TCP steganography or how to hide data transfer on the Internet
Polish researchers have proposed a new method of network steganography based on features of TCP, the ubiquitous transport layer protocol. The authors believe that their scheme could be used, for example, to send hidden messages in totalitarian countries that impose strict Internet censorship. Let's try to work out what the innovation actually is and how useful it really is.
First of all, we need to define what steganography is. Steganography is the science of covert messaging: using its methods, the parties try to hide the very fact that a transfer takes place. This is what distinguishes it from cryptography, which tries to make the content of a message unreadable to outsiders. It is worth noting that the professional cryptographic community is rather contemptuous of steganography because its ideology is close to the principle of "security through obscurity" (I don't know how it sounds in Russian, something like "security through ignorance"). This principle is used, for example, by Skype Inc.: the source code of the popular dialer is closed and no one really knows how the data is encrypted. Recently, by the way, the NSA complained about this, as the well-known specialist Bruce Schneier wrote on his blog.
Returning to steganography, let us answer the question of why it is needed at all if cryptography exists. Indeed, you can encrypt a message with a modern algorithm, and with a long enough key no one will read it unless you want them to. Nevertheless, it is sometimes more useful to hide the very fact of a secret transmission. For example, if the relevant authorities intercept your encrypted message, they cannot decrypt it, but if they really want to, there are in the end non-computer methods of persuasion and information extraction. It sounds dystopian, but you must admit it is possible in principle. So it is better to make sure that those who are not supposed to know never learn that a transfer took place at all. This is exactly the method the Polish researchers proposed.
Here we come to the Transmission Control Protocol (TCP). Explaining all its details makes no sense here: it is long and boring, and those who need it already know. In short, TCP is a transport layer protocol (that is, it works "on top of" IP and "under" application layer protocols such as HTTP, FTP or SMTP) that ensures reliable data delivery from sender to receiver. Reliable delivery means that if a packet is lost or arrives altered, TCP takes care of resending it. Note that "altered" here means not a deliberate distortion of the data but transmission errors that occur at the physical level. For example,-8 ). Packet loss in transit is also a fairly common occurrence on the Internet. It can happen, for example, because of router congestion, which leads to buffer overflows and, as a result, the dropping of all newly arriving packets. Typically the share of lost packets is about 0.1%, and at a couple of percent TCP essentially stops working normally: everything slows down terribly for the user.
Thus we see that retransmission of packets is a frequent and necessary phenomenon in TCP. So why not use it for steganography, given that TCP, as noted above, is used everywhere (by various estimates, TCP's share of Internet traffic today reaches 80-95%)? The essence of the proposed method is to put into the retransmitted packet not what was in the original packet but the data we are trying to hide. At the same time, detecting such a substitution is not so simple: you need to know where to look, and the number of simultaneous TCP connections passing through a provider is simply huge. If you know the approximate retransmission level in the network, you can tune the steganographic transmission mechanism so that your connection does not differ from the others.
Of course, the method is not free of drawbacks. From a practical point of view, it will not be easy to implement: it requires changing the network stack in operating systems, although there is nothing especially complicated about that. In addition, given enough resources, "secret" packets can still be found, but to do so you have to inspect and analyze every packet on the network. As a rule that is practically impossible, so observers usually look for packets and connections that stand out in some way, and the proposed method makes your connection unremarkable. Nothing prevents you from also encrypting the secret data just in case; the connection itself can then remain unencrypted to arouse less suspicion.
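To make the two points above concrete (a retransmission that carries different bytes than the original segment, and the per-packet analysis an observer would need to notice it), here is a small added example in Python. It is not code from the article or from the researchers' work; it models a captured TCP stream as a list of segments with constructed sample data, keeps a per-flow map of which bytes were first sent at which sequence offset, flags any retransmission whose bytes differ from the first copy, and computes the flow's retransmission ratio so it can be compared with the normal loss level the article quotes. The flow identifiers, payloads and function names are all chosen for this example.

```python
"""Spotting payload-substituted TCP retransmissions in a captured stream.

Added example, not from the article. A genuine TCP retransmission repeats the
original bytes exactly, even when the stack re-packetises them into segments of
a different size, so a differing byte at an already-seen sequence offset is
either corruption that should have failed the checksum or a substitution of
the kind the article describes. Keying on byte offsets rather than on whole
segments is what keeps re-packetised but honest retransmissions from being
flagged.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP data segment as an observer sees it (constructed model)."""
    flow_id: str    # direction-specific 4-tuple, e.g. "10.0.0.5:45001>203.0.113.7:80"
    seq: int        # sequence number of the first payload byte
    payload: bytes


def analyse_flow(segments: List[Segment]) -> Tuple[List[Tuple[str, int]], float]:
    """Replay segments in capture order.

    Returns (mismatches, retransmission_ratio):
      mismatches: (flow_id, seq) of every segment that re-sends at least one
        byte offset already seen in that flow with different content.
      retransmission_ratio: share of segments that repeat any already-seen
        byte, for comparison with the link's usual loss level (the article
        puts typical loss around 0.1%).
    """
    seen: Dict[str, Dict[int, int]] = {}   # flow -> byte offset -> byte value
    mismatches: List[Tuple[str, int]] = []
    retransmitted = 0
    for s in segments:
        stream = seen.setdefault(s.flow_id, {})
        repeats = False
        differs = False
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if off in stream:
                repeats = True
                if stream[off] != b:
                    differs = True
            else:
                stream[off] = b          # first time this offset is seen
        if repeats:
            retransmitted += 1
        if differs:
            mismatches.append((s.flow_id, s.seq))
    ratio = retransmitted / len(segments) if segments else 0.0
    return mismatches, ratio


# Constructed sample capture: two flows, "A" and "B". Flow A contains an
# ordinary retransmission and a re-packetised one (same bytes, shorter
# segment); flow B contains a retransmission whose bytes were replaced.
SAMPLE: List[Segment] = [
    Segment("A", 1000, b"GET /index.html HTTP/1.1\r\n"),   # 26 bytes
    Segment("A", 1026, b"Host: example.com\r\n"),
    Segment("A", 1026, b"Host: example.com\r\n"),          # honest retransmission
    Segment("A", 1000, b"GET /index"),                      # honest, re-packetised
    Segment("B", 5000, b"weather is fine"),
    Segment("B", 5000, b"not the same..."),                 # same length, new content
]


if __name__ == "__main__":
    found, ratio = analyse_flow(SAMPLE)
    print("mismatched retransmissions:", found)   # [('B', 5000)]
    print("retransmission ratio: %.2f" % ratio)   # 0.50
```

The check only works when both copies of the segment pass the observation point; if the first copy was lost upstream of the monitor there is nothing to compare, which is one reason the article notes that inspecting every packet is the only thorough approach. The ratio is the cheaper signal: a flow whose retransmission share sits far above the link's baseline is the "connection that stands out" the text mentions, whereas a flow tuned to the baseline is exactly the unremarkable case the method aims for.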
The authors of the work (for those who are interested, here it is) showed at the level of simulation that the proposed method works as intended. Perhaps in the future someone will put their ideas into practice. And then, hopefully, the Internet will become a little less censored.