Steganography techniques: MD5 implementation or RC4 encryption?

Although it is difficult to decipher encrypted data, steganography itself is relatively easy to detect. Expert Michael Cobb reviews which encryption algorithm is best to use when hiding important data.

We are doing a project in steganography. Which algorithm will be best for the encryption of the text and image? MD5 or RC4? Which is more secure and why?

Before looking at the merits of MD5 implementation and RC4 encryption, let me explain steganography techniques to readers who may not have come across them before.

Although it is difficult to decipher encrypted data, the technique itself is relatively easy to detect. Encryption only tries to obscure the meaning of a message, not its actual existence.

This is why steganography, a Greek word meaning covered or hidden writing, is growing in importance. Steganography techniques hide the existence of a message as opposed to its contents. It's often used to supplement encryption, so a message is first encrypted and then hidden within another message.

Modern steganography is difficult to detect and works by replacing bits of unused data in computer files or communication channels, such as telephone lines or radio broadcasts. For example, a message can be secretly buried in the least significant bits of a digital image, called the covertext, without visibly changing the appearance of the image itself. Because steganographic data can be hidden within apparently innocuous files, it doesn't trigger network surveillance and monitoring systems. For instance, if an employee was trying to steal confidential data, he or she could conceal it using steganographic techniques, perhaps placing it in another file and sending it out in an innocent looking email.

So what encryption algorithm should you choose for the data you want to hide using steganography? You suggest either MD5 or RC4, but these two algorithms serve different purposes. MD5 (Message Digest 5) is not an encryption algorithm, but a cryptographic one-way hash function, which produces a hash of a message. It was developed at MIT in the early 1990s and is used to create digital signatures and verify the integrity of information, ensuring it hasn't been tampered with. Anyway, confidence in the security of MD5 is on the wane and Microsoft has banned its use in new products due to the increasing sophistication of cryptanalysis attacks.

More appropriate for your needs is RC4, a symmetric key stream cipher. The RC4 algorithm was designed by RSA's Ron Rivest in 1987 and most commonly protects Internet traffic using the SSL (Secure Sockets Layer) protocol. Stream ciphers can be thought of as seeded random number generators -- the seed being the key, with the random numbers being combined with the plain text to generate ciphertext.

When using stream ciphers, it's important to generate a new key for each piece of encrypted data. Otherwise an attacker can mount a successful attack by analyzing a large number of messages encrypted with the same key. If you don't follow recommended practices for key generation, an RC4-based application can be very insecure. Overall, you would be better choosing a block cipher such as AES, Twofish or Triple-DES. Remember, for whichever algorithm you choose, you still have to solve the problem of getting the encryption key safely to the intended recipient.

This was last published in July 2009

Dig Deeper on Disk and file encryption tools