
TCP steganography, or how to hide data transmission on the Internet

Polish researchers have proposed a new method of network steganography based on the features of the widely used TCP transport layer protocol. The authors of the work believe that their scheme could be used, for example, to send hidden messages in totalitarian countries that impose strict Internet censorship. Let's try to figure out what exactly the innovation is and how useful it really is.


')
First of all, we need to define steganography. Steganography is the science of hidden communication: its methods let the parties conceal the very fact that a message is being transferred. This is what distinguishes it from cryptography, which tries to make the content of the message unreadable to outsiders. It is worth noting that the professional cryptographic community is rather dismissive of steganography, because its ideology is close to the principle of "security through obscurity" (I don't know how to render that properly in Russian; something like "security through ignorance"). This principle is used, for example, by Skype Inc.: the source code of the popular dialer is closed, and nobody really knows exactly how its data is encrypted. Recently, by the way, the NSA complained about this, as the well-known specialist Bruce Schneier wrote in his blog.

Returning to steganography, let's answer the question: why is it needed at all if there is cryptography? Indeed, if you encrypt a message with a modern algorithm and a sufficiently long key, nobody can read it unless you want them to. Nevertheless, it is sometimes more useful to hide the fact that a secret transmission took place. For example, if the relevant authorities intercept your encrypted message, cannot decipher it, but really want to, there are in the end non-computer methods of applying pressure and extracting information. It sounds dystopian, but you will agree it is possible in principle. Therefore, it would be better to ensure that those who are not supposed to know never learn that a transfer took place at all. This is exactly what the Polish researchers propose, and they propose to do it with the help of a protocol that every Internet user uses a thousand times a day.

Here we come to the Transmission Control Protocol (TCP). Of course, there is no point in explaining all its details: it's long, boring, and those who need it already know it. In short, TCP is a transport layer protocol (that is, it works on top of IP and below application protocols such as HTTP, FTP or SMTP) that ensures reliable delivery of data from the sender to the receiver. Reliable delivery means that if a packet is lost or arrives altered, TCP takes care of resending it. Note that "altered" here means not deliberate distortion of the data but errors introduced in transmission at the physical level. For example, while the packet travelled over copper wires, a couple of bits flipped or were lost in the noise (by the way, for Ethernet the bit error rate is usually taken to be about 10^-8). Packet loss in transit is also relatively frequent on the Internet. It can occur, for example, because of router load, which leads to buffer overflow and, as a result, the dropping of all newly arriving packets. Typically the share of lost packets is about 0.1%, and at a couple of percent TCP generally stops working normally: everything becomes terribly slow for the user.

Thus, retransmission of packets is a frequent and, in general, necessary phenomenon for TCP. So why not use it for steganographic purposes, given that TCP, as noted above, is used everywhere (by various estimates, TCP's share of Internet traffic today reaches 80-95%)? The essence of the proposed method is that the retransmitted packet carries not what was in the original packet but the data we are trying to hide. Detecting such a substitution is not so easy: you have to know where to look, and the number of simultaneous TCP connections passing through a provider is simply enormous. If you know the approximate level of retransmission in the network, you can tune the steganographic transfer mechanism so that your connection does not differ from the others.

Of course, this method is not free of flaws. From a practical point of view, it will not be so easy to implement: it requires changing the network stack in operating systems, although there is nothing extremely complex about that. In addition, given enough resources, the "secret" packets can still be found; to do so you need to inspect and analyze every packet in the network. As a rule that is practically impossible, so one usually looks for packets and connections that stand out, and the proposed method makes your connection precisely unremarkable. And nothing prevents you from encrypting the secret data just in case, while the connection itself may remain unencrypted so as to arouse less suspicion.
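The two preceding paragraphs describe both the trick (a retransmission whose payload differs from the original) and the only reliable way to catch it (inspecting every packet). As an added illustration that is not part of the original article or the researchers' work, the following Python sketch does exactly that inspection on a constructed capture: it reassembles one direction of each TCP flow byte by byte and flags any sequence number whose retransmitted byte differs from the copy seen first. The `Segment` model, the flow labels and the sample segments are all constructed for this example.

```python
from typing import Dict, List, NamedTuple, Tuple

class Segment(NamedTuple):
    flow: str       # constructed flow label (in practice the 4-tuple plus direction)
    seq: int        # sequence number of the first payload byte
    payload: bytes

def inspect_flow(segments: List[Segment]) -> Tuple[int, int, List[int]]:
    """Reassemble one flow direction byte by byte; return
    (payload_bytes, retransmitted_bytes, mismatched_seqs).  A real TCP
    retransmission repeats identical bytes for the same sequence numbers even
    when the sender re-segments, so a differing second copy is the fingerprint."""
    seen: Dict[int, int] = {}          # seq -> first byte value observed
    mismatched: List[int] = []
    total = retrans = 0
    for s in segments:
        for i, b in enumerate(s.payload):
            seq = (s.seq + i) & 0xFFFFFFFF   # honour 32-bit sequence wraparound
            total += 1
            if seq not in seen:
                seen[seq] = b
            else:
                retrans += 1
                if seen[seq] != b:
                    mismatched.append(seq)
    return total, retrans, mismatched

def classify_flows(segments: List[Segment]) -> Dict[str, str]:
    """Label each flow 'covert' on any mismatched byte, otherwise 'clean'.
    The retransmission rate is deliberately not used as evidence on its own,
    because the scheme tunes it to match the network's normal loss level."""
    by_flow: Dict[str, List[Segment]] = {}
    for s in segments:
        by_flow.setdefault(s.flow, []).append(s)
    return {flow: ("covert" if inspect_flow(segs)[2] else "clean")
            for flow, segs in by_flow.items()}

# Constructed capture: flow A retransmits faithfully after a lost ACK; flow B
# reuses the retransmission to carry a message in place of the original bytes.
SAMPLE = [
    Segment("A", 1000, b"GET /index.html HTTP/1.1\r\n"),
    Segment("A", 1026, b"Host: example.org\r\n"),
    Segment("A", 1026, b"Host: example.org\r\n"),      # identical retransmission
    Segment("B", 5000, b"GET /index.html HTTP/1.1\r\n"),
    Segment("B", 5026, b"Host: example.org\r\n"),
    Segment("B", 5026, b"meet at nine pm  \r\n"),      # hidden data, same seq and length
]

if __name__ == "__main__":
    print(classify_flows(SAMPLE))   # {'A': 'clean', 'B': 'covert'}
```

Both flows show the same retransmission rate, which is why the check compares bytes rather than counting retransmissions; on real traffic this has to be done for every flow, which is the resource cost the article points out.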

The authors of the work (for anyone interested, here it is) showed at the level of simulations that the proposed method works as intended. Perhaps in the future someone will take up implementing their ideas in practice. And then, let's hope, there will be a little less censorship on the Internet.

Source: https://habr.com/ru/post/60726/


All Articles