explain case study in cryptography and security

When it comes to data security , the ancient art of cryptography has become a critical cornerstone of today’s digital age. From top-secret government intelligence to everyday personal messages, cryptography makes it possible to obscure our most sensitive information from unwanted onlookers. Whether shopping online or saving valuable trade secrets to disk, we can thank cryptography for any semblance of privacy we may have. 

The main principles of cryptography establish trust when conducting business online. They include the following:

• Confidentiality: Encrypted information can only be accessed by the person for whom it is intended and no one else. 
• Integrity: Encrypted information cannot be modified in storage or in transit between the sender and the intended receiver without any alterations being detected.
• Non-repudiation: The creator/sender of encrypted information cannot deny their intention to send the information.
• Authentication: The identities of the sender and receiver—as well as the origin and destination of the information—are confirmed.
• Key management: The keys used in encrypting and decrypting data and associated tasks like key length, distribution, generation, rotation, etc. are kept secure.

Before diving into cryptography’s many use cases, let’s review the basics of cryptography.

Understanding cryptography basics

Throughout history, cryptologists have used various methods for encoding private information and creating encrypted messages. While modern cryptographic algorithms are far more advanced, the fundamental steps remain very similar. 

Basic cryptology takes the original, unencoded information (known as plaintext) and encodes it into a scrambled code (known as ciphertext) with the aid of a secret key or keys, which can also be used to decode the ciphertext back into plaintext. 

Cryptographic algorithms

Cryptographic algorithms are the mathematical formulas used to encrypt and decrypt data. These algorithms create secret keys to determine how data is transformed from its original plaintext into ciphertext and vice versa. Some well-known cryptographic algorithms include RSA (Rivest-Shamir-Adleman) , AES (Advanced Encryption Standard) and ECC (Elliptic Curve Cryptography) . 

At a basic level, most cryptographic algorithms create keys by multiplying large prime numbers. While multiplication is easy for modern computers, factoring large numbers back into two large primes requires so much computing power, it’s practically impossible. Cryptosystems that use smaller keys can be reverse-engineered rather easily, but even the fastest supercomputers would require hundreds to hundreds of thousands of years to brute-force attack today’s stronger cryptographic algorithms. Elliptic curve cryptography adds an additional level of security by using random numbers to create much stronger keys that even next-generation quantum computers can’t break. 

Key management

Key management is an integral part of cryptography; every cryptosystem uses keys to both encrypt and decrypt data. Key management involves securely generating, storing and distributing encryption keys between users. Proper key management is crucial for maintaining the security of encrypted data, as weak or stolen keys can create critical vulnerabilities in any cryptosystem. Key sizes, randomness and storage are all crucial functions of key management. 

Symmetric encryption

Also known as private-key cryptography or secret-key cryptography, symmetrical cryptosystems use only one key for both encryption and decrypting. For these types of systems to work, each user must already have access to the same private key. Private keys might be shared either through a previously established trusted communication channel (such as a private courier or secured line) or, more practically, a secure key exchange method (such as the Diffie-Hellman key agreement ). 

Despite vulnerabilities created by the use of only a single key, this type of encryption is faster and more efficient than alternative methods. Popular symmetric encryption algorithms include DES (Data Encryption Standard) , 3DES (Triple DES) and AES .

Asymmetric encryption

Asymmetric en cryption , also known as public-key encryption, uses a pair of keys—a public key and a private key. The public key is used for encryption, the private key is used for decryption and each user has their own key pair. The two encryption keys used in public-key cryptography add an additional layer of security, but this added protection comes at the cost of decreased efficiency. RSA, ECC and the Secure Shell Protocol (SSH) are common asymmetric cryptography algorithms.

Cryptography use cases

Secure communication .

One of the most common use cases of cryptography is providing secure communication over the internet. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), use cryptographic protocols to establish protected connections between web browsers and servers. This secure channel ensures that data shared between a user’s browser and a website remains private and cannot be intercepted by malicious actors. 

Cryptography is also used for common messaging applications like email and WhatsApp to provide end-to-end encryption (E2EE) and maintain the privacy of users’ conversations. With E2EE, only the sender and intended recipient can decrypt and read their messages, making it nearly impossible for third parties—including users’ own service providers—to access the content.

Data encryption

Data encryption is a widely used form of cryptography that protects sensitive information stored on various devices, such as hard drives, smartphones and cloud storage services. Strong encryption algorithms like AES effectively transform plaintext into ciphertext, ensuring that even if an unauthorized party gains access, they won’t be able to decrypt sensitive data without access to the authorized users’ encryption key. 

Data integrity

Cryptography is also used to ensure the integrity of data. Hash functions are a type of cryptographic algorithm that generate fixed-size hashes (also known as digests) of data–essentially transforming a set of data into a unique numerical hash number. These hashes are so unique that changing even a single character or space within the plaintext would produce a totally different numerical value. Recipients, applications or websites can verify data integrity by comparing the hash of received data to the expected hash, and they can confirm that data has not been altered during transmission. 

Hash functions are also frequently used to verify user passwords without needing to create a vulnerable client-side database of private passwords. Instead, services like online banking portals will only collect and store the hashes of user passwords. Even if such a database was stolen, a malicious actor would not be able to deduce any user’s password from their hash alone. 

Authentication

Verifying the authenticity of sent and received information is a critical function of cryptography used for conducting all manners of business, made possible by the use of digital signatures . Through asymmetric cryptography, documents can be amended with digital signatures, which can only be generated with the use of a private key. Recipients of digitally signed documents can use the sender’s public key to verify the signature’s authenticity and confirm that the document has not been tampered with during transmission. 

Non-repudiation

Non-repudiation is a legal concept that ensures the authenticity of received messages and prevents a sender from potentially denying the validity of any given sent message. Digital signatures are a critical component of non-repudiation, as they prove that the sender, and no one else, signed the message or document. Cryptography-enabled non-repudiation, as established by data integrity protocols and digital signatures, provides a viable framework for verifying lawfully binding negotiations, contracts, and other types of legal dealings and business.

Key exchange 

A major component of secure communication, key exchange is a critical aspect of establishing a secure connection, especially in asymmetric cryptosystems. Cryptography plays a valuable role in this preliminary step, as well. A landmark in the development of public-key cryptography, the Diffie-Hellman key exchange algorithm allows two parties to securely exchange encryption keys over an insecure channel. This method ensures that even if an eavesdropper intercepts the key exchange dialogue, they cannot decipher the encryption keys being exchanged. Through cryptography, algorithms like the Diffie-Hellman key exchange protocol allow parties to establish secure connections through public-key encryption, without the need for a previously established and potentially vulnerable alternative key exchange. 

Securing API communication

A hallmark of Web 2.0 (and beyond), cooperative inter-app operability allows for various applications and web services to pull data from within their respected walled virtual ecosystems, enabling massively expanded functionality of all sorts of apps—from embedding social media posts into news articles to sharing critical systems analytics into advanced operational dashboards.

Known as application programming interfaces (APIs) , these systems are designed to facilitate cross-program communication, and cryptography ensures that this sensitive data remains protected from intrusive eavesdropping or tampering, ensuring that only authorized parties can access the information. API keys and tokens are often used alongside encryption to protect sensitive data exchanged between applications, especially in situations where security is most critical, such as public works and infrastructure. 

Quantum computing cybersecurity

The rise of quantum computing poses a significant threat to existing encryption methodologies and cybersecurity systems. Most modern cryptosystems are designed to withstand the potential computing power of traditional computers, which would simply require hundreds to hundreds of thousands of years to successfully brute-force attack today’s cryptographic algorithms. Quantum computers, however, could potentially increase the power of today’s computers by orders of magnitude, reducing the time it would take to crack even the strongest cryptographic keys from thousands of years to mere seconds. While most modern cryptographic algorithms won’t be able to withstand theoretical quantum computer attacks, cryptologists are responding to these vulnerabilities with the development of quantum-resistant cryptography techniques. The use cases for quantum-resistant and post-quantum cryptography are as numerous as the cryptography use cases are in general. Although quantum computing is still considered to be in the prototyping stages at best, most computer scientists agree major breakthroughs within the next 10 to 50 years will make the development of quantum-resistant cryptography as critical as quantum computing itself.

Blockchain security

Blockchain technology relies heavily on cryptography to ensure the security and immutability of all on-chain transactions and updates. Cryptocurrencies like Bitcoin use cryptographic algorithms to mine and mint new coins, while cryptographic hash functions secure the integrity of blocks in the chain. When making transactions, public-key cryptography is used to create and verify digital signatures. Encompassing most of cryptography’s core tenets, blockchain technology uses encryption to create a trustless ecosystem where all actions can be easily authenticated and verified.

Learn how IBM cryptography solutions help businesses guard critical data

IBM cryptography solutions combine cutting-edge technology, consulting, systems integration and managed security services to help ensure crypto-agility, quantum-safety and solid governance and risk policies. From symmetric to asymmetric cryptography, to hash functions and beyond, ensure data and mainframe security with end-to-end encryption tailor-made to meet your business needs.

More from Cloud

A clear path to value: overcome challenges on your finops journey .

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

24 IBM offerings winning TrustRadius 2024 Top Rated Awards

2 min read - TrustRadius is a buyer intelligence platform for business technology. Comprehensive product information, in-depth customer insights and peer conversations enable buyers to make confident decisions. “Earning a Top Rated Award means the vendor has excellent customer satisfaction and proven credibility. It’s based entirely on reviews and customer sentiment,” said Becky Susko, TrustRadius, Marketing Program Manager of Awards. Top Rated Awards have to be earned: Gain 10+ new reviews in the past 12 months Earn a trScore of 7.5 or higher from…

IBM Newsletters

Case Study on Cryptography

Ieee account.

• Change Username/Password
• Update Address

Purchase Details

• Payment Options
• Order History
• View Purchased Documents

Profile Information

• Communications Preferences
• Profession and Education
• Technical Interests
• US & Canada: +1 800 678 4333
• Worldwide: +1 732 981 0060
• Contact & Support
• About IEEE Xplore
• Accessibility
• Terms of Use
• Nondiscrimination Policy
• Privacy & Opting Out of Cookies

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity. © Copyright 2024 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.

What is Cryptography? Types and Examples You Need to Know

By Tibor Moes / Updated: July 2023

What is Cryptography?

Tech-savvy individuals talk about encrypted data and its importance all the time. Data encryption is the practical application of cryptography, a method of taking plaintext, scrambling it, and sending it to a receiver.

Cryptography is incredibly complex and requires advanced knowledge of mathematics. Social media platforms, banks, digital wallets, and text messaging apps all rely on cryptography. But how does it work?

To clarify how it works, we’ll tell you about its history, the different types, a few examples, and some challenges that come with cryptography.

• Cryptography is a method of protecting information and communications by employing codes, so that only those for whom the information is intended can read and process it. This complex science combines elements of mathematics, computer science, and electrical engineering to secure digital transactions, control the creation of new coins, and verify the transfer of assets.
• The process works by using algorithms and cryptographic keys to encrypt and decrypt data. Two common types of cryptography are symmetric (private key cryptography) and asymmetric (public key cryptography). The first uses a single key for encryption and decryption, while the latter utilizes a pair of keys, one public for encryption and a private one for decryption.
• Cryptography plays a pivotal role in securing sensitive information, especially in the fields of online banking, computer passwords, and e-commerce transactions. It also provides the backbone for cryptocurrencies, such as Bitcoin, that rely on blockchain technology, which uses cryptographic methods to ensure the immutability and security of transactions.

Don’t become a victim of cybercrime. Protect your devices with the best antivirus software and your privacy with the best VPN service .

Unless you’re an expert in computer science, the broadness of the term “cryptography” can be challenging to explain.

Perhaps the best answer to the question, “What is cryptography?” is that it’s an entire art form of keeping specific information secure by making it cryptic and impossible to understand by anyone other than the intended recipient .

Let’s take a simple message readable by humans, also known as plaintext, and apply mathematical operations and algorithms.

The result will be unintelligible nonsense, otherwise referred to as a cipher. However, cryptography would be pointless if the intended recipient of an encrypted message wouldn’t know how to read it. Therefore, the algorithm and mathematical processes also apply to cryptographic key generation, digital signatures, or a single key for verification that protects data privacy.

They are also necessary to ensure safe web browsing and secure and confidential communication via email and banking systems.

A Brief History of Cryptography

We’ve touched on the issue of what is cryptography, but it’s also essential to examine its origin and how it became a huge part of computer science. The term “cryptography” comes from the Greek language and the word “kryptos,” which means hidden.

That explains the first part of the word. The second part of this compound, “-graphy” means writing. So, in unambiguous terms, cryptography translates to “hidden writing.”

The study of cryptography dates back to ancient Egypt, some 4,000 years ago, and is evident in their very complex pictograms, or hieroglyphics. The very first use of modern cryptography and ciphers still used today is attributed to Julius Caesar, a Roman general and politician.

He distrusted messengers and went to great lengths to conceal the communications with his officers and governors. The fear of important secrets leaking to the wrong people led to the development of a system where every character in his message was replaced by a letter three places ahead in the Roman alphabet.

T his system is also known as a Caesar cipher or substitution cipher. It was medieval Arab mathematicians that realized that some letters in any language are more used than others; thus, patterns become easier to recognize.

Their main contribution was to the art of decryption. By today’s standards, both the cryptography and decryption were relatively basic, and with the introduction of computers, both are now revolutionized. It’s fair to say that the development of computer science, computer technology, and cryptography go hand in hand.

Understanding Cryptography, Cryptology, and Encryption

Before exploring cryptography types, examples, and everyday application, it’s vital to distinguish between cryptography, cryptology, and encryption.

Naturally, they are all related, but have important differences we want to highlight. We’ve established that cryptography in the literal sense means “hidden writing,” but cryptology represents “knowledge of secrecy” because the suffix “-logy” means “study.”

Basically, cryptography is a field of study of cryptology, though the two terms are often used interchangeably . But where does encryption fit it? It represents the actual process of turning plain text into ciphers.

The encryption process facilitates moving sensitive information by creating encrypted messages. Freely distributed secure communication is at the core of privacy protection, and many industries rely on encryption and decryption.

Secure cryptographic systems involve an algorithm and a key that is nearly always a number. It allows a sender and receiver to read the message.

The Kerckhoffs Principle

Cryptography has several principles, but none is more important than the Kerckhoffs principle, created by the renowned Dutch cryptographer Auguste Kerckhoffs.

This principle was designed long before computers, at the end of the 19th century, and has one basic premise, which says that any cryptographic system must be secure even if every part of the system, other than the key, is a matter of public knowledge.

His work mostly focused on military cryptography, as that was the primary purpose of science before the invention of computers.

The Kerckhoffs principle has been thoroughly studied and is a part of most modern encryption algorithms, including Data Encryption Standard (DES) and Advanced Encryption Standard (AES). How secure an encrypted communication is depends solely on the encryption key and quality.

The Four Standards of Cryptography

Contemporary cryptography has many procedures and cryptographic protocols that make up complex cryptosystems. Usually, this term stands for computer programs and mathematical procedures, but it is also used to explain certain human behaviors. For example, opting for complex passwords, not discussing sensitive data with individuals outside a set system, or choosing to log off every time you leave your computer.

All of these protocols rely on four standards or cryptographic techniques: confidentiality, integrity, non-repudiation, and authentication .

Confidentiality

This standard describes a fundamental rule that only the intended receiver of an encrypted message can read the information. And they can do so only with a private key.

No one has the authority to change the message information while in storage or in transit between sender and receiver without this change being detected.

Non-Repudiation

Both the sender and receiver are in a position of not being able to deny their intent of the information’s existence or transmission.

Authentication

The senders and receivers must be able to confirm each other’s identity, as well as the origin of the encrypted message.

Cryptography Types

While there are many cryptographic algorithms found in computer science practice and cybersecurity, they are generally broken down into three categories.

The most prominent types of cryptography include symmetric key cryptography, asymmetric cryptography, and cryptographic hash functions.

Symmetric Key Cryptography

Perhaps one of the best examples of symmetric encryption is the substitute, as in the Caesar cipher mentioned above. When creating a symmetric encryption, both parties must know the same key or the private key required to decrypt it.

That’s what signifies the symmetrical process. It’s also imperative for the private key to stay fully secret between the two parties, which is why symmetric cryptography is sometimes referred to as secret key cryptography.

If the sender chose to send the private key via messenger, it would mean a third party was involved and they could be compromised. The key exchange can only occur between the sender and the intended recipient.

One of the most relevant uses of symmetric cryptography is to keep data confidential . This type of cryptography allows an efficient way to keep a local hard drive private.

Often, one user is both encrypting and decrypting protected data, meaning that a private key is not required. But it can also be used for network security and safely sending private messages online. However, it’s asymmetric cryptography that usually deals with these processes.

Asymmetric Key Cryptography

If symmetric cryptography is known as private key cryptography, then the asymmetric type is better known as public key cryptography. For two parties to practice secure communication over an inherently insecure network, they need to create a special, secure communication channel.

To establish this channel successfully, the parties need to apply public key cryptography. Every participant in this system has two keys. One is a public key and can be sent to anyone with whom you want to establish communication. Essentially, these types of public keys are encryption keys.

But there’s also the private key, designed to not be shared with anyone and used to decrypt messages.

A simple yet effective metaphor is to imagine a public key as a discreet slot on the mailbox, designed for dropping letters, and the private key as the actual physical key used to open the mailbox.

It’s vital to understand that mathematical concepts that suggest using one key for encryption and another for decryption create a one-way functionality. This means that the two keys must be related to each other in a way that a public key can be derived from a private key, but not the other way around.

In terms of complexity, asymmetric cryptography requires more resources and stronger infrastructure than symmetric cryptography.

Hash Functions

Public and private key cryptographic algorithms both transform messages from plaintext to secret messages, and then back to plaintext again.

On the other hand, a hash function relies on one-way algorithms. Once a plaintext has been encrypted, it remains a ciphertext, also known as hash.

Logically, one might wonder what the purpose of hash functions are then. Are they only a pointless exercise? One of the most interesting aspects of hash functions is that a single plaintext cannot produce the same hash, or ciphertext. Therefore, in terms of data integrity, hashing algorithms are an efficient tool.

So, how would a hash function be applied in practice? A sender could encrypt a message with a hash value and when the receiver gets the message, they can use the same hashing algorithm for the text.

If the resulting hash is different from the received message, it means the content of the message has been altered in transit.

Hash functions are also used for confidentiality of computer passwords, as storing pass codes in plaintext is considered a great vulnerability.

Cryptography Examples

All three cryptography types are implemented in different algorithms and techniques, and they are generally complex and broad in scope. Still, it’s important to cover several important cryptography examples and discuss whether they use secret key, public key, or hash value.

Data Encryption Standard (DES)

When Data Encryption Standard (DES) was established in 1971, it was a major breakthrough in cybersecurity. It relies on symmetric encryption. While it’s one of the oldest and most widely used cybersecurity tools, it’s no longer the only one available.

It’s important to understand this type of algorithm and what it means for cryptography. The DES uses a 56-bit size key to take a block of 64-bit plaintext and generate it into 64-bit ciphertext.

Each step in the DES process is called a round, and the number of rounds depends on several factors, including the size of a public key used for encryption.

The implementation of DES requires a security provider, but which one to choose depends on the programming language one uses, like Phyton, Java, or MATLAB. The DES algorithm is used for random number generation, but it doesn’t have the best track record for producing strong encryption.

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is the successor of DES and is considered the most secure encryption algorithm today. It’s even the federal standard, used by the U.S. government, but also by major social media platforms and corporations.

The AES falls under the category of symmetric encryption, meaning it requires the same key encryption to protect communications. This encryption standard is incredibly robust, especially when talking about the AES-256, which uses 14 rounds of encryption.

The steps of the process include splitting data into blocks, adding different bytes, mixing columns, and shifting rows, all to ensure the data is scrambled entirely. The end result is a random set of characters that have zero meaning to anyone other than a person with a corresponding private key.

It’s also important to point out that AES-256 is the standard for reliable virtual private network providers and that it works with popular programming languages such as Java, C, C++, and Python.

Also, modern Intel and AMD processors have a built-in AES, allowing them to scramble data.

Diffie-Hellman Key Exchange

One example of an asymmetric encryption is the Diffie-Hellman, or exponential key exchange. This is a digital encryption method that relies on numbers raised to specific powers in order to create decryption keys that were never sent directly.

This approach makes the job of a code-breaker incredibly difficult, and likely impossible. This method was created in 1976 and is used today to secure different online services.

