A secure, production-ready web application for image steganography with AES encryption
Kabutr is a sophisticated steganography application that enables users to securely embed encrypted text messages within digital images. By combining advanced LSB (Least Significant Bit) steganography techniques with industry-standard AES encryption, Kabutr ensures that hidden messages remain both invisible and protected against unauthorized access.
Live Demo: kabutr.onrender.com
- Features
- Technology Stack
- Architecture
- Installation
- Usage
- How It Works
- Security Considerations
- API Endpoints
- Development
- Contributing
- License
- Author
- 🔒 Advanced Encryption: Messages are encrypted using AES-256 (Fernet) with PBKDF2 key derivation (100,000 iterations) before embedding
- 🖼️ Invisible Embedding: LSB steganography ensures zero visible quality degradation in the host image
- 🔐 Password Protection: Strong cryptographic key derivation from user passwords with random salt generation
- ⚡ High Performance: Optimized NumPy and OpenCV operations for millisecond-level encoding/decoding
- 🌐 Modern Web Interface: Responsive, AJAX-powered UI with Bootstrap 5 and custom animations
- 📱 Cross-Platform: Fully responsive design supporting desktop, tablet, and mobile devices
- ✅ Data Integrity: Magic header validation and comprehensive error handling for robust operation
- Format Support: PNG and JPG input/output with automatic format conversion
- Capacity Management: Automatic validation of image capacity before encoding
- Error Handling: Comprehensive error messages for invalid inputs, corrupted data, and incorrect passwords
- Client-Side Processing: Seamless user experience with no page refreshes
- Framework: Flask 2.0+
- Language: Python 3.9+
- OpenCV (
cv2): Advanced image manipulation and format conversion - NumPy: High-performance array operations for bit manipulation
- Pillow (PIL): Image I/O and format handling
- cryptography: Fernet (AES-128 in CBC mode) for symmetric encryption
- PBKDF2HMAC: Password-based key derivation with SHA-256 hashing
- HTML5/CSS3: Modern semantic markup and styling
- JavaScript: AJAX for asynchronous operations
- Bootstrap 5: Responsive UI framework
- Animate.css: Smooth animations and transitions
User Input (Image + Message + Password)
↓
Message Encryption (AES-256 Fernet)
↓
Payload Construction [Length | Magic Header | Salt | Encrypted Data]
↓
LSB Embedding (Least Significant Bit Steganography)
↓
Stego Image Output (PNG)
Stego Image Input
↓
LSB Extraction
↓
Magic Header Validation
↓
Payload Extraction [Salt | Encrypted Data]
↓
Message Decryption (AES-256 Fernet)
↓
Decrypted Message Output
- Python 3.9 or higher
- pip (Python package manager)
- Git (for cloning the repository)
-
Clone the repository
git clone https://github.com/pradeepx-dev/Kabutr.git cd Kabutr -
Create a virtual environment (recommended)
# Windows python -m venv venv venv\Scripts\activate # macOS/Linux python3 -m venv venv source venv/bin/activate
-
Install dependencies
pip install -r requirements.txt
-
Run the application
python app.py
-
Access the application Open your browser and navigate to
http://127.0.0.1:5000(or the port specified inapp.py)
For production deployment (e.g., on Render, Heroku, or similar platforms):
- Ensure
Procfileis configured correctly - Set appropriate environment variables
- Use a production WSGI server (e.g., Gunicorn)
- Configure proper security headers and HTTPS
- Navigate to the application homepage
- Click on the "Encrypt & Hide Message" tab
- Upload a PNG or JPG image file
- Enter the secret message you wish to hide
- Set a strong password (used for encryption)
- Click "Encrypt & Hide Message"
- Download the generated stego image
Note: The stego image will appear visually identical to the original image.
- Navigate to the application homepage
- Click on the "Decrypt & Reveal Message" tab
- Upload the stego image that contains the hidden message
- Enter the password used during encoding
- Click "Decrypt & Reveal Message"
- The decrypted message will be displayed
Important: You must use the exact same password that was used during encoding. Incorrect passwords will result in an error message.
-
Key Derivation: The user's password is processed through PBKDF2HMAC with:
- Algorithm: SHA-256
- Iterations: 100,000
- Salt: 16-byte random salt (unique per message)
- Key Length: 32 bytes (256 bits)
-
Message Encryption: The plaintext message is encrypted using Fernet (AES-128 in CBC mode) with the derived key.
