-key cryptography. Suppose you're an agent working in Washington, DC and you need to send a message to another agent in Rome, Italy. The best way to do it is for the two of you to meet up in advance, in person, and agree on a method of locking and unlocking all the messages you'll send and receive in future. This method is called a secret key, because only the two of you will have access to it. The secret key could be something like "Replace every letter in the message with another letter three further on in the alphabet." So, to send the message "HELLO" to your contact in Rome, you simply move each letter three forward, which gives you "KHOOR." When the person at the other end gets the message, he simply has to move each letter back three positions in the alphabet to find out what you're really saying. In this case, the key isn't a piece of metal you poke in a lock: it's the method of cracking the code by shifting the letters. Real secret keys are obviously much more complex and sophisticated than this.

This way of securing information is also called PSK (pre-shared key) and in some circumstances it's very effective. It's widely used to secure wireless Internet networks, for example. When you set up a secure wireless network, you're asked to choose a secret key (effectively, a password) that's known to both your wireless router (your main local access point to the Internet) and to any portable computers that need to use it. When you're using wireless Internet, you may notice that your connection is encrypted with something called WPA-PSK (Wi-Fi Protected Access-Pre-Shared Key). If you try to log onto a new wireless network and you're asked for a password, what you're really supplying is a secret key that will be used to encrypt and decrypt all the messages that pass back and forth.

Although secret (pre-shared) keys are effective and secure for things like this, they're not at all useful in other situations—like sending secure messages to people you've never met. That's because they rely on your knowing and meeting the person you're communicating with in advance to exchange the secret key. What if you can't do that? What if you want to exchange secure information with someone you've never met—someone who could be on the opposite side of the world? That's exactly the problem you have when you're paying for things online.

How does public-key encryption work?

In that case, you can use a different system called public-key cryptography, which is how online encryption works. The basic idea is simple. Each person has two keys, one called a public key and one called a secret key. Each "key" is actually a long, meaningless string of numbers—nothing like a metal key you'd use to open and close a door lock. The public key is something you can share with anyone, while the secret key is something you must keep private. Suppose you want to send a message to a friend using public key cryptography. You use their public key (which they've freely shared with the world) to encrypt the message and turn it into gibberish. You email the scrambled message to them over the Internet and when they receive it they use their secret key to decrypt (unscramble) and read it. That then is the essence of public-key cryptography: anyone can encrypt a message and send it to you (using your public key), but only you can read it (using your secret key).

How to send a message with public-key encryption

Suppose Annie wants to send a secure message to Bob, whom she's never met. Here's how they can do it with public-key encryption.

1. Generate keys

How public key encryption/cryptography works step 1: generate keys

First, each of them has to generate public and secret (private) keys with their computer. They need to do this only once. After they've generated a public and secret key pair, they can use it to communicate with any number of different people.

2. Swap public keys

How public key encryption/cryptography works step 2: swap keys

Next they swap their public keys. They keep their secret keys to themselves and never share them with anyone else. They can send their public keys to whoever they wish—it's okay even to publish your public key on your website or attach it to your emails.

3. Exchange messages

How public key encryption/cryptography works step 2: swap keys

To send Bob a message, Annie uses Bob's public key to encrypt her words. The encrypted message is complete gibberish and it doesn't matter who sees it. When Bob receives the message, he uses his secret key to decrypt it (turn it back into a message he can read). If he wants to reply securely to Annie, he simply runs the process in reverse: he uses Annie's public key to encrypt his message and she uses her secret key to decrypt it.

4. Digitally signing messages

Bob and Annie can also use their keys to prove messages they send really come from them by adding what's called a digital signature. Bob can add a digital signature to his emails using his secret key. When Annie receives a signed message from someone claiming to be Bob, she can use his public key to prove that the message really did come from him.

What's the trick?

It sounds like a trick! How can anyone encrypt a message but only you can decrypt it? Surely if one person can encrypt a message using a publicly available key, other people can decrypt it too using the same key? Not so! The answer lies in the two different keys and in the fact that some mathematical processes are much harder to do one way than the other.

