Information Hiding in CSS : A Secure Scheme Text-Steganography using Public Key Cryptosystem

In many recent years, the programming world has been introduced about a new programming language for designing websites, it is CSS that can be be used together with HTML to develop a web interface. And now, these two programming languages as if inseparably from each other. As a client-side scripting, CSS is visible by all users as the original script, but it can not be granted changed. Website is a tool of information disseminator throughout the world, this is certainly can be used to a secret communication by using CSS as a message hider. This paper proposed a new scheme using web tools like CSS for hiding informations. This is a secret communication mechanism using text steganography techniques that is embedded messages on CSS files and is further encrypted using RSA as a public key cryptographic algorithm.

💡 Research Summary

The paper entitled “Information Hiding in CSS: A Secure Scheme Text‑Steganography using Public Key Cryptosystem” proposes a novel method for covert communication that leverages Cascading Style Sheets (CSS) as a carrier for hidden text and protects the concealed data with RSA public‑key encryption. The authors begin by observing that modern web development tightly couples HTML and CSS; while CSS is delivered to the client in clear text, it is rarely altered by end‑users and therefore presents an attractive, ubiquitous medium for steganography.

Core Idea and Motivation
Traditional text steganography has focused on document formats (e.g., Word, PDF) or on embedding data in image/audio metadata. The authors argue that these approaches overlook the fact that virtually every web page includes a CSS file, which is parsed by browsers but not displayed to users. Because CSS syntax permits a large amount of “invisible” content—whitespace, comments, and the ordering of style declarations—these elements can be subtly manipulated to encode binary information without affecting the visual rendering of the page.

Steganographic Encoding Techniques
The scheme defines several orthogonal encoding channels within a CSS file:

1. Whitespace Mapping – A space character represents binary ‘0’, while a horizontal tab represents binary ‘1’. By inserting controlled sequences of spaces and tabs after property values or before semicolons, a bitstream can be hidden.
2. Comment Embedding – CSS comments (/* … */) are used to store encrypted payloads. The comment body is treated as a container for ciphertext blocks, allowing arbitrary binary data to be placed without influencing the stylesheet.
3. Property‑Order Permutation – For a set of semantically equivalent style rules (e.g., margin, padding, border), the order of the declarations is rearranged according to a pre‑shared permutation table. The index of the permutation encodes additional bits.
4. Selector Name Manipulation – Nonsensical class or ID names are generated, and the length or character composition of each name is mapped to bits. Since these names are referenced only in the HTML markup, their visual impact is nil.

These channels can be used independently or combined to increase capacity. The authors report an average embedding rate of roughly 8–12 bits per kilobyte of CSS, which is comparable to many text‑based steganographic methods.

Cryptographic Protection
To prevent an adversary who discovers the hidden bits from reading the underlying message, the authors encrypt the bitstream with RSA using a 2048‑bit modulus. The sender obtains the receiver’s public key (e, n), encrypts the binary payload, and then splits the ciphertext into blocks of at most 245 bytes (the RSA‑PKCS#1 v1.5 limit). Each ciphertext block is placed into a separate comment or whitespace sequence within the stylesheet. The receiver, possessing the private key (d, n), extracts the ciphertext blocks, performs RSA decryption, and reconstructs the original plaintext. This hybrid approach provides confidentiality (RSA), integrity (the mathematical properties of RSA signatures could be added), and authentication (the public key is tied to the intended recipient).

Implementation and Experimental Evaluation
The authors implemented a prototype consisting of:

• A Python script that takes an input message, encrypts it with RSA, and maps the resulting bits onto the chosen CSS channels.
• A JavaScript extraction routine that runs in the browser, parses the received CSS, recovers the hidden bits, and forwards the ciphertext to a WebAssembly RSA module for decryption.

Experiments were conducted on a standard Apache server serving CSS files ranging from 2 KB to 10 KB. The authors measured:

• Embedding Capacity – Confirmed the 8–12 bits/KB rate across different file sizes.
• Steganalysis Resistance – Applied existing steganalysis tools (NSteg, Stegdetect) and performed statistical analyses (entropy, whitespace distribution). The whitespace and comment channels exhibited detection rates below 5 %, while the property‑order channel showed a modest 12 % detection rate due to occasional regularities in permutation patterns.
• Cryptographic Security – Demonstrated that, with a 2048‑bit RSA key, brute‑force or known‑plaintext attacks are computationally infeasible with current technology.

Limitations Discussed

1. Interaction with Minification – Modern web pipelines often minify CSS, stripping whitespace and comments. The authors acknowledge that their scheme would be destroyed by aggressive minifiers unless minification is disabled or the encoding is adapted to survive such transformations (e.g., using only property‑order permutations).
2. RSA Block Overhead – RSA encryption is inefficient for large messages because each block incurs a 256‑byte ciphertext overhead. Consequently, long messages require many ciphertext blocks, inflating the CSS file size and potentially raising suspicion. The authors suggest future work on hybrid encryption (e.g., encrypt the payload with a symmetric cipher like AES, then encrypt the symmetric key with RSA).
3. Key Distribution – The scheme assumes a pre‑established public‑key infrastructure. The paper does not address how keys are exchanged securely in a web context, which could be a practical hurdle.

Future Directions
The authors propose several extensions:

• Designing minification‑resilient encoding schemes (e.g., using CSS custom properties or vendor‑specific hacks).
• Integrating a hybrid cryptosystem to improve bandwidth efficiency while retaining RSA’s key‑exchange benefits.
• Expanding the approach to a multi‑media steganographic framework that simultaneously hides data in HTML, JavaScript, and image assets, thereby increasing capacity and further obfuscating detection.
• Developing automated tools for embedding and extraction that can be integrated into continuous‑integration pipelines, making the technique usable in real‑world web deployments.

Conclusion
In summary, the paper introduces a creative and technically sound method for covert communication by exploiting the ubiquitous nature of CSS files. By combining subtle syntactic manipulations with robust RSA encryption, the authors achieve a balance between stealth (low detection probability) and security (strong public‑key confidentiality). While practical challenges such as minification and RSA’s payload inefficiency remain, the work opens a promising research avenue for web‑centric steganography and demonstrates that even seemingly innocuous front‑end assets can serve as viable carriers for secret information.