Difference between revisions of "Hidden channels"

From Forensics Wiki
(New page: {{expand}} '''Hidden channels''' (covert channels) are communication channels that transmit information without the authorization or knowledge of the channel's designer, owner, or operato...)
 
(Detection of hidden channels)
Line 1: Line 1:
{{expand}}
 
 
 
'''Hidden channels''' (covert channels) are communication channels that transmit information without the authorization or knowledge of the channel's designer, owner, or operator.
 
'''Hidden channels''' (covert channels) are communication channels that transmit information without the authorization or knowledge of the channel's designer, owner, or operator.
  
Line 16: Line 14:
 
* TCP options;
 
* TCP options;
 
* etc.
 
* etc.
 +
 +
== Detection of hidden channels ==
 +
 +
Generally, it is impossible to detect well-designed hidden channels by means of traffic analysis. For example, information hidden within TLS ''Client/Server Hello'' random bytes in encrypted form cannot be distinguished from bytes produced by secure random number generator.
 +
 +
However, it is possible to detect hidden channels by detecting attendant events, such as successful intrusion attempts.
  
 
== External Links ==
 
== External Links ==
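Review bot: the first added paragraph under "Detection of hidden channels" states the impossibility claim more broadly than its example supports. The example covers only data that is hidden "in encrypted form" inside a field expected to be random, so the sentence should state that condition rather than rest on "well-designed" alone. In the same sentence, "by secure random number generator" needs an article ("by a secure random number generator"). The second added paragraph names "attendant events" but gives a single instance, "successful intrusion attempts"; a sentence on what an examiner would look for alongside it would make the section usable.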

Revision as of 14:15, 10 October 2008

Hidden channels (covert channels) are communication channels that transmit information without the authorization or knowledge of the channel's designer, owner, or operator.


Common Uses

  • Bypassing network filters;
  • Bypassing network sniffers.

Techniques

Information can be hidden within:

  • IP ID;
  • TCP SEQ/ACK numbers;
  • TCP options;
  • etc.

Detection of hidden channels

Generally, it is impossible to detect well-designed hidden channels by means of traffic analysis. For example, information hidden in encrypted form within the random bytes of a TLS Client/Server Hello cannot be distinguished from bytes produced by a secure random number generator.

However, it is possible to detect hidden channels by detecting attendant events, such as successful intrusion attempts.
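The limit described in this section can be shown with a simple per-bit frequency test over pooled TLS Hello random values. The code below is an added example, not part of the original wiki page. The threshold, function names and sample data are assumptions made for illustration, and it assumes all 32 bytes of the Hello random are expected to be uniform.

```python
import hashlib
import math

THRESHOLD = 5.0  # assumed cut-off, in standard deviations, chosen for this example


def bit_bias_z_scores(data: bytes) -> list:
    """z-score of the number of 1-bits seen at each of the 8 bit positions."""
    n = len(data)
    if n == 0:
        return [0.0] * 8
    sigma = math.sqrt(n) / 2  # std. dev. of a Binomial(n, 0.5) count
    return [(sum((b >> pos) & 1 for b in data) - n / 2) / sigma
            for pos in range(8)]


def flags_non_random(hello_randoms) -> bool:
    """True if the pooled 32-byte Hello random values show a per-bit bias."""
    pooled = b"".join(hello_randoms)
    return any(abs(z) > THRESHOLD for z in bit_bias_z_scores(pooled))


def constructed_samples():
    """Two constructed sets of eight 32-byte 'Hello random' values."""
    # Case 1: unencrypted ASCII text placed directly in the field.
    text = (b"constructed sample plaintext " * 10)[:256]
    plaintext_field = [text[i:i + 32] for i in range(0, 256, 32)]
    # Case 2: SHA-256 output as a deterministic stand-in for encrypted data
    # or for the output of a secure random number generator.
    random_like = [hashlib.sha256(bytes([i])).digest() for i in range(8)]
    return plaintext_field, random_like


if __name__ == "__main__":
    plaintext_field, random_like = constructed_samples()
    print("plaintext in field flagged:", flags_non_random(plaintext_field))
    print("random-looking field flagged:", flags_non_random(random_like))
```

The test flags the unencrypted case because ASCII never sets the top bit of a byte. It gives no signal for the random-looking case, which is why detection then has to rely on attendant events.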

External Links