The patent for the Diffie-Hellman key exchange expired a year after it was published and has since been a public-domain algorithm.

Rivest-Shamir-Adleman (RSA)

Rivest-Sharmir-Adleman (RSA) is another public key, or asymmetric, cryptosystem used for secure data exchange, and also one of the oldest.

It was created by a group of cryptographers in 1977, though the same system was secretly developed in 1973 by Government Communications Headquarters, a British intelligence agency.

In this system, the public key differs from the secret key, but the public key is based on two large prime numbers, with an added value. Anyone can encrypt the message, but only those with knowledge of the prime numbers can read it.

Hashing Algorithms

Hash values and algorithms offer a wide range of functions and are used for specific purposes. Password verification, proof-of-work in blockchain technology, and file or data identification are just some of the many ways hash algorithms are used.

Everyday Application of Cryptography

We’ve covered the standard, types, and examples of cryptography, but it’s also crucial to understand how the cryptographic algorithms and cryptographic keys are used in everyday life, whether we’re discussing symmetric or asymmetric encryption.

Digital Signatures

When it comes to public key cryptography, digital signature authentication is essential. Authentication refers to any process that verifies specific information.

If you want to verify the identity of a sender or the origin of a document, or when it was signed, cryptography uses a digital signature as a means to check the information.

A single document’s digital signature uses the secret key and the document’s content for authentication.

Because private keys in the context of digital signatures often come from a trusted directory and others may learn them, they can be vulnerable. But this problem can be solved with a certificate with the document issuer’s name and time stamps.

Time Stamping

It may seem a somewhat irrelevant application, but time stamping can be incredibly important in certain situations. A digital time stamp tells us that a certain digital document was created or delivered at a specific time.

The cryptographic system used for time stamping is called a blind signature scheme, which allows senders to transmit a message to a recipient via a third party without revealing any part of the message to them.

In some ways, time stamping is quite similar to sending registered post via the U.S. mail, though it contains an additional verification level. A practical application of time stamping includes copyright archives, contracts, and patent registration.

Electronic Money

Digital money, or electronic cash, is a constantly evolving concept. Essentially, it involves financial transactions done electronically from one party to another.

Cryptography is applied in both debit and credit card transactions and digital wallets. And it is required for anonymous and identified transactions.

Another option is the hybrid approach, which includes anonymous payments with respect to the seller, but not the bank.

Cryptocurrency

It’s essential to understand how cryptography relates to cryptocurrency. Unsurprisingly, the blockchain technology through which digital assets are moved relies on cryptographic mechanisms.

The application of cryptography allows blockchains to maintain security, which is at the core of cryptocurrency systems. In fact, it was the cryptography message board that prompted the creation of Bitcoin in 2009.

Satoshi Nakamoto, the father of Bitcoin, suggested cryptography principles for a double-spend solution that has been an issue with digital currencies from the start.

Modern Cryptography Concerns

A modern cryptographic algorithm is considered unbreakable, for the most part at least. But as the number of entities relying on cryptography for security continues to grow, the demands for higher security levels also increase.

A single compromised key can lead to fines, damage to reputation, and loss of users or customers. The impact of inefficient cryptography implementation can also include a reduction in share price, dismissed executives, and even litigation.

Applications such as WhatsApp, Facebook, and Instagram, for example, have a strong incentive to secure the lines of communication by means of cryptography because they deal with a lot of sensitive data and user information. The same applies for all companies that deal with sensitive data.

They also have a reasonable duty to protect their users especially as there is increasing pressure in this direction as of late.

So, what are some of the cryptography key-based issues that could occur and jeopardize online security, and what are some of the ways they can be prevented?

The longer the key is, the more difficult it is to crack. But we also know that both private and public keys are random, so it’s easy to not concern yourself with how weak or strong it is.

Not all number generators are efficient, so it’s advisable to use one that collects the density of a file in characters from a reliable hardware number generator.

Key Non-Rotation

If one encryption key is overused, meaning that it encrypts too much data, it becomes vulnerable and prone to cracking. This is especially the case when older, symmetric cryptography algorithms are used. Ideally, keys should be renewed and updated at previously set and appropriate intervals.

Incorrect or Reused Key

It’s vital to keep in mind that a generated cryptographic key should only be used once and for one decryption purpose. Furthermore, a generated key used incorrectly or encoded improperly is a liability. It makes it easier for cybercriminals to hack the encrypted message.

Inadequate Key Storage

There is a lot of talk about how to properly store an encryption key. A good rule of thumb is to not store it in a large database or server, as these can be breached and compromised.

Inadequate Key Protection

Storing keys properly is essential, and appropriate key protection requires additional encryption. A stored key should only be able to be decrypted when moved to a secure environment, and sometimes even kept offline.

Insider Threats

Undeniably, these types of cryptography threats are the most severe. An employee with access to a key can use it for nefarious purposes or sell it for profit to a hacker.

How to Reduce the Risk of Cryptography-Related Issues

A dedicated electronic key management system is essential for both organizations and individuals. Many reputable providers offer effective solutions that rely on hardware security modules designed to protect keys. Other important features of keeping the cryptosystems safe include the following.

• Strong key generation
• Strict policy-based controls
• Secure key destruction
• Strong user authentication
• Secure workflow management
• Audits and usage logging

How to stay safe online:

• Practice Strong Password Hygiene : Use a unique and complex password for each account. A password manager can help generate and store them. In addition, enable two-factor authentication (2FA) whenever available.
• Invest in Your Safety : Buying the best antivirus for Windows 11 is key for your online security. A high-quality antivirus like Norton , McAfee , or Bitdefender will safeguard your PC from various online threats, including malware, ransomware, and spyware.
• Be Wary of Phishing Attempts : Be cautious when receiving suspicious communications that ask for personal information. Legitimate businesses will never ask for sensitive details via email or text. Before clicking on any links, ensure the sender's authenticity.
• Stay Informed. We cover a wide range of cybersecurity topics on our blog. And there are several credible sources offering threat reports and recommendations, such as NIST , CISA , FBI , ENISA , Symantec , Verizon , Cisco , Crowdstrike , and many more.

Happy surfing!

Frequently Asked Questions

Below are the most frequently asked questions.

What are block ciphers?

What is quantum cryptography, what does a cryptographer do.

Author: Tibor Moes

Founder & Chief Editor at SoftwareLab

Tibor has tested 39 antivirus programs and 30 VPN services , and holds a Cybersecurity Graduate Certificate from Stanford University.

He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.

You can find him on LinkedIn or contact him here .

Antivirus Comparisons

Best Antivirus for Windows 11 Best Antivirus for Mac Best Antivirus for Android Best Antivirus for iOS

Antivirus Reviews

Norton 360 Deluxe Bitdefender Total Security TotalAV Antivirus McAfee Total Protection

• Top Courses
• Online Degrees
• Find your New Career
• Join for Free

Introduction to Applied Cryptography

Taught in English

Some content may not be translated

Financial aid available

7,313 already enrolled

Gain insight into a topic and learn the fundamentals

Instructor: Professor Keith M. Martin

(51 reviews)

Included with Coursera Plus

Details to know

Add to your LinkedIn profile

See how employees at top companies are mastering in-demand skills

Earn a career certificate

Add this credential to your LinkedIn profile, resume, or CV

Share it on social media and in your performance review

There are 4 modules in this course

This course is a non-mathematical introduction to the role that cryptography plays in providing digital security for everyday applications such as the internet, mobile phones, wireless networks and cryptocurrency.

In this introductory course you will develop an understanding of the functionality and purpose of the main cryptographic tools we use today. You will learn how to make decisions about which cryptographic tools are most appropriate to deploy in specific settings. You will also explore the wider infrastructure surrounding cryptography and how this impacts the overall security of systems deploying cryptography. Cryptography provides the core toolkit that underpins most digital security technologies. An understanding of what cryptography does, and its limitations, is critical to developing a wider appreciation of the security of everyday digital applications. Since cryptography provides tools for atomic security services such as confidentiality and data integrity, an appreciation of cryptography will also equips you with a fundamental understanding of what security means in cyberspace. Learning outcomes for the module. By the end of this module learners will be able to: 1. Explain the precise role that cryptography plays in the security of any digital system. 2. Appreciate the breadth of use of cryptography to support security of digital systems. 3. Identify core concepts and terminology concerning use of cryptography 4. Assess the points of vulnerability relating to cryptography in any digital system deploying it.

Introduction to the course and the Cryptographic Toolkit

In week 1 we discuss the need for cryptography and the core security services it provides.

What's included

6 videos 11 readings 3 quizzes 3 discussion prompts

6 videos • Total 27 minutes

• Introduction to the course • 11 minutes • Preview module
• How to setup a study journal • 1 minute
• Introduction to cryptography • 1 minute
• Physical world security services • 6 minutes
• Core services • 5 minutes
• Week 1 summary • 1 minute

11 readings • Total 175 minutes

• Course syllabus • 10 minutes
• Starting your studies • 10 minutes
• Principles of good peer feedback in peer review assignment • 10 minutes
• Everyday cryptography: fundamental principles and applications by Keith Martyn • 10 minutes
• First thoughts on cryptography • 15 minutes
• Risks to information • 30 minutes
• Security services • 10 minutes
• Relationship between services • 10 minutes
• Cryptographic terminology • 10 minutes
• Activity: Identifying algorithms • 30 minutes
• Reflection • 30 minutes

3 quizzes • Total 50 minutes

• Week 1 test • 30 minutes
• Stealing data • 10 minutes
• Cryptography and availability • 10 minutes

3 discussion prompts • Total 95 minutes

• Introduce yourself • 20 minutes
• Comparing the physical and digital world • 45 minutes
• Examples using services • 30 minutes

Applications of Cryptography

In week 2 we discuss uses of cryptography to support a wide range of digital systems.

4 videos 2 readings 1 quiz 3 discussion prompts

4 videos • Total 18 minutes

• Introduction to applications of cryptography • 2 minutes • Preview module
• Introduction to the Big Six • 8 minutes
• Wi-Fi services • 6 minutes
• Week 2 summary • 1 minute

2 readings • Total 60 minutes

• Case study: Supporting mobile call protection • 30 minutes

1 quiz • Total 30 minutes

• Week 2 test • 30 minutes

3 discussion prompts • Total 90 minutes

• Applications of cryptography • 30 minutes
• First look at the Big Six • 30 minutes
• Services for other Big Six • 30 minutes

Cryptosystems

In week 3 we explain the main components of a cryptosystem and introduce some core terminology.

4 videos 3 readings 3 quizzes 3 discussion prompts

4 videos • Total 21 minutes

• Introduction to cryptosystems • 2 minutes • Preview module
• Algorithms and keys • 8 minutes
• How different types of cryptosystem are used • 7 minutes
• Week 3 summary • 2 minutes

3 readings • Total 65 minutes

• Model of a cryptosystem • 25 minutes
• Two types of cryptosystem • 10 minutes

3 quizzes • Total 70 minutes

• Week 3 test • 30 minutes
• Is this a cryptosystem? • 20 minutes
• Navajo code talker • 20 minutes
• Cryptography, steganography and access control • 20 minutes
• Key management implications • 30 minutes
• Symmetric or Public-key? • 45 minutes

Attacking Cryptosystems

In week 4 we identify various ways in which an attacker could try to overcome the protection offered by cryptography.

5 videos 7 readings 5 quizzes 1 peer review 2 discussion prompts

5 videos • Total 23 minutes

• Introduction to attacking cryptosystems • 1 minute • Preview module
• Points of weakness • 6 minutes
• Two worlds • 7 minutes
• Week 4 summary • 1 minute
• Course summary • 6 minutes

7 readings • Total 137 minutes

• Security assumptions • 2 minutes
• Exhaustive key search • 25 minutes
• Activity: Large numbers • 25 minutes
• Key lengths • 30 minutes
• Classes of attack • 10 minutes
• Latest thoughts on cryptography • 15 minutes

5 quizzes • Total 120 minutes

• Week 4 test • 30 minutes
• Kerckhoff assumptions • 30 minutes
• Public v proprietary • 30 minutes
• Practicalities of key search • 25 minutes
• DES and AES key searches • 5 minutes

1 peer review • Total 60 minutes

• Two worlds – which is securer? • 60 minutes

2 discussion prompts • Total 50 minutes

• Single points of failure • 20 minutes
• Big Six vulnerabilities • 30 minutes

Instructor ratings

We asked all learners to give feedback on our instructors based on the quality of their teaching style.

The University of London is a federal University which includes 17 world leading Colleges. With extensive experience in distance learning since 1858, University of London has enriched the lives of thousands of students, delivering high quality degrees across the globe. Today, University of London is a global leader in flexible study, offering degree programmes to over 45,000 students in over 190 countries, delivering world-leading research across the world. To find out more about University of London, visit www.london.ac.uk

Recommended if you're interested in Algorithms

University of London

Cyber Security Fundamentals

University of Maryland, College Park

Cryptography

University of Colorado System

Classical Cryptosystems and Core Concepts

Cryptography and Information Theory

Prepare for a degree.

Taking this course by University of London may provide you with a preview of the topics, materials and instructors in a related degree program which can help you decide if the topic or university is right for you.

Master of Science in Cyber Security

Degree · 24 - 60 months

Why people choose Coursera for their career

Learner reviews

Showing 3 of 51

Reviewed on May 15, 2023

Thank you so much during this 4 weeks, i gained more knowledges about cryptography in this course. This course really help me to learn in flexiblw time.

Reviewed on Mar 8, 2023

This course is amazing and it is very helpful for me to improve my knowledge about cryptography and other security related concepts

New to Algorithms? Start here.

Open new doors with Coursera Plus

Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs - all included in your subscription

Advance your career with an online degree

Earn a degree from world-class universities - 100% online

Join over 3,400 global companies that choose Coursera for Business

Upskill your employees to excel in the digital economy

Frequently asked questions

When will i have access to the lectures and assignments.

Access to lectures and assignments depends on your type of enrollment. If you take a course in audit mode, you will be able to see most course materials for free. To access graded assignments and to earn a Certificate, you will need to purchase the Certificate experience, during or after your audit. If you don't see the audit option:

The course may not offer an audit option. You can try a Free Trial instead, or apply for Financial Aid.

The course may offer 'Full Course, No Certificate' instead. This option lets you see all course materials, submit required assessments, and get a final grade. This also means that you will not be able to purchase a Certificate experience.

What will I get if I purchase the Certificate?

When you purchase a Certificate you get access to all course materials, including graded assignments. Upon completing the course, your electronic Certificate will be added to your Accomplishments page - from there, you can print your Certificate or add it to your LinkedIn profile. If you only want to read and view the course content, you can audit the course for free.

What is the refund policy?

You will be eligible for a full refund until two weeks after your payment date, or (for courses that have just launched) until two weeks after the first session of the course begins, whichever is later. You cannot receive a refund once you’ve earned a Course Certificate, even if you complete the course within the two-week refund period. See our full refund policy Opens in a new tab .

Is financial aid available?

Yes. In select learning programs, you can apply for financial aid or a scholarship if you can’t afford the enrollment fee. If fin aid or scholarship is available for your learning program selection, you’ll find a link to apply on the description page.

More questions

• Talk to Expert
• Machine Identity Management
• October 20, 2023
• 9 minute read

7 Data Breach Examples Involving Human Error: Did Encryption Play a Role?

Despite an overall increase in security investment over the past decade, organizations are still plagued by data breaches. What’s more, we’re learning that many of the attacks that result in breaches misuse encryption in some way. (By comparison, just four percent of data breaches tracked by Gemalto’s Breach Level Index were “secure breaches” in that the use of encryption rendered stolen data useless). Sadly, it’s often human error that allows attackers access to encrypted channels and sensitive information. Sure, an attacker can leverage “gifts” such as zero-day vulnerabilities to break into a system, but in most cases, their success involves provoking or capitalizing on human error.

Human error has a well-documented history of causing data breaches. The 2022  Global Risks Report  released by the World Economic Forum, found that 95% of cybersecurity threats were in some way caused by human error. Meanwhile, the  2022 Data Breach Investigations Report  (DBIR) found that 82% of breaches involved the human element, including social attacks, errors and misuse. 

I think it’s interesting to look at case studies on how human error has contributed to a variety of data breaches, some more notorious than others. I’ll share the publicly known causes and impacts of these breaches. But I’d also like to highlight how the misuse of encryption often compounds the effects of human error in each type of breach.

SolarWinds: Anatomy of a Supersonic Supply Chain Attack

Data breach examples.

Here is a brief review of seven well-known data breaches caused by human error.

1. Equifax data breach—Expired certificates delayed breach detection

In the spring of 2017, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) sent consumer credit reporting agency Equifax a notice about a vulnerability affecting certain versions of Apache Struts. According to former CEO Richard Smith, Equifax sent out a mass internal email about the flaw. The company’s IT security team should have used this email to fix the vulnerability, according to Smith’s testimony before the House Energy and Commerce Committee. But that didn’t happen. An automatic scan several days later also failed to identify the vulnerable version of Apache Struts. Plus, the device inspecting encrypted traffic was misconfigured because of a digital certificate that had expired ten months previously. Together, these oversights enabled a digital attacker to crack into Equifax’s system in mid-May and maintain their access until the end of July.

How encryption may become a factor in scenarios like this:  Once attackers have access to a network, they can install rogue or stolen certificates that allow them to hide exfiltration in encrypted traffic. Unless HTTPS inspection solutions are available and have full access to all keys and certificates, rogue certificates will remain undetected.

Impact:  The bad actor is thought to have exposed the personal information of 145 million people in the United States and more than 10 million UK citizens. In September 2018, the Information Commissioner’s Office  issued Equifax a fine of £500,000, the maximum penalty amount allowed under the Data Protection Act 1998, for failing to protect the personal information of up to 15 million UK citizens during the data breach.

2. Ericsson data breach—Mobile services go dark when the certificate expires

At the beginning of December 2018, a digital certificate used by Swedish multinational networking and telecommunications company Ericsson for its SGSN–MME (Serving GPRS Support Node—Mobility Management Entity) software expired. This incident caused outages for customers of various UK mobile carriers including O2, GiffGaff, and Lyca Mobile. As a result, a total of 32 million people in the United Kingdom alone lost access to 4G and SMS on 6 December. Beyond the United Kingdom, the outage reached 11 countries including Japan.

How encryption may become a factor in scenarios like this: Expired certificates do not only cause high-impact downtime; they can also leave critical systems without protection. If a security system experiences a certificate outage , cybercriminals can take advantage of the temporary lack of availability to bypass the safeguards.

Impact:  Ericsson restored the most affected customer services over the course of 6 December. The company also noted in a  blog post  that “The faulty software [for two versions of SGSN–MME] that has caused these issues is being decommissioned.”

3. LinkedIn data breach—Millions miss connections when the certificate expires

On 30 November, a certificate used by business social networking giant LinkedIn for its country subdomains expired. As reported by The Register , the incident did not affect www.linkedin.com, as LinkedIn uses a separate certificate for that particular domain. But the event, which involved a certificate issued by DigiCert SHA2 Secure Server CA, did invalidate us.linkedin.com along with the social media giant’s other subdomains. As a result, millions of users were unable to log into LinkedIn for several hours.

How encryption may become a factor in scenarios like this:  Whenever certificates expire, it may indicate that overall protection for machine identities is not up to par. Uncontrolled certificates are a prime target for cybercriminals who can use them to impersonate the company or gain illicit access.

Impact:  Later in the afternoon on 30 November, LinkedIn deployed a new certificate that helped bring its subdomains back online, thereby restoring all users’ access to the site.

4. Strathmore College data breach—Student records not adequately protected

In August 2018, it appears that an employee at Strathmore secondary college accidentally published more than 300 students’ records on the school’s intranet. These records included students' medical and mental health conditions such as Asperger’s, autism and ADHD. According to The Guardian , they also listed the exposed students’ medications along with any learning and behavioral difficulties. Overall, the records remained on Strathmore’s intranet for about a day. During that time, students and parents could have viewed and/or downloaded the information.

How encryption may become a factor in scenarios like this:  Encrypting access to student records makes it difficult for anyone who doesn’t have the proper credentials to access them. Any information left unprotected by encryption can be accessed by any cybercriminals who penetrate your perimeter.

Impact:  Strathmore’s principal said he had arranged professional development training for his staff to ensure they’re following best security practices. Meanwhile, Australia’s Department of Education announced that it would investigate what had caused the breach.

