Embedding Covert Channels into TCP/IP

11 years 7 months ago
Embedding Covert Channels into TCP/IP
It is commonly believed that steganography within TCP/IP is easily achieved by embedding data in header fields seemingly filled with “random” data, such as the IP identifier, TCP initial sequence number (ISN) or the least significant bit of the TCP timestamp. We show that this is not the case; these fields naturally exhibit sufficient structure and non-uniformity to be efficiently and reliably differentiated from unmodified ciphertext. Previous work on TCP/IP steganography does not take this into account and, by examining TCP/IP specifications and open source implementations, we have developed tests to detect the use of na¨ıve embedding. Finally, we describe reversible transforms that map block cipher output onto TCP ISNs, indistinguishable from those generated by Linux and OpenBSD. The techniques used can be extended to other operating systems. A message can thus be hidden so that an attacker cannot demonstrate its existence without knowing a secret key.
Steven J. Murdoch, Stephen Lewis
Added 27 Jun 2010
Updated 27 Jun 2010
Type Conference
Year 2005
Where IH
Authors Steven J. Murdoch, Stephen Lewis
Comments (0)