-
Payload Construction: The encrypted data is packaged with:
- Length Header (4 bytes): Total payload size
- Magic Header (4 bytes):
STG1identifier for validation - Salt (16 bytes): Random salt used for key derivation
- Encrypted Data: The Fernet-encrypted message
-
Image Preparation: The input image is converted to RGB format (3 channels) with uint8 data type.
-
Capacity Check: The application verifies that the image has sufficient pixels to store the payload:
- Required bits = (4 + 4 + 16 + encrypted_data_length) × 8
- Available bits = image_height × image_width × 3
-
LSB Embedding:
- The payload is converted to a binary bit stream
- Each bit is embedded into the least significant bit of image pixel values
- The image is flattened to a 1D array for efficient processing
- Bits are embedded sequentially across all color channels
-
Image Reconstruction: The modified pixel array is reshaped back to the original image dimensions.
-
LSB Extraction: The least significant bits are extracted from the stego image pixels.
-
Length Validation: The first 32 bits (4 bytes) are read to determine the payload length.
-
Magic Header Verification: The next 32 bits are checked for the
STG1magic header to ensure valid steganography data. -
Salt Extraction: The 16-byte salt is extracted from the payload.
-
Key Derivation: The same PBKDF2HMAC process is used with the extracted salt to derive the decryption key.
-
Message Decryption: The encrypted data is decrypted using Fernet and the derived key.
- Strong Encryption: AES-256 encryption provides industry-standard security
- Key Derivation: PBKDF2 with 100,000 iterations makes brute-force attacks computationally expensive
- Random Salt: Each message uses a unique salt, preventing rainbow table attacks
- Secure Random Generation: Uses
os.urandom()for cryptographically secure random number generation
- Invisibility: LSB modification is imperceptible to human eyes
- Format Preservation: Output images maintain visual fidelity
- Magic Header: Prevents false positives and validates data integrity
- Password Strength: Users should use strong, unique passwords
- Image Selection: Larger images provide more capacity and better security through obscurity
- Secure Transmission: Always use HTTPS in production environments
- Data Disposal: Securely delete original images and messages after use if handling sensitive data
- Capacity Constraints: Message size is limited by image dimensions
- Format Requirements: Input images must be in PNG or JPG format
- Password Dependency: Lost passwords result in permanent data loss (by design)
- Not Quantum-Resistant: Current encryption algorithms are not quantum-resistant
Kabutr/
├── app.py # Flask application and route handlers
├── helper_functions.py # Core steganography and encryption logic
├── requirements.txt # Python dependencies
├── Procfile # Deployment configuration
├── LICENSE # MIT License
├── README.md # Project documentation
├── templates/
│ └── index.html # Frontend template
└── static/
├── css/ # Stylesheet directory
├── style.css # Custom styles
└── favicon.png # Site favicon
python app.pyThe application will run with debug mode enabled on http://127.0.0.1:5000.
- Follow PEP 8 style guidelines for Python code
- Use meaningful variable and function names
- Include docstrings for all functions
- Handle exceptions appropriately
- Validate all user inputs
Contributions are welcome and encouraged! To contribute:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes with appropriate tests and documentation
- Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Ensure all code follows the existing style and conventions
- Add comments and docstrings for new functions
- Test your changes thoroughly
- Update documentation as needed
- Keep commits focused and atomic
This project is licensed under the MIT License - see the LICENSE file for details.
Copyright (c) 2025
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the conditions specified in the LICENSE file.
Pradeep Kumar Maurya
- GitHub: @pradeepx-dev
- Project Link: https://github.com/pradeepx-dev/Kabutr
Anurag Kumar
- GitHub: @Account1-Anurag
- Project Link: https://github.com/Account1-Anurag/Kabutr
Priya Yadav
- GitHub: @Account1-Priya
- Project Link: https://github.com/Account1-Priya/Kabutr
- Built with Flask
- Image processing powered by OpenCV and NumPy
- Cryptography provided by cryptography
- UI framework: Bootstrap
Note: This tool is intended for legitimate purposes only. Users are responsible for complying with all applicable laws and regulations regarding the use of steganography and encryption technologies.