{% extends "base.html" %} {% block title %}About - Stegasoo{% endblock %} {% block content %}
About Stegasoo

Stegasoo is a secure steganography tool that hides encrypted messages and files inside ordinary images using multi-factor authentication.

Key Features
  • Text & File Embedding
    Hide messages or any file type (PDF, ZIP, documents)
  • Multi-Factor Security
    Combines photo + phrase + PIN/RSA key
  • AES-256-GCM Encryption
    Military-grade authenticated encryption
  • Daily Rotating Phrases
    Different passphrase each day of the week
  • Random Pixel Embedding
    Defeats statistical steganalysis
  • Format Preservation
    Maintains PNG/BMP lossless formats
  • Large Capacity
    Up to {{ max_payload_kb }} KB payload, 24MP images
  • Zero Server Storage
    Nothing saved, files auto-expire and are scrubbed from disk.
How Security Works

Stegasoo uses hybrid multi-factor authentication to derive encryption keys:

Reference Photo
Something you have
~80-256 bits
Daily Phrase
Something you know (rotates)
~33 bits (3 words)
Static PIN
Something you know (fixed)
~20 bits (6 digits)
RSA Key
Something you have (optional)
~128 bits (2048-bit)
Combined entropy: 130-400+ bits depending on configuration. For reference, 128 bits is considered computationally infeasible to brute force.
Key Derivation

{% if has_argon2 %} Argon2id Available Using Argon2id with 256MB memory cost — the winner of the Password Hashing Competition and current best practice for key derivation. {% else %} Argon2 Not Available Falling back to PBKDF2-SHA512 with 600,000 iterations. Install argon2-cffi for stronger security. {% endif %}

Steganography Technique

Uses LSB (Least Significant Bit) embedding with pseudo-random pixel selection. The pixel locations are determined by a key derived from your credentials, making the hidden data's location unpredictable without the correct inputs.

File Embedding

New in v2.1 Stegasoo now supports embedding any file type, not just text messages.

Supported
  • PDF documents
  • ZIP/RAR archives
  • Office documents (DOCX, XLSX, PPTX)
  • Source code files
  • Any binary file up to {{ max_payload_kb }} KB
How It Works
  • Original filename is preserved
  • MIME type is stored for proper handling
  • File is encrypted identically to text
  • Decoding auto-detects text vs. file
Tip: For larger files, compress them first (ZIP) to maximize capacity. A 16MP carrier image can hold approximately 6MB of raw data, but we limit payloads to {{ max_payload_kb }} KB for reasonable processing times.
REST API

FastAPI Stegasoo includes a complete REST API built with FastAPI, featuring automatic documentation, type validation, and comprehensive error handling.

API Endpoints
  • POST /generate – Generate credentials
  • POST /encode – Encode text message (JSON)
  • POST /encode/file – Encode binary file (JSON)
  • POST /encode/multipart – Encode with file uploads
  • POST /decode – Decode message (JSON)
  • POST /decode/multipart – Decode with file uploads
  • POST /extract-key-from-qr – Extract RSA key from QR
  • POST /image/info – Get image capacity
  • GET / – API status and capabilities
Note: The /encode/multipart endpoint returns the PNG image directly (with headers indicating metadata), while /decode/multipart returns JSON. Use --output flag to save responses to files.
JSON API Examples
// Generate credentials
curl -X POST "http://localhost:8000/generate" \
  -H "Content-Type: application/json" \
  -d '{"use_pin": true, "use_rsa": false, "pin_length": 6, "words_per_phrase": 3}'

// Encode text message (images must be base64 encoded first)
// First encode images: base64 -w0 photo.jpg > photo.b64
curl -X POST "http://localhost:8000/encode" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "secret message",
    "reference_photo_base64": "'"$(cat photo.b64)"'",
    "carrier_image_base64": "'"$(cat carrier.b64)"'",
    "day_phrase": "apple forest thunder",
    "pin": "123456"
  }'