Consider the two prime numbers 7901 and 7919 (prime numbers are ones that you can divide by no other numbers than one and themselves). Suppose you multiply them together to get 62568019. That's a pretty simple operation anyone can do in two seconds flat with a calculator. But what if I give you the number 62568019 and tell you to figure out the two numbers I multiplied together to make that number. You'd be there all day!

What if encrypting a message were as easy as multiplying two prime numbers but decrypting were as hard as figuring out what those numbers were? That's the basic idea behind public-key cryptography. When you secure a message with someone's public key, your computer performs an easy mathematical operation anyone could do. But once the message is encrypted, figuring out what information it contains is a very tough mathematical operation that would take you days, weeks, or months to complete (unless you happen to know the secret key).

You'll see from this that there is a basic flaw in public-key encryption. Given enough time and computing power, you could always figure out the secret key from the public key and decrypt the message. That's why public-key encryption relies on keys that are really big. The keys my computer uses, for example, are made up of 1024 bits (binary digits): a string of 1024 zeros or ones in a long line. The longer the keys you use (that is, the more bits they have), the tougher the encryption and the more secure your message will be. Secure Web pages typically use 128-bit or 256-bit encryption when they travel to and from your browser carrying banking information.

Types of public-key encryption

EAWIS encrypted military radio

Photo: Modern military radios have instant, built-in encryption. This is the handheld EAWIS (Encrypted Aircraft Wireless Intercom System) radio set developed jointly by the US Army and Navy. Photo courtesy of US Army.

There are various different types of public-key encryption that you'll come across. The original idea was invented in the mid-1970s by two Stanford University mathematicians named Whitfield Diffie and Martin Hellman and systems that use their particular mathematical coding method (which is known as an algorithm) are usually called DH (Diffie-Hellman). Others include RSA (named for Ron Rivest, Adi Shamir, and Leonard Adleman), Elgamal (named for Taher Elgamal), Data Encryption Standard (DES) and Triple-DES, and the successor to DES, known as Advanced Encryption Standard (AES) or Rijndael. Web browsers and servers use encryption methods called SSL (Secure Sockets Layer) and TLS (Transport Layer Security), themselves based on algorithms such as RSA and DH, to protect information traveling back and forth over the Net. Some email programs have built-in encryption to make it easy to send and receive secure messages; there's also a popular web-based email system called Hushmail that has encryption built-in as standard. Many PCs use a widely available encryption program named PGP (Pretty Good Privacy) developed by American software engineer Philip Zimmermann in 1991 (Linux equivalents of PGP include KGPG and GnuPG, and the Android smartphone equivalent is APG).

Will quantum computers make encryption impossible?

There's a huge amount of interest in quantum computers that use atoms (or subatomic particles such as electrons) to carry out similar tasks to conventional computers but at far higher speed, in parallel. As we've just seen, the effectiveness of public-key encryption rests on the difficulty of figuring out factors of large numbers; even by brute force trial-and-error, conventional computers take far too long to solve essentially "intractable" problems such as this. But a quantum computer using parallel processing could potentially decrypt information encrypted in this way in the blink of an eye, rendering conventional public-key encryption useless. Goodbye secure online transactions!

Fortunately, this frightening possibility has an equally tantalizing solution: using quantum-mechanical methods to make codes that are theoretically uncrackable. The basic idea is that two people, Annie and Bob, use the inherent unpredictability of quantum states to generate and share a key securely (a technique known as quantum key distribution (QKD), which they then use to securely encrypt and decrypt the messages they exchange. Unlike in public-key cryptography, where the key is public but essentially useless, this is an example of a pre-shared key (PSK) system where the actual key remains secret from third parties. With QKD, it's also possible to detect any attempt by a third party to eavesdrop and discover the key, which would change it in a noticeable way (because eavesdropping would be equivalent to "measuring" the key and, according to the laws of quantum mechanics, you can't measure something like this without altering it in some way).


