Features

• Protect your invisible secret using passwords and HMAC integrity

• Cryptographically secure by encrypting the invisible secret using AES-256-CTR.

• Uses 6 Invisible characters in unicode characters that works everywhere in the web.

  Including the most important ones Tweets, Gmail, Whatsapp, Telegram, Instagram, Facebook etc.

• Maximum Compression to reduce the payload (LZ, Huffman).

• Completely invisible, uses Zero Width Characters instead of white spaces or tabs.

• Super fast! Hides the Wikipedia page-source for steganography (800 lines and 205362 characters) within a covertext of 3 words in under one second.

• Hiding files in strings can be achieved by uploading the file to cloud and stegcloaking the link in the string

• Written in pure functional style.

• Usage - Available as an API module, a CLI and also a Web Interface (optimized with web workers).

Installing

Using npm,

$ npm install -g stegcloak

Using npm (to use it locally in your program),

$ npm install stegcloak

How it works

CLI Usage

Hide

$ stegcloak hide

Options:

  hide [options] [secret] [cover]

  -fc, --fcover <file>      Extract cover text from file
  -fs, --fsecret <file>     Extract secret text from file
  -n, --nocrypt             If you don't need encryption (default: false)
  -i, --integrity           If additional security of preventing tampering is needed (default: false)
  -o, --output <output>     Stream the results to an output file
  -c, --config <file>       Config file
  -h, --help                display help for command

Reveal

$ stegcloak reveal       

Options:

  reveal [message]

  -f, --file <file>       Extract message from file
  -cp, --clip             Copy message directly from clipboard
  -o, --output <output>   Stream the secret to an output file
  -c, --config <file>     Config file
  -h, --help              display help for command

Additional support

• STEGCLOAK_PASSWORD environment variable if set will be used by default as password

• Config file support to configure Stegcloak CLI and to avoid prompts. Read Config docs here

API Usage

const StegCloak = require('stegcloak');

const stegcloak = new StegCloak(true, false);  // Initializes with encryption true and hmac false for hiding

// These arguments are used only during hide

// Can be changed later by switching boolean flags for stegcloak.encrypt and stegcloak.integrity

What's HMAC and do I need it?

Hide

stegcloak.hide(secret,password,cover) -> string

const magic = stegcloak.hide("Voldemort is back", "mischief managed", "The WiFi's not working here!");

// Uses stegcloak.encrypt and stegcloak.integrity booleans for obfuscation

console.log(magic);  // The WiFi's not working here!

Reveal

stegcloak.reveal(data, password) -> string

const secret = stegcloak.reveal(magic, "mischief managed");

// Automatically detects if encryption or integrity checks were done during hide and acts accordingly

console.log(secret); // Voldemort is back

Important

Resources

The following papers were referred to for insight and understanding of using Zero Width Characters in steganography.

• Milad Taleby Ahvanooey, Qianmu Li , Jun Hou, Ahmed Raza Rajput and Chen Yini

Modern Text Hiding, Text Steganalysis, and Applications: A Comparative Analysis

• Taleby Ahvanooey, Milad & Li, Qianmu & Hou, Jun & Dana Mazraeh, Hassan & Zhang, Jing.

AITSteg: An Innovative Text Steganography Technique for Hidden Transmission of Text Message via Social Media.
IEEE Access

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

License

MIT - Copyright (c) 2020 Jyothishmathi CV, Kandavel A, Mohanasundar M

Acknowledgements

The StegCloak logo was designed by Smashicons.