
I need advice as to whether it is worth the extra "security" and processing of hiding an AES-encrypted text string in a PNG image, as opposed to saving an AES-encrypted text string in a read-only text file. Both the PNG image and the text file would serve as publicly available AES placeholders that would be decoded via password in a web application. I gather that any hex editor or similar software could access the AES string anyhow, so would there be any practical benefit security-wise in hiding the AES string in a PNG?

otus
DaNCh

2 Answers


"Hiding" content in an image (or in some other medium; it is a general technique called steganography) can be done either in a very obvious way (a dedicated data block, called an ancillary chunk, which does not form part of the image), or it can be more effectively hidden in the low-order bits of the image, thus very subtly degrading the picture.

Both methods can be discovered by a dedicated analyst; there are even automated tools which can flag images if some telltale statistical anomalies are detected.

This method doesn't add any extra security for the secret message - which is already encrypted anyway. The only thing it provides is a very weak protection of the fact that a secret message existed at all.
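The two hiding techniques this answer describes, and the two checks an analyst would run against them, as an added example that is not part of the original answer. It builds a small RGB PNG in pure Python (standard library only), stores a stand-in "ciphertext" once in a private ancillary chunk and once in the least significant bits of the pixel data, then lists the ancillary payload directly and applies the pairs-of-values chi-square statistic to the pixels. The chunk name `stEg`, the gradient cover image and the pseudo-random "ciphertext" bytes are all constructed for the demo.

```python
"""Added example (not from the original post): ancillary-chunk and LSB hiding in a
PNG, plus the checks that find them. Chunk name, cover image and payload are made up."""
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STEGO_CHUNK = b"stEg"  # hypothetical chunk: lowercase 1st letter = ancillary, 2nd = private


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, as the PNG format requires."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def cover_pixels(width: int = 32, height: int = 32) -> bytes:
    """Constructed 8-bit RGB gradient with every sample even: an idealised smooth cover."""
    return bytes(((x * 7 + y * 13 + c * 31) % 256) & 0xFE
                 for y in range(height) for x in range(width) for c in range(3))


def build_png(width: int, height: int, pixels: bytes, extra=()) -> bytes:
    stride = width * 3
    rows = b"".join(b"\x00" + pixels[i:i + stride] for i in range(0, len(pixels), stride))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    chunks = [make_chunk(b"IHDR", ihdr)] + [make_chunk(t, d) for t, d in extra]
    chunks += [make_chunk(b"IDAT", zlib.compress(rows)), make_chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


def iter_chunks(png: bytes):
    """Walk the chunk list, verifying each CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length


def suspicious_chunks(png: bytes):
    """Check 1: ancillary chunks (bit 5 of the first type byte set) that carry data."""
    return [(t, len(d)) for t, d in iter_chunks(png) if t[0] & 0x20 and d]


def png_pixels(png: bytes, width: int) -> bytes:
    """Decompress IDAT and drop the per-scanline filter byte (we only emit filter 0)."""
    raw = zlib.decompress(b"".join(d for t, d in iter_chunks(png) if t == b"IDAT"))
    stride = width * 3 + 1
    return b"".join(raw[i + 1:i + stride] for i in range(0, len(raw), stride))


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels: bytes, nbytes: int) -> bytes:
    return bytes(int("".join(str(p & 1) for p in pixels[i * 8:i * 8 + 8]), 2)
                 for i in range(nbytes))


def lsb_chi_square(pixels: bytes) -> float:
    """Check 2: pairs-of-values chi-square. Embedding random-looking bits in the LSBs
    equalises the counts of values 2k and 2k+1, so the statistic collapses."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi2 = 0.0
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b:
            chi2 += (a - b) ** 2 / (a + b)
    return chi2


def fake_ciphertext(nbytes: int) -> bytes:
    """Constructed stand-in for AES output: deterministic but random-looking bytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(b"demo-seed-%d" % i).digest()
        i += 1
    return out[:nbytes]


def demo() -> dict:
    w = h = 32
    cover = cover_pixels(w, h)
    secret = fake_ciphertext(len(cover) // 8)          # fill every LSB of the cover
    obvious = build_png(w, h, cover, extra=[(STEGO_CHUNK, secret)])
    subtle = build_png(w, h, lsb_embed(cover, secret))
    stego_pixels = png_pixels(subtle, w)
    return {
        "chunk_findings": suspicious_chunks(obvious),   # the payload is listed outright
        "chunk_findings_lsb": suspicious_chunks(subtle),  # nothing: it is in the pixels
        "chi2_cover": lsb_chi_square(cover),
        "chi2_stego": lsb_chi_square(stego_pixels),       # far lower than the cover
        "recovered": lsb_extract(stego_pixels, len(secret)) == secret,
    }
```

The cover here is deliberately "too clean" (every sample even) so the statistic is easy to read; on a real photograph the cover's own LSB noise narrows the gap, which is exactly why practical detectors combine several statistics rather than relying on one. Either way the ciphertext itself is unchanged by the embedding, so neither check gains anything against the AES layer.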


This is called steganography and while the example you give is not significantly better than just having the AES in a "text file" (because it would not look like an actual PNG file), there are algorithms for hiding information in a "cover" file.

However, if you do not mean to hide the fact that you have encrypted something, using AES alone is normally sufficient. There are no known practical attacks on properly implemented AES encryption, so as far as we know your message will remain as secure as your key.

A potential issue is the password. Human chosen passwords are not usually very secure and even if you use proper password hashing, very weak passwords remain weak. If you had good steganography in addition, it might resist cryptanalysis better, but secure steganography is also dependent on strong keys.

otus
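The point this answer makes about the password being the weak link, as an added example that is not part of the original answer. It derives the AES key from a password with PBKDF2 (standard-library `hashlib.pbkdf2_hmac`), builds the kind of offline verifier an attacker gets for free from a public blob, and runs a dictionary attack against it: a weak password falls regardless of the hashing, a random one does not. The wordlist, the check constant `b"key-check"`, the fixed salt and the low iteration count are constructed for the demo; the HMAC verifier stands in for "does this key decrypt the AES ciphertext to something sensible", since the standard library has no AES.

```python
"""Added example (not from the original post): password-derived AES keys and the
offline dictionary attack they invite. Wordlist, salt and iteration count are made up."""
import hashlib
import hmac
import secrets

ITERATIONS = 2_000   # deliberately low so the demo runs fast; use far more in production
WORDLIST = ["password", "letmein", "Summer2019", "hunter2", "qwerty123"]  # constructed


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Proper password hashing: PBKDF2-HMAC-SHA256 stretched to a 256-bit AES key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def key_check(key: bytes) -> bytes:
    """Stand-in for trial decryption: anything derivable from the public blob works."""
    return hmac.new(key, b"key-check", "sha256").digest()


def dictionary_attack(salt: bytes, check: bytes, wordlist, iterations: int = ITERATIONS):
    """Offline guessing: stretching only multiplies the cost per guess, not the guess count."""
    for guess in wordlist:
        if hmac.compare_digest(key_check(derive_key(guess, salt, iterations)), check):
            return guess
    return None


def demo():
    salt = b"\x00" * 16  # fixed for reproducibility; use os.urandom(16) in practice
    weak_key = derive_key("hunter2", salt)
    strong_key = derive_key(secrets.token_urlsafe(24), salt)  # ~192 bits of entropy
    return (dictionary_attack(salt, key_check(weak_key), WORDLIST),
            dictionary_attack(salt, key_check(strong_key), WORDLIST))
```

Raising the iteration count makes each guess slower but does nothing to the size of the guess space, so with a password from a common list the attacker still wins; the fix is entropy in the password, not extra layers around the ciphertext.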