Screenshot of the Steg-O-Matic steganography iPhone app

Photo: Steganography is growing in popularity, partly because of easy-to-use software. Here's one example: the very cool Steg-O-Matic app for smartphones, which hides messages in images. Search for "steganography" on your favorite app store and you'll find lots more programs like this.

The trouble with encryption is that it draws attention to itself. If you send an encrypted email with PGP, it's not just a string of random-looking bytes carrying innocent data: it's clearly labeled BEGIN PGP SIGNED MESSAGE, so it's pretty much saying "I'm an exciting secret! Look at me!" This poses a real problem for people who want to use encryption to send things securely: the more attention you draw to something secret, the more likely it is that people will look at it and try to decrypt it. That's why there's growing interest in steganography, which is a totally different way of concealing information.

What is steganography?

Steganography is all about hiding messages so you don't even know they're there. When you mark your belongings with anti-theft ink that shows up in ultraviolet light, that's an example of steganography. Writing a message in invisible ink is another example. Suppose you overheard this conversation on a bus:

Annie: Doing anything special this weekend?

Bob: Going out, love driving!

Annie: Oh yeah? Anywhere in particular?

Bob: Zoos in Nebraska, Carolina...

Annie: Cool. I love animals too. What's the best thing you've ever seen?

Bob: Turtles in Nevada!

Annie: Turtles, amazing! Where else can you see them?

Bob: Not in Carolina. Kentucky.... even Louisiana.

Innocent enough, perhaps? But if you're Annie, and Bob has previously told you he's going to be sending coded information to you using the initial letters of each word, you'll pick up an entirely different message—gold, zinc, tin, nickel—which might be a list of secret metallic ingredients. That's steganography too, albeit of a very basic—and easy-to-detect—kind.

The steganography people use today is much more sophisticated than this and relies on the way that we mostly now communicate by digital means. When we email a photo to someone, we send a digitally coded picture down a fiber-optic line; when we download music from the Net, our computers suck in digitally encoded MP3 files; when we voice chat to someone using Skype (a type of VoIP), we're swapping audio information coded digitally. It's relatively simple to conceal information in digital pictures, MP3 files, and voice chats in such a way that no-one even knows it's there. You can even use steganography to hide information in the ordinary chit-chat of computer network traffic (packets of Internet data). And, of course, you can use steganography to conceal encrypted information, which makes it doubly difficult to find and decipher.

How does steganography work?

If you want to hide information in a picture, you can do it by subtly adjusting the color or brightness of each successive pixel (the squares that make up a digital image). That's barely noticeable to human eyes, but very easy for computers to detect.

Suppose the brightness value of a pixel is a number between 0 (black) and 255 (white). If you want to code an A, you could add 1 to the brightness of a pixel (since A is the first letter of the alphabet); if you want to code E, you would add 5; and so on. In that way, with very subtle adjustments to the brightness values, you could hide a whole string of text in an image: for example, if you changed the brightness of three successive pixels by 1, 3, and 5, you could invisibly send the code word "ACE." You can also hide one image inside another. If you're concealing information in music files, you take advantage of the way the MP3 algorithm (mathematical process) converts and compresses analog audio into digital form. In this case, your secret information is not only hidden but encrypted as well, so it's very hard to detect and decrypt.

How steganography can hide information in an image by changing the brightness values of pixels.How steganography can hide information in an image by changing the color values of pixels.

Artwork: How to hide the word "ACE" by changing the brightness or color values of pixels. Image 1) Suppose I have an extremely simple picture made of just three pixels (top), which happen to be various shades of gray. In things like web pages, colors are represented by three pairs of two hexadecimal (base-16) codes, each made from the numbers 0–9 and the letters A–F. The first pair represents the red content of the pixel, the second pair the blue content, and the third pair the green content. In gray shades, the red, blue, and green values are equal. If I add 1 to the first pixel, 3 to the second pixel, and 5 to the third pixel, I get three new pixels that look virtually identical to a human eye (bottom). But if I compared the two images, or used a computer to subtract the color values, I could easily figure out that the difference between them is 1—3—5, representing the word ACE with a simple substitution code (A=1, B=2, C=3, and so on). It's a trivial example, but it illustrates the idea very clearly: I can hide information by changing the colors in an image so slightly that no-one would notice.

