TCP steganography or how to hide data transmission on the Internet


Polish researchers have proposed a new method of network steganography based on features of the ubiquitous TCP transport-layer protocol. The authors believe their scheme could be used, for example, to send hidden messages from totalitarian countries that impose strict Internet censorship. Let's try to work out what the innovation actually consists of and how useful it really is.

First of all, we need to define what steganography is. Steganography is the science of covert communication: its methods try to hide the very fact that a message is being transferred. That is what distinguishes it from cryptography, which tries to make the content of a message unreadable. It is worth noting that the professional cryptographic community tends to look down on steganography because of how close its ideology is to the principle of "security through obscurity" (although a well-designed steganographic scheme, like a cipher, keeps only a key secret rather than the method). That principle is used, for example, by Skype Inc.: the source code of the popular VoIP client is closed and nobody really knows exactly how it encrypts data. Recently, incidentally, the NSA complained about this, as the well-known specialist Bruce Schneier wrote in his blog.

Returning to steganography, let us answer the question of why it is needed at all if cryptography exists. Indeed, one can encrypt a message with a modern algorithm, and with a sufficiently long key nobody will be able to read it unless you want them to. Nevertheless, it is sometimes more useful to hide the very fact that a secret transmission took place. For example, if the relevant authorities intercept your encrypted message, cannot decrypt it, but very much want to, there are in the end non-computer methods of persuasion and of extracting information. It sounds dystopian, but you will agree it is possible in principle. Therefore it is better to arrange things so that those who are not supposed to know do not even learn that a transfer took place. This is exactly the kind of method the Polish researchers propose, and moreover they propose doing it with a protocol that every Internet user uses thousands of times a day.

Here we come to the Transmission Control Protocol (TCP). There is no point in explaining all of its details: that would be long and boring, and those who need them already know. In short, TCP is a transport-layer protocol (it works "above" IP and "below" application-layer protocols such as HTTP, FTP or SMTP) that provides reliable delivery of data from sender to recipient. Reliable delivery means that if a packet is lost or corrupted, TCP takes care of retransmitting it: a corrupted segment fails its checksum and is discarded by the receiver, and the sender resends it once the acknowledgement fails to arrive in time or duplicate acknowledgements show up. Note that "corrupted" here does not mean deliberate tampering but transmission errors at the physical layer. For example, while the packet travelled over copper wire a couple of bits flipped or were lost in the noise (for Ethernet, by the way, the bit error rate is usually taken to be around 10^-8). Loss of a packet in transit is also a fairly common occurrence on the Internet. It happens, for example, when routers are overloaded: their buffers overflow and all newly arriving packets are dropped. Usually the share of lost packets is around 0.1%, and at a few percent TCP stops working normally at all, and everything becomes painfully slow for the user.

Thus we see that retransmission of packets is a frequent and, in general, necessary phenomenon for TCP. So why not use it for the needs of steganography, especially since TCP, as noted above, is used everywhere (by various estimates the share of TCP in Internet traffic today reaches 80-95%)? The essence of the proposed method is to put into the retransmitted segment not what was in the original packet but the data we are trying to hide. Both ends have to take part: a retransmission is triggered by a missing acknowledgement, so a cooperating receiver can provoke one deliberately, and it must then treat the retransmitted copy as hidden data rather than as the original bytes. Such a substitution is not so easy to detect. After all, you need to know where to look: the number of simultaneous TCP connections passing through a provider is simply enormous. If you know the approximate retransmission rate in the network, you can tune the steganographic retransmission mechanism so that your connection is no different from the others.

Of course, the method is not free of drawbacks. From a practical point of view it will not be so easy to implement: it requires changes to the network stack of the operating system on both ends, although there is nothing prohibitively complicated about that. In addition, given enough resources the "secret" packets can still be detected: a monitor that keeps a copy of every segment it has seen can compare each retransmission with the original, and a retransmission that covers the same sequence range but carries different bytes is something an honest TCP stack never produces. As a rule, though, inspecting and storing every packet on a network is close to impossible, so detection usually looks for packets and connections that stand out, and the proposed method makes your connection precisely unremarkable. And nothing stops you from encrypting the secret data just in case; the connection itself can then remain unencrypted so as to arouse less suspicion.
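As an added example (not code from the original post or from the researchers' work), here is the check a passive monitor would run against the substitution described in the two paragraphs above: remember the bytes already seen at each sequence number of a flow and flag any later segment that overlaps them with different content. The sample traffic is constructed inline as minimal IPv4+TCP packets with zero checksums and no options; the flow endpoints, ports and payloads are assumed for illustration only.

```python
"""Spot TCP retransmissions whose bytes differ from the first copy seen.

An honest TCP stack retransmits exactly the bytes it sent before for a
given sequence range.  A retransmission that covers a range already seen
on the flow but carries different bytes is what the steganographic scheme
relies on, so a monitor that remembers the stream can flag it.  All
sample traffic below is constructed for this example.
"""
import struct
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport seq payload")
Finding = namedtuple("Finding", "flow seq overlap mismatch")


def parse_ipv4_tcp(frame: bytes) -> Segment:
    """Parse a raw IPv4 packet carrying TCP (no link-layer header)."""
    ihl = (frame[0] & 0x0F) * 4                 # IPv4 header length
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_offset = (tcp[12] >> 4) * 4            # TCP header length incl. options
    return Segment(src, sport, dst, dport, seq, tcp[data_offset:])


def find_mismatched_retransmissions(segments):
    """Return a Finding for every segment that overlaps bytes already seen
    on its flow and disagrees with them.  Comparison is per sequence
    number, so partial overlaps are handled.  The per-flow byte map grows
    without bound here; a real monitor would trim it at the ACK point."""
    streams = {}                                # flow -> {absolute seq: byte}
    findings = []
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        seen = streams.setdefault(flow, {})
        overlap = mismatch = 0
        for off, byte in enumerate(s.payload):
            pos = (s.seq + off) & 0xFFFFFFFF    # 32-bit sequence wraparound
            if pos in seen:
                overlap += 1
                if seen[pos] != byte:
                    mismatch += 1               # first copy is kept as reference
            else:
                seen[pos] = byte
        if mismatch:
            findings.append(Finding(flow, s.seq, overlap, mismatch))
    return findings


def build_ipv4_tcp(src, sport, dst, dport, seq, payload):
    """Build a minimal IPv4+TCP packet for the sample below.  Checksums are
    left zero, so these bytes are test input, not wire-valid frames."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          5 << 4, 0x18, 65535, 0, 0)   # 20-byte header, PSH|ACK
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


FLOW = ("10.0.0.1", 40000, "10.0.0.2", 80)      # assumed endpoints
SAMPLE_FRAMES = [  # constructed traffic, one direction of one flow
    build_ipv4_tcp(*FLOW, 1000, b"GET / HTTP/1.1\r\n"),   # original, 16 bytes
    build_ipv4_tcp(*FLOW, 1016, b"Host: example\r\n"),    # next segment, 15 bytes
    build_ipv4_tcp(*FLOW, 1016, b"Host: example\r\n"),    # honest retransmission
    build_ipv4_tcp(*FLOW, 1000, b"meet at 9pm\r\n\r\n"),  # "retransmission" with other bytes
]


def analyse(frames):
    """Parse raw frames and report suspicious retransmissions."""
    return find_mismatched_retransmissions(parse_ipv4_tcp(f) for f in frames)


if __name__ == "__main__":
    for f in analyse(SAMPLE_FRAMES):
        print(f"{f.flow}: retransmission at seq {f.seq} differs in "
              f"{f.mismatch} of {f.overlap} overlapping bytes")
```

The honest retransmission of the second segment produces no finding; only the fourth frame, which reuses sequence number 1000 with a different payload, is reported. Note that the TCP checksum is no help here: the substituted segment carries a checksum valid for its new contents, so the only evidence is the disagreement with the copy seen earlier, which is exactly why this check needs the monitor to retain stream state.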

The authors showed by simulation that the proposed method works as intended (for those interested, the paper is linked from the original post). Perhaps in the future someone will implement their ideas in practice. And then, hopefully, there will be a little less censorship on the Internet.

Source: habr.com