5. Veeam data breach—Customer records compromised by unprotected database

Near the end of August 2018, the Shodan search engine indexed an Amazon-hosted IP. Bob Diachenko, director of cyber risk research at Hacken.io, came across the IP on 5 September and quickly determined that the IP resolved to a database left unprotected by the lack of a password. The exposed database contained 200 gigabytes worth of data belonging to Veeam, a backup and data recovery company. Among that data were customer records including names, email addresses and some IP addresses.

How encryption may become a factor in scenarios like this:  Usernames and passwords are a relatively weak way of securing private access. Plus, if an organization does not maintain complete control of the private keys that govern access for internal systems, attackers have a better chance of gaining access.

Impact:  Within three hours of learning about the exposure, Veeam took the server offline. The company also reassured  TechCrunch  that it would “conduct a deeper investigation and… take appropriate actions based on our findings.”

6. Marine Corps data breach—Unencrypted email misfires

At the beginning of 2018, the Defense Travel System (DTS) of the United States Department of Defense (DOD) sent out an unencrypted email with an attachment to the wrong distribution list. The email, which the DTS sent within the usmc.mil official unclassified Marine domain but also to some civilian accounts, exposed the personal information of approximately 21,500 Marines, sailors and civilians. Per Marine Corp Times , the data included victims’ bank account numbers, truncated Social Security Numbers and emergency contact information.

How encryption may become a factor in scenarios like this:  If organizations are not using proper encryption, cybercriminals can insert themselves between two email servers to intercept and read the email. Sending private personal identity information over unencrypted channels essentially becomes an open invitation to cybercriminals.

Impact:  Upon learning of the breach, the Marines implemented email recall procedures to limit the number of email accounts that would receive the email. They also expressed their intention to implement additional security measures going forward.

7. Pennsylvania Department of Education data breach—Misassigned permissions

In February 2018, an employee in Pennsylvania’s Office of Administration committed an error that subsequently affected the state’s Teacher Information Management System (TIMS). As reported by PennLive , the incident temporarily enabled individuals who logged into TIMS to access personal information belonging to other users including teachers, school districts and Department of Education staff. In all, the security event is believed to have affected as many as 360,000 current and retired teachers.

How encryption may become a factor in scenarios like this: I f you do not know who’s accessing your organization’s information, then you’ll never know if it’s being accessed by cybercriminals. Encrypting access to vital information and carefully managing the identities of the machines that house it will help you control access.

Impact:  Pennsylvania’s Department of Education subsequently sent out notice letters informing victims that the incident might have exposed their personal information including their Social Security Numbers. It also offered a free one-year subscription for credit monitoring and identity protection services to affected individuals.

How machine identities are misused in a data breach

Human error can impact the success of even the strongest security strategies. As the above attacks illustrate, this can compromise the security of machine identities in numerous ways. Here are just a few:

• SSH keys grant privileged access to many internal systems. Often, these keys do not have expiration dates. And they are difficult to monitor. So, if SSH keys are revealed or compromised, attackers can use them to pivot freely within the network.
• Many phishing attacks leverage wildcard or rogue certificates to create fake sites that appear to be authentic. Such increased sophistication is often required to target higher-level executives.
• Using public-key encryption and authentication in the two-step verification makes it harder to gain malicious access. Easy access to SSH keys stored on computers or servers makes it easier for attackers to pivot laterally within the organization.
• An organization’s encryption is only as good as that of its entire vendor community. If organizations don’t control the keys and certificates that authenticate partner interactions, then they lose control of the encrypted tunnels that carry confidential information between companies.
• If organizations are not monitoring the use of all the keys and certificates that are used in encryption, then attackers can use rogue or stolen keys to create illegitimate encrypted tunnels. Organizations will not be able to detect these malicious tunnels because they appear to be the same as other legitimate tunnels into and out of the organization.

How to avoid data breaches

The best way to avoid a data breach to make sure your organization is using the most effective, up-to-date security tools and technologies. But even the best cybersecurity strategy is not complete unless it is accompanied by security awareness training for all who access and interact with sensitive corporate data. 

Because data breaches take many different forms and can happen in a multitude of ways, you need to be ever vigilant and employ a variety of strategies to protect your organization. These should include regular patching and updating of software, encrypting sensitive data, upgrading obsolete machines and enforcing strong credentials and multi-factor authentication.

In particular, a zero-trust architecture will give control and visibility over your users and machines using strategies such as least privileged access, policy enforcement, and strong encryption. Protecting your machine identities as part of your zero trust architecture will take you a long way toward breach prevention. Here are some machine identity management best practices that you should consider: 

• Locate all your machine identities.  Having a complete list of your machine identities and knowing where they’re all installed, who owns them, and how they’re used will give you the visibility you need to ensure that they are not being misused in an attack.
• Set up and enforce security policies.  To keep your machine identities safe, you need security policies that help you control every aspect of machine identities — issuance, use, ownership, management, security, and decommissioning. 
• Continuously gather machine identity intelligence.  Because the number of machines on your network is constantly changing, you need to maintain intelligence their identities, including the conditions of their use and their environment. 
• Automate the machine identity life cycle.  Automating he management of certificate requests, issuance, installation, renewals, and replacements helps you avoid error-prone manual actions that may leave your machine identities vulnerable to outage or breach. 
• Monitor for anomalous use.  After you’ve established a baseline of normal machine identity usage, you can start monitoring and flagging anomalous behavior, which can indicate a machine identity compromise.
• Set up notifications and alerts.  Finding and evaluating potential machine identity issues before they exposures is critical. This will help you take immediate action before attackers can take advantage of weak or unprotected machine identities.
• Remediate machine identities that don’t conform to policy.  When you discover machine identities that are noncompliant, you must quickly respond to any security incident that requires bulk remediation.

Training your users about the importance of machine identities will help reduce user errors. And advances in AI and RPA will also play a factor in the future. But for now, your best bet in preventing encryption from being misused in an attack on your organization is an automated machine identity management solution that allows you to maintain full visibility and control of your machine identities. Automation will help you reduce the inherent risks of human error as well as maintain greater control over how you enforce security policies for all encrypted communications. 

( This post has been updated. It was originally published Posted on October 15, 2020. ) 

Related posts

• Marriott Data Breach: 500 Million Reasons Why It’s Critical to Protect Machine Identities
• Breaches Are Like Spilled Milk: It Doesn’t Help to Cry
• The Major Data Breaches of 2017: Did Machine Identities Play a Factor?

2024 Machine Identity Management Summit

Help us forge a new era of cybersecurity

Looking to vulcanize your security with an identity-first strategy? Register today and save up to $100 with exclusive deals. But hurry, this sale won't last!

• Data Breach

What is Cryptography?

Discover the types of cryptography and how to minimize the potential risks it poses.

• Get a Threat Assessment

Speak with an Expert

Cryptography Definition

Cryptography is the process of hiding or coding information so that only the person a message was intended for can read it. The art of cryptography has been used to code messages for thousands of years and continues to be used in bank cards, computer passwords, and ecommerce.

Modern cryptography techniques include algorithms and ciphers that enable the  encryption  and decryption of information, such as 128-bit and 256-bit encryption keys. Modern  ciphers , such as the Advanced Encryption Standard (AES), are considered virtually unbreakable.

A common cryptography definition is the practice of coding information to ensure only the person that a message was written for can read and process the information. This  cybersecurity  practice, also known as cryptology, combines various disciplines like computer science, engineering, and mathematics to create complex codes that hide the true meaning of a message.

Cryptography can be traced all the way back to ancient Egyptian hieroglyphics but remains vital to securing communication and information in transit and preventing it from being read by untrusted parties. It uses algorithms and mathematical concepts to transform messages into difficult-to-decipher codes through techniques like cryptographic keys and digital signing to protect data privacy, credit card transactions, email, and web browsing.

The Importance of Cryptography

Cryptography remains important to protecting data and users, ensuring confidentiality, and preventing cyber criminals from intercepting sensitive corporate information. Common uses and examples of cryptography include the following:

Privacy and confidentiality

Individuals and organizations use cryptography on a daily basis to protect their privacy and keep their conversations and data confidential. Cryptography ensures confidentiality by encrypting sent messages using an algorithm with a key only known to the sender and recipient. A common example of this is the messaging tool WhatsApp, which encrypts conversations between people to ensure they cannot be hacked or intercepted. 

Cryptography also secures browsing, such as with virtual private networks (VPNs), which use encrypted tunnels, asymmetric encryption, and public and private shared keys.

Authentication

Similar to how cryptography can confirm the authenticity of a message, it can also prove the integrity of the information being sent and received. Cryptography ensures information is not altered while in storage or during transit between the sender and the intended recipient. For example, digital signatures can detect forgery or tampering in software distribution and financial transactions.

Nonrepudiation

Cryptography confirms accountability and responsibility from the sender of a message, which means they cannot later deny their intentions when they created or transmitted information. Digital signatures are a good example of this, as they ensure a sender cannot claim a message, contract, or document they created to be fraudulent. Furthermore, in email nonrepudiation, email tracking makes sure the sender cannot deny sending a message and a recipient cannot deny receiving it.

Key exchange

Key exchange is the method used to share cryptographic keys between a sender and their recipient.

Get a Cybersecurity Threat Assessment

Know your vulnerabilities - get the facts about your security risk and at no cost.

Types of Cryptographic Algorithms

There are many types of cryptographic algorithms available. They vary in complexity and security, depending on the type of communication and the sensitivity of the information being shared.

Secret Key Cryptography

1. stream ciphers.

Stream ciphers work on a single bit or byte at any time and constantly change the key using feedback mechanisms. A self-synchronizing stream cipher ensures the decryption process stays in sync with the encryption process by recognizing where it sits in the bit keystream. A synchronous stream cipher generates the keystream independently of the message stream and generates the same keystream function at both the sender and the receiver.

2. Block ciphers

Block ciphers encrypt one block of fixed-size data at a time. It will always encrypt a plaintext data block to the same ciphertext when the same key is used. A good example of this is the Feistel cipher, which uses elements of key expansion, permutation, and substitution to create vast confusion and diffusion in the cipher. 

The stages of encryption and decryption are similar if not identical, which means reversing the key reduces the code size and circuitry required for implementing the cipher in a piece of software or hardware.

Public Key Cryptography

RSA was the first and remains the most common PKC implementation. The algorithm is named after its MIT mathematician developers, Ronald Rivest, Adi Shamir, and Leonard Adleman, and is used in data encryption, digital signatures, and key exchanges. It uses a large number that is the result of factoring two selected prime numbers. It is impossible for an attacker to work out the prime factors, which makes RSA especially secure.

2. Elliptic Curve Cryptography (ECC)

ECC is a PKC algorithm based on the use of elliptic curves in cryptography. It is designed for devices with limited computing power or memory to encrypt internet traffic. A common use of ECC is in embedded computers, smartphones, and cryptocurrency networks like bitcoin, which consumes around 10% of the storage space and bandwidth that RSA requires.

3. Digital Signature Algorithm (DSA)

DSA is a standard that enables digital signatures to be used in message authentication. It was introduced by the National Institute of Standards and Technology (NIST) in 1991 to ensure a better method for creating digital signatures.

4. Identity-based Encryption (IBE)

IBE is a PKC system that enables the public key to be calculated from unique information based on the user’s identity, such as their email address. A trusted third party or private key generator then uses a cryptographic algorithm to calculate a corresponding private key. This enables users to create their own private keys without worrying about distributing public keys.

5. Public Key Cryptography Standards (PKCS)

All PKC algorithms and usage are governed by a set of standards and guidelines designed by RSA Data Security. These are as follows:

• PKCS #1 or RFC 8017: RSA Cryptography Standard
• PKCS #3: Diffie-Hellman Key Agreement Standard
• PKCS #5 and PKCS #5 v2.1 or RFC 8018: Password-Based Cryptography Standard
• PKCS #6: Extended-Certificate Syntax Standard (being replaced by X.509v3)
• PKCS #7 or RFC 2315: Cryptographic Message Syntax Standard 
• PKCS #8 or RFC 5958: Private Key Information Syntax Standard
• PKCS #9 or RFC 2985: Selected Attribute Types
• PKCS #10 or RFC 2986: Certification Request Syntax Standard
• PKCS #11: Cryptographic Token Interface Standard
• PKCS #12 or RFC 7292: Personal Information Exchange Syntax Standard 
• PKCS #13: Elliptic Curve Cryptography Standard
• PKCS #14: Pseudorandom Number Generation Standard
• PKCS #15: Cryptographic Token Information Format Standard

6. Diffie-Hellman and Key Exchange Algorithm (KEA)

The Diffie-Hellman algorithm was devised in 1976 by Stanford University professor Martin Hellman and his graduate student Whitfield Diffie, who are considered to be responsible for introducing PKC as a concept. It is used for secret key exchanges and requires two people to agree on a large prime number. 

KEA is a variation of the Diffie-Hellman algorithm and was proposed as a method for key exchange in the NIST/National Security Agency’s (NSA) Capstone project, which developed cryptography standards for public and government use.

Hash Function

Hash functions ensure that data integrity is maintained in the encryption and decryption phases of cryptography. It is also used in databases so that items can be retrieved more quickly. 

Hashing is the process of taking a key and mapping it to a specific value, which is the hash or hash value. A hash function transforms a key or digital signature, then the hash value and signature are sent to the receiver, who uses the hash function to generate the hash value and compare it with the one they received in the message. 

A common hash function is folding, which takes a value and divides it into several parts, adds parts, and uses the last four remaining digits as the key or hashed value. Another is digit rearrangement, which takes specific digits in the original value, reverses them, and uses the remaining number as the hash value. Examples of hash function types include Secure Hash Algorithm 1 (SHA-1), SHA-2, and SHA-3.

Types of Cryptographic Key Attacks and Risks

1. weak keys.

Keys are essentially random numbers that become more difficult to crack the longer the number is. Key strength and length need to be relative to the value of the data it protects and the length of time that data needs to be protected. Keys should be created with a high-quality, certified random number generator that collects entropy—the information density of a file in bits or characters—from suitable hardware noise sources.

2. Incorrect use of keys

When keys are used improperly or encoded poorly, it becomes easier for a hacker to crack what should have been a highly secure key.

3. Reuse of keys

Every key should only be generated for a specific single-use encrypt/decrypt purpose, and use beyond that may not offer the level of protection required.

4. Non-rotation of keys

Keys that are overused, such as encrypting too much data on a key, become vulnerable to attacks. This is particularly the case with older ciphers and could result in data being exposed. Keys need to be rotated, renewed, and updated when appropriate.

5. Inappropriate storage of keys

Storing keys alongside the information they have been created to protect increases their chances of being compromised. For example, keys stored on a database or server that gets breached could also be compromised when the data is exfiltrated.

6. Inadequate protection of keys

Huge cyberattacks like Meltdown/Spectre and Heartbleed have been capable of exposing cryptographic keys stored in server memory. Therefore, stored keys must be encrypted and only made available unencrypted when placed within secure, tamper-protected environments, or even kept offline.

7. Insecure movement of keys

Moving keys between systems should only occur when the key is encrypted or wrapped under an asymmetric or symmetric pre-shared transport key. If this is not possible, then the key must be split up into multiple parts that are kept separate, re-entered into the target system, then destroyed.

8. Insider threats (user authentication, dual control, and segregation of roles)

Insider threats are one of the most serious threats posed to any key. This is most likely to occur through a rogue employee having access to a key, then using it for malicious purposes or giving or selling it to a hacker or third party.

9. Lack of resilience

Resilience is vital to protecting the availability, confidentiality, and integrity of keys. Any key that suffers a fault with no backup results in the data the key protects being lost or inaccessible.

10. Lack of audit logging

Key life cycles must be logged and recorded in full to ensure any compromise can be tracked and enable subsequent investigations to occur smoothly.

11. Manual key management processes

Recording key management processes manually on paper or spreadsheets runs the risk of human error and makes the keys highly vulnerable to attack or theft.

How to Minimize the Risks Associated with Cryptography

Organizations and individuals can minimize and mitigate cryptography-related threats with a dedicated electronic key management system from a reputable provider. The solution must use a hardware security module to generate and protect keys, and underpin the entire system’s security. 

It needs to include features like full key management life cycle, strong key generation, strict policy-based controls, swift compromise detection, secure key destruction, strong user authentication, secure workflow management, and a secure audit and usage log. This will protect the organization's keys, enhance efficiency, and ensure compliance with data and privacy regulations. 

Another potential solution is cryptography quantum, whereby it is impossible to copy data encoded in a quantum state.

Cryptography FAQs

1. what do you mean by cryptography.

In computer science, cryptography is the collection of secure information and communication techniques employing mathematical concepts and algorithms used to disguise the content of messages.

3. What are the three types of cryptography?

The three types of cryptography are:

• Secret key cryptography
• Public key cryptography
• Hash function cryptography

3. What is an example of cryptography

The Rivest-Shamir-Adleman (RSA) algorithm is widely used on the Internet. RSA uses a pair of keys to encrypt and decrypt information.

Cybersecurity Resources

• Cybersecurity
• Types of Cyber Attacks
• IT vs OT Cybersecurity
• AI Cybersecurity
• Cyber Threat Intelligence
• Cybersecurity Management
• Network Security
• Data Security
• Email Security
• Endpoint Security
• Web Security
• Enterprise Security
• Cybersecurity Mesh

Quick Links

• Fortinet Products
• Fortinet Demos
• Analyst Reports

Related Topics

More cryptography resources.

WHITE PAPER: FortiMail Identity Based Encryption

WHITE PAPER: Fortinet and Secure Email Security Solution

WHITE PAPER: The Fortinet Secure Health Architecture

Please fill out the form and a knowledgeable representative will get in touch with you soon.

By clicking submit you agree to the Fortinet Terms and Conditions & Privacy Policy .

Evaluating the merits and constraints of cryptography-steganography fusion: a systematic analysis

• Regular Contribution
• Open access
• Published: 05 May 2024

Cite this article

You have full access to this open access article

• Indy Haverkamp 1 &
• Dipti K. Sarmah 1  

209 Accesses

Explore all metrics

In today's interconnected world, safeguarding digital data's confidentiality and security is crucial. Cryptography and steganography are two primary methods used for information security. While these methods have diverse applications, there is ongoing exploration into the potential benefits of merging them. This review focuses on journal articles from 2010 onwards and conference papers from 2018 onwards that integrate steganography and cryptography in practical applications. The results are gathered through different databases like Scopus, IEEE, and Web of Science. Our approach involves gaining insights into real-world applications explored in the existing literature and categorizing them based on domains and technological areas. Furthermore, we comprehensively analyze the advantages and limitations associated with these implementations, examining them from three evaluation perspectives: security, performance, and user experience. This categorization offers guidance for future research in unexplored areas, while the evaluation perspectives provide essential considerations for analyzing real-world implementations.

Similar content being viewed by others

Cyber risk and cybersecurity: a systematic review of data availability

Ethics in Cybersecurity. What Are the Challenges We Need to Be Aware of and How to Handle Them?

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

Avoid common mistakes on your manuscript.

1 Introduction

Our daily lives are becoming increasingly linked with the digital realm, encompassing various activities such as messaging, cloud data storage, and financial transactions. Ensuring the security and confidentiality of this data is vital. Cryptography and steganography, two essential sciences of information security [ 74 , 77 ], offer solutions to render messages unintelligible to eavesdroppers and imperceptible to detection, respectively. These techniques play a crucial role in protecting sensitive information. Both fields serve the purpose of ensuring the confidentiality of data [ 69 ], however, in different ways: Cryptography shields the content of a message through the use of encryption keys, ensuring its protection. On the other hand, steganography focuses on concealing the very presence of the message within a "cover" medium [ 74 ]. While cryptography finds extensive usage in various everyday applications, both techniques have their respective domains of application and can potentially be combined for enhanced security measures. Steganography encompasses a wide range of techniques and can be applied in different forms, such as images, audio, video, and text, to many applications, for example, IoT communication [ 7 , 21 , 39 ], military [ 71 ], cloud storage [ 2 , 18 , 46 , 67 ], and more [ 28 , 31 , 32 , 89 , 93 ]. The growth of interest in steganography was sparked in two ways: the multimedia industry could greatly benefit from possible water-marking techniques, and restrictions on cryptographic schemes by governments triggered interest in alternative ways for communication to stay secretive [ 8 ] (Fig. 1 ).

