
Appendix A: Hiding Data in Network Traffic

Various network protocols have characteristics that can be used to hide information [23, 34, 69]. TCP/IP packets are used to transport information, and an uncountable number of packets are transmitted daily over the Internet. Any of these packets can provide a covert communication channel. The packet headers have unused space or other values that can be manipulated to hide information. However, filters can be set to detect information in the "unused" or reserved spaces. One way to circumvent this detection is to take advantage of information in the headers that typically goes unchecked by most systems. Such information includes the values for sequence and identification numbers.

Covert-tcp is a steganography tool that takes advantage of TCP/IP headers to pass hidden messages in apparently innocent network traffic [69]. The packets being sent may appear as initial connection requests, established data streams, or other intermediate steps in transmission. The data is embedded in the IP packet identification and TCP sequence number fields. These fields are less likely to be distorted by network routing or filtering.

Hiding in the Header - Identification Field

Figure 67 illustrates the layout of the IP packet header. The IP identification (IPID) field assists with the reassembly of packet data by remote routers and host systems. The value of the field provides a unique number so that if packets get fragmented along a route, they can be reassembled in the proper order. Encoding information in the IPID involves replacing the 16-bit numerical value with a value that contains the representation of the encoded information (a 16-bit numerical value may be as large as 65,535).

Figure 67. Sample IP Header (layout as recovered from the figure, bits 0-32: VERS | HLEN | Service Type | Total Length; Identification | Flags | Fragment Offset; Source IP Address; Destination IP Address; IP Options | Padding; Data)

Simply substituting an ASCII value in place of the IPID will work, but it results in identification values from 0 through 255, too small to be realistic. An option is to base the IPID on a function of the ASCII values. One solution is to make the IPID the product of the ASCII value and some fixed "key." In this example the key is 256 (the size of the ASCII set). This key provides a range of values from 0 through 65,280. Dividing the IPID value by 256 decodes the embedded ASCII value. Table 5 illustrates hiding the word "Neil" (ASCII values 78, 101, 105, 108) in the IPID field of four IP packets as viewed from a TCP Dump. (Two bytes can be sent using the same technique: the characters "Ne" can be represented with the IPID value 20069, and "il" with the value 26988.)

Table 5. Encoding "Neil" in the IP Identification Field

Packet One
  Encoding (view from TCPDump): 18:50:13.551117 ... sender.mydomain.com.7180 > receiver.mydomain.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 19968)
  Decoding: (ttl 64, id 19968/256) [ASCII: 78 (N)]

Packet Two
  Encoding (view from TCPDump): 18:50:14.551117 ... sender.mydomain.com.51727 > receiver.mydomain.com.www: S 1393295360:1393295360(0) win 512 (ttl 64, id 25856)
  Decoding: (ttl 64, id 25856/256) [ASCII: 101 (e)]

Packet Three
  Encoding (view from TCPDump): 18:50:15.551117 ... sender.mydomain.com.9473 > receiver.mydomain.com.www: S 3994419200:3994419200(0) win 512 (ttl 64, id 26880)
  Decoding: (ttl 64, id 26880/256) [ASCII: 105 (i)]

Packet Four
  Encoding (view from TCPDump): 18:50:16.551117 ... sender.mydomain.com.41727 > receiver.mydomain.com.www: S 1393295360:1393295360(0) win 512 (ttl 64, id 27648)
  Decoding: (ttl 64, id 27648/256) [ASCII: 108 (l)]

Hiding in the TCP Header - Sequence Number Field

Figure 68 illustrates the layout of the TCP packet header. The sequence number (SEQ) field is a 32-bit number that enables a client to establish a reliable protocol negotiation with a remote server. A 32-bit number can range in value from 0 to 4,294,967,295 (quite a bit of information can be hidden in this value).

Figure 68. Sample TCP Header (layout as recovered from the figure, bits 0-32: Source Port | Destination Port; Sequence Number; Acknowledgment Number; HLEN | Reserved | Code Bits | Window; Checksum | Urgent Pointer; Options | Padding; Data)

Table 6 illustrates hiding the word "Neil" (ASCII values 78, 101, 105, 108) in the SEQ field of four IP packets as viewed from a TCP Dump. As in the previous example, simply using the ASCII values 0 through 255 produces SEQ numbers that are too small to be realistic sequence numbers.

Table 6. Encoding "Neil" in the TCP Sequence Number Field

Packet One
  Encoding (view from TCPDump): 18:50:29.071117 ... sender.mydomain.com.45321 > receiver.mydomain.com.www: S 1303511040:1303511040(0) win 512 (ttl 64, id 49408)
  Decoding: S 1303511040/16711680 [ASCII: 78 (N)]

Packet Two
  Encoding (view from TCPDump): 18:50:30.071117 ... sender.mydomain.com.65292 > receiver.mydomain.com.www: S 1687879680:1687879680(0) win 512 (ttl 64, id 47616)
  Decoding: S 1687879680/16711680 [ASCII: 101 (e)]

Packet Three
  Encoding (view from TCPDump): 18:50:31.071117 ... sender.mydomain.com.25120 > receiver.mydomain.com.www: S 1754726400:1754726400(0) win 512 (ttl 64, id 41984)
  Decoding: S 1754726400/16711680 [ASCII: 105 (i)]

Packet Four
  Encoding (view from TCPDump): 18:50:32.071117 ... sender.mydomain.com.37291 > receiver.mydomain.com.www: S 1804861440:1804861440(0) win 512 (ttl 64, id 37315)
  Decoding: S 1804861440/16711680 [ASCII: 108 (l)]

Since the values for a SEQ can be as large as 4,294,967,295, a larger multiplier (16,711,680 = 65,280 * 256) is used. This provides values ranging from 0 to 4,261,478,400 when multiplied by the appropriate ASCII values. Since the SEQ is such a large value, four bytes of information can easily be passed in a single packet header. For example, "Neil" can be sent as the single value 1,340,352,872. Dividing the SEQ value by 16,711,680 decodes the embedded ASCII value.

The process selected in these two examples is simple and straightforward. Any function can be used in selecting values for these fields as long as the result complies with the restrictions of the carrier.

Appendix B: Glossary of Methods to Distort Stego-Images

These descriptions and definitions are based on the processing instructions and descriptions from the software used to perform the manual image processing test for distortion in Chapter 3. The definitions are ordered in three sections: image conversions, image processing techniques, and methods and options for image color reduction.

IMAGE CONVERSIONS

24-bit color to 8-bit color
Converting 24-bit color images to 8-bit color image format. For the options used in color reduction, see the subsection Color Reduction Options, Methods, and Dithering below.

24-bit color to 8-bit grayscale
Converting 24-bit color images to 8-bit grayscale image format.

8-bit color to 8-bit grayscale
Converting 8-bit color images to 8-bit grayscale image format. This test is only applied to images surviving the 24-bit color to 8-bit color conversion.

JPEG Compression
Joint Photographic Experts Group compression is a compression technique that supports 24-bit images and can reduce a file size by as much as 96%.
It removes some color information while retaining the brightness data. At higher compressions it can result in a visible loss of quality. It does not support transparency or layers. JPEG is best for photographs and for images that contain a variety of tonal values.

IMAGE PROCESSING

Blur
Blurring smooths transitions and decreases contrast by averaging the pixels next to hard edges of defined lines and areas where there are significant color transitions.

Add Noise
Adding noise to an image reduces the amount of detail in the image and creates a grainy texture. Two types of noise insertion are Random and Uniform.

Random Noise
Inserts randomly colored pixels into an image.

Uniform Noise
Inserts pixels and colors that more closely resemble the original pixels.

Noise Reduction
Reduces noise by adjusting colors and averaging pixel values. Two filters for noise reduction are Despeckle and Median Cut.

Despeckle
The Despeckle filter blurs an image except at its edges and areas of contrast.

Median Cut
The Median Cut filter removes noise by averaging the colors in an image one pixel at a time. It calculates the median of a block of pixels around the pixel in question and then sets the pixel's value to that median.

Sharpen
Sharpen filters produce the opposite effect of the Blur filters by increasing the contrast between adjacent pixels where there are significant color contrasts, usually at the edges of objects.

Edge Enhancement
The Enhance Edge filter increases the contrast along the edges in the image.

Rotate
Moves an image around its center point in a given plane.

Scale and Resize
Scaling and resizing include ways to increase or decrease an image's dimensions. Scaling or resizing involves duplicating or removing pixels as necessary to achieve the selected width and height of an image. It produces better results than the resampling methods when used with hard-edged images.

Resample
Resampling involves an interpolation process to minimize the "raggedness" normally associated with expanding an image. As applied here, interpolation smooths out rough spots by estimating how the "missing" pixels should appear, and then filling them with the appropriate color.
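Returning to Appendix A: the following defender-side check is an added example, not part of this appendix and not Covert-tcp's code. It scans tcpdump-style lines shaped like those in Tables 5 and 6 for IPID and SEQ values that are exact multiples of the two keys described there (256 and 16,711,680) with printable-ASCII quotients, and strings the hits together across a capture. The sample lines are constructed from the table values; the benign line and the host name in it are invented for contrast.

```python
import re

IPID_KEY = 256          # Table 5 encoding: IPID = ASCII value * 256
SEQ_KEY = 65280 * 256   # Table 6 encoding: SEQ = ASCII value * 16,711,680

# Field extractors for tcpdump-style lines: "(ttl 64, id 19968)" and "S seq:seq(0)".
ID_RE = re.compile(r"\bid (\d+)\)")
SEQ_RE = re.compile(r"\bS (\d+):\d+\(\d+\)")

# Constructed sample capture (not the page's listing) mirroring Tables 5 and 6,
# plus one ordinary-looking packet that must not be flagged.
TABLE5_LINES = [
    "18:50:13.551117 sender.mydomain.com.7180 > receiver.mydomain.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 19968)",
    "18:50:14.551117 sender.mydomain.com.51727 > receiver.mydomain.com.www: S 1393295360:1393295360(0) win 512 (ttl 64, id 25856)",
    "18:50:15.551117 sender.mydomain.com.9473 > receiver.mydomain.com.www: S 3994419200:3994419200(0) win 512 (ttl 64, id 26880)",
    "18:50:16.551117 sender.mydomain.com.41727 > receiver.mydomain.com.www: S 1393295360:1393295360(0) win 512 (ttl 64, id 27648)",
]
TABLE6_LINES = [
    "18:50:29.071117 sender.mydomain.com.45321 > receiver.mydomain.com.www: S 1303511040:1303511040(0) win 512 (ttl 64, id 49408)",
    "18:50:30.071117 sender.mydomain.com.65292 > receiver.mydomain.com.www: S 1687879680:1687879680(0) win 512 (ttl 64, id 47616)",
    "18:50:31.071117 sender.mydomain.com.25120 > receiver.mydomain.com.www: S 1754726400:1754726400(0) win 512 (ttl 64, id 41984)",
    "18:50:32.071117 sender.mydomain.com.37291 > receiver.mydomain.com.www: S 1804861440:1804861440(0) win 512 (ttl 64, id 37315)",
]
BENIGN_LINE = "18:51:02.000000 host.example.com.40112 > receiver.mydomain.com.www: S 2893871243:2893871243(0) win 65535 (ttl 64, id 4711)"

def decode_field(value, key):
    """Printable ASCII char `value` decodes to under `key`, or None if it does not fit the scheme."""
    if value % key:
        return None
    q = value // key
    return chr(q) if 32 <= q <= 126 else None

def scan_line(line):
    """Apply both checks to one line; a hit is a candidate, not proof."""
    m_id, m_seq = ID_RE.search(line), SEQ_RE.search(line)
    return {
        "ipid": decode_field(int(m_id.group(1)), IPID_KEY) if m_id else None,
        "seq": decode_field(int(m_seq.group(1)), SEQ_KEY) if m_seq else None,
    }

def recover(lines):
    """Join candidates across a capture. With uniformly random IPIDs, roughly 1 in 700 is a
    multiple of 256 with a printable quotient, so one hit is noise; a run that spells text is the signal."""
    hits = [scan_line(line) for line in lines]
    return {
        "ipid": "".join(h["ipid"] for h in hits if h["ipid"]),
        "seq": "".join(h["seq"] for h in hits if h["seq"]),
    }

if __name__ == "__main__":
    print(recover(TABLE5_LINES), recover(TABLE6_LINES), recover([BENIGN_LINE]))
```

Because, as the appendix notes, any function of the ASCII value can be used, a check keyed to these two multipliers catches only this specific scheme; the general signal is a header field whose values are more regular than their protocol purpose requires.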