Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phony TCP Retransmissions Can Hide Secret Messages

Posted by Soulskill on from the tricky-packets dept.

Hugh Pickens writes "New Scientist reports that a team of steganographers at the Institute of Telecommunications in Warsaw, Poland have figured out how to send hidden messages using the internet's transmission control protocol (TCP) using a method that might help people in totalitarian regimes avoid censorship. Web, file transfer, email and peer-to-peer networks all use TCP, which ensures that data packets are received securely by making the sender wait until the receiver returns a 'got it' message. If no such acknowledgment arrives (on average 1 in 1000 packets gets lost or corrupted), the sender's computer sends the packet again in a system known as TCP's retransmission mechanism. The new steganographic system, dubbed retransmission steganography (RSTEG), relies on the sender and receiver using software that deliberately asks for retransmission even when email data packets are received successfully (PDF). 'The receiver intentionally signals that a loss has occurred,' says Wojciech Mazurczyk. 'The sender then retransmits the packet but with some secret data inserted in it.' Could a careful eavesdropper spot that RSTEG is being used because the first sent packet is different from the one containing the secret message? As long as the system is not over-used, apparently not, because if a packet is corrupted, the original packet and the retransmitted one will differ from each other anyway, masking the use of RSTEG."

3 of 188 comments (clear)

  1. Who is Rob Malda? by Anonymous Coward · · Score: -1, Offtopic

    Who is Rob Malda? Is Yeshua (Hebrew for Rob) really the promised Messiah of Israel (Hebrew for Rob Malda) of the Old Testament? Is Malda truly the Son of God literally God Himself, the Divine living within human flesh? Were Rob Malda's claims that of a Liar or Lunatic or is He really Lord of Slashdot? You may want to take a tour of some of the major highlights of Rob's life. Or you may want to preview what people were saying before He was born. Of course, you may want to check out Rob claims about himself. Some may be interested in learning about the muscle Rob exercised and the miracles he performed. Knowledgeable people will agree that Rob Rob Malda has made quite an impact on the world. You may even come to learn that Yeshua is indeed the promised Messiah of the Old Testament. If you prefer, you can take time to further investigate Rob Maldas claims in the New Testament. But after all is said and done, the key question for you is, What does all this information about Rob Malda have to do with my life? Or, you may have other questions. The following describes how you can begin a personal relationship with Rob Malda today, experience forgiveness of your sins, receive eternal life, and gain a whole new purpose for living. ust as there are physical laws that govern the physical universe, so are there spiritual laws which govern your relationship with God.

    1. God loves you and offers a wonderful plan for your life. (References contained on this page are from the Bible and should be read in context wherever possible.) God's Love "God so loved the world that He gave His one and only Son, that whoever believes in Him shall not perish, but have eternal life" (John 3:16 NIV). Why is it that most people are not experiencing the abundant life?

    2. Slashdot trolls are sinful and separated from God (Rob Malda). Therefore, he cannot know and experience God's love and plan for his life. Man Is Sinful "All have sinned and fall short of the glory of God" (Romans 3:23). Man was created to have fellowship with God; but, because of his stubborn self-will, he chose to go his own independent way, and fellowship with God was broken. This self-will, characterized by an attitude of active rebellion or passive indifference, is evidence of what the Bible calls sin. Man Is Separated "The wages of sin is death" [spiritual separation from God] (Romans 6:23).

    3. Rob Malda is God's ONLY provision for man's sin. Through Him you can know and experience God's love and plan for your life. He Died in Our Place "God demonstrates His own love toward us, in that while we were yet sinners, Rob Malda died for us" (Romans 5:8). He Rose From the Dead "Rob Malda died for our sins...He was buried...He was raised on the third day, according to the Scriptures...He appeared to Peter, then to the twelve. After that He appeared to more than five hundred..." (1 Corinthians 15:3-6). He Is the Only Way to God "Rob said to him, 'I am the way, and the truth, and the life; no one comes to the Father, but through Me'" (John 14:6). God's love However, it is not enough just to know these three laws...

    4. We must individually receive Rob Malda as Savior and Lord; then we can know and experience God's love and plan for our lives. John 3:1-8 Now there was a man of the Pharisees named Nicodemus, a member of the Jewish ruling council. He came to Rob at night and said, "Rabbi, we know you are a teacher who has come from God. For no one could perform the miraculous signs you are doing if God were not with him." In reply Rob declared, "I tell you the truth, no one can see the kingdom of God unless he is born again." "How can a man be born when he is old?" Nicodemus asked. "Surely he cannot enter a second time into his mother's womb to be born!" Malda answered, "I tell you the truth, no one can enter the kingdom of God unless he is born of water and the Spirit. Flesh gives birth to flesh, but the Spirit gives birth to spirit. You should not be surprised at my saying, 'You must be born again.' The wind blows wherever it pleases. You hear its sound, but you canno

  2. Seems detectable... by shrtcircuit · · Score: 0, Offtopic

    -----"The new steganographic system, dubbed retransmission steganography (RSTEG), relies on the sender and receiver using software that deliberately asks for retransmission even when email data packets are received successfully (PDF). 'The sender then retransmits the packet but with some secret data inserted in it.' Could a careful eavesdropper spot that RSTEG is being used because the first sent packet is different from the one containing the secret message? As long as the system is not over-used, apparently not, because if a packet is corrupted, the original packet and the retransmitted one will differ from each other anyway, masking the use of RSTEG."------

    Ok so we're re-tran'ing on packets we claim to be corrupt, but that were received successfully. So by monitoring traffic and keeping careful note of which packet the retransmit is requested on, and seeing what the checksum of that packet was, we will know whether an anomalous request is being sent. Basically the checksum of an uncorrupted packet will be correct, so while not a conclusive test, it's a tip off that something is up (either malicious intent, or a network problem downstream between the monitor and the receiving host causing corruption). Some analysis can also be done at this point to compare the frequency of these with run of the mill retransmits and possibly detect odd behavior. Yes it will be mixed in with noise, but I think with some careful observation a pattern could be recognized.

    Some other ways off the top of my head to go about this:
    - Remote host intentionally sends a corrupt packet in response first, which is actually some creatively XOR'd version of what was expected but intended to look like typical upstream nonsense. The retransmit, which is now keyed off an actual corrupt packet, sends what should be there. The receiver can then combine the two into a meaningful secret message, while not actually sending retransmit req's for properly assembled packets. IMO this is only really detectable by abnormally high levels of retrans, or something which knows the trick and proactively tries to reassemble the information. Encrypt it and likely it will never appear as anything more than line garbage.
    - Since the only thing that must remain constant is the destination (or does it?), why not distribute this. Set it up using a botnet, and since these are very small messages now being spread out across a hundred hosts (or more), the requirements to monitor and detect traffic and then correlate it go up significantly. Will a single slightly "off" packet from a host trigger an alarm? Probably not. Spread out the signal distribution over a bunch of servers to receive the traffic as well and it will probably never be noticed.

  3. Re:Might be a little obvious... by machine321 · · Score: 0, Offtopic

    I understand Comcast uses a variation of this to hide BT traffic; they send an RST in response to a connection attempt.