• How to Hide Secrets in Strings — Modern Text hiding in JavaScript
  • Mohan Sundar
  • The Nuggets translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: niayyy
  • Proofreader: FateZeros, Zenblo

How to Hide secrets in strings — modern text hiding in JavaScript

The safest place is the most dangerous place.

If you are a spy in a hostile country, it is a crime to send information only to the US. If the message is encrypted, that can lead to a bigger crime, which is made worse when you refuse to decrypt the message for the authorities. Steganography, literally “hidden words,” refers to the presence of hidden messages.

Chet Hosmer, founder of Python Forensics, said:

Steganography masks the presence of information. Unlike its cousin cryptography, which is easy to detect and hard to crack, steganography offers the most interesting feature of “hiding in plain sight”. (Steganography hides the mere existence of the communication. Unlike its cousin cryptography, which is easy to detect but difficult to break, Steganography provides the most interesting element of all ‘To Hide in Plain sight’.)

Did you know there was a hidden secret in the steganography reference above? If I hadn’t mentioned it, would you have known it was there? Well, read the rest of this article to see what it means.

Invisible characters in Unicode

A zero-width character is a non-print character and is part of the Unicode table. As the name implies, they don’t even show their presence. They are used to wrap long sentences, concatenate emoticons, join two characters together, prevent them from joining together, and more.

These characters are increasingly found hidden in text, and their total invisibility is a remarkable feature. Because they’re so integral to multiple languages and emojis, there’s no way to block them. And, it turns out, ZWC isn’t the only invisible character. For example, the invisible delimiter — U+2063.

But there is a slight problem with this form. Gmail blocks U+200B (zero width space). To say nothing of other software, Twitter blacklists unnecessary invisible characters, and none of the characters in the list work except U+200C, U+200D, and U+ 180E. So now we have three characters!

Oh wait, U+180e is not invisible and presents exceptions on iOS devices. Now we only have 2 characters.

So, we opened the Unicode table and started testing for cross-platform/Web visibility for every possible invisible character. Fortunately, we were able to add four more characters to the table for a total of six invisible characters that we can now use to hide secrets in strings. All right, all right! Prepare for battle.. !

What is StegCloak and how does it work?

StegCloak is a pure JavaScript steganography module that is used to hide secrets in plain text after two layers of maximum compression and one layer of encryption. So not only does it hide secrets, but it also protects them with passwords you choose and a host of other features. Check out our demo here.

hidden

According to

A brief explanation of how StegCloak hides your secrets and compresses them

Step 1: Compress and encrypt the secret.

Security policies never play a role in these system intrusions, and we hope to use StegCloak to satisfy the Kerckhoff principle, which states:

An ideal encryption system should have strong security guarantees and be able to be secure even when all the contents of the system except the key are made public.

Even if an attacker can figure out how the algorithm works, it should be impossible to crack the secret message.

Meet the principle of

To do this, we need symmetric encryption based on passwords. Given people’s habit of using simple, weak passwords, and their tendency to use the same password multiple times, we decided to derive strong keys from a given password and increase the randomness of the keys by introducing random salt. Based on the analysis of multiple ciphertexts generated using the same key, the key needs to be random to prevent attacks. Now, regular block cipher patterns in AES like ECB or CBC result in at least 16-byte blocks being filled. For example, sending “Hi” CBC mode to fill in 0 to make it 16 in length and remove it during extraction is not a good idea. Therefore, we use stream cipher mode CTR (less populated cipher) to generate ciphertext.

Step 2: Encode and compress again with the extra two characters.

As shown in the figure above, even though we have six ZWC characters, only four are used because six is not a power of two. Two additional characters (U+2063, U+2064) are used to make an additional abstract Huffman layer compression to reduce redundancy. After converting the secret to ZWC, the two most repeated ZWCS in the flow are identified, such as U+200D and U+200C. Now, every two consecutive occurrences of U+200D and U+200C are replaced by a U+2063 or U+2064. Because redundancies are often observed, many savings can be made.

Step 3: Embed the invisible stream at the beginning of the cover text.

Hi is now hidden in a six-character Hello World, so the total length of the string is

10 + 6 = 16 characters

extract

Vice versa, nothing complicated, but considering that payload length increases when we add features like encryption and invisibility, we did two layers of compression (before and after) to minimize the cost. Therefore, extraction costs very little.

You can turn off certain features at any time to reduce the payload length, and StegCloak has been designed to be flexible enough to meet user needs.

Module style

Life is easier when you can visualize functions as curves in a graph — Kyle Simpson

StegCloak follows the paradigm of programmatic function and generally contains only two functions: hide and show. These two functions build blocks of code like piles of wood. These fragments are simply pure functions or versions of the same pure function after currie transformation. StegCloak just having encrypt() is not a pure function because it generates random salt to increase password security.

flow

In my opinion, taking a functional approach increases readability by making your program look more like a flowchart.

StegCloak uses a functional programming library called RamdaJS. R.ipe takes the input function and passes the parameters to the first function, then takes its output as the input to the next function in the pipe. As you can see, these snippets can be proxied to another pipe or manipulated before being sent to the next pipe. Readability and implicit programming style is one of the biggest points of design

Uncover the mystery of quotation

* Duplicate the Chet Hosmer quote above and access Stegcloat.surge. Sh * Enter the password in Reveal — “Aparecium”

  • Paste the copied sentence into the STEGCLOAKED MESSAGE text box

  • Click Get Confidential and look!

conclusion

It was built by me and my two friends Jyothishmathi CV and Kandavel

We hope you enjoy it as much as we built it!

Search StegCloak on Github or visit stegcloat.surge.

Thank you for reading this article 🖤.

If you find any mistakes in your translation or other areas that need to be improved, you are welcome to the Nuggets Translation Program to revise and PR your translation, and you can also get the corresponding reward points. The permanent link to this article at the beginning of this article is the MarkDown link to this article on GitHub.

The Nuggets Translation Project is a community that translates quality Internet technical articles from English sharing articles on nuggets. The content covers Android, iOS, front-end, back-end, blockchain, products, design, artificial intelligence and other fields. If you want to see more high-quality translation, please continue to pay attention to the Translation plan of Digging Gold, the official Weibo, Zhihu column.