Steganography by Hiding Data in TCP/IP Headers - IEEE Xplore

2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE)

STEGANOGRAPHY BY HIDING DATA IN TCP/IP HEADERS

Miss D. D. Dhobale (1), Dr. V. R. Ghorpade (2), Mr. B. S. Patil (3), Mrs. S. B. Patil (4)
1,3 PVPIT Budhgaon, Sangli, Maharashtra (India)
2 KIT, Kolhapur, Maharashtra (India)
4 JIM COE, Jaysingpur

Abstract - This work relates the areas of steganography, network protocols and security for data hiding in communication networks employing TCP/IP. Steganography is defined as the art and science of hiding information: a process that involves hiding a message in an appropriate carrier, for example an image file. The carrier can then be sent to a receiver without anyone else knowing that it contains a hidden message. In this paper we present a novel scheme to send messages imperceptibly between two points over the Internet. This scheme uses a fourth-order chaotic system to generate a chaotic sequence, which is used to encrypt the secret message; the modulated message is then embedded into the identification field of the IP header. Compared with Ahsan's scheme, this scheme can provide higher security. Furthermore, this scheme allows sending a covert message point to point by selecting proper IP packets according to path MTU discovery.

Keywords: Data hiding, TCP/IP, network security, steganography, covert channels.

I. INTRODUCTION

As the Internet permeates our daily lives, there is a need to address issues of protection; flexible security for evolving network applications is required. This work attempts to integrate traditional network security with another emerging technology, data hiding. Many forms of information hiding, such as encryption, are used for data hiding, where both parties encrypt the information and transfer a cipher. These techniques have become much more open and public in the last few years. Steganography aims, better than encryption does, to prevent a third party from realizing that any covert communication has taken place at all. Steganography is defined as the art and science of hiding information: transmitting secret messages through innocuous cover carriers in such a manner that the existence of the embedded messages is undetectable. Only persons who have knowledge of the embedded information and possess a "key" will be able to decode and view the information. This key can take many forms: it can range from a passphrase for electronic steganography to an understanding of the method used to decode the information.

II. WHY NETWORK SECURITY?

To provide secured communication between two or more computers exchanging confidential data like credit card numbers, user names and passwords, tender amounts etc., and to prevent hackers from obtaining the above-mentioned confidential data. "Hackers" here can be spyware or virus applications which run on user computers, collect information about the computers and their network activities (like capturing network packets) and send this information to some remote computers. In this paper we assert that steganography over the Internet must receive more and more attention, because Internet traffic can provide a higher bandwidth than standard image steganography. Furthermore, it can be shown that through "ideal compression" steganography in images can be eliminated. Hiding data packets within TCP/IP headers is a new approach to sending encrypted data packets over the network.

A covert channel is a transfer of information that violates a computer's built-in security systems. A covert storage channel refers to depositing information in a memory or storage location that can be accessed by processes with different security clearances. A covert timing channel instead signals information by manipulating timing. The underlying rule is that no process at a label A shall be able to perform an action that is detectable by another process at label B except when label B dominates label A. This definition can be broken down into two situations: direct data operations and incidental operations. Direct data operations are intended for users as a direct means of storing or communicating user data, such as reading and writing files. Fig. 1 shows the general covert channel framework in TCP/IP.

Fig. 1 The general covert channel framework in TCP/IP (figure; the labels recoverable from it are control clock, covert information and security key).

978-1-4244-6542-2/$26.00 © 2010 IEEE

Steganography is not a modern concept. An ancient example comes from the Histories of Herodotus. Xerxes planned to invade Greece and a warning message had to be passed to Sparta. Text was written on wax-covered wooden tablets. The wax was removed, the message written on the underlying wood and covered with wax again. These "unused" tablets passed inspection easily. A formula for the information hiding process might look like this:

cover medium + embedded message + stegokey = stego-medium

The cover medium is any innocent-looking digital image in which the secret message will be embedded. The stegokey is any additional information required to embed the information. The resulting image is called the stego-image or stego-medium and is the final image to be sent. Cryptography can and should be used in conjunction with steganography: if a hidden message is discovered, the attacker will still need to decipher the code before the message is revealed. A simple comparison between steganography and cryptography is shown in Figure 3.

III. PROBLEM DEFINITION

The traditional approach encrypts the data in the application layer; e.g. the HTTP protocol, the most popular and common protocol used over the Internet, uses SSL (Secure Socket Layer) for encryption and decryption of data sent over the Internet. It uses a 128-bit Cipher Lock, supported by the latest Internet browsers like Internet Explorer (IE 6.0 and above), Netscape Navigator 7.0 and above, and web servers like IIS (Internet Information Server, Microsoft only), Apache, Tomcat etc. The new method proposes a completely new approach for sending and receiving encrypted data. Instead of sending encrypted data over the application layer, it will be hidden in the IP Identification field. The hacker will be deceived, because it will look for data in the application layer. The application layer will contain a fake message, e.g. a fake HTML web page using the HTTP protocol (HTTP client and server). It will use TCP port 80 for the HTTP protocol. The hacker will be deceived into thinking that it is genuine HTTP data.

IV. PACKET HEADER HIDING & PREVIOUS TECHNOLOGIES

Fig. 2 shows how the TCP/IP header can be used as a carrier for a steganographic covert channel.

Fig. 2 The TCP/IP header as a carrier for a steganographic covert channel (figure; its caption text reads "TCP/IP header can serve as a carrier for a steganographic covert channel").

Fig. 5 and Fig. 6 show the header formats of TCP and IP respectively.

Fig. 3 The format of the TCP header (figure; fields: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options (including Timestamps), Padding).

Fig. 4 The format of the IP header (figure; fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options + Padding).

A. FIRST SCENARIO

A close study of [3] reveals that there exists redundancy in the Internet Protocol's fragmentation strategy. Figure 2 displays the IPv4 header. The Flags field contains fragmentation information. The first bit is reserved, the second is denoted DF (Do not Fragment), and the third is denoted MF (More Fragments). An un-fragmented datagram has all-zero fragmentation information (i.e. MF = 0 and 13-bit Fragment Offset = 0), which gives rise to a redundancy condition: DF (Do not Fragment) can carry either "0" or "1", subject to knowledge of the maximum size of the datagram. This aspect is exploited in Data Hiding Scenario 1. Consider two workstations on the same network with users Alice and Bob who have decided to have a covert communication employing the protocol suite of the network. They are aware that the network administrator is very security cautious and that the TCP/IP software is configured properly as per the security policy of the organization. Alice and Bob have knowledge of the MTU (maximum transmission unit) of their network and are aware of the fragmentation strategy, which follows the standard design considerations of IP. Based on the above explanation, it can be shown that the datagrams in Tables 1 and 2 bear the same meaning to the overt network provided that Alice and Bob have the MTU information beforehand. Thus, this redundancy leads to the possibility of covert information through judicious selection of each representation. Datagrams 1 and 2 sent by Alice can therefore communicate "1" and "0" respectively to Bob. The constraint, however, is that both parties require prior knowledge of the MTU.
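As an added example (Python, not the paper's own code): parse the Fig. 4 fragmentation fields, construct the two datagrams of Tables 1 and 2, test the redundancy condition the scenario relies on, and apply the mitigation a security-conscious administrator would put at the gateway, rewriting DF where it carries no overt meaning and fixing the checksum. The 192.0.2.x addresses, TTL and protocol values are constructed placeholders, and the gateway is assumed to know the MTU the two hosts use.

```python
import struct

# Fixed 20-byte IPv4 header (RFC 791): ver/IHL, TOS, total length, identification,
# flags + fragment offset, TTL, protocol, header checksum, source, destination.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")

def ipv4_checksum(header: bytes) -> int:
    """One's-complement Internet checksum over a header whose checksum field is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_fragmentation(header: bytes) -> dict:
    """Decode the Fig. 4 fields the first scenario depends on (DF, MF, offset, length)."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, _proto, csum, _src, _dst) = IPV4_HDR.unpack(header[:20])
    return {"ihl": ver_ihl & 0x0F, "total_len": total_len, "id": ident,
            "df": (flags_frag >> 14) & 1, "mf": (flags_frag >> 13) & 1,
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "checksum": csum}

def build_datagram(ident: int, df: int, total_len: int) -> bytes:
    """Constructed header in the shape of Tables 1 and 2; TEST-NET addresses
    (192.0.2.x) are placeholders and the payload is not included."""
    hdr = IPV4_HDR.pack(0x45, 0, total_len, ident, df << 14, 64, 6, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def df_is_redundant(header: bytes, path_mtu: int) -> bool:
    """The redundancy the first scenario exploits: an unfragmented datagram
    (MF = 0, offset = 0) no longer than the MTU means the same thing to the
    network whether DF is 0 or 1, so DF is a free bit for a covert sender."""
    f = parse_fragmentation(header)
    return f["mf"] == 0 and f["frag_offset"] == 0 and f["total_len"] <= path_mtu

def normalise_df(header: bytes, path_mtu: int) -> bytes:
    """Gateway-side mitigation (assumed here, not part of the paper): clear DF
    where it carries no overt meaning and recompute the checksum, so Datagram 1
    and Datagram 2 leave the gateway byte-for-byte identical."""
    if not df_is_redundant(header, path_mtu):
        return header
    flags_frag, = struct.unpack("!H", header[6:8])
    hdr = (header[:6] + struct.pack("!H", flags_frag & 0xBFFF)   # 0x4000 is DF
           + header[8:10] + b"\x00\x00" + header[12:])
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```

Clearing DF means a smaller-MTU hop further along the path could fragment the packet instead of returning "fragmentation needed" to the sender, so the rewrite belongs only on a path whose MTU the gateway actually knows.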

Table 1. Datagram 1 Covertly Communicating 1

  16-bit Id. field | 3-bit flag field | 13-bit frag. offset | 16-bit Total len.
  XX ... XX        | 010              | 00 ... 00           | 472

Table 2. Datagram 2 Covertly Communicating 0

  16-bit Id. field | 3-bit flag field | 13-bit frag. offset | 16-bit Total len.
  XX ... XX        | 000              | 00 ... 00           | 472

To demonstrate how both datagrams are similar from the perspective of a network, we note that Datagram 1 is of moderate length, but fragmentation is not allowed since the DF bit is set. Datagram 2, of the same length, has the fragmentation bit unset, yet fragmentation is not needed since its length is below the MTU. Since Alice and Bob know the MTU of their network and have agreed to send datagrams of size smaller than the MTU, there will be no fragmentation.

B. SECOND SCENARIO

IP Checksum Covert Channels and Selected Hash Collision. This method can be used for any protocol that uses the Internet checksum, including ICMP, UDP and TCP, as well as many others. The most interesting use, though, comes from the IP header, because upon forwarding the packet to the gateway, and along each intermediate router, the TTL is decremented and the checksum is recalculated, so the immediate covert-channel checksum is lost. The end destination, in order to retrieve the original checksum, must replace the TTL with the original TTL, calculate the sum in the normal fashion, and then retrieve m. An extension to this would be to use the IP ID field as a 32-bit "key", which the target node must also replace in order to retrieve the message. The Internet checksum fails to be a secure method for validating data integrity because a user can arbitrarily create a selected collision in the hashing mechanism in a trivial period of time, and because the original message can be retrieved from the hash; this demonstrates the two-way characteristic of the checksum function.

V. NEW APPROACH FOR DATA HIDING

Data Hiding Scenario 2 involves the 16-bit identification field of the IPv4 header shown in Fig. 5, through chaotic mixing. This identification field carries a value assigned by the sender to aid in assembling the fragments of a datagram at the receiver. The only limitation placed on the identification field by the fragmentation strategy is that it is unique for a specific source-destination pair as long as the datagram is alive on the Internet. The layers, and the Identification field in the IP layer of the TCP/IP protocol suite, are shown in Fig. 7.

Fig. 7 The layers of the TCP/IP protocol suite (figure; its frame layer row reads: Source MAC Address, Destination MAC Address).

Sometimes network and system administrators decide that ICMP is a bad thing, and block it. This is fair enough on the surface: ICMP can be used both as a convenient flooding tool and as a way to map networks. If, specifically, they block the "can't fragment" ICMP message, then any attempt at path MTU discovery will fail quietly: packets will be dropped on the floor, and the request to re-send a smaller packet will never get back to the originating host. Packetization Layer Path MTU Discovery (PLPMTUD) is a method that extends the classic Path MTU Discovery described above. If ICMP processing is completely disabled, PLPMTUD can completely replace classical Path MTU Discovery.

A. THE FOURTH ORDER CHAOTIC METHOD FOR PACKET SEQUENCE GENERATION

A fourth-order Chebyshev chaotic system can be described by a simple mathematical equation as follows:

$x_{n+1} = \cos(4 \arccos x_n), \quad x_n \in (-1, 1)$ ..........[4]

Given a value of $x_0$, one can generate a specific sequence from that initial value using equation 4. In order to enhance randomicity and meet our use as well, we need to convert the chaotic sequence to a binary sequence. The conversion function is equation 5:

$M(x) = \begin{cases} 1, & x \ge 0 \\ -1, & x < 0 \end{cases}$ ..........[5]

A special example is shown in Fig. 8. Suppose $x_0 = 0.15$; after iterating 500 times ($n = 500$), we get a chaotic sequence (the upper plot). After conversion, we get a binary sequence. Thus the secret key will be a combination of $x_0$ and $n$. For example, the key may be:

Key = $x_0$ XOR $n$ ..........[6]

The strength of a data hiding scheme depends on its non-detectability either by the administrator or by any automated network-monitoring scheme; its identification field appears to be perfectly "normal". Chaotic mixing provides structured scrambling. Compared with the Toral Automorphism System, it can provide higher randomicity and higher security.

B. INDICATION OF PACKETS ORDER

We can use a simple method to identify the packets' order. Suppose we embed the message into the IP identification field. This field has 16 bits: the first 8 bits can be used to carry the message and the next 8 bits can be used to identify the order. For example, if we want to send the text "ABCDEFGH" to someone, the ASCII value of B is 66 and its binary equivalent is 01000010; the ASCII value of H is 72 and its binary representation is 01001000. Packet 2 will carry B and packet 8 will carry H. So the ID field of packet 2 will be 01000010 00000010 and the ID field of packet 8 will be 01001000 00001000. When these packets arrive, the receiver knows that B should be placed at the second position and H at the 8th. This method narrows the bandwidth, but it is a balance between complexity and bandwidth.

VI. PROPOSED CONCEPTUAL SCHEME

We assume that our communicating parties, denoted Alice and Bob, transfer information overtly over a computer network and employ data hiding involving the TCP/IP protocol suite to communicate supplementary information covertly. The basic framework is shown in Fig. 1.

Alice's End

Alice performs the following operations to encode a covert data symbol:

Step 1. Use PLPMTUD to determine the path MTU.
Step 2. Choose an initial x0 and n to generate a chaotic sequence Kn. The secret key is generated by equation 6. Bob is told to use this key to extract the secret information. Then divide Kn into groups (16 bits/group) and get {K1, K2, ..., Kk}.
Step 3. Convert the secret message into a binary sequence Mn and divide it into groups (8 bits/group). Each group is padded with its group number (its binary equivalent, 8 bits). We get {M1, M2, ..., Mk}.
Step 4. Use {K1, K2, ..., Kk} to encrypt {M1, M2, ..., Mk}. We get the covert information {Ci}: Ci = Mi XOR Ki (i = 1, 2, ..., k).
Step 5. Select k packets {P1, P2, ..., Pk} and embed Ci into Pi's identification field (i = 1, 2, ..., k). We get the stego network packets {Si}.
Step 6. Send {Si} to Bob.

Bob's End

Bob can use the key that Alice told him to generate the same chaotic sequence Kn and then divide it into {K1, K2, ..., Kk} in the same way as Alice. To decode the secret message he can use an exhaustive algorithm. Suppose Bob receives k packets; these packets have k! permutations. Combine the identification fields of all received packets according to each permutation; each permutation generates a binary sequence {C1*, C2*, ..., Ck*}. Decrypt {C1*, C2*, ..., Ck*} to get the intermediate binary sequence {T1, T2, ..., Tk}:

Ti = Ci* XOR Ki (i = 1, 2, 3, ..., k) ..........[7]

Convert the last 8 bits of every Ti into normal form. If we get legitimate and sequential numbers, we can assert that we have the right packet order; otherwise, try the next permutation. After determining the right order of the arriving packets, Bob can extract the secret message according to that order.

VII. APPLICATIONS

Associating supplementary information sent via covert mechanisms employing packet header manipulation algorithms finds the following application scenarios:

1. Enhanced filtering criteria in packet filtering routers (firewalls). If the additional information pertains to a user or an application, a more reinforced filtering policy can be defined.
2. A client-server architecture wherein several clients make a request to an FTP server, say of a library. A log file can be maintained, for audit purposes, based on the requests sent by various users. Moreover, serving the request by transferring a digital image to the user, say, can have the same user information or library information tied to the content packets. This scenario of tags tied to the content allows for audit.
3. A logging process for the above application scenario based on the user- or application-specific information completes the picture (i.e. logging of valid users), maintaining the record of user requests based on user information and ultimately serving the user requests by having either the user information or the server/source (library) information tied to the content packets to avoid unlawful use such as copyright violation.
4. Adding value to content delivery networks. A content delivery network is an overlay network on the public Internet or private networks, built specifically for the high performance delivery of content. Use of supplementary covert data adds intelligence to networking, wherein the network makes path decisions based on more than simple labels such as IP address.
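As an added example (Python, not the paper's code), covering equations 4 to 7, the plain order marking of section V.B and the Alice/Bob steps of section VI: the Chebyshev key stream, Alice's embedding of message bytes with their group numbers into identification-field values, Bob's permutation search that accepts an order only when the low bytes read 1..k, and a defender-side check that flags the unmixed V.B encoding in a flow's identification fields. Assumptions: x0 alone is passed as the key and n is taken as 16k bits (the paper combines x0 and n as in equation 6), the -1 of equation 5 is stored as bit 0, and the messages and identification values are constructed.

```python
import math
from itertools import permutations

def chebyshev_sequence(x0: float, n: int) -> list:
    """Eq. 4: iterate x_{n+1} = cos(4 arccos x_n) n times from x0 in (-1, 1)."""
    xs, x = [], x0
    for _ in range(n):
        x = math.cos(4 * math.acos(x))
        xs.append(x)
    return xs

def binarise(xs: list) -> list:
    """Eq. 5: M(x) = 1 for x >= 0, else -1; the -1 is stored here as bit 0."""
    return [1 if x >= 0 else 0 for x in xs]

def key_groups(x0: float, k: int) -> list:
    """Step 2: cut the chaotic bit sequence into k 16-bit words K_1..K_k (n = 16k)."""
    bits = binarise(chebyshev_sequence(x0, 16 * k))
    return [int("".join(map(str, bits[16 * i:16 * i + 16])), 2) for i in range(k)]

def alice_ids(message: bytes, x0: float) -> list:
    """Steps 3-5: M_i = (byte << 8) | group number i, C_i = M_i XOR K_i; C_i is the
    value Alice writes into packet i's 16-bit identification field."""
    keys = key_groups(x0, len(message))
    return [((b << 8) | (i + 1)) ^ keys[i] for i, b in enumerate(message)]

def bob_decode(ids: list, x0: float):
    """Eq. 7 plus the exhaustive search: try every order of the k received
    identification fields, T_i = C*_i XOR K_i, and accept the first order whose
    low bytes read 1, 2, ..., k. Returns None when no order validates."""
    k = len(ids)
    keys = key_groups(x0, k)
    for order in permutations(ids):
        t = [c ^ keys[i] for i, c in enumerate(order)]
        if [v & 0xFF for v in t] == list(range(1, k + 1)):
            return bytes(v >> 8 for v in t)
    return None

def plain_ids(message: bytes) -> list:
    """Section V.B without chaotic mixing: high byte = character, low byte =
    position, so 'B' in packet 2 gives 0x4202 and 'H' in packet 8 gives 0x4808."""
    return [(b << 8) | (i + 1) for i, b in enumerate(message)]

def looks_like_plain_channel(ids: list) -> bool:
    """Defender-side heuristic for the unmixed V.B encoding: the low bytes of a
    flow's identification fields enumerate 1..k and every high byte is printable
    ASCII. A stack's normal counter or random IDs do not show this pattern."""
    low = sorted(v & 0xFF for v in ids)
    high_printable = all(0x20 <= (v >> 8) < 0x7F for v in ids)
    return low == list(range(1, len(ids) + 1)) and high_printable
```

The same heuristic does not fire on the chaotically mixed values from alice_ids, which is exactly the point of the paper's mixing step; detecting those needs statistics over many packets against the host's normal identification-field behaviour rather than a byte-pattern match.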

REFERENCES

[1] S. J. Murdoch, S. Lewis, University of Cambridge, United Kingdom, 7th Information Hiding Workshop, June 2005.
[2] R. J. Anderson and F. A. P. Petitcolas, "On the limits of steganography," IEEE Journal on Selected Areas in Communications, vol. 16, no. 4, pp. 474-481, May 1998.
[3] K. Ahsan and D. Kundur, "Practical Data Hiding in TCP/IP," Proc. Workshop on Multimedia Security at ACM Multimedia, 2002.
[4] USC Information Sciences Institute, "Internet protocol, DARPA internet program protocol specification," September 1981. Specification prepared for the Defense Advanced Research Projects Agency.
[5] Zhang Jie et al., "Information hiding in TCP/IP based on chaos," Journal on Communication, vol. 26, no. 1A, January 2005.
[6] Steven J. Murdoch and Stephen Lewis, "Embedding Covert Channels into TCP/IP," Information Hiding Workshop 2005 proceedings, 2005.
[7] Handel, T., Sandford, M., "Hiding data in the OSI network model," in Anderson, R., ed.: Information Hiding, Volume 1174 of Lecture Notes in Computer Science, Springer-Verlag (1996).
[8] Christopher Abad, "IP checksum covert channels and selected hash collision," Technical report, 2001.
[9] Chandramouli, R., Subbalakshmi, K. P., "Active steganalysis of spread spectrum image steganography," Circuits and Systems, 2003. ISCAS '03. Proceedings of the 2003 International Symposium on, Volume 3, May 25-28, 2003.
[10] Steven J. Murdoch and Stephen Lewis, "Embedding Covert Channels into TCP/IP," University of Cambridge, Computer Laboratory.