{% extends "base.html" %} {% block title %}About - Stegasoo{% endblock %} {% block content %}
About Stegasoo

Stegasoo is a secure steganography tool that hides encrypted messages and files inside ordinary images using multi-factor authentication.

Key Features
  • Text & File Embedding
    Hide messages or any file type (PDF, ZIP, documents)
  • Multi-Factor Security
    Combines photo + passphrase + PIN/RSA key
  • AES-256-GCM Encryption
    Military-grade authenticated encryption
  • Single Passphrase (v3.2.0)
    Stronger default security
  • DCT Mode (v3.0)
    Survives JPEG recompression for social media
  • Random Pixel Embedding
    Defeats statistical steganalysis
  • Large Capacity
    Up to {{ max_payload_kb }} KB payload, 24MP images
  • Zero Server Storage
    Nothing saved, files auto-expire
Embedding Modes

New in v3.0: Stegasoo now supports two embedding modes, each optimized for different use cases.

LSB Mode (Default)

LSB (Least Significant Bit) embeds data in the lowest bit of each color channel. Changing the LSB changes pixel values by at most 1, which is imperceptible to the human eye.

  • Capacity: ~375 KB per megapixel
  • Output: PNG (lossless)
  • Color: Full color preserved
  • Speed: Fast (~0.5s)

Best for:
  • Email attachments
  • Cloud storage (Dropbox, Drive)
  • Direct file transfer
Not suitable for:
  • Social media (recompresses)

DCT Mode (v3.0)

DCT (Discrete Cosine Transform) embeds data in frequency coefficients rather than raw pixels. This survives JPEG recompression because coefficients are preserved during re-encoding.

  • Capacity: ~75 KB per megapixel
  • Output: JPEG or PNG
  • Color: Color or grayscale
  • Speed: Slower (~2s)

Best for:
  • Instagram, Facebook
  • WhatsApp, Signal, Telegram
  • Twitter/X
  • Any platform that recompresses

Comparison

Aspect                 LSB Mode        DCT Mode
Capacity (1080p)       ~770 KB         ~50 KB
Survives JPEG          ❌ No           ✅ Yes
Social Media           ❌ Broken       ✅ Works
Detection Resistance   Moderate        Better
Dependencies           Pillow, NumPy   + scipy, jpegio

Auto-Detection: When decoding, Stegasoo automatically detects whether LSB or DCT mode was used. You don't need to specify the mode during decoding.

How Security Works

Stegasoo uses hybrid multi-factor authentication to derive encryption keys:

  • Reference Photo
    Something you have, ~80-256 bits
  • Passphrase (v3.2.0)
    Something you know, ~44 bits (4 words)
  • Static PIN
    Something you know (fixed), ~20 bits (6 digits)
  • RSA Key
    Something you have (optional), ~128 bits (2048-bit)

Combined entropy: 144-424+ bits depending on configuration. For reference, 128 bits is considered computationally infeasible to brute force.
Key Derivation

{% if has_argon2 %}
Argon2id Available: Using Argon2id with 256 MB memory cost — the winner of the Password Hashing Competition and current best practice for key derivation. This makes GPU/ASIC attacks infeasible.
{% else %}
Argon2 Not Available: Falling back to PBKDF2-SHA512 with 600,000 iterations. Install argon2-cffi for stronger security.
{% endif %}
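A sketch of how several factors can be folded into one 256-bit key using the PBKDF2-SHA512 fallback parameters stated above. This is an added example, not Stegasoo's own code: the framing scheme, the labels, the passphrase normalisation, hashing the raw photo bytes and the caller-supplied salt are all assumptions made for illustration.

```python
import hashlib
import struct

PBKDF2_ITERATIONS = 600_000  # fallback cost stated on this page

def _frame(label: bytes, value: bytes) -> bytes:
    """Length-prefix label and value so factor boundaries cannot be shifted."""
    return struct.pack(">H", len(label)) + label + struct.pack(">I", len(value)) + value

def derive_key(photo: bytes, passphrase: str, pin: str, salt: bytes,
               rsa_key_pem: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # Assumption: case and whitespace are normalised so retyped passphrases agree.
    words = " ".join(passphrase.lower().split()).encode()
    secret = b"".join([
        # Assumption: the photo factor is a hash of the exact file bytes, so any
        # re-encoding of the reference photo yields a different key.
        _frame(b"photo", hashlib.sha256(photo).digest()),
        _frame(b"passphrase", words),
        _frame(b"pin", pin.encode()),
        _frame(b"rsa", hashlib.sha256(rsa_key_pem).digest() if rsa_key_pem else b""),
    ])
    # 32 bytes of output: the key size AES-256-GCM expects.
    return hashlib.pbkdf2_hmac("sha512", secret, salt, iterations, dklen=32)

# Constructed sample inputs (not real credentials).
PHOTO = bytes(range(256)) * 16
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    key = derive_key(PHOTO, "apple forest thunder mountain", "123456", SALT)
    print(key.hex())
```

Without the length prefixes, a passphrase ending in `1` with PIN `23456` would feed the KDF the same bytes as the same passphrase without the `1` and PIN `123456`; framing each factor keeps the two inputs distinct.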

Steganography Techniques

LSB Mode: Uses Least Significant Bit embedding with pseudo-random pixel selection. The pixel locations are determined by a key derived from your credentials, making the hidden data's location unpredictable without the correct inputs.
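Keyed LSB embedding as described above, operating on raw channel bytes. This is an added example, not Stegasoo's code: the SHAKE-256 position selector, the fixed payload length passed to `extract` and the sample carrier are assumptions. One bit per channel byte over three channels gives 375,000 bytes per megapixel, which matches the ~375 KB figure quoted on this page.

```python
import hashlib

def capacity_bytes(width: int, height: int, channels: int = 3) -> int:
    """One payload bit per colour-channel byte."""
    return width * height * channels // 8

def _positions(key: bytes, n_slots: int, n_bits: int) -> list:
    """Key-dependent, non-repeating choice of channel-byte indices."""
    # Assumption: SHAKE-256 as the keyed stream; Stegasoo's own selector may differ.
    stream = hashlib.shake_256(b"lsb-positions" + key).digest(4 * n_bits)
    idx = list(range(n_slots))
    for i in range(n_bits):  # partial Fisher-Yates shuffle
        r = int.from_bytes(stream[4 * i:4 * i + 4], "big")
        j = i + r % (n_slots - i)  # slight modulo bias, fine for illustration
        idx[i], idx[j] = idx[j], idx[i]
    return idx[:n_bits]

def embed(channels: bytes, payload: bytes, key: bytes) -> bytes:
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(channels):
        raise ValueError("payload exceeds carrier capacity")
    out = bytearray(channels)
    for pos, bit in zip(_positions(key, len(out), len(bits)), bits):
        out[pos] = (out[pos] & 0xFE) | bit  # value moves by at most 1
    return bytes(out)

def extract(channels: bytes, n_bytes: int, key: bytes) -> bytes:
    pos = _positions(key, len(channels), n_bytes * 8)
    bits = [channels[p] & 1 for p in pos]
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
        for k in range(0, len(bits), 8)
    )

# Constructed carrier: a 64x64 RGB image flattened to channel bytes.
CARRIER = bytes((i * 37 + 11) % 256 for i in range(64 * 64 * 3))
KEY = b"constructed-demo-key"  # stands in for the credential-derived key

if __name__ == "__main__":
    stego = embed(CARRIER, b"secret", KEY)
    print(extract(stego, 6, KEY))           # recovers the payload
    print(extract(stego, 6, b"wrong-key"))  # reads unrelated LSBs
    print(capacity_bytes(1000, 1000))
```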

DCT Mode: Uses Discrete Cosine Transform embedding with Quantization Index Modulation (QIM). Data is hidden in mid-frequency coefficients of 8×8 blocks, making it resilient to JPEG recompression. {% if has_dct %} DCT Available {% else %} DCT Requires scipy {% endif %}
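QIM on one 8×8 block, showing why the hidden bits survive a re-quantisation pass: extraction stays correct as long as the total coefficient error is below half the QIM step. This is an added example, not Stegasoo's code; the step size, the coefficient slots, the uniform quantiser standing in for JPEG re-encoding and the sample block are assumptions.

```python
import math

N = 8
# Orthonormal 8-point DCT-II basis; the 2-D transform is C * block * C^T.
C = [[math.sqrt((1 if u == 0 else 2) / N) * math.cos((2 * x + 1) * u * math.pi / (2 * N))
      for x in range(N)] for u in range(N)]
CT = [list(r) for r in zip(*C)]

def _mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def dct2(block):
    return _mul(_mul(C, block), CT)

def idct2(coef):
    return _mul(_mul(CT, coef), C)

def _to_pixels(values):
    return [[min(255, max(0, round(v))) for v in row] for row in values]

def qim_embed(c: float, bit: int, delta: float) -> float:
    """Move c to the nearest multiple of delta whose index parity equals bit."""
    q = round(c / delta)
    if q % 2 != bit:
        q += 1 if c / delta >= q else -1
    return q * delta

def qim_extract(c: float, delta: float) -> int:
    return round(c / delta) % 2

SLOTS = [(1, 2), (2, 1), (2, 2), (1, 3)]  # assumed mid-frequency positions

def embed_block(pixels, bits, delta):
    coef = dct2(pixels)
    for (u, v), bit in zip(SLOTS, bits):
        coef[u][v] = qim_embed(coef[u][v], bit, delta)
    return _to_pixels(idct2(coef))

def recompress(pixels, step):
    """Stand-in for JPEG re-encoding: requantise every coefficient uniformly."""
    return _to_pixels(idct2([[round(c / step) * step for c in row] for row in dct2(pixels)]))

def extract_block(pixels, n_bits, delta):
    coef = dct2(pixels)
    return [qim_extract(coef[u][v], delta) for u, v in SLOTS[:n_bits]]

# Constructed 8x8 luminance block with mid-range values (no clipping).
BLOCK = [[110 + (3 * x + 5 * y) % 37 for x in range(N)] for y in range(N)]
```

With `delta=32` and a recompression step of 8, pixel rounding and requantisation together move each coefficient by at most 12, under the decision margin of 16, so `extract_block(recompress(embed_block(BLOCK, bits, 32), 8), 4, 32)` returns the embedded bits.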

File Embedding

Stegasoo supports embedding any file type, not just text messages.

Supported
  • PDF documents
  • ZIP/RAR archives
  • Office documents (DOCX, XLSX, PPTX)
  • Source code files
  • Any binary file up to {{ max_payload_kb }} KB
How It Works
  • Original filename is preserved
  • MIME type is stored for proper handling
  • File is encrypted identically to text
  • Decoding auto-detects text vs. file
Tip: For larger files, compress them first (ZIP) to maximize capacity. Note that DCT mode has ~10× less capacity than LSB mode.
REST API

FastAPI: Stegasoo includes a complete REST API with automatic documentation and type validation.

Endpoints
  • POST /generate – Generate credentials
  • POST /encode – Encode text (JSON)
  • POST /encode/multipart – Encode with uploads
  • POST /decode – Decode message (JSON)
  • POST /decode/multipart – Decode with uploads
  • POST /image/info – Get image capacity
  • POST /extract-key-from-qr – Extract RSA from QR
  • GET / – API status and capabilities
  • GET /docs – Swagger documentation
  • GET /redoc – ReDoc documentation
Example: DCT Encode
# Encode with DCT mode for social media
curl -X POST "http://localhost:8000/encode/multipart" \
  -F "passphrase=apple forest thunder mountain" \
  -F "pin=123456" \
  -F "embed_mode=dct" \
  -F "dct_output_format=jpeg" \
  -F "reference_photo=@photo.jpg" \
  -F "carrier=@meme.png" \
  -F "message=secret message" \
  --output stego.jpg
Command Line
# Generate credentials
stegasoo generate --pin --words 4

# Encode with LSB (default)
stegasoo encode -r photo.jpg -c meme.png -p "apple forest thunder mountain" \
  --pin 123456 -m "secret"

# Encode with DCT for social media
stegasoo encode -r photo.jpg -c meme.png -p "apple forest thunder mountain" \
  --pin 123456 -m "secret" --mode dct --dct-format jpeg

# Decode (auto-detects mode)
stegasoo decode -r photo.jpg -s stego.png -p "apple forest thunder mountain" \
  --pin 123456

{% if has_argon2 %}Argon2{% else %}PBKDF2{% endif %} {% if has_dct %}DCT Available{% else %}DCT Unavailable{% endif %} {% if has_qrcode_read %}QR Reading{% else %}No QR Reading{% endif %}

Usage Guide

  1. Both parties agree on a reference photo (shared secretly, never transmitted)
  2. Go to Generate and create credentials
  3. Memorize the passphrase and PIN
  4. If using RSA, download and securely store the key file
  5. Share credentials with your contact through a secure channel

  1. Go to Encode
  2. Choose your embedding mode:
    • LSB – for email, cloud storage, direct transfer
    • DCT – for social media (Instagram, WhatsApp, etc.)
  3. Upload your reference photo and carrier image
  4. Enter your message or select a file to embed
  5. Enter your passphrase and PIN/key
  6. Download the resulting stego image
  7. Send through any channel!

  1. Go to Decode
  2. Upload your reference photo (same one used for encoding)
  3. Upload the stego image you received
  4. Enter your passphrase
  5. Enter your PIN and/or RSA key
  6. View the decoded message or download the extracted file
Auto-detection: Stegasoo automatically detects LSB vs DCT mode.
Limits & Specifications
  • Max text message: 2 million characters
  • Max file payload: {{ max_payload_kb }} KB
  • Max carrier image: 24 megapixels (~6000×4000)
  • LSB capacity: ~375 KB/megapixel
  • DCT capacity: ~75 KB/megapixel
  • Max upload size: 30 MB
  • Temp file expiry: 5 minutes
  • PIN length: 6-9 digits
  • RSA key sizes: 2048, 3072, 4096 bits
  • Passphrase length (v3.2.0): 3-12 words (BIP-39, recommended: 4+ words)

Stegasoo v{{ version }} • Open Source • Built with Python, Flask/FastAPI, and cryptography

{% endblock %}