Graph of published journal articles and conference papers on Scopus ( https://www.scopus.com/ —with query: ("cryptography" AND "steganography") AND ("application" OR "real-world") AND ("security" OR "cyberattack" OR "cybersecurity")) from 1996 to June 2023

Figure 2 visually represents the exponential growth of publications focusing on the applications of combining steganography and cryptography, as observed in Scopus. Footnote 1 This trend highlights the increasing interest in merging or comparing these two disciplines within the research community. While the combination of multiple security mechanisms may appear advantageous, it is important to note that the suitability of combining cryptography with steganography can vary. Several factors, including bandwidth availability [ 37 , 81 ] and latency considerations [ 88 ], can influence the feasibility of such integration. For instance, incorporating additional layers of security may result in increased data size, potentially exceeding the available bandwidth and causing slower transmission speeds. Interestingly, the computational complexity of a combined approach does not always exhibit a linear increase. A notable example is presented in [ 25 ], where steganography with Diffie-Hellman encryption demonstrated the same time complexity as steganography alone. However, when using RSA [ 91 ] encryption, a higher time complexity was observed [ 25 ]. Therefore, the choice between these techniques heavily relies on the specific security requirements of the given situation and the particular types of cryptography and steganography employed. In this paper, we refer to "a combined approach" to the combined use of steganography and cryptography. Furthermore, ’method’ and’scheme’ interchangeably refer to a paper’s combined implementation.

Data gathering and study selection processes of both literature searches

As the number of systems requiring protection from cyberattacks continues to rise, the exploration of applications where steganography and cryptography can be combined becomes increasingly intriguing. Nonetheless, to identify potential areas for improvement or future research, it is imperative to gain a comprehensive understanding of the current state of research in this field.

The goal of this research is in threefold steps as mentioned in the following. This also helps to formulate the research questions.

The research does a systematic literature review aiming to bring forth a novel perspective by identifying and analyzing papers that delve into the combined application of cryptography and steganography across real-world applications.

The research categorizes these applications based on diverse domains and contexts, such as their domain of applications (e.g., Medical or Transportation) and technological domain (e.g., Cloud Computing or Internet of Things).

The research also explores several relevant studies to identify the advantages, limitations, and trade-offs discussed in the existing literature and gain insight into how the performance of these combined implementations can be effectively analyzed.

The findings derived from this comprehensive review yield valuable insights into the current research landscape, contributing to advancements in fortifying systems against cyber threats. Consequently, these findings prompt the formulation of the following research questions, which further drive exploration and inquiry in this field. The primary research question focuses on exploring the advantages and limitations of utilizing a combined steganography and cryptography approach in diverse real-world applications as a means to enhance security against cyberattacks on a system.

To address this primary question, three key sub-questions necessitate analysis:

What are the various real-world applications where combined steganography and cryptography approaches can be used? (RQ1)

What are the advantages, limitations, and trade-offs of using a combined approach in these applications? (RQ2)

How are implementations of a combined approach evaluated across different real-world applications? (RQ3)

By addressing these sub-questions, a comprehensive understanding of the benefits, constraints, and evaluation methods surrounding the combined application of steganography and cryptography can be obtained, leading to significant insights for bolstering system security against cyber threats.

This paper is organized into several sections, including the Introduction section as referred to in Sect. 1 . Section 2 discusses the background and related work of the steganography and cryptography techniques as well as evaluation methods. Section 3 elaborates on the methodology of the research including the search strategy for conducting a literature review, databases to collect resources, and tools to optimize the efficiency of the review process. The results are presented in Sect. 4 which includes different types of applications and categorization approaches of these applications, exploring limitations and advantages of the applications, and analyzing these methods to provide valuable insights into the combination of cryptography and steganography methods in terms of security, performance, and user perspective. Section 5 gives the concluding remarks and presents the future scope of the research. References are drawn at the end of the paper.

2 Background and related work

There is high interest in organizations, researchers, and end users in the sciences of steganography and cryptography to enhance security for different applications and several domains. In this research, we analyzed several papers that focus on the combination of cryptography and steganography to identify the real gap and pros and cons of combining both sciences. For that, we focused on several relevant applications, and one of the important and interesting applications in the medical domain where Bhardwaj, R. [ 13 ] addresses the critical challenge of ensuring patient data privacy and security in telemedicine applications. The author proposes an enhanced reversible data-hiding technique operating in the encrypted domain. The proposed algorithm embeds secret messages in hexadecimal form and utilizes four binary bits of electronic patient information (EPI) in each cover image block, ensuring secure communication. However, this approach mitigates underflow and overflow problems, enabling precise information embedding even in low-intensity pixel areas.

On the other side, the research [ 22 ] discusses the growing challenge of securing medical data in healthcare applications due to the expanding presence of the Internet of Things (IoT). They propose a hybrid security model combining cryptography and steganography to protect diagnostic text data within medical images. The encryption process precedes the embedding of encrypted data into cover images, both color and grayscale, to accommodate varying text sizes. Performance evaluation based on six statistical parameters indicates promising results, with PSNR values ranging from 50.59 to 57.44 for color images and from 50.52 to 56.09 for grayscale images. The proposed model demonstrates its effectiveness in securely hiding confidential patient data within cover images while maintaining high imperceptibility and capacity, with minimal degradation in the received stego-image.

Further, the research [ 34 ] states that as the elderly population increases and more people suffer from heart problems, hospitals worldwide are expected to use remote electrocardiogram (ECG) patient monitoring systems. These systems will gather a lot of ECG signals from patients at home, along with other health measurements like blood pressure and temperature, for analysis by remote monitoring systems. It's crucial to keep patient information safe when transmitting data over public networks and storing it on hospital servers. This study introduces a technique using wavelets, which are like a special math tool, to hide patient data in ECG signals. It combines encryption, which is like a lock, and scrambling, which is like mixing things up, to protect the data. This technique lets us put patient info into ECG signals without changing how they look or work. Tests show that the technique keeps data safe (with less than 1% change) and doesn't mess up the ECG readings. This means doctors can still read the ECGs even after we take out the hidden patient info, keeping medical data private and accurate.

Furthermore, the paper [ 41 ] proposes a novel steganography technique in their work, aiming to enhance the security of data transmission in telemedicine applications. This technique involves concealing patient information within medical images using a dynamically generated key, determined through graph coloring and the pixel count of the cover image. By combining steganography with cryptography, the patient information is encrypted using the RSA algorithm to strengthen security measures. Notably, this proposed method ensures reversibility, allowing for the lossless restoration of original medical images after data extraction from the stego medical image. Experimental evaluations demonstrate the efficacy of this approach, showcasing its superior security compared to alternative information hiding methods, particularly in terms of key generation complexity and the quality of restored images as measured by Peak Signal-to-Noise Ratio (PSNR) and Mean Square Error (MSE).

The researchers in [ 45 ] also worked along similar lines to enhance robust security measures in the handling of medical images, particularly when sensitive patient records are involved. To address this, a 128-bit secret key is generated based on the histogram of the medical image. Initially, the digital imaging and communications in medicine (DICOM) image undergoes a decomposition process to extract its sensitive features. The resulting image is then divided into blocks dependent on the generated key, followed by key-dependent diffusion and substitution processes. Encryption is performed over five rounds to ensure robust security. Subsequently, the secret key is embedded within the encrypted image using steganography, further enhancing the security of the proposed cipher. At the receiver's end, the secret key is extracted from the embedded image and decryption is carried out in reverse.

An innovative approach is presented in this paper [ 48 ], proposing an integrated method that combines cryptography and steganography to bolster data security in automotive applications. In this technique, data is first encrypted using a modified RSA cryptographic algorithm, and the encrypted data is then embedded along the edges of an image using the Least Significant Bit (LSB) technique. Edge detection [ 55 ] is accomplished using a fuzzy logic approach. This integrated approach is primarily designed for applications such as Diagnostics over Internet Protocol (DoIP) and Software Updates over the Air (SOTA), which involve the exchange of highly sensitive data. Additionally, the authenticity of the source of software updates is verified using a Hash Algorithm in SOTA.

Additionally, this paper [ 57 ] introduces a technique for encrypting and decrypting patient medical details, medical images, text, and pictorial forms using unique algorithms, aligning with the literature discussed above in the medical field. However, this research enhances security through the utilization of chaotic signals [ 59 ]. Signal generation and analysis are conducted using Matlab 7.10, demonstrating the efficacy of this method. In similar lines, the paper by Parah et al. [ 61 ] introduces a novel and reversible data hiding scheme tailored for e-healthcare applications, emphasizing high capacity and security. The Pixel to Block (PTB) conversion technique is employed to generate cover images efficiently, ensuring the reversibility of medical images without the need for interpolation. To enable tamper detection and content authentication at the receiver, a fragile watermark and Block Checksum are embedded in the cover image, computed for each 4 × 4 block. Intermediate Significant Bit Substitution (ISBS) is utilized to embed Electronic Patient Records (EPR), watermark, and checksum data, preventing LSB removal/replacement attacks. Evaluation of the scheme includes perceptual imperceptibility and tamper detection capability under various image processing and geometric attacks. Experimental results demonstrate the scheme's reversibility, high-quality watermarked images, and effective tamper detection and localization.

In this research [ 75 ], the authors propose a new and secure steganography-based End-to-End (E2E) verifiable online voting system to address issues within the voting process. This research introduces a novel approach to online voting by integrating visual cryptography with image steganography to bolster system security while maintaining system usability and performance. The voting system incorporates a password-hashed-based scheme and threshold decryption scheme for added security measures. Further, the research [ 78 ] discusses the advantages of combining both steganography and cryptography for having more secure communication. Initially, the Advanced Encryption Standard (AES) algorithm is adapted and employed to encrypt the secret message. Subsequently, the encrypted message is concealed using a steganography method. This hybrid technique ensures dual-layered security, offering both high embedding capacity and quality stego images for enhanced data protection.

Furthermore, the authors in [ 87 ] introduce a novel Reversible data hiding in encrypted images (RDHEI) scheme leveraging the median edge detector (MED) and a hierarchical block variable length coding (HBVLC) technique. In this approach, the image owner predicts the pixel values of the carrier image with MED, followed by slicing the prediction error array into bit-planes and encoding them plane by plane. Experimental results demonstrate that the proposed scheme not only restores secret data and the carrier image without loss but also surpasses state-of-the-art methods in embedding rate across images with diverse features.

The previously discussed paper primarily centered around application domains. In contrast, we examined several papers that primarily focused on technological domains. This paper [ 1 ] presents the Circle Search Optimization with Deep Learning Enabled Secure UAV Classification (CSODL-SUAVC) model tailored for Industry 4.0 environments. The CSODL-SUAVC model aims to achieve two core objectives: secure communication via image steganography and image classification. The proposed methodology involves Multi-Level Discrete Wavelet Transformation (ML-DWT), CSO-related Optimal Pixel Selection (CSO-OPS), and signcryption-based encryption. The proposed CSODL-SUAVC model is experimentally validated using benchmark datasets, demonstrating superior performance compared to recent approaches across various evaluation aspects.

In their paper [ 5 ], the authors introduce an improved system designed to safeguard sensitive text data on personal computers by combining cryptography and steganography techniques. The system's security is fortified by employing RSA cryptography followed by audio-based steganography. The study includes system modeling and implementation for testing, aimed at exploring the relationship between security, capacity, and data dependency. Experimentation involved securing data within 15 differently sized audio files, yielding insightful results.

Additionally, the research in [ 7 ] discusses the promising growth of the Internet of Things (IoT) and the prevalent use of digital images, which has resulted in an increased adoption of image steganography and cryptography. However, current systems encounter challenges related to security, imperceptibility, and capacity. In response, they propose a new Crypt-steganography scheme that integrates three primary elements: hybrid additive cryptography (HAC) for secure message encryption, the bit interchange method (BIGM) to ensure imperceptibility during embedding, and a novel image partitioning method (IPM) for enhanced randomness in pixel selection. Evaluations confirm the scheme's effectiveness in addressing these challenges.

Also, the authors of [ 9 ] presented a novel approach to safeguard data on the cloud using Reversible Data Hiding in an Encrypted Image (RDHEI), coupled with homomorphic encryption and a rhombus pattern prediction scheme. With this method, third parties can perform data-hiding operations on encrypted images without knowledge of the original content, ensuring high-level security. The proposed method demonstrates strong protective measures, as evidenced by experimentations. Additionally, the approach enables seamless image recovery and covert extraction.

Further, in this paper, the authors [ 10 ], explore how malicious Android applications are evading detection by hiding within images using techniques like Concatenation, Obfuscation, Cryptography, and Steganography. They assess the vulnerability of ten popular Android anti-malware solutions to these methods. Surprisingly, only one solution detected two hiding techniques, while the others remained blind to all eight. This evaluation offers insights into the evolving landscape of Android malware and the effectiveness of current detection systems.

Insufficient security measures in data transmission led to issues like data integrity, confidentiality, and loss, especially with big data. Executing multiple security algorithms reduces throughput and increases security overhead, impacting robustness against data loss. Conversely, compression techniques sacrifice data confidentiality. Existing studies lack comprehensive security policies to address these concerns collectively. Therefore, the authors in their paper [ 14 ] propose an integrated approach to enhance confidentiality and provide backup for accidental data loss by combining simplified data encryption standards (SDES) and advanced pattern generation. A novel error control technique maximizes data integrity against transmission errors. A new compression method improves robustness against data loss while maintaining efficiency. Enhanced confidentiality and integrity are achieved through advanced audio steganography. Implementing this integrated technique in a GPU environment accelerates execution speed and reduces complexity. Experiments validate the method's effectiveness in ensuring data confidentiality and integrity, outperforming contemporary approaches.

By covering one more technological aspect, the research [ 19 ] introduces a secure Near Field Communication (NFC) smartphone access system using digital keys and Encrypted Steganography Graphical Passwords (ESGP). User perceptions and intentions are evaluated through experiments and surveys, emphasizing security as a key factor in adopting NFC ESGP systems. This offers valuable insights for enhancing security through two-factor authentication on NFC-enabled smartphones.

Further, recognizing Fog computing as an intriguing domain bridging the cloud and Internet of Things (IoT) necessitates a secure communication channel to prevent attacks. In the paper [ 33 ], the strengths and weaknesses of hybrid strategies of cryptography and steganography in fog environments, where real-time transmission is crucial, are discussed. This paper presents a novel Fog-Based Security Strategy (FBS2) that integrates cryptography and steganography techniques. The Cryptography Technique (PCT) entails two phases: confusion and diffusion, which scramble and modify pixel values of secret images using innovative methodologies. The Steganography Technique utilizes discrete wavelet packet transform, employing a new matching procedure based on the most significant bits of encrypted secret images and cover image pixels. Experimental results illustrate FBS2's superiority in efficiency, security, and processing time, executing it well-suited for fog environments.

Furthermore, the paper [ 36 ] explores Industry 5.0, which merges human and machine capabilities to meet complex manufacturing demands through optimized robotized processes. Industry 5.0 utilizes collaborative robots (cobots) for improved productivity and safety, while unmanned aerial vehicles (UAVs) are expected to have a significant role. Despite UAVs' advantages like mobility and energy efficiency, challenges such as security and reliability persist. To address this, the article presents AIUAV-SCC, an artificial intelligence-based framework tailored for Industry 5.0. It consists of two main phases: image steganography-based secure communication and deep learning (DL)-based classification. Initially, a new image steganography technique is employed, integrating multilevel discrete wavelet transformation, quantum bacterial colony optimization, and encryption processes.

Another interesting method proposed in the research [ 85 ] for encrypting digital images using a special type of mathematical system called a chaotic system. Chaotic systems have properties that make them very difficult to predict and control, which is useful for encryption. The method proposed in this paper uses a specific type of chaotic system called the two-dimensional Hénon-Sine map (2D-HSM), which has been designed to be more effective than other chaotic systems for this purpose. Additionally, the method incorporates a technique inspired by DNA to further enhance the encryption process. This new encryption scheme aims to protect images when they are sent over the Internet. The paper presents experimental tests to show that this scheme performs better than other methods in terms of security and resistance to attacks.

Furthermore, advanced cloud computing is considered one of the prominent technologies offering cost-saving benefits and flexible services. With the increasing volume of multimedia data, many data owners choose to outsource their data to the cloud. However, this trend raises privacy concerns, as users relinquish control over their data. To address these concerns, reversible data hiding schemes for encrypted image data in cloud computing have been proposed by [ 86 ]. These schemes aim to ensure data security without relying on the trustworthiness of cloud servers. Theoretical analysis confirms the security and correctness of the proposed encryption model, with acceptable computation costs adjustable based on security needs.

We also focused on Conference papers that explore the combination of cryptography and steganography, covering various applications and technological domains. The work at [ 23 ], presents a novel framework that combines a hybrid encryption scheme using chaotic maps and 2D Discrete Wavelet Transform (DWT) Steganography to enhance security by maintaining patient privacy. Additionally, a web-based monitoring platform is deployed for tracking electronic medical records during transmission. Experimental results show that the proposed framework outperforms existing approaches in terms of accuracy, sensitivity, and perceptibility, with high imperceptibility and limited degradation in the stego image.

Along similar lines, the authors [ 29 ] present the aim of their study to protect the privacy and confidentiality of data during multimedia exchanges between two IoT hops in uncertain environments. To achieve this, a robust multilevel security approach based on information hiding and cryptography is proposed to deter attackers and ensure data confidentiality. Existing schemes often struggle to strike a balance between medical image quality and security, and directly embedding secret data into images followed by encryption can make it easy for intruders to detect and extract hidden information. This study yields superior results in terms of imperceptibility and security by employing the right method in the right context.

Also, another application aspect Reversible data hiding (RDH) ensures secure digital data transmission, especially vital in telemedicine where medical images and electronic patient records (EPR) are exchanged. This study [ 47 ] proposes a novel RDH scheme that embeds EPR data during image encryption. Using a block-wise encryption technique, the scheme hides EPR data bits within the encrypted image. A support vector machine (SVM)-based classification scheme is employed for data extraction and image recovery. Experimental results show superior performance compared to existing schemes in terms of embedding rate and bit error rate.

Further, Network security is crucial in safeguarding against malicious attacks, especially with the rapid growth of e-commerce worldwide. This study [ 52 ] proposes a novel approach to enhance online shopping security by minimizing the sharing of sensitive customer data during fund transfers. Combining text-based steganography, visual cryptography, and OTP (One Time Password), the proposed payment system ensures customer data privacy, prevents identity theft, and increases customer confidence. By utilizing steganography and visual cryptography, the method minimizes information sharing between consumers and online merchants, thereby enhancing data security and preventing misuse of information.

Further moving forward with another interesting research [ 62 ] that focusses on E-commerce platform transactions. this study proposes a two-layered security mechanism for e-transactions using dynamic QR codes. The first layer involves encapsulating payment information within a dynamic QR code, unique to each order, which includes bank details, user information, and order specifics. The second layer employs encryption through Secure Electronic Transactions (SET) to further secure the payment process. This dual-layer approach enhances security by introducing dynamic QR codes, reducing vulnerability to cyber-attacks and ensuring secure transmission of payment data. On the other side, the authors [ 3 ] proposed a lightweight dynamic encryption algorithm using DNA-based stream ciphers. This algorithm generates a one-time dynamic key (DLFSR) based on collected data, encoding both the text and key into a dynamic DNA format. The ciphertext is then produced through an addition process using a proposed table, with decryption information hidden within for key distribution. Statistical tests and performance evaluations demonstrate the algorithm's effectiveness in providing security for restricted devices, outperforming previous approaches.

To safeguard IPv6 packet identities against Denial-of-Service (DoS) attacks, this paper [ 6 ] proposes a combination of cryptography and steganography methods. Ensuring secure communication in IPv6 network applications is crucial due to prevalent issues like DoS attacks and IP spoofing. The proposed approach involves generating unique identities for each node, encrypting them, and embedding them into transmitted packets. Upon reception, packets are verified to authenticate the source before processing. The paper conducts nine experiments to evaluate the proposed scheme, which includes creating IPv6 addresses, applying logistics mapping, RSA encryption, and SHA2 authentication. Network performance is assessed using OPNET modular, demonstrating improved computation power consumption and better overall results, including memory usage, packet loss, and traffic throughput. In a similar line, the paper [ 11 ] suggests a hybrid security method using hashing, encryption, and image steganography to better protect user credentials in databases. The aim is to help developers integrate strong password security practices into their software development process to prevent data breaches. Experimental results show the effectiveness of this approach.

