Tremendous progress in the internet technology
Along with the tremendous progress in internet technology, many new applications and technologies are emerging in the field of internetworking. These applications mostly concern network architecture, network security, or VoIP (Voice over Internet Protocol). One such application is steganography over the internet.
This project concerns steganography techniques that can be used to create covert channels in VoIP (Voice over Internet Protocol) streams. Network security and VoIP are major, fast-growing areas in the networking field of Electrical Engineering. Steganography is evolving alongside technology. A few years ago, the cutting edge in steganography tools involved hiding messages inside digital images or sound files, known as carriers, like that Thriller MP3. The technique quickly evolved to include video files, which are relatively large and can therefore conceal longer messages.
Steganography, in general, is hiding messages so that no one even suspects they are there. In digital systems, messages are hidden within apparently legitimate traffic. For example, secret data can be transferred within JPEG files by using the least significant bits to carry it. Because only the least significant bits are used, the hidden messages have little impact on the appearance of the images the files contain. Many programs are available to do this and then extract the secret data.
Nowadays, steganography has entered a new era, with stupendously greater potential for mischief. With the latest techniques, the limitations on the length of the message have basically been removed. Consider an example involving the use of Skype. The data were secreted among the bits of a digital Voice over Internet Protocol conversation. In this new era of steganography, the mule that coconspirators are using is not the carrier itself but the communication protocols that govern the carrier's path through the Internet. Here's the advantage: the longer the communicators talk, the longer the secret message (or the more detailed the secret image) they can send. Think, “what if we can transmit secret data while talking on the IP phone?” Yes, this is known as VoIP steganography. There are very few programs available for VoIP steganography. It sounded very interesting, and that is the reason I am planning to do my project in this field. Moreover, in the laboratories, researchers have come up with three basic ways to carry out steganography on VoIP.
The first is to use the unused bits within the UDP or RTP protocols, both used for VoIP, to carry the secret message. The second is hiding data inside each voice payload packet, but not so much that it degrades the quality of the sound. The third method is inserting extra, deliberately malformed packets within the VoIP flow. They will be dropped by the receiving phone, but can be picked up by other devices on the network that have access to the entire VoIP stream. A variation is to insert packets that are so far out of sequence that the receiving device drops them. These techniques require compromised devices or conspirators on both ends of the call, or a man-in-the-middle to inject extra packets. The applications of VoIP covert channels differ in the sense that they can be a threat to network communication. They might also be used to improve the functioning of VoIP (e.g. security like in  or quality of service like in ).
Communication flow in VoIP:
According to the standards, a certain set of protocols must be followed to set up a call over the internet. First of all, for any two machines to connect over the internet, the TCP/IP protocols are used. Secondly, we know that VoIP is a real-time service that enables voice conversations through IP networks. Four main groups of protocols (as mentioned in ) make IP telephony possible. They are as follows:
- Signaling protocols that allow creating, modifying, and terminating connections between the calling parties. Currently the most popular are SIP, H.323, and H.248/Megaco.
- Transport protocols. The most important is RTP, which provides end-to-end network transport functions suitable for applications transmitting real-time audio. RTP is usually used in conjunction with UDP (or rarely TCP) for transport of the digital voice stream.
- Speech codecs, e.g. G.711, G.729, G.723.1, that allow compressing/decompressing the digitized human voice and prepare it for transmission over IP networks.
- Other supplementary protocols like RTCP, SDP, or RSVP that complete the VoIP functionality. RTCP is a control protocol for RTP.
Establishing Covert Channels:
We know that during the conversation phase, audio (RTP) streams are exchanged in both directions and, additionally, RTCP messages may be sent. Hence, the available steganographic techniques for this phase of the call include:
- IP/UDP/TCP/RTP protocols steganography in network and transport layer of TCP/IP stack,
- RTCP protocol steganography in application layer of TCP/IP stack,
- Audio watermarking (e.g. LSB, QIM, DSSS, FHSS, Echo hiding) in application layer of TCP/IP stack,
- Codec SID frames steganography in application layer of TCP/IP stack,
- Intentionally delayed audio packets steganography in application layer of TCP/IP stack,
- Medium dependent steganographic techniques like HICCUPS for VoWLAN (Voice over Wireless LAN) specific environment in data link layer of TCP/IP stack.
Our contribution in the field of VoIP steganography includes the following:
- Describing the RTP/RTCP protocol fields that can potentially be utilized for hidden communication,
- Proposing security mechanisms fields steganography for the RTP/RTCP protocols,
- Proposing an intentionally delayed audio packets steganographic method called LACK (Lost Audio Packets Steganographic Method).
Covert channel using TCP/IP:
Covert channels can be established using the signals transferred during connection establishment. In the TCP/IP stack, there are many methods available whereby covert channels can be established and data can be exchanged secretly between hosts, as stated in . Analysis of the IP, UDP, TCP, HTTP, and ICMP headers reveals many places where data can potentially be stored and transmitted.
For VoIP steganography, we may exploit the optional fields in IP/UDP/RTP packets because those protocols are used in almost all IP telephony implementations. As described in , the IP header alone possesses a few fields (e.g. the options field) that are available to be used as a covert channel. The total capacity of those fields exceeds 60 bits per packet.
RTP Protocols Steganography:
In the conversation phase of the call, when the voice stream is transmitted, the fields of the RTP protocol may also be used as a covert channel.
As seen from the above figure, RTP provides the following opportunities for covert communication:
- The padding field may be needed by some encryption algorithms. If the padding bit (P) is set, the packet contains one or more additional padding octets at the end of header which are not a part of the payload. The amount of data that can be added after the header is defined in the last octet of the padding, which contains a count of how many padding octets should be ignored, including itself.
- Extension header (when the X bit is set): in a situation similar to the padding mechanism, a variable-length header extension may be used.
- Initial values of the Sequence Number and Timestamp fields: because the initial values of both fields must be random, the first RTP packet of the audio stream may be utilized for covert communication.
- The least significant bits of the Timestamp field can be utilized.
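From the monitoring side, the carriers listed above can be surfaced per packet. The following is an added example, not code from the original text: it parses the RTP header using the RFC 3550 layout (padding count read from the final octet of the packet) and reports padding, header extensions, and timestamps that leave the codec's sample grid. The function names, the 160-samples-per-packet figure (G.711 at 20 ms) and the sample packets are assumptions constructed for illustration.

```python
import struct

def parse_rtp(pkt: bytes) -> dict:
    """Parse the fixed RTP header (RFC 3550) and size any extension/padding."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    off = 12 + 4 * (b0 & 0x0F)                  # skip the CSRC list
    ext_len = 0
    if b0 & 0x10:                               # X bit: header extension present
        if len(pkt) < off + 4:
            raise ValueError("truncated extension header")
        ext_len = 4 + 4 * struct.unpack("!H", pkt[off + 2:off + 4])[0]
    pad_len = pkt[-1] if b0 & 0x20 else 0       # P bit: last octet is the pad count
    if off + ext_len + pad_len > len(pkt) or (b0 & 0x20 and pad_len == 0):
        raise ValueError("inconsistent extension/padding length")
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": b1 & 0x7F,
            "ext_len": ext_len, "pad_len": pad_len}

def audit_stream(packets, samples_per_packet=160):
    """Return (seq, reason) findings for the header fields the text lists."""
    findings, base_ts = [], None
    for raw in packets:
        try:
            h = parse_rtp(raw)
        except ValueError as err:
            findings.append((None, f"malformed: {err}"))
            continue
        if h["pad_len"]:
            findings.append((h["seq"], f"padding: {h['pad_len']} octets"))
        if h["ext_len"]:
            findings.append((h["seq"], f"extension: {h['ext_len']} octets"))
        if base_ts is None:
            base_ts = h["ts"]                   # initial timestamp is random by design
        offset = ((h["ts"] - base_ts) & 0xFFFFFFFF) % samples_per_packet
        if offset:                              # low bits moved off the sample grid
            findings.append((h["seq"], f"timestamp off grid by {offset}"))
    return findings

def make_rtp(seq, ts, pad=0, ext=b""):
    """Build a constructed PCMU packet used only as sample input."""
    b0 = 0x80 | (0x20 if pad else 0) | (0x10 if ext else 0)
    hdr = struct.pack("!BBHII", b0, 0, seq, ts, 0x1234ABCD)
    if ext:
        hdr += struct.pack("!HH", 0, len(ext) // 4) + ext
    return hdr + b"\xff" * 160 + (bytes(pad - 1) + bytes([pad]) if pad else b"")

SAMPLE = [make_rtp(1, 160), make_rtp(2, 320, pad=4),
          make_rtp(3, 483), make_rtp(4, 640, ext=b"\x00" * 4)]
```

Padding and extensions also occur in legitimate streams, so these findings are leads to compare against the endpoint's normal profile, not verdicts.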
RTCP Protocol Steganography:
RTCP exchange is based on the periodic transmission of control packets to all participants in the session. Generally, it operates on two types of packets (reports): Receiver Report (RR) and Sender Report (SR). Certain parameters enclosed in those reports may be used to estimate network status. Moreover, all RTCP messages must be sent in a compound packet that consists of at least two individual types of RTCP reports. Fig. 3 presents the headers of the SR and RR reports of the RTCP protocol.
For sessions with a small number of participants, the interval between RTCP messages is 5 seconds; moreover, RTCP communication (with overhead) should not exceed 5% of the session's available bandwidth. For creating covert channels, the report blocks in SR and RR reports (marked in Fig. 3) may be utilized. The values of the parameters transferred inside those reports (besides SSRC_1, which is the source ID) may be altered, so the amount of information that may be transferred in each packet is 160 bits. It is clear that if we use this type of steganographic technique, we lose some (or all) of the RTCP functionality (that is the cost of using this solution). Other free/unused fields in these reports may also be used in a similar way. For example, the NTP Timestamp may also be utilized.
It is also worth noting that RTCP messages are carried over the IP/UDP protocols, so, for one RTCP packet, both protocols can additionally be used for covert transmission. To improve the capacity of this covert channel, RTCP packets can be sent more frequently than every 5 seconds (which is the default value proposed in the standard). Steganalysis of this method is not as straightforward as in the case of security mechanism field steganography. An active warden can be used to eliminate or greatly limit the fields in which hidden communication can take place, although this will seriously limit RTCP functionality for overt users.
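Because altered report-block values stop describing the real stream, a monitor can test them for plausibility. The sketch below is an added example, not part of the original text: it parses Receiver Reports and flags reports that arrive too quickly, an extended highest sequence number that advances faster than the voice packet rate allows, and a DLSR value set while LSR is zero. The function names, the 2.5-second and 50-packets-per-second thresholds and the sample reports are assumptions to be tuned per deployment.

```python
import struct

def parse_rr(pkt: bytes):
    """Parse an RTCP Receiver Report (PT=201): (reporter SSRC, report blocks)."""
    if len(pkt) < 8:
        raise ValueError("short RTCP packet")
    b0, pt, _length, ssrc = struct.unpack("!BBHI", pkt[:8])
    rc = b0 & 0x1F                               # report count
    if b0 >> 6 != 2 or pt != 201 or len(pkt) < 8 + 24 * rc:
        raise ValueError("not a well-formed RR")
    blocks = []
    for i in range(rc):                          # 24-octet report blocks
        src, lost, ehsn, jitter, lsr, dlsr = struct.unpack_from("!6I", pkt, 8 + 24 * i)
        blocks.append({"ssrc": src, "fraction": lost >> 24, "cum_lost": lost & 0xFFFFFF,
                       "ehsn": ehsn, "jitter": jitter, "lsr": lsr, "dlsr": dlsr})
    return ssrc, blocks

def audit_rtcp(reports, min_interval=2.5, pps=50):
    """reports: (arrival_seconds, raw RR) pairs in arrival order -> [(time, reason)]."""
    findings, last = [], {}
    for t, raw in reports:
        reporter, blocks = parse_rr(raw)
        for b in blocks:
            key = (reporter, b["ssrc"])
            if b["lsr"] == 0 and b["dlsr"] != 0:  # both are zero until an SR is seen
                findings.append((t, "DLSR set although LSR is zero"))
            if key in last:
                t0, prev = last[key]
                dt = t - t0
                if dt < min_interval:            # assumed threshold
                    findings.append((t, f"report after only {dt:.1f}s"))
                advance = (b["ehsn"] - prev["ehsn"]) & 0xFFFFFFFF
                if advance > 2 * pps * dt + pps:  # far beyond the voice packet rate
                    findings.append((t, f"sequence advanced {advance} in {dt:.1f}s"))
            last[key] = (t, b)
    return findings

def make_rr(ehsn, lsr=0, dlsr=0):
    """Build a constructed single-block RR used only as sample input."""
    head = struct.pack("!BBHI", 0x81, 201, 7, 0x0A0A0A0A)
    return head + struct.pack("!6I", 0x0B0B0B0B, 0, ehsn, 12, lsr, dlsr)

SAMPLE = [(0.0, make_rr(1000)), (5.0, make_rr(1250)), (6.0, make_rr(1300)),
          (11.0, make_rr(0x53454352)), (16.0, make_rr(0x53454352 + 250, dlsr=9))]
```

Cross-checking the reported sequence numbers and loss figures against the RTP packets actually observed on the wire is a stronger test when the monitor sees both directions.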