Image 2) I can do the same thing in a slightly more complex way by changing the red, green, and blue part of each pixel separately. If I subtract 1 from the red value of the red pixel (FF−1 = FE), 3 from the green value of the green pixel (A9−3 = A6), and 5 from the blue value of the blue pixel (FF−5 = FA), I get three new pixels that, again, look virtually identical to the human eye, but still hide my secret message (ACE). This is slightly harder to detect than my simple brightness change because I'm hiding the code in a different "place" (a different part of the color value) each time. If you'd spotted and cracked the steganography trick I used in the black and white example, you wouldn't immediately be able to figure out what I'd hidden in the color example: I'm doing something slightly different this time!

Who uses it?

Search around online and you'll find all kinds of rumors about terrorists using steganography to send secret messages to supporters through social media. It's impossible to prove or disprove those sorts of things, but it makes for a good story in the feverish atmosphere that terrorism creates. Security experts are much more skeptical, but there's no doubt that steganography could be used in all kinds of nefarious ways. Steganography tools are now widely available (just search the app store from your mobile device and you'll find plenty), so it's anyone's guess how many people might be using the technology.

Does it have legitimate uses?

Steganography sounds very devious and you might think only shady spies, criminals, and terrorists would be interested in using it. In fact, it has some quite legitimate applications. Political dissidents and journalists can use it to send messages without putting themselves or their contacts at risk. Photographers who want to protect their pictures from copyright theft can embed invisible steganographic "watermarks." MP3 files, DVD movies, and ebooks are also sometimes protected this way to prevent piracy. And steganography is sometimes used to protect documents from industrial espionage. If confidential documents are given to a few people in a company, but each one is secretly marked with a unique steganographic "signature," any leaks can easily be traced back to the person responsible.

Can you crack it?

Given enough time and computing power, it's theoretically possible to crack any kind of encryption. But what about steganography? The first problem is detecting that a secret message is even present. If we're talking about messages concealed in Internet traffic, that's an incredibly tall order, because the number of messages using steganography represents an absolutely minuscule fraction of all the digital traffic zapping back and forth around the world. Experts say that spotting steganography isn't like looking for a needle in a haystack but for a slightly off-color piece of straw; in reality, given the huge amount of Internet traffic, it's more like detecting one or two shady bits of straw in the world's entire hay harvest.

But just as cryptography (code making) spawned cryptanalysis (code breaking), so steganography (information hiding) has led to steganalysis (detecting hidden information). The original method boiled down to a simple visual inspection (where information has been concealed in a picture, can you spot subtle changes in brightness or color?), but now steganography has gone digital, we have to rely on brute-force statistical analysis instead (such as trying to find a pattern hidden in digital images or unusual information in MP3 files and Internet traffic). From MP3stego (which hides things in music files) to SkyDe (a steganographic add-on for Skype), the web abounds with tools for concealing information; but there's a growing battery of steganalysis tools too, such as Stegdetect (for finding information hidden in images) and StegoHunt™ (from Wetstone Technologies).

A brief history of steganography

  • Tweet
Sponsored links

Find out more

On this website

On other sites






Please do NOT copy our articles onto blogs and other websites

Text copyright © Chris Woodford 2008, 2017. All rights reserved. Full copyright notice and terms of use.

Follow us

Rate this page

Please rate or give feedback on this page and I will make a donation to WaterAid.

Save or share this page

Press CTRL + D to bookmark this page for later or tell your friends about it with:

Cite this page

Woodford, Chris. (2008/2017) Encryption and steganography. Retrieved from [Accessed (Insert date here)]

More to explore on our website...

Back to top