Security is crucial across various applications, including cloud storage and messaging. While AES, DES, and RSA are common encryption methods, relying solely on one can lead to vulnerabilities if the encryption key is compromised. To address this, hybrid cryptography is employed in this research [ 12 ], combining existing techniques with three new methods. Data is divided into three sections and encrypted with AES, DES, and RSA respectively. Encryption keys are stored using LSB steganography in an image, ensuring additional security. Users must retrieve the keys from the image to access and decrypt the data stored in the cloud, enhancing overall security. Further, Castillo et al. [ 17 ] present a new mobile app that secures images using AES encryption and LSB steganography. It employs a 256-bit AES key for robust protection and utilizes the Diffie-Hellman algorithm for secure key exchange. The app development follows the Rapid Application Development Model, ensuring iterative refinement and early testing. Evaluation based on ISO/IEC/IEEE 29119 Testing Standards indicates user satisfaction with an overall mean rating of 4.17.

As mentioned above, one of the interesting areas is Cloud Computing (CC) which has emerged as a popular model for delivering services over the Internet, with Software as a Service (SaaS) being a prominent example. Despite its benefits, security remains a concern. This paper [ 24 ] presents an application model for securing SaaS applications hosted on private clouds. The model consists of two micro-services: an Application Layer Firewall to prevent malicious activity, and a secure login application for sensitive data transmission. Additionally, a Hidden Markov Model layer is implemented for intrusion detection. The second micro-service uses Advanced Encryption Standard (AES) for document encryption within the private cloud. Further security is provided through a novel Video Steganography approach using the Least Significant Bit (LSB) technique. Overall, the paper outlines a comprehensive approach to enhance security in SaaS applications.

Further, considering confidentiality and integrity important aspects for sharing confidential information while communication, the research [ 38 ] introduces “Stag-chain”, a blockchain-based design combining steganography, AES encryption, and InterPlanetary File System (IPFS) Protocol for decentralized cloud storage. The image file is stored on the cloud temporarily, replaced by a normal image afterward. This scheme aims to develop an app ensuring data confidentiality, secure data transmission, and protection against unauthorized access. Furthermore, Madavi et al. [ 43 ] introduce a compact steganography technique for robust data hiding while maintaining perfect invisibility. It combines DES, AES, and RC4 encryption methods for enhanced security. The study aims to achieve data security using steganography with the Least Significant Bit (LSB) Algorithm and Hybrid Encryption, encrypting user input and concealing it within image files for maximum security during message transmission.

Additionally, the authors [ 51 ] introduce a highly secure web-based authentication system utilizing Image Steganography and the 128-bit Advanced Encryption Standard (AES) algorithm. This system encrypts user passwords using AES. Also, face identification photographs are used as stegoimages to conceal the encrypted passwords, further enhancing security. The proposed work demonstrated resilience against advanced steganalysis attacks, including the chi-squared attack and neighborhood histogram. The authors recommended this secure authentication method for future web applications dealing with sensitive user data.

In [ 65 ], the authors investigate using audio signal processing for cybersecurity in voice applications. As voice interfaces become ubiquitous in devices, the research focuses on securely identifying and authenticating users through cryptography and audio steganography, ensuring both security and usability. Also, the paper [ 66 ] introduces security strategies aimed at enhancing data protection in the cloud, addressing concerns such as confidentiality, accessibility, and integrity. By leveraging steganography, encryption-decryption techniques, compression, and file splitting, our proposed approach aims to overcome the limitations of traditional data protection methods, providing clients with an effective and secure means to store and share information.

Further, the transmission of satellite images via the Internet has gained considerable attention, especially with the rise of cloud and web-based satellite information services. Ensuring secure and high-quality data transfer to users has become a priority. To address this in the research [ 70 ], a combination of steganography and cryptography techniques is employed. Steganography hides data within images, audio, or video, while cryptography ensures data remains unintelligible to cyber attackers. This fusion approach offers a unique method for information protection. The paper proposes combining steganography algorithms such as Least Significant Bit (LSB) and Most Significant Bit (MSB) with cryptography algorithms like Rivest-Shamir-Adleman (RSA) for enhanced security.

This is another interesting research under technology development [ 73 ]. The rise of multimedia applications has fueled the use of digital archives, with cloud storage being a common choice for storing, transmitting, and sharing multimedia content. However, the reliance on cloud services poses security risks, compromising data privacy. To mitigate these risks, data access is restricted to authenticated users, and data is encrypted before storage in the cloud. Cipher Text-Policy Attribute-Based Encryption (CP-ABE) is used to encrypt data and control access, but traditional CP-ABE requires substantial computing resources. To address this, an efficient pairing-free CP-ABE scheme using elliptic curve cryptography is proposed, reducing memory and resource requirements. However, even with CP-ABE, plaintext retrieval is easier with cryptanalysis. To enhance data security and ownership, cryptography is combined with steganography, embedding ciphertext into images to thwart cryptanalysis and improve data security and privacy, particularly for multimedia applications.

Further, Modern healthcare relies on secure medical imaging systems for accurate diagnosis. This paper [ 79 ] proposes a method to protect the JPEG compression processor used in these systems from threats like counterfeiting and Trojan insertion. By integrating robust structural obfuscation and hardware steganography, the approach ensures double-layered defense with minimal design cost. Also, Online shopping presents risks such as credit card fraud and identity theft. This paper [ 80 ] introduces a novel scheme to detect and prevent phishing sites using extended visual cryptography, steganography, and an Android application. The scheme reduces user interaction by automatically uploading shares and QR code details during authentication, enhancing security by minimizing errors from manual intervention.

Ensuring image security and copyright protection, especially post-COVID-19, is challenging. This paper [ 98 ] introduces SecDH, a medical data hiding scheme designed to address these challenges specifically for COVID-19 images. The scheme begins by normalizing the cover image to enhance resistance against geometric attack and computes a normalized principal component for embedding. Experimental results show SecDH's imperceptibility and advantages over traditional schemes. In a similar line, this research [100] introduces a robust technique with a high embedding capacity for color images. By fusing multi-focus images using NSCT and computing hash values for authentication, the technique enhances information richness and security. Embedding the fused image and hash value into the cover media using transformed-domain schemes, along with encryption, ensures higher security. Additionally, a hybrid optimization algorithm computes an optimal factor for improved imperceptibility and robustness. Experimental results demonstrate the technique's effectiveness and resistance to common attacks, achieving a 9.5% increase in robustness and an 8.8% enhancement in quality compared to existing works.

Further, the research [ 99 ] proposes SIELNet, a robust encryption algorithm for color images. Utilizing a novel chaotic map and custom network, SIELNet ensures secure data transmission and storage. Experimental results validate its superior performance, promising enhanced data integrity in Industry 5.0.

Furthermore, the evaluation of these techniques relies on a diverse set of metrics that assess their performance in terms of security, robustness, capacity, perceptual quality, and statistical characteristics. This research background provides an overview of the key evaluation metrics, tools, and attacks used for steganography, and cryptography, including their definitions and significance in assessing the effectiveness of covert communication methods. With the help of the following information on evaluation criteria, tools, and attacks, numerous research papers spanning both cryptography and steganography domains have been analyzed and are presented in Table 10 . This provides readers with in-depth information to facilitate their understanding of the Results section with clarity.

Evaluation criteria

Peak signal to noise ratio (PSNR) [ 1 , 5 , 7 , 92 , 95 , 97 ] PSNR is a widely used metric in image processing that quantifies the quality of reconstructed signals by measuring the ratio of the peak signal power to the noise power. In steganography, PSNR is employed to evaluate the perceptual quality of stego images by comparing them to their original counterparts, with higher PSNR values indicating better image fidelity. The PSNR of the grey-level image is defined as follows:

Mean square error (MSE) [ 1 , 22 , 92 , 95 , 97 ] MSE measures the average squared difference between the pixel values of the original and reconstructed signals, providing a quantitative measure of reconstruction accuracy. In steganography, MSE is utilized to assess the distortion introduced by embedding hidden data, with lower MSE values indicating reduced perceptual distortion.

Correlation coefficient (CC) [ 1 , 9 , 22 , 95 ] CC serves as a robust metric commonly applied to evaluate message correlation, particularly within image formats through median filtering. While not extensively employed in steganography, its utility is more pronounced when messages adopt image form. In the realm of image watermarking, CC finds wider usage owing to the prevalent image-based nature of watermarks. Notably, CC's modus operandi doesn't hinge on error quantification but centers on computing the correlation between original message image pixels and their counterparts extracted from the message. Consequently, CC values, ranging from −1 to 1, signify correlation strength, with 1 denoting optimal correlation. Its computation can be executed using the following equation:

Capacity [ 5 , 92 , 95 , 97 ] Capacity refers to the maximum amount of hidden information that can be embedded within a cover signal without causing perceptible distortion. In steganography, capacity metrics assess the payload capacity of steganographic algorithms, guiding the selection of embedding techniques to achieve a balance between data hiding capacity and perceptual quality.

Structural similarity index (SSIM) [ 7 , 22 , 33 , 96 ] It's a metric used in image processing to quantify the similarity between two images. SSIM considers luminance, contrast, and structure, mimicking human visual perception. It's widely used in research to evaluate the quality of image compression, denoising, and restoration algorithms.

Human visual system (HVS) metrics [ 7 , 95 ] HVS metrics model the perceptual characteristics of the human visual system to evaluate the visual quality and perceptibility of stego signals. In steganography, HVS metrics such as the Structural Similarity Index (SSIM) and perceptual entropy are utilized to assess the visibility of embedded data and ensure imperceptibility to human observers.

Entropy [ 33 , 88 , 96 ] Entropy measures the randomness or uncertainty of a signal and is used to quantify the information content of cover and stego signals. In steganography, entropy metrics assess the statistical properties of stego signals, with lower entropy values indicating a higher degree of hidden information. The entropy can be calculated for an 8-bit image as follows:

\(H\left(I\right)=-\sum_{i=1}^{{2}^{8}}{P(I}_{i}){log}_{b}P{(I}_{i})\) , where I denote the Intensity value, and \({P(I}_{i})\) represents the probability of intensity value \({I}_{i}\) .

Histogram analysis [ 9 , 45 , 92 , 95 , 97 ] Histogram analysis examines the distribution of pixel intensities in cover and stego signals to detect statistical anomalies introduced by steganographic embedding. In steganalysis, histogram-based metrics evaluate the statistical differences between cover and stego signals, facilitating the detection of hidden information.

Bit error ratio (BER) [ 9 , 13 , 22 , 95 ] BER quantifies the ratio of incorrectly received bits to the total number of transmitted bits and is used to measure the accuracy of data transmission in digital communication systems. In steganography, BER is employed to evaluate the accuracy of data extraction from stego signals, with lower BER values indicating a higher level of data integrity.

Bits per pixel (BPP) [ 41 , 61 , 85 , 95 ] BPP measures the average number of embedded bits per pixel in stego images and is used to quantify the embedding efficiency of steganographic algorithms [ 96 ]. In steganography, BPP metrics assess the trade-off between embedding capacity and visual quality, guiding the selection of embedding parameters.

Signal-to-noise ratio (SNR) [ 14 , 95 ] SNR measures the ratio of signal power to noise power and is used to quantify the quality of transmitted signals in communication systems. In steganography, SNR metrics evaluate the robustness of steganographic algorithms to noise interference, with higher SNR values indicating better signal quality.

Amplitude difference (AD) [ 14 ] AD measures the difference in amplitude or magnitude between the original plaintext and the corresponding ciphertext resulting from the encryption process. It quantifies the level of distortion introduced during encryption, with lower AD values indicating minimal alteration in amplitude between the plaintext and ciphertext. The assessment of AD aids in evaluating the perceptual quality and robustness of cryptographic algorithms, ensuring that encrypted data retains fidelity and is resistant to unauthorized tampering.

Avalanche effect (AE) [ 14 ] AE characterizes the sensitivity of a cryptographic algorithm to small changes in the input, resulting in significant changes in the output ciphertext. A robust cryptographic algorithm exhibits a pronounced avalanche effect, where even minor modifications in the input plaintext lead to extensive changes in the resulting ciphertext. AE plays a pivotal role in assessing the security and strength of encryption algorithms, as it indicates the extent to which encrypted data conceals underlying patterns and resists cryptanalysis attempts aimed at deciphering the original plaintext.

Bits per code (BPC) [ 14 ] BPC refers to the average number of bits used to represent each symbol or code in a given data encoding scheme or communication system. It quantifies the efficiency of data representation and transmission by measuring the ratio of the total number of bits to the total number of codes or symbols transmitted. In data encoding and compression techniques, a lower BPC indicates higher efficiency in representing data using fewer bits, while ensuring minimal information loss or distortion.

Throughput [ 14 ]: Throughput represents the rate at which data is successfully transmitted or processed over a communication channel or system within a specific time. It measures the amount of data transferred per unit time and is typically expressed in bits per second (bps) or a similar unit of data transmission rate. Throughput is influenced by factors such as channel bandwidth, data encoding efficiency, error correction mechanisms, and system latency. Higher throughput values indicate greater data transmission capacity and efficiency, enabling faster and more reliable communication.

Uncorrectable error rate (UER) [ 14 ] UER is a metric used in error detection and correction systems to quantify the frequency or probability of errors that cannot be successfully detected or corrected by error correction mechanisms. It represents the rate of errors that remain undetected or uncorrected despite the implementation of error detection and correction techniques. A low Uncorrectable Error Rate is desirable in communication systems, indicating a high level of reliability and effectiveness in error detection and correction processes.

Cronbach’s alpha (CA) [ 19 ] Cronbach's alpha is a measure of internal consistency and reliability of steganographic or cryptographic algorithms. It ensures that they consistently perform as intended across different datasets or scenarios.

Composite reliability (CR) [ 19 ] Composite reliability is another measure of internal consistency reliability, similar to Cronbach's alpha. It evaluates the reliability of a set of items in measuring a latent construct, taking into account the factor loadings of the items.

Average variance extracted (AVE) [ 19 ] AVE is a measure of convergent validity in structural equation modeling (SEM). It assesses the amount of variance captured by a latent construct in relation to the variance due to measurement error.

Structural equation modeling (SEM) [ 19 ] SEM is a statistical method used to test and validate theoretical models that specify relationships among observed and latent variables. It allows researchers to assess the structural relationships between variables and evaluate the goodness-of-fit of the proposed model.

Normalized chi-square (Normalized χ2) [ 19 ] Normalized chi-square is a goodness-of-fit measure used in SEM, indicating the discrepancy between the observed and expected covariance matrices relative to the degrees of freedom.

Goodness-of-fit index (GFI) [ 19 ] GFI is a measure of the overall fit of the structural equation model to the observed data. It assesses the extent to which the model reproduces the observed covariance matrix.

Root mean square error (RMSE) [ 19 ] RMSE is a measure of discrepancy between observed and predicted values in SEM. It quantifies the average difference between observed and model-estimated covariance matrices, with lower RMSE values indicating better model fit.

Normed fit index (NFI) [ 19 ] NFI is a goodness-of-fit index in SEM that evaluates the relative improvement in the fit of the proposed model compared to a null model. Higher NFI values indicate a better fit.

Tucker lewis index (TLI) 19] TLI, also known as the Non-Normed Fit Index (NNFI), is a measure of incremental fit in SEM. It compares the proposed model to a baseline model with uncorrelated variables, with TLI values close to 1 indicating a good fit.

Comparative fit index (CFI) [ 19 ] CFI is another measure of incremental fit in SEM, assessing the improvement in the fit of the proposed model relative to a null model. CFI values close to 1 indicate a good fit.

Normalized cross-correlation coefficient (NCCC) [ 33 ] NCCC is employed to measure the similarity between the cover and stego-images. A high NCCC value close to 1 signifies that the steganographic process has been performed effectively, resulting in minimal detectable differences between the original cover image and the stego-image, thereby ensuring the concealment of hidden information within the cover image. This can be evaluated as \({\gamma }_{p,q}=\frac{cov(p,q)}{\sqrt{D(p)\sqrt{D(q)}}}, with D\left(p\right),\) where p and q represent two variables that can denote either the secret and decrypted images in the cryptography process or the cover and stego-images in the steganography process. The correlation coefficient is \(\gamma \) , and each of the \(cov(p, q)\) , \(D(p),\) and \(D(q)\) , correspond to the covariance and variances [ 33 ] of these variables p and q.

Number of pixel change rates (NPCR) [ 33 ] The NPCR metric is utilized during the encryption stage to evaluate the disparity between cipher images before and after a single pixel alteration in a plaintext image. Let P represent the total number of pixels, where C1 and C2 denote the cipher images before and after the pixel change, respectively. Additionally, D is a bipolar array defined such that \(D(i,j)=0\) \(if C1(i,j)=C2(i,j), and D(i,j)=1\) otherwise. The NPCR determines the percentage of differing pixel values between the original and encrypted images. This metric gauges the resilience of the encryption method against potential intrusions and attacks, with higher NPCR values indicating a stronger strategy. \(N\left(C1,C2\right)=\sum_{i,j}\frac{D(i,j)}{P}\times 100\%\) .

Unified average changing intensity (UACI) [ 33 ] UACI calculates the mean intensity of variances between two images with the following formula: \(UACI=\frac{1}{2}[\sum_{pq}\frac{{{I}_{1}\left(p,q\right)}_{-}{I}_{2}\left(p,q\right)}{255}]\times 100\) , where \({I}_{1}\) , \({I}_{2}\) represent the two encrypted images derived from the original image by altering a single pixel, with, p and q denoting the coordinates of the pixels being considered \({I}_{1}\) , and \({I}_{2}\) respectively.

Percentage residual difference (PRD) [ 34 ] This metric assesses the variance between the original ECG host signal and the resulting watermarked ECG signal, calculated as \(PRD=\sqrt{\frac{\sum_{i=1}^{N}{(}^{{{x}_{i}-{y}_{i})}^{2}}}{{\sum }_{i=1}^{N}{{x}^{2}}_{i}}}\) , where \(x\) represents the Original ECG signal, and y is the watermarked signal.

Weighted wavelet percentage residual difference (WWPRD) [ 34 ] This metric is used particularly in the context of watermarking techniques. It is employed to evaluate the effectiveness of image watermarking algorithms by quantifying the perceptual differences between the original image and the watermarked version. In WWPRD, the residual difference between the original image and the watermarked image is calculated in the wavelet domain. By analyzing the WWPRD values, researchers can assess the trade-off between watermark invisibility (how imperceptible the watermark is to human observers) and robustness (how resistant the watermark is to various image processing operations and attacks).

Steganography and steganalysis tools used

Stegdetect [ 10 ] This tool is designed to detect and analyze hidden information within digital media, providing users with powerful steganalysis capabilities. It employs advanced algorithms and techniques to identify subtle modifications or anomalies in digital files that may indicate the presence of hidden information. StegDetect [ 10 ] is widely used by digital forensics experts, law enforcement agencies, and cybersecurity professionals to uncover hidden threats and investigate potential security breaches.

Steganalysis attack [ 61 , 75 , 86 ]

Salt and pepper noise Salt and Pepper Noise, also known as impulse noise, introduces sporadic white and black pixels in an image, resembling grains of salt and pepper scattered throughout the image. This type of noise typically occurs due to errors in data transmission or faults in image acquisition devices.

Additive white gaussian noise (AWGN) AWGN is a type of noise that follows a Gaussian distribution and is characterized by its constant power spectral density across all frequencies. It represents random variations in pixel values added to the original image, often resulting from electronic interference or sensor noise in imaging devices.

Median filtering Median filtering is a spatial domain filtering technique commonly used to remove impulsive noise such as Salt and Pepper Noise. It replaces each pixel value with the median value of its neighboring pixels within a defined window, effectively reducing the impact of outliers caused by noise.

Lowpass filtering Lowpass filtering is a technique used to suppress high-frequency components in an image while preserving low-frequency information. It is commonly employed to mitigate noise by smoothing the image, thereby reducing the effect of high-frequency noise components such as AWGN.

Weiner filtering Weiner filtering is a signal processing technique used to deconvolve images corrupted by additive noise, such as AWGN. It employs a frequency domain approach to estimate and suppress the noise while enhancing the signal-to-noise ratio in the restored image.

Sharpening Sharpening techniques aim to enhance the perceived sharpness and clarity of an image by accentuating edges and details. However, when applied to noisy images, sharpening can exacerbate the visibility of noise, making it a potential target for attacks aimed at degrading image quality.

Histogram equalization attack Histogram equalization is a technique used to adjust the contrast of an image by redistributing pixel values across a wider dynamic range. However, adversaries can exploit this technique to amplify the visibility of noise, especially in regions with low contrast, thereby degrading the overall quality of the image.

Rotation attack Rotation attacks involve rotating an image by a certain angle, which can introduce geometric distortions and potentially exacerbate the visibility of noise. Adversaries may employ rotation attacks to degrade the quality of images, particularly those affected by noise, as part of malicious activities or security breaches.