// Encode file (base64) - encode file first: base64 -w0 document.pdf > doc.b64
curl -X POST "http://localhost:8000/encode/file" \
  -H "Content-Type: application/json" \
  -d '{
    "file_data_base64": "'"$(cat doc.b64)"'",
    "filename": "document.pdf",
    "reference_photo_base64": "'"$(cat photo.b64)"'",
    "carrier_image_base64": "'"$(cat carrier.b64)"'",
    "day_phrase": "apple forest thunder",
    "pin": "123456"
  }'
Multipart API Examples
# Encode text with file uploads
curl -X POST "http://localhost:8000/encode/multipart" \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@photo.jpg" \
  -F "carrier=@carrier.png" \
  -F "message=secret" \
  --output stego.png

# Encode file (no message field when using payload_file)
curl -X POST "http://localhost:8000/encode/multipart" \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@photo.jpg" \
  -F "carrier=@carrier.png" \
  -F "payload_file=@document.pdf" \
  --output stego.png

# Encode with RSA key from QR code (optional)
curl -X POST "http://localhost:8000/encode/multipart" \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@photo.jpg" \
  -F "carrier=@carrier.png" \
  -F "message=secret" \
  -F "rsa_key_qr=@keyqr.png" \
  --output stego.png

# Decode with file uploads (returns JSON)
curl -X POST "http://localhost:8000/decode/multipart" \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@photo.jpg" \
  -F "stego_image=@stego.png" \
  --output result.json
QR Code Support

The API can extract RSA keys from QR code images. QR code reading requires pyzbar and libzbar system library. 

# Extract key from QR code (returns JSON)
curl -X POST "http://localhost:8000/extract-key-from-qr" \
  -F "qr_image=@keyqr.png"
Interactive Documentation: When running the API server, visit /docs for Swagger UI or /redoc for ReDoc documentation. All endpoints include detailed schemas and example requests.
Command Line Interface

Stegasoo also includes a full-featured CLI. Install with pip install stegasoo[cli] or see the CLI documentation for complete usage. 

# CLI Examples
stegasoo generate --pin --words 3
stegasoo encode -r photo.jpg -c meme.png -p "phrase" --pin 123456 -m "secret"
stegasoo decode -r photo.jpg -s stego.png -p "phrase" --pin 123456
stegasoo info image.png

{% if has_argon2 %}Argon2 Available{% else %}PBKDF2 Fallback{% endif %} {% if has_qrcode_read %}QR Reading Available{% else %}QR Reading Not Available{% endif %}

Usage Guide

  1. Both parties agree on a reference photo (shared secretly, never transmitted)
  2. Go to Generate and create credentials
  3. Memorize the 7 daily phrases and PIN
  4. If using RSA, download and securely store the key file
  5. Share credentials with your contact through a secure channel

  1. Go to Encode
  2. Upload your reference photo
  3. Upload a carrier image (the image to hide data in)
  4. Choose Text or File mode
  5. Enter your message or select a file to embed
  6. Enter today's phrase and your PIN/key
  7. Download the resulting stego image
  8. Send the stego image through any channel (email, social media, etc.)

  1. Go to Decode
  2. Upload your reference photo (same one used for encoding)
  3. Upload the stego image you received
  4. Enter the phrase for the day it was encoded (check the filename for date)
  5. Enter your PIN and/or RSA key
  6. View the decoded message or download the extracted file
The stego image filename contains the encoding date (e.g., abc123_20251228.png). Use this to determine which day's phrase to use!
Limits & Specifications
Max text message 2 million characters (~2 MB)
Max file payload {{ max_payload_kb }} KB
Max carrier image 24 megapixels (~6000×4000)
Max upload size 30 MB
Temp file expiry 5 minutes
PIN length 6-9 digits
RSA key sizes 2048, 3072, 4096 bits
Phrase length 3-12 words (BIP-39 wordlist)
API documentation /docs (Swagger) and /redoc
QR code support RSA key encoding/extraction (up to 3072 bit keys)

Stegasoo v{{ version }} • Open Source • Built with Python, FastAPI, and cryptography

{% endblock %}