Pitch removal attacks These involve the removal or alteration of specific pitch frequencies in audio signals. These attacks are often used in scenarios where certain frequency components need to be suppressed or modified, such as in audio watermarking or enhancement techniques.

Bit-plane removal attacks This type of attack targets the bit-plane decomposition of images. In digital image processing, images are often represented using a bit-plane decomposition, where each bit-plane represents a different level of image detail or intensity. Bit-plane removal attacks aim to remove or modify specific bit-planes, thereby altering the visual appearance or content of the image.

Chi-Square attack [ 89 ] This is a prominent technique used to detect the presence of hidden information within digital media, particularly images. This attack leverages statistical analysis to uncover inconsistencies or anomalies in the distribution of pixel values within an image. The rationale behind the Chi-Square Attack lies in the fact that steganographic embedding typically introduces subtle changes to the statistical properties of an image, such as the distribution of pixel values. These changes, while imperceptible to the human eye, can be detected through statistical analysis methods like the chi-square test.

Regular singular (RS) analysis [ 75 ] RS analysis involves analyzing the regular and singular components of an image to identify irregularities or inconsistencies introduced by steganographic embedding techniques. This analysis leverages mathematical properties to distinguish between the regular content of an image and any additional hidden data.

Binary similarity measures (BSM) analysis [ 75 ] BSM are statistical measures used to assess the similarity between the binary representations of two images. In steganalysis, these measures are employed to compare the binary data of an original image with that of a potentially steganographic image. Deviations or discrepancies in binary similarity may indicate the presence of hidden data.

The next section discusses the methodology employed by this research.

3 Methodology

In this section, we outline a reproducible search strategy employed for conducting a comprehensive literature survey. Initially, data collection was performed utilizing the selected databases, namely Footnote 2 Scopus, Footnote 3 IEEE Digital Library, and Footnote 4 ISI Web of Science, with search queries formulated as detailed in Sect. 3.1 . Subsequently, the study selection process was executed, elucidated in Sect. 3.2 . Finally, the final data was extracted from the literature, as described in Sect. 3.3 . The Footnote 5 Parsifal tool was employed to optimize the efficiency of the review process, including the tasks of reviewing, screening, and extracting relevant literature.

3.1 Data gathering (DG)

The initial step in the literature exploration process involves data gathering. Two distinct literature searches were conducted: one encompassing journal articles and a supplementary search focused on conference papers. These papers are also discussed in Sect. 2 . The results of the additional literature search contribute primarily to gaining further insights related to RQ1. To effectively explore the selected databases, essential keywords, and criteria were identified. While both literature searches share common keywords, their criteria, such as publication year and language, were slightly adjusted to ensure a manageable scope. These criteria were refined through an iterative process that involved fine-tuning the keywords and assessing the quantity of relevant literature available on Scopus. The final keywords used for the search query can be expressed as follows:

Search Query: ("cryptography" AND "steganography") AND ("application" OR "real-world") AND ("security" OR "cyberattack" OR "cybersecurity").

Upon utilizing the specified keywords, the three databases collectively yielded a total of 749 results as of May 24th, 2023. Subsequently, inclusion criteria, encompassing year, language, and type, were applied to filter the obtained results. The application of these criteria is detailed in the following two sub-sections.

(a) DG-Literature Search 1: Journal Articles. A comprehensive literature search was conducted specifically for journal articles, with the databases accessed on May 24th, 2023. The criteria applied to this search are as follows:

Only literature published from 2010 onwards was included.

The literature must be classified as a journal article, excluding review papers, conference papers, books, and other sources.

Publications from any region are considered, but they must be in English.

The search encompassed the examination of titles, abstracts, and keywords. These criteria collectively establish the following additional query options:

year >  = 2010

AND language =  = English

AND type =  = Journal Article

These search criteria, along with the keywords from Sect. 2.1, resulted in the total number of 217 journal articles:

Scopus: 179

Web of Science: 31

After removing duplicates using the Parsifal tool, 194 journal articles were left for further analysis.

(b) DG-Literature Search 1: Conference Papers. Furthermore, a supplementary literature search focusing on conference papers was conducted, with the databases accessed on June 23rd, 2023. The search criteria and query vary slightly from the previous literature search as outlined below:

Only conference papers from conference proceedings published from 2018 onwards were considered.

Review papers, journal articles, books, and other sources were excluded.

Similar to the previous search, publications from any region were eligible, provided they were in English.

These criteria lead to the following query options:

year >= 2018

AND language == English

AND type == Conference Paper

AND source type == Conference Proceedings

These search criteria, along with the keywords from Sect. 2.1, resulted in a total number of 147 conference papers:

Web of Science: 11

After removing duplicates using the Parsifal tool, 113 conference papers were left for further analysis.

3.2 Study selection (SS)

The subsequent stage of the literature exploration process involves the selection of pertinent studies, which comprises two distinct phases. The following are seven conditions established to ensure that only literature addressing the research questions outlined in Sect. 1 is considered while filtering out literature of insufficient quality. It is important to note that the two literature searches applied these conditions differently

The paper focuses on researching the combination of cryptography and steganography disciplines.

The paper investigates the application of cryptography and steganography within specific domains (e.g., medical, military, financial) or contexts rather than a general application for "secure communications."

The paper addresses efforts to enhance the security of a system or process rather than solely transmitting additional data.

Is the objective of the paper clearly defined?

Have related works been adequately studied?

Is the methodology employed in the paper clearly described?

Are the results presented clearly and measurably?

(a) SS-Literature Search 1: Journal Articles. In the first literature search focused on journal articles, papers were assessed for relevance based on conditions 1–3 (Sect. 3.2 ), considering the information presented in the title and abstract. Subsequently, papers were further scrutinized to determine if they met conditions 4–7 (Sect. 3.2 ) by examining their contents. Only papers that fulfilled all seven conditions were included in the selection process. As a result of this rigorous selection process, the initial total of results was reduced to 24 journal articles. The flow chart depicted in Fig. 2 a illustrates the sequential steps involved in data gathering and study selection. Papers that discussed no specific application, such as "secure communications," were not categorized as such since a significant number of such papers were already omitted during the search query phase. Including them in the list would have resulted in an incomplete compilation of relevant articles.

(b) SS-Literature Search 2: Conference Papers. In the second literature search, focusing on conference papers, the selection process entailed examining papers for conditions 1–3 (Sect. 3.2 ) based on the information presented in the title and abstract. These conditions were crucial in determining whether a paper should be considered for RQ1. As a result of this selection process, 21 conference papers met the criteria. It is worth noting that two papers were identified as having been released before 2018 and were subsequently manually filtered out. The flow chart illustrated in Fig. 2 b provides a visual representation of the data-gathering process and study selection for this search.

3.3 Data extraction (DE)

The third step of exploring literature is extracting data. Data extraction consists of two parts, both performed using Parsifal. To answer RQ1 features related to a paper’s application have been extracted (both literature searches). The list of features evolved during the process of extraction as it was expanded, restructured, and finalized (Sect. 3.1 ) to encompass all encountered literature. Next, to answer RQ2 and RQ3, information related to the algorithms and metrics, advantages, limitations, and evaluation methods discussed by the literature were extracted (only literature search 1: journal articles). The results of data gathering, study selection, and data extraction are presented in the subsequent sections.

In this section, we present the comprehensive findings derived from the systematic review, addressing the research questions outlined in Sect. 1 . To facilitate a better understanding of the findings, figures, and tables are provided. The subsequent sections are organized in alignment with the order of the research questions. Section 4.1 delves into the encountered types of applications and explores potential categorization approaches. Additionally, Sect. 4.2 discusses the applications, their limitations, and advantages identified during the review process. Lastly, Sect. 4.3 focuses on the analysis methods employed in the literature. By following this structured arrangement, we aim to provide a clear and cohesive presentation of the research findings, offering valuable insights into the combined application of steganography and cryptography in various domains and contexts.

4.1 RQ1: exploring applications

For each study, relevant characteristics pertaining to the context in which the combined application of steganography and cryptography is explored were extracted. The analysis of the literature emphasizes the significance of categorizing the application of each article in two distinct ways:

The application domain : This refers to the specific industry sector or domain in which an application operates. The encountered application domains include financial, government, medical, and transportation.

The technological domain/technology [72]: This aspect involves identifying one or more technological topics associated with an application. Technologies are considered tools that can be employed across various domains to solve diverse problems or perform various tasks. The encountered technologies include Big Data, Blockchain, Cyber-Physical Systems (CPS), Cloud Computing (Cloud), Edge Computing (Edge), Fog Computing (Fog), Internet of Things (IoT), IPv6, Machine Learning (ML), Mobile Computing (Mobile), Personal Computing (Personal), Satellite Imaging (Satellite), Unmanned Aerial Vehicles (UAVs), and Voice Operated Systems (Voice).

By employing these two distinct categorizations, namely Application Domain and Technological Domain , it becomes possible to identify specific commonalities and differences within the applications. This facilitates informed research and the development of tailored solutions for specific application domains or technologies. Notably, this categorization approach differs from how other reviews, as exemplified by [ 45 ], typically categorize applications. While some studies may focus on applications specific to a particular application domain, such as the medical domain, other articles ([ 1 , 7 , 9 , 14 , 19 , 33 , 36 , 85 , 86 , 90 ] [ 5 , 10 ]) may exclusively concentrate on applications within a technological domain. A technological domain can be applicable across numerous application domains. Given these considerations, categorization by application domain is given precedence, and cases, where the application domain or technological domain could not be determined, have been excluded from categorization. Furthermore, irrespective of the application or technological domain, the specific focus or functionality of each application is also determined.

Functionality: This refers to the specific features, tasks, or roles performed by an application within its domain. It is important to note that security is considered a common role across the explored literature and is, therefore, not specified as functionality. Examples of functionalities include Smart Monitoring, Anonymization, Healthcare Data Transmission, Vehicle Diagnostics, Malware Detection, and Industry 4.0/5.0 Implementation.

The subsequent sections present the results obtained from both literature searches, providing further insights into the combined application of steganography and cryptography.

4.1.1 Journal articles

The findings from literature search 1, pertaining to RQ1, are presented in two tables. Table 1 provides an overview of articles and their corresponding application domains, while Table 2 focuses on the technologies employed, reflecting the split categorization approach. The core functionality of each paper studied for this review is explicitly mentioned in both tables. In cases where certain studies solely concentrate on a technological domain, potential application domains have been specified in italics (please refer to Table 2 ). These application domains are either suggested by the authors themselves or inferred based on similar literature. It is worth noting that technology often has applicability across a broader range of application domains. In such instances, the application domain is identified as ‘Cross-Domain.’ As showcased in Table 1 and Table 2 , a total of 12 journal articles from each table were analyzed, with each article focusing on distinct application domains and their corresponding technological domains.

Figure 3 a displays journal articles published from 2010 to 2023, categorized by application domains (Medical, Government, and Transportation) or technological domains (N/A). The figure reveals a modest increase in articles exclusively centered on technological domains, surpassing those focused on application domains. Considering the diverse potential of these technologies across various application domains (e.g., IoT [ 63 ]), it is advisable to prioritize innovation in a broader sense. Subsequently, refining these technologies for specific application domains holds the potential for even greater rewards. On the other hand, Fig. 3 b presents conference papers published between 2018 and 2023. In addition to the medical domain, as observed in the Journal articles shown in Fig. 3 a, there is a notable trend toward the financial domain in conference papers in the realm of combining and applying cryptography and steganography. More information on the Conference papers can be found in subsection 4.1.2.

Distribution of literature in application and technological domains (N/A) over time

Figure 4 provides visual representations of the distribution of application domains (Fig. 4 a) and technological domains (Fig. 4 c) based on the data presented in Table 1 . In Fig. 4 a, it is evident that the majority (n = 9, [ 13 , 22 , 34 , 41 , 45 , 56 , 61 , 78 , 88 ]) out of the total 12 articles focus on the medical domain, suggesting a relatively narrow focus of research in this area. Furthermore, only a small number of articles concentrate on governmental applications (n = 2, [ 75 , 87 ]) and transportation (n = 1, [ 48 ]). Similarly, the occurrences of technological domains are visualized in Fig. 4 c. Notably, technologies with an occurrence of 1 are grouped under 'Other,' which includes Big Data, Fog Computing, Web Applications, Personal Computing, Edge Computing, and Cyber-Physical Systems. The visualization in Fig. 4 b and d is completed in subsection 3.1.2, where the conference papers are analyzed in depth. After analysis of the journal articles, it becomes evident that only one article from 2018 focuses on an application in the Transportation domain. Furthermore, in both 2021 and 2022, there is a lack of publications in the medical domain, whereas the four preceding years had such publications. Another notable observation is the surge in articles focusing on a specific technology in 2022. However, the applications discussed in these articles ([ 7 , 36 , 86 , 90 ]) seem unrelated, making it challenging to identify any underlying reason behind this trend.

Distributions of domains of journal articles (left) and conference papers (right)

Furthermore, an attempt was made to employ the VOSviewer Footnote 6 tool to identify any authorship overlap among the identified journal articles. However, none of the articles displayed any shared authors, indicating a dispersed distribution of researchers working on the topic. This suggests that research on the combined approach of steganography and cryptography is relatively new, aligning with the increasing trend observed in the number of articles over the past 13 years in Fig. 3 a. However, it is important to consider that additional factors may contribute to this observation. A more detailed discussion of journal articles focusing on specific application domains is provided in Sect. 3.2 .

4.1.2 Conference papers

To gain further insights, conference papers were also subjected to analysis. The results of this additional literature search are presented in Tables 3 and 4 , providing additional data for a comprehensive review. Similarly, to journal papers, the publication years of conference papers are depicted in Fig. 3 b. Notably, there has been a relatively consistent number of papers published each year, suggesting either a sustained interest in combining steganography and cryptography or a stabilization of the field following a previous period of change. However, due to time constraints, papers published before 2018 were not explored in this study. Surprisingly, from 2018 to 2023, out of the 21 papers analyzed, only a few (n = 5) focused on specific application domains (as seen in Fig. 4 b). These papers predominantly spanned the medical domain (n = 3, [ 23 , 29 , 47 ]) and a newly emerging financial domain (n = 2, [ 52 , 62 ]). Once again, the medical domain emerged as the most popular area of application. Furthermore, while approximately 50% of the identified literature in journal articles explored applications in specific domains, only 24% of conference papers did the same. This disparity may further emphasize the trend of developing technologies in a more generalized sense rather than focusing exclusively on specific application domains. Similarly, Fig. 4 d showcases the technological domains, revealing the presence of three prominent technologies shared between journal articles and conference papers: Mobile Computing, the Internet of Things, and Cloud Computing, with Cloud Computing being particularly prevalent. It should be noted that making a direct comparison between the two searches is challenging due to the difference in the time covered by the literature.

4.2 RQ2: advantages, limitations, and trade-offs

In this section, we discuss the observations made regarding the algorithms and methodologies employed in the journal articles. Firstly, we present general observations, and subsequently, we delve into the three application domains encountered in the journal articles, namely Government, Medical, and Transportation The research papers are also sorted out (as listed in Table 1 ). The research papers are also arranged in ascending order according to these three categories. The full data collected for this RQ2 can be found in Table 5 . Further, there are other categories identified from Tables 1 and 2 , such as Cross-Domain, Medical-Military, Energy, Medical, Finance, and Military; Cross-domain is also reflected in Table 5 . The research papers are discussed in Sect. 2 .

Government application domain

This category focuses on two articles [ 75 , 87 ] that explore the application of both steganography and cryptography in the government domain, specifically in the areas of surveillance and voting. These articles are listed in Table 6 . Each article presents different approaches with their respective strengths and limitations.

The first article [ 75 ] proposes a two-tiered video surveillance system that offers robustness against cipher-breaking attacks. However, the quality of the recovered data is dependent on the compression rate of the Compressed Sensing (CS) technique used. Additionally, the system could be enhanced to accommodate more than two levels of authorization.

The second article [ 87 ] introduces an online voting system that ensures individual verifiability and security. However, it is susceptible to certain security challenges, such as collusion among polling officers and network eavesdropping. The system provides receipts to voters, but this poses a potential issue in case users lose their receipts. Improvements, such as exploring alternative algorithms, may enhance the system's performance, such as reducing the size of receipts.

Overall, these articles highlight different aspects and considerations in the government domain when implementing steganography and cryptography, emphasizing both the strengths and areas for potential improvement in their respective approaches.

Medical application domain

This section focuses on nine articles that explore applications in the medical domain. The articles are listed in Table 7 , along with their respective advantages and limitations.

Among these articles, three papers ([ 56 , 61 , 88 ]) incorporate the use of chaotic algorithms in their encryption methods. For example, [ 56 ] presents a transmission system for generic data that utilizes chaotic encryption based on a 2D-Henon map ([ 84 ]). However, limited practical implementation details are provided, and future works could be drawn upon [ 53 ] for a more in-depth analysis of the implementation aspects. One drawback is that these three papers lack performance analysis and key measurements such as Computation Time (CT) and Throughput (TP) for the chaotic algorithms. This limitation hampers the assessment of their potential for real-time systems. Nevertheless, [ 61 , 88 ], which also employs chaotic encryption, can serve as inspiration for similar approaches. It should be noted that not all chaotic encryption algorithms, due to their complex iterative operations, are suitable for real-time systems. However, less resource-intensive methods like [ 60 ] could be considered viable alternatives. This aspect could be explored as a future research direction in the field.

Health data in IoT

Two papers ([ 22 , 34 ]) focus on health data transmissions from IoT devices, particularly in the context of remote patient monitoring. These devices typically prioritize low power consumption and low computational complexity. In [ 34 ], data is concealed within ECG signals, while [ 22 ] utilizes image steganography. Both papers employ encryption before embedding the data. In [ 34 ], the receiver must possess knowledge of the encryption and embedding keys, and no key is transmitted. On the other hand, [ 22 ] embeds both the data and the encryption key. [ 34 ] employs XOR cipher for its computational simplicity, while [ 22 ] utilizes AES ([ 30 ]) and RSA ([ 90 ]) encryption methods. It is worth considering more secure or efficient alternatives, such as TEA and its variants [ 50 ] or hardware-accelerated AES ([ 55 ]), for IoT devices. Both papers utilize multi-level DWT (Discrete Wavelet Transform) for steganography. These differences highlight the range of methodologies employed to safeguard patient data during IoT transmissions.

Embedding location restrictions

Among the medical papers focused on healthcare data transmissions, two ([ 41 , 88 ]) discuss methods that impose restrictions on data embedding locations. In [ 88 ], the Distance Regularized Level Set Evolution (DRLSE) algorithm [ 42 ] is utilized to identify the Region of Interest (ROI) and Non-Region of Interest (NROI) in a medical image. Data is embedded in the NROI using adaptive Pixel Expansion Embedding (PEE) to achieve higher capacity. For the ROI, a custom algorithm based on histogram-shifting with contrast enhancement is employed to ensure visual clarity. In this paper, data embedding is performed before image encryption. In contrast, [ 41 ] also identifies ROI and NROI areas, specifically in DICOM images. However, in this case, the encryption process is conducted before the identification of these areas. Edge detection techniques such as the Gabor Filter and Canny Edge [ 55 ] are employed for area identification. Patient data is only embedded in the NROI to preserve image quality. Additionally, to maintain the verifiability of integrity, which is crucial in medical applications, an ROI-generated hash is embedded in the NROI. These approaches demonstrate different strategies for data embedding in specific areas of medical images, highlighting the preservation of image quality, visual clarity, and the importance of integrity verification in healthcare applications.

Transportation Application Domain

An article focuses on an application in the transportation domain, and its advantages and limitations are listed in Table 8 . In [ 48 ], a system is proposed to securely deliver diagnostic data to manufacturers and handle firmware updates. Although the system is innovative, there could be potential drawbacks, such as extended decryption times and potential inefficiency when dealing with larger software updates. To address these challenges, future work could investigate the utilization of more efficient cryptographic algorithms and adapt the method to better accommodate larger files, which is common when dealing with updates. Moreover, future research in the transportation domain could explore vehicle-to-vehicle (V2V) networks, where minimizing the speed and size of communication is essential.

4.3 General observations

Several observations can be made regarding all the journal articles. Firstly, the steganography methods commonly employed in the identified applications primarily focus on images, as indicated in Table 9 .

There is a noticeable underutilization of other cover mediums such as audio, signal, hardware, video, and text. This gap in research highlights the need for further investigation in these areas. Within the medical domain specifically, 7 out of 9 articles utilize image steganography. The choice of image-based steganography in medical applications is effective, considering the frequent use of medical imaging. However, there is potential for diversifying data types by exploring other forms of steganography, such as video steganography in recorded surgeries or expanding signal steganography beyond ECG signals. This diversification would enhance the usability and robustness of steganography in various systems.

Secondly, in certain applications ([ 22 , 44 ]), the encryption key is embedded together with the data in the cover medium. This eliminates the requirement for a separate communication channel (in the case of dynamic keys) or pre-established cryptographic keys.

Thirdly, it is noteworthy that 42% of the identified articles, spanning various application and technological domains, incorporate a Reversible Data Hiding (RDH) technique. RDH techniques enable the lossless reconstruction of the original cover media after the hidden data has been extracted. This capability is particularly crucial in sectors such as healthcare, where preserving the integrity of the original data, such as medical imagery, is often of utmost importance [ 13 , 22 , 41 , 44 , 61 , 88 ].

Based on these findings, it is evident that there is a need to diversify research in terms of methods and cover mediums . Attention should be given to addressing security challenges in government applications, while a more comprehensive assessment of the performance of chaotic algorithms in medical domains is required. Additionally, there is a call for exploring a wider range of steganography methods for healthcare data transmissions. In the transportation domain, it is advisable to explore other cryptographic algorithms to effectively handle larger data files. Overall, research efforts can significantly enhance data security across various sectors by addressing these areas of improvement.

4.4 RQ3: analyzing evaluation methods used

In this section, we discuss the analysis and evaluation methods utilized in the Journal articles, which are listed in Table 10 . The analysis of steganography typically revolves around four main concepts: capacity, robustness, security, and imperceptibility (sometimes divided into undetectability and invisibility) [ 4 , 68 , 82 ]. On the other hand, cryptography evaluation focuses on security, encryption time, key size, plain vs. cipher size , and other related factors [ 26 , 83 ]. Considering the similarities between these concepts, they are grouped into three perspectives: Security, Performance, and User. These perspectives are interconnected and interdependent, as demonstrated in Fig. 5 .

The three discussed analysis perspectives

4.4.1 Security perspective

Similar to cryptography, steganography can also be vulnerable to different types of attacks, such as ciphertext and plaintext attacks [ 49 ]. Steganography is susceptible to similar attack types, including known carrier and known message attacks [ 49 ]. The significance of safeguarding against these attacks is contingent upon the order in which steganography and cryptography are applied.

When data is embedded first and then encrypted, the primary defense against attacks lies in the strength of the encryption itself. Several articles, such as [ 13 , 57 , 87 , 88 ] (listed in Table 5 in section 3.2 ), follow this order of operations. Among these articles, some also address advanced attacks, including histogram equalization ([ 9 , 44 , 61 , 88 ]), while only one article tackles rotation attacks ([ 61 ]). Conversely, when data is encrypted first, the primary defense against attacks lies in the strength or imperceptibility of the stego object. The majority of applications follow this order of operations, as evidenced by articles such as [ 13 , 22 , 34 , 41 , 44 , 48 , 61 , 75 ], among others. These implementations primarily focus on achieving steganographic imperceptibility, utilizing metrics such as PSNR, SSIM, MSE, and BER. They heavily rely on cryptographic evaluations from previous works. Even articles proposing custom or more complex encryption methods ([ 34 , 44 , 48 , 56 , 61 , 88 ]) still analyze cryptographic security as an integral part of their evaluation.

The following insights are drawn based on the security perspective:

Vulnerability to attacks Similar to cryptography, steganography is prone to various attacks, including ciphertext and plaintext attacks. This underscores the necessity of implementing robust defenses to safeguard against potential security breaches.

Order of operations The sequence in which steganography and cryptography are applied influences the defense mechanisms against attacks. Whether data is embedded first and then encrypted, or vice versa, dictates where the primary defense lies, either in the strength of encryption or the imperceptibility of the stego object.

Advanced attack consideration Some articles address advanced attacks, such as histogram equalization and rotation attacks, highlighting the importance of considering sophisticated attack vectors that may compromise the invisibility of stego objects.

Emphasis on imperceptibility The majority of implementations prioritize achieving steganographic imperceptibility by encrypting data first. This emphasizes the importance of concealing hidden data within digital media while maintaining the appearance and quality of the original content.

Integration of cryptographic security Even articles proposing custom encryption methods analyze cryptographic security comprehensively. This integration underscores the interdependence between cryptographic measures and steganographic techniques in ensuring the overall security of hidden information.

4.4.2 Performance perspective

The performance of encountered systems can be influenced by several factors, including computation time (CT), capacity (related to steganography), and key size (related to cryptography).

Computation time , which encompasses both steganography and cryptography, is particularly important as it correlates with power consumption, making it a crucial consideration in real-time and power-sensitive systems. While some articles like [ 1 , 13 , 33 , 36 , 44 , 48 ] incorporate CT measurements, only two similar applications [ 1 , 36 ] specifically address the need for managing power consumption in their environments. CT measurements are often discussed as "total time" or analyzed individually for different components of the system, such as embedding time, extraction time, encryption time, and more. This approach allows for more targeted performance improvements. Interestingly, among the seven articles exploring applications in the Internet of Things (IoT), three articles [ 7 , 22 , 34 ] do not utilize time-based analysis metrics. This omission makes it challenging to accurately assess the performance and efficiency of their proposed applications. A time-based analysis is vital for a comprehensive understanding of application performance as it not only reveals the speed of processes but also provides insights into the efficient utilization of system resources.

Another significant metric to consider is capacity . The balance between imperceptibility and capacity holds importance depending on the specific application. In certain (real-time) applications where relatively small data fragments are shared, the capacity of the cover medium may not be as critical. In such cases, imperceptibility may also be of lesser relevance. Out of the 24 articles analyzed, capacity is evaluated in 9 articles [ 5 , 7 , 9 , 13 , 41 , 61 , 75 , 85 , 86 ], either in comparison to other implementations or by examining different parameters within the same implementation. It is worth noting that only one article ([ 7 ]) focusing on IoT applications specifically analyzed the capacity of the employed steganographic method. The key size in cryptographic algorithms can have a significant impact on encryption time, as explained in [ 40 ]. In the context of IoT, [ 22 ] specifically addresses cryptographic operations using an AES key size of 128 bits. Although AES-128 is generally regarded as secure, larger key sizes can be employed. The utilization of more efficient encryption algorithms could potentially allow for the use of larger keys while maintaining similar encryption times. Surprisingly, the discussion or justification of key sizes for well-known cryptographic algorithms does not appear to be frequently addressed in the analyzed literature.

Upon examining various research papers listed in Table 10 , the following insights regarding performance are observed:

The analysis revealed key considerations related to computation time, capacity, and key size.

Computation time was emphasized as critical due to its association with power consumption, especially in real-time and power-sensitive systems.

Capacity, concerning the balance between imperceptibility and capacity in steganography, was noted to vary depending on specific application requirements.

The analysis underscored the significant impact of key size selection in cryptographic algorithms on encryption time, highlighting the importance of careful consideration in algorithm design.

Despite the importance of these factors, the analysis revealed areas where certain metrics, such as time-based analysis in IoT applications, were lacking, making it challenging to comprehensively assess performance and efficiency.

4.4.3 User perspective

The user perspective evaluates how effectively a system incorporating steganography and cryptography aligns with the user's workflow, emphasizing factors such as ease of use, comprehension, trust, processing time, and system stability. The impact of the system on the user's workflow is particularly crucial for applications where the user directly interacts with the system. However, even in cases where the system operates in the background, it can still potentially influence the user's experience, albeit to a slightly lesser degree. From the reviewed literature, it is observed that only a limited number of studies include usability tests to analyze user experience. For instance, the implementation of an e-voting system discussed in [ 75 ] incorporates usability and user acceptance testing using Nielsen's quality components [ 58 ] and Davis' Technology Acceptance Model (TAM) [ 20 ], respectively. These well-established methods assess the usability and acceptance of the system. Similarly, the NFC access control scheme presented in [ 19 ] includes usability, perceived vulnerability, perceived security, and behavioral intention tests to examine how the proposed security scheme could influence user behavior. The methods utilized in this study were adapted from previous works [ 15 , 35 , 76 ].

Applications such as remote patient monitoring ([ 34 ]) aim to provide a user-friendly experience, requiring minimal complex setup from the user's perspective. It is mentioned that any additional complexity introduced by the implementation of steganography or cryptography should ideally be abstracted away from the user. However, the only user interaction highlighted in the article is related to the imperceptibility of the Human Visual System (HVS), where doctors inspect ECGs. Similarly, the application of hiding files in audio files on PCs [ 5 ] is closely related to end-users, but the article does not delve further into this aspect and omits user testing in this regard. This omission creates an evaluation gap, as it fails to comprehend the actual user experience and potential areas for improvement. User experience can be significantly influenced by other perspectives, such as security and performance. If the combination of steganography and cryptography leads to excessively slow data processing or if the system lacks robustness against attacks like compression or cropping, it could compromise the user's ability to effectively manage stego objects (e.g., share or post-process them). This vulnerability could potentially result in data loss or corruption, ultimately degrading the overall user experience. Therefore, robust implementations of steganography and cryptography are essential for maintaining a high-quality user experience.

After analyzing the User perspective criteria, we identify the following insights:

Despite the importance of user experience, there's a noted lack of usability tests in the reviewed literature, with only a few studies incorporating established methods like Nielsen's quality components and Davis' Technology Acceptance Model (TAM).

Applications aim to provide a user-friendly experience, with additional complexity introduced by steganography or cryptography ideally abstracted away from the user to ensure ease of use.

User experience can be significantly impacted by factors like security and performance, with slow data processing or lack of robustness against attacks compromising the effective management of stego objects and degrading overall user experience.

Robust implementations of steganography and cryptography are crucial for maintaining a high-quality user experience, highlighting the importance of considering user-centric factors in system design and evaluation.

4.5 General observations

In summary, the evaluation of steganography and cryptography requires a comprehensive analysis that encompasses security, performance, and user perspectives. Unfortunately, several studies overlook certain metrics, creating gaps in our understanding of computation time, capacity, key size, and user-friendliness. It is crucial to strike a balance between steganography and cryptography to ensure an optimal user experience, robust security, and efficient performance. Future research should aim to address these oversights and strive for a more comprehensive evaluation framework.

5 Conclusion and future scope

This review examines the state of combined steganography and cryptography applications in journal articles and conference papers, categorized by application and technological domains. While medical applications dominate, IoT and Cloud Computing domains show active research. Real-time constraints and privacy protection are prominent concerns in technological domains. The combined approach provides data security and privacy benefits, but trade-offs and limitations remain. Further research is needed to address these challenges and improve methodologies. The evaluation metrics vary, emphasizing domain-specific knowledge. A comprehensive framework is proposed, incorporating security, performance, and user perspectives. However, there is a notable lack of user testing in the literature, highlighting the need for user-centric system design. This review focused solely on conference papers for RQ1 due to time constraints. Conference papers are valuable sources of the latest findings and innovative practices in the rapidly evolving field of information security, making them relevant not just for RQ1 but also for RQ2 and RQ3. Additionally, the search keywords were limited to "cryptography" and "steganography," but other terms like "encryption" or "data-hiding" may be used. Future research could explore applications in diverse domains such as transportation and energy. Comparative studies could shed light on the advantages of using steganography or cryptography individually in different scenarios. Further investigations into non-image steganographic mediums and the impact of combining steganography and cryptography on end-user experience and acceptance are also warranted.

Data availability

The datasets generated during and/or analyzed during the current study are available from the corresponding author upon reasonable request.

https://www.scopus.com/

https://ieeexplore.ieee.org/

https://www.webofscience.com/

https://parsif.al/

https://www.vosviewer.com/

Alissa, K.A., Maray, M., Malibari, A.A., Alazwari, S., Alqahtani, H., Nour, M.K., Al Duhayyim, M.: Optimal deep learning model enabled secure UAV classification for industry. Comput. Mater. Contin. 74 (3), 5349–5367 (2023)

Google Scholar  

Abbas, M.S., Mahdi, S.S., Hussien, S.A.: Security improvement of cloud data using hybrid cryptography and steganography. In: 2020 International Conference on Computer Science and Software Engineering (CSASE), pp. 123–127. IEEE (2020)

Al Abbas, A.A.M., Ibraheem, N.B.: Using DNA In Adynamic Lightweight Algorithm For Stream Cipher In An IoT Application. In: 2022 International Symposium on Multidisciplinary Studies and Innovative Technologies (ISMSIT), pp. 232–240. IEEE (2022)

Al-Ani, Z.K., Zaidan, A.A., Zaidan, B.B., Alanazi, H.: Overview: main fundamentals for steganography. arXiv preprint arXiv:1003.4086 . (2010)

Al-Juaid, N., Gutub, A.: Combining RSA and audio steganography on personal computers for enhancing security. SN Appl. Sci. 1 , 1–11 (2019)

Article   Google Scholar  

Ali, M.H., Al-Alak, S.: Node protection using hiding identity for IPv6 based network. In: 2022 Muthanna International Conference on Engineering Science and Technology (MICEST), pp. 111–117. IEEE (2022)

Alsamaraee, S., Ali, A.S.: A crypto-steganography scheme for IoT applications based on bit interchange and crypto-system. Bull. Electr. Eng. Inf. 11 (6), 3539–3550 (2022)

Anderson, R.J., Petitcolas, F.A.: On the limits of steganography. IEEE J. Sel. Areas Commun. 16 (4), 474–481 (1998)

Anushiadevi, R., Amirtharajan, R.: Design and development of reversible data hiding-homomorphic encryption & rhombus pattern prediction approach. Multimed. Tools Appl. 82 (30), 46269–46292 (2023)

Badhani, S., Muttoo, S.K.: Evading android anti-malware by hiding malicious applications inside images. Int. J. Syst. Assur. Eng. Manag. 9 , 482–493 (2018)

Banga, P.S., Portillo-Dominguez, A.O., Ayala-Rivera, V.: Protecting user credentials against SQL injection through cryptography and image steganography. In: 2022 10th International Conference in Software Engineering Research and Innovation (CONISOFT), pp. 121–130. IEEE (2022)

Bharathi, P., Annam, G., Kandi, J.B., Duggana, V.K., Anjali, T.: Secure file storage using hybrid cryptography. In: 2021 6th International Conference on Communication and Electronics Systems (ICCES), pp. 1–6. IEEE (2021)

Bhardwaj, R.: An improved reversible data hiding method in encrypted domain for E-healthcare. Multimed. Tools Appl. 82 (11), 16151–16171 (2023)

Bhattacharjee, S., Rahim, L.B.A., Watada, J., Roy, A.: Unified GPU technique to boost confidentiality, integrity and trim data loss in big data transmission. IEEE Access 8 , 45477–45495 (2020)

Bhuiyan, M., Picking, R.: A gesture controlled user interface for inclusive design and evaluative study of its usability. J. Softw. Eng. Appl. 4 (09), 513 (2011)

Bokhari, M.U., Shallal, Q.M.: A review on symmetric key encryption techniques in cryptography. Int. J. Comput. Appl. 147 (10), 43 (2016)

Castillo, R.E., Cayabyab, G.T., Castro, P.J.M., Aton, M.R.: Blocksight: a mobile image encryption using advanced encryption standard and least significant bit algorithm. In: Proceedings of the 1st International Conference on Information Science and Systems, pp. 117–121 (2018)

Caviglione, L., Podolski, M., Mazurczyk, W., Ianigro, M.: Covert channels in personal cloud storage services: the case of dropbox. IEEE Trans. Ind. Inf. 13 (4), 1921–1931 (2016)

Cheong, S.N., Ling, H.C., Teh, P.L.: Secure encrypted steganography graphical password scheme for near field communication smartphone access control system. Expert Syst. Appl. 41 (7), 3561–3568 (2014)

Davis, F.D.: Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q. 13 , 319–340 (1989)

Dhawan, S., Chakraborty, C., Frnda, J., Gupta, R., Rana, A.K., Pani, S.K.: SSII: secured and high-quality steganography using intelligent hybrid optimization algorithms for IoT. IEEE Access 9 , 87563–87578 (2021)

Elhoseny, M., Ramírez-González, G., Abu-Elnasr, O.M., Shawkat, S.A., Arunkumar, N., Farouk, A.: Secure medical data transmission model for IoT-based healthcare systems. IEEE Access 6 , 20596–20608 (2018)

Gamal, S.M., Youssef, S.M., Abdel-Hamid, A.: Secure transmission and repository platform for electronic medical images: case study of retinal fundus in teleophthalmology. In: 2020 International Conference on Computing, Electronics & Communications Engineering (iCCECE), pp. 9–14. IEEE (2020)

Ghuge, S.S., Kumar, N., Savitha, S., & Suraj, V.: Multilayer technique to secure data transfer in private cloud for saas applications. In: 2020 2nd International Conference on Innovative Mechanisms for Industry Applications (ICIMIA), pp. 646–651. IEEE (2020)

Gupta, S., Goyal, A., Bhushan, B.: Information hiding using least significant bit steganography and cryptography. Int. J. Modern Educ. Comput. Sci. 4 (6), 27 (2012)

Gururaja, H.S., Seetha, M., Koundinya, A.K.: Design and performance analysis of secure elliptic curve cryptosystem. Int. J. Adv. Res. Comput. Commun. Eng. 2 (8), 1 (2013)

Haque, M.E., Zobaed, S.M., Islam, M.U., Areef, F.M.: Performance analysis of cryptographic algorithms for selecting better utilization on resource constraint devices. In: 2018 21st International Conference of Computer and Information Technology (ICCIT), pp. 1–6. IEEE (2018)

Sri, P.H., Chary, K.N.: Secure file storage using hybrid cryptography. Int. Res. J. Mod. Eng. Technol. Sci. (2022). https://doi.org/10.56726/IRJMETS32383

Hashim, M.M., Rhaif, S.H., Abdulrazzaq, A.A., Ali, A.H., Taha, M.S.: Based on IoT healthcare application for medical data authentication: Towards a new secure framework using steganography. In: IOP Conference Series: Materials Science and Engineering, vol. 881, no. 1, p. 012120. IOP Publishing (2020)

Heron, S.: Advanced encryption standard (AES). Netw. Secur. 2009 (12), 8–12 (2009)

Hussain, M., Wahab, A.W.A., Batool, I., Arif, M.: Secure password transmission for web applications over internet using cryptography and image steganography. Int. J. Secur. Appl. 9 (2), 179–188 (2015)

Hussein, A.A., Jumah Al-Thahab, O.Q.: Design and simulation a video steganography system by using FFTturbo code methods for copyrights application. Eastern-Euro. J. Enterp. Technol. 2 (9), 104 (2020)

Hussein, S.A., Saleh, A.I., Mostafa, H.E.D.: A new fog based security strategy (FBS 2) for reliable image transmission. J. Ambient Intell. Humaniz. Comput. 11 , 3265–3303 (2020)

Ibaida, A., Khalil, I.: Wavelet-based ECG steganography for protecting patient confidential information in point-of-care systems. IEEE Trans. Biomed. Eng. 60 (12), 3322–3330 (2013)

Ifinedo, P.: Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 31 (1), 83–95 (2012)

Jain, D.K., Li, Y., Er, M.J., Xin, Q., Gupta, D., Shankar, K.: Enabling unmanned aerial vehicle borne secure communication with classification framework for industry 5.0. IEEE Trans. Ind. Inf. 18 (8), 5477–5484 (2021)

Jankowski, B., Mazurczyk, W., Szczypiorski, K.: PadSteg: introducing inter-protocol steganography. Telecommun. Syst. 52 , 1101–1111 (2013)

Kavitha, V., Sruthi, G.S., Thoshinny, B., Riduvarshini, S.R.: Stagchain–a steganography based application working on a blockchain environment. In: 2022 3rd International Conference on Electronics and Sustainable Communication Systems (ICESC), pp. 674–681. IEEE (2022)

Khan, H.A., Abdulla, R., Selvaperumal, S.K., Bathich, A.: IoT based on secure personal healthcare using RFID technology and steganography. Int. J. Electr. Comput. Eng. 11 (4), 3300 (2021)

Kumar, M.G.V., Ragupathy, U.S.: A survey on current key issues and status in cryptography. In: 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), pp. 205–210. IEEE (2016)

Kumar, N., Kalpana, V.: A novel reversible steganography method using dynamic key generation for medical images. Indian J. Sci. Technol. 8 (16), 1 (2015)

Li, C., Xu, C., Gui, C., Fox, M.D.: Distance regularized level set evolution and its application to image segmentation. IEEE Trans. Image Process. 19 (12), 3243–3254 (2010)

Article   MathSciNet   Google Scholar  

Madavi, K.B., Karthick, P.V.: Enhanced cloud security using cryptography and steganography techniques. In: 2021 International Conference on Disruptive Technologies for Multi-Disciplinary Research and Applications (CENTCON), vol. 1, pp. 90–95. IEEE (2021)

Mancy, L., Vigila, S.M.C.: A new diffusion and substitution-based cryptosystem for securing medical image applications. Int. J. Electron. Secur. Digit. Forens. 10 (4), 388–400 (2018)

Mandal, P.C., Mukherjee, I., Paul, G., Chatterji, B.N.: Digital image steganography: a literature survey. Inf. Sci. 609 , 1451–1488 (2022)

Mandal, S., Khan, D.A.: Enhanced-longest common subsequence based novel steganography approach for cloud storage. Multimed. Tools Appl. 82 (5), 7779–7801 (2023)

Manikandan, V.M., Masilamani, V.: Reversible data hiding scheme during encryption using machine learning. Proc. Comput. Sci. 133 , 348–356 (2018)

Mayilsamy, K., Ramachandran, N., Raj, V.S.: An integrated approach for data security in vehicle diagnostics over internet protocol and software update over the air. Comput. Electr. Eng. 71 , 578–593 (2018)

Mishra, R., Bhanodiya, P.: A review on steganography and cryptography. In: 2015 International Conference on Advances in Computer Engineering and Applications, pp. 119–122. IEEE (2015)

Mishra, Z., Acharya, B.: High throughput novel architectures of TEA family for high speed IoT and RFID applications. J. Inf. Secur. Appl. 61 , 102906 (2021)

Mogale, H., Esiefarienrhe, M., Letlonkane, L. Web authentication security using image steganography and AES encryption. In: 2018 International Conference on Intelligent and Innovative Computing Applications (ICONIC), pp. 1–7. IEEE (2018)

More, S.S., Mudrale, A., Raut, S.: Secure transaction system using collective approach of steganography and visual cryptography. In: 2018 International Conference on Smart City and Emerging Technology (ICSCET), pp. 1–6. IEEE (2018)

Mostaghim, M., Boostani, R.: CVC: chaotic visual cryptography to enhance steganography. In: 2014 11th International ISC Conference on Information Security and Cryptology, pp. 44–48. IEEE (2014)

Munoz, P.S., Tran, N., Craig, B., Dezfouli, B., Liu, Y.: Analyzing the resource utilization of AES encryption on IoT devices. In: 2018 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), pp. 1200–1207. IEEE (2018)

Nadernejad, E., Sharifzadeh, S., Hassanpour, H.: Edge detection techniques: evaluations and comparisons. Appl. Math. Sci. 2 (31), 1507–1520 (2008)

MathSciNet   Google Scholar  

Bremnavas, I., Mohamed, I.R., Shenbagavadivu, N.: Secured medical image transmission through the two dimensional chaotic system. Int. J. Appl. Eng. Res. 10 (17), 38391–38396 (2015)

Neetha, S.S., Bhuvana, J., Suchithra, R.: An efficient image encryption reversible data hiding technique to improve payload and high security in cloud platforms. In: 2023 6th International Conference on Information Systems and Computer Networks (ISCON), pp. 1–6. IEEE (2023)

Nielsen, J., Molich, R.: Heuristic evaluation of user interfaces. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 249–256 (1990)

Nissar, A., Mir, A.H.: Classification of steganalysis techniques: a study. Digit. Signal Process. 20 (6), 1758–1770 (2010)

Pande, A., Zambreno, J.: A chaotic encryption scheme for real-time embedded systems: design and implementation. Telecommun. Syst. 52 , 551–561 (2013)

Parah, S.A., Ahad, F., Sheikh, J.A., Bhat, G.M.: Hiding clinical information in medical images: a new high capacity and reversible data hiding technique. J. Biomed. Inform. 66 , 214–230 (2017)

Patil, N., Kondabala, R.: Two-layer secure mechanism for electronic transactions. In: 2022 International Conference on Recent Trends in Microelectronics, Automation, Computing and Communications Systems (ICMACC), pp. 174–181. IEEE (2022)

Perwej, Y., Haq, K., Parwej, F., Mumdouh, M., Hassan, M.: The internet of things (IoT) and its application domains. Int. J. Comput. Appl. 975 (8887), 182 (2019)

Chen, C.P., Zhang, C.Y.: Data-intensive applications, challenges, techniques and technologies: a survey on big data. Inf. Sci. 275 , 314–347 (2014)

Phipps, A., Ouazzane, K., Vassilev, V.: Enhancing cyber security using audio techniques: a public key infrastructure for sound. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1428–1436. IEEE (2020)

Pokharana, A., Sharma, S.: Encryption, file splitting and file compression techniques for data security in virtualized environment. In: 2021 Third International Conference on Inventive Research in Computing Applications (ICIRCA), pp. 480–485. IEEE (2021)

Prabu, S., Ganapathy, G.: Steganographic approach to enhance the data security in public cloud. Int. J. Comput. Aided Eng. Technol. 13 (3), 388–408 (2020)

Pradhan, A., Sahu, A.K., Swain, G., Sekhar, K.R.: Performance evaluation parameters of image steganography techniques. In: 2016 International Conference on Research Advances in Integrated Navigation Systems (RAINS), pp. 1–8. IEEE (2016)

Kumar, P., Sharma, V.K.: Information security based on steganography & cryptography techniques: a review. Int. J. 4 (10), 246–250 (2014)

Preethi, P., Prakash, G.: Secure fusion of crypto-stegano based scheme for satellite image application. In: 2021 Asian Conference on Innovation in Technology (ASIANCON), pp. 1–6. IEEE (2021)

Ramamoorthy, U., Loganathan, A.: Analysis of video steganography in military applications on cloud. Int. Arab J. Inf. Technol. 19 (6), 897–903 (2022)

Angel, N.A., Ravindran, D., Vincent, P.D.R., Srinivasan, K., Hu, Y.C.: Recent advances in evolving computing paradigms: cloud, edge, and fog technologies. Sensors 22 (1), 196 (2021)

Reshma, V., Gladwin, S.J., Thiruvenkatesan, C.: Pairing-free CP-ABE based cryptography combined with steganography for multimedia applications. In: 2019 International Conference on Communication and Signal Processing (ICCSP), pp. 0501–0505. IEEE (2019)

Rout, H., Mishra, B.K.: Pros and cons of cryptography, steganography and perturbation techniques. IOSR J. Electron. Commun. Eng. 76 , 81 (2014)

Issac, B., Rura, L., Haldar, M.K.: Implementation and evaluation of steganography based online voting system. Int. J. Electr. Gov. Res. 12 (3), 71–93 (2016)

Ryu, Y.S., Koh, D.H., Ryu, D., Um, D.: Usability evaluation of touchless mouse based on infrared proximity sensing. J. Usability Stud. 7 (1), 31–39 (2011)

Saleh, M.E., Aly, A.A., Omara, F.A.: Data security using cryptography and steganography techniques. Int. J. Adv. Comput. Sci. Appl. 7 (6), 390 (2016)

Sengupta, A., Rathor, M.: Structural obfuscation and crypto-steganography-based secured JPEG compression hardware for medical imaging systems. IEEE Access 8 , 6543–6565 (2020)

Shaji, A., Stephen, M., Sadanandan, S., Sreelakshmi, S., Fasila, K.A.: Phishing site detection and blacklisting using EVCS, steganography based on android application. In: International Conference on Intelligent Data Communication Technologies and Internet of Things (ICICI) 2018, pp. 1384–1390. Springer International Publishing (2019)

Siregar, B., Gunawan, H., Budiman, M.A.: Message security implementation by using a combination of hill cipher method and pixel value differencing method in mozilla thunderbird email client. In: Journal of Physics: Conference Series, vol. 1255, no. 1, p. 012034. IOP Publishing (2019)

Stanescu, D., Stratulat, M., Ciubotaru, B., Chiciudean, D., Cioarga, R., Micea, M.: Embedding data in video stream using steganography. In: 2007 4th International Symposium on Applied Computational Intelligence and Informatics, pp. 241–244. IEEE (2007)

Subhedar, M.S., Mankar, V.H.: Current status and key issues in image steganography: a survey. Comput. Sci. Rev. 13 , 95–113 (2014)

Wang, X., Zhang, J., Schooler, E.M., Ion, M.: Performance evaluation of attribute-based encryption: toward data privacy in the IoT. In: 2014 IEEE International Conference on Communications (ICC), pp. 725–730. IEEE (2014)

Wu, J., Liao, X., Yang, B.: Image encryption using 2D Hénon-Sine map and DNA approach. Signal Process. 153 , 11–23 (2018)

Xiong, L., Shi, Y.: On the privacy-preserving outsourcing scheme of reversible data hiding over encrypted image data in cloud computing. Comput. Mater. Contin. 55 (3), 523 (2018)

Xu, S., Horng, J.H., Chang, C.C., Chang, C.C.: Reversible data hiding with hierarchical block variable length coding for cloud security. IEEE Trans. Dependable Secure Comput. (2022). https://doi.org/10.1109/TDSC.2022.3219843

Yang, Y., Xiao, X., Cai, X., Zhang, W.: A secure and high visual-quality framework for medical images by contrast-enhancement reversible data hiding and homomorphic encryption. IEEE Access 7 , 96900–96911 (2019)

Zhang, L., Hu, X., Rasheed, W., Huang, T., Zhao, C.: An enhanced steganographic code and its application in voice-over-IP steganography. IEEE Access 7 , 97187–97195 (2019)

Zhang, X.G., Yang, G.H., Ren, X.X.: Network steganography based security framework for cyber-physical systems. Inf. Sci. 609 , 963–983 (2022)

Zhou, X., Tang, X.: Research and implementation of RSA algorithm for encryption and decryption. In: Proceedings of 2011 6th International Forum on Strategic Technology, vol. 2, pp. 1118–1121. IEEE (2011)

Sarmah, D.K., Kulkarni, A.J.: JPEG based steganography methods using cohort intelligence with cognitive computing and modified multi random start local search optimization algorithms. Inf. Sci. 430 , 378–396 (2018)

Yang, Y., Newsam, S.: Bag-of-visual-words and spatial extensions for land-use classification. In: Proceedings of the 18th SIGSPATIAL International Conference on Advances in Geographic Information Systems, pp. 270–279 (2010)

AID: A scene classification dataset, https://www.kaggle.com/datasets/jiayuanchengala/aid-scene-classification-datasets . Accessed 29 Feb 2024

Elshoush, H.T., Mahmoud, M.M.: Ameliorating LSB using piecewise linear chaotic map and one-time pad for superlative capacity, imperceptibility and secure audio steganography. IEEE Access 11 , 33354–33380 (2023)

Michaylov, K.D., Sarmah, D.K.: Steganography and steganalysis for digital image enhanced forensic analysis and recommendations. J. Cyber Secur. Technol. (2024). https://doi.org/10.1080/23742917.2024.2304441

Sarmah, D.K., Kulkarni, A.J.: Improved cohort intelligence—a high capacity, swift and secure approach on JPEG image steganography. J. Inf. Secur. Appl. 45 , 90–106 (2019)

Singh, O.P., Singh, A.K., Agrawal, A.K., Zhou, H.: SecDH: security of COVID-19 images based on data hiding with PCA. Comput. Commun. 191 , 368–377 (2022)

Singh, K.N., Baranwal, N., Singh, O.P., Singh, A.K.: SIELNet: 3D chaotic-map-based secure image encryption using customized residual dense spatial network. IEEE Trans. Consumer Electron. (2022). https://doi.org/10.1109/TCE.2022.3227401

Mahto, D.K., Singh, A.K., Singh, K.N., Singh, O.P., Agrawal, A.K.: Robust copyright protection technique with high-embedding capacity for color images. ACM Trans. Multimed. Comput. Commun. Appl. (2023). https://doi.org/10.1145/3580502

Download references

Author information

Authors and affiliations.

SCS/EEMCS, University of Twente, P.O. Box 217, 7500AE, Enschede, Overjissel, The Netherlands

Indy Haverkamp & Dipti K. Sarmah

You can also search for this author in PubMed   Google Scholar

Contributions

Indy Haverkamp: Conceptualization, Methodology, Validation, Investigation, Formal Analysis, Data Curation, Writing—Original Draft, Visualization, Dipti Kapoor Sarmah: Methodology, Writing—Review & Editing, Visualization, Supervision, Project administration.

Corresponding author

Correspondence to Dipti K. Sarmah .

Ethics declarations

Conflict of interest.

The authors have no competing interests to declare that are relevant to the content of this article.

Human and Animals Participants

Informed consent.

All authors agreed with the content and all gave explicit consent to submit.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .

Reprints and permissions

About this article

Haverkamp, I., Sarmah, D.K. Evaluating the merits and constraints of cryptography-steganography fusion: a systematic analysis. Int. J. Inf. Secur. (2024). https://doi.org/10.1007/s10207-024-00853-9

Download citation

Accepted : 12 April 2024

Published : 05 May 2024

DOI : https://doi.org/10.1007/s10207-024-00853-9

Share this article

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

• Image steganography
• Cryptography
• Real-world applications
• Evaluation perspectives

Advertisement

• Find a journal
• Publish with us
• Track your research

• Trending Now
• Foundational Courses
• Data Science
• Practice Problem
• Machine Learning
• System Design
• DevOps Tutorial

What is Secure Multiparty Computation?

• What is Encapsulating Security Payload ?
• What is Distributed Computing?
• What is Problem Decomposition?
• Multitenancy in Cloud computing
• Multicasting in Computer Network
• What is Parallel File System in Cloud Computing?
• What is MULTICS?
• Typical Multiprocessing Configuration
• What is MultiSignature Wallets?
• Introduction to Parallel Computing
• unordered_multiset rehash() function in C++ STL
• What Is An Multistage Dockerfile ?
• unordered_multimap rehash() function in C++ STL
• What is SMP (Symmetric Multi-Processing)?
• What is Multi-Version Concurrency Control (MVCC) in DBMS?
• unordered_multiset bucket_count() function in C++ STL
• unordered_multimap bucket_count() function in C++ STL
• Inter Process Communication (IPC)
• Mutual Exclusion in Synchronization

In the last few decades, data privacy and security has become the primary concern to everyone. Due to the rise in technological advancements and the internet, it has been a challenging task to provide data security and data privacy of the data, when data is distributed over large distributed networks. As everyone is now concerned with their data, a lot of research is going on how to provide data security and privacy to the participants in the network. One of the techniques which provide the solution to the problems of data security and data privacy is Secure Multiparty Computation. The secure multiparty computation may be defined as the problem of ‘n’ players to compute jointly on an agreed function securely on the inputs without revealing them.

Secure multiparty computation started early in the 1970s. It was known as multiparty computation at that time. It does not gain popularity at that time as it was not implemented practically. In the 1982’s it was introduced as secure two-party multiparty computation. It is used to solve a lot of problems of computation without revealing the inputs to other parties. Finally, it came with a name as secure multiparty computation in which the functions of different types are computed, that is the reason it is sometimes called SFE- Secure Function Evaluation . 

• The secure multiparty computation is used for the utilization of data without compromising privacy.
• It is the cryptographic subfield that helps in preserving the privacy of the data.
• Emerging technologies like blockchain, mobile computing, IoT, cloud computing has resulted in the rebirth of secure multiparty computation.
• Secure multiparty computation has become the hot area of research in the last decade due to the rise of blockchain technology.
• The researchers are now more interested to implement secure multiparty computation in distributed systems.
• Unlike in centralized systems, secure multiparty computation may have better performance in distributed systems.

Architecture

The secure multiparty computation provides a protocol where no individual can see the other parties data while distributing the data across multi parties. It enables the data scientists and analysts to compute privately on the distributed data without exposing it.

Multiparty sharing data among each other with any third party using a specified protocol.

The co-workers want to compute the maximum salary without revealing their individual salary to others. To perform such a computation, secure multiparty computation is implemented to calculate the maximum salary. The parties in a distributed manner jointly perform a function to calculate it without revealing the salary. Data in use is kept in encrypted form, broken up, and distributed across parties, there are no chances of quantum attacks.  It is impossible to have a trusted party in the real world, as all parties communicate with each other in one or the other way In such a scenario, the parties may get corrupted. The corrupted parties have behavior like semi-honest and malicious. 

• A semi-honest opponent is one who follows the specified protocol but makes the parties corrupted. The protocol is run honestly, but they try to extract information from the messages exchanged between parties.
• A malicious adversary makes an attempt to breach security and does not follow the specified protocol. The adversary can make the changes during the execution process of the protocol.  While using multiparty computation, we assume the party is honest which follows all the protocols.

Suppose we want to compute the average salary among three employees without revealing the actual salary, for such problems one can use secure multiparty computation. Let’s take an example-

Example of computing average salary of multiparty using additive sharing.

Mathematical representation of the problem can be given as:

Sam, Bob, and Cassy want to calculate their average salary. 

• Say Sam’s salary is $40k. Using additive sharing, $40k is split into randomly generated three pieces $44k, $-11k, and $7k.
• Sam keeps one of these secret pieces with herself and distributes the other two to each.
• The same procedure is followed by all three.
• Secret sharing keeps the data in encrypted form when in use. The procedure is given below-

From the above data shared there is no clue about the actual salary, but the average salary is being calculated.

There are a number of techniques developed for secure multiparty computation protocol construction having different features. Some techniques used in secure Multiparty computation are listed below:

• Shamir Secret Sharing: Secret sharing is utilized as the basic tool when there is an honest majority in secure multiparty computation. A secret sharing scheme is that a secret s is shared among n parties, such that t+1 or more parties come together to reconstruct the secret. The parties lesser than t cannot get any information or reconstruct the secret. The scheme which fulfills the requirements of t+1 out of n is called the threshold secret sharing scheme.
• Honest Majority MPC: The function can either be represented by Boolean or arithmetic circuit in an honest majority. For MPC-based secret sharing having the honest majority, there is finite field Zp with p>n for arithmetic circuit and the circuit is Turing complete.
• Input sharing: Every party shares the input using the Shamir secret sharing. The circuit is being provided the input for computation. Every party keeps his input private by adding some random number to the input and finally, after getting the output the random number is known to the party is removed, and we get the output.
• Circuit evaluation: The circuit is evaluated by parties one gate at a time. The gates are evaluated serially from input to output. The evaluation consists of the computation of addition and multiplication gates. For inputs a(x) and b(x), the output of addition for the ith party is calculated as c(i) = a(i) + b(i) . Similarly, the output of multiplication for the i th party is calculated as c(i) = a(i) . b(i).
• Private set intersection: The private set intersection protocol is very efficient for the two parties’ problems. Two parties who wish to find the elements of intersection with private set of inputs without revealing the input, the private set intersection is better approach for both honest and dishonest adversaries.
• Threshold cryptography: Threshold cryptography aims to carry out the cryptographic operations for a set of parties without holding the secret by any of the single party. RSA algorithm is used for the scheme where the basic function is y=xe mod n. RSA is used for encrypting secrets or messages.
• Dishonest majority MPC: In the secure multiparty computation, there can be both honest and dishonest parties. The secure Multiparty computation is secure as long as there is an honest majority. If the adversaries are corrupt more than the majority, new approaches are required for security. For the dishonest majority, there are protocols like GMW oblivious transfer, garbled circuit, Tiny oz and many more protocols.

Benefits Of Secure Multiparty Computation

Let’s discuss some benefits of secure multiparty computation:

• Trusted third party: In Secure Multiparty Computation, we can share data in a distributed manner with different organizations without any third party and even the privacy of data will be preserved while sharing data.
• Data Privacy: The private data of organizations can be shared for computation purposes. The concern of data privacy is provided by using secure multiparty computation, which keeps the data in use in encrypted form. Thus, the data is not revealed or compromised.
• High accuracy: Secure Multiparty Computation provides highly accurate results for different computations using cryptography.
• Quantum safe: The data shared between parties is safe against quantum attacks, as the data is broken up and encrypted when distributed among parties for computation.

Limitations Of Secure Multiparty Computation

Secure multiparty computation being used for solving different problems, but there are few limitations. The main limitations are the computational overhead and high communication costs.

• Computational overhead: To provide the security we need to generate the random numbers, the random number generation requires more computation overhead which slows down runtime.
• High communication costs: Distributing the data to multiple parties for computation over the networks leads to higher costs of communication.

Please Login to comment...

Similar reads.

• Cyber-security
• Computer Subject

Improve your Coding Skills with Practice

What kind of Experience do you want to share?