A Protocol Problem
August 30th, 2007
In corporate networks these days, the IT department will often have stringent policies about what can be done over the network. For example, some companies do not allow outgoing or incoming connections on any port besides 80 and 443. Some networks even do protocol analysis to determine whether you’re really using HTTP over port 80 or trying to push SSH through port 80. Is there really a way to fully control networks like this?
A protocol is a lot like a spoken language, and a firewall is a lot like a conversation moderator. Let’s say we have two people whom we want to allow to talk, but we do not want them to discuss anything secret without the moderator knowing. The moderator has the power to stop the conversation at any time based on what she hears or sees. So let’s say our two people, Alice and Bob, start talking in English. They are discussing the weather when they suddenly switch to French. The moderator, Carol, can either speak French and continue moderating, or not speak French and cut the conversation short. Since she does not speak French, she terminates that conversation, only allowing them to speak in English.
Alice and Bob want to exchange a secret. They both know that the secret is a password, but only Alice knows what it is, and she is trying to tell Bob. Bob knows that he wants to figure out the password, and he knows that he does not want Carol to learn that the password has been exchanged or that he now has it. Alice and Bob have figured out that they cannot use a common language that Carol does not know, because then communication will be cut off. They’re forced to speak in words that Carol will understand.
After a minute of thinking, Alice comes up with a way to communicate with Bob that Carol won’t understand. Alice says a word that represents a letter (Alpha, Tango, Charlie…), and the letters strung together make a sentence in French, which Carol cannot understand. After a minute of hearing this strange conversation, Carol picks up on what’s going on: they’re trying to communicate without her knowing. This crude encoding is easily spotted by Carol because it does not resemble a normal conversation. Carol ends the conversation.
Alice and Bob discuss in private how they can exchange secrets while Carol is moderating. They come up with a better idea: exchange dates and times in plain conversation, masked so that it sounds like normal small talk. Alice and Bob then try out their new approach in the presence of Carol, and the conversation goes as follows:
Bob: “Hello, Alice, how are you?”
Alice: “I’m excellent!”
Bob: “How’s the weather outside?”
Alice: “Oh, it’s 30 degrees and quite windy I think but I haven’t checked the forecast recently.”
Bob: “You must be talking in Celsius because it’s quite nice outside!”
Alice: “Oh, yes it’s magnificent outside!”
Bob: “You know it.”
Alice: “Oh, I’m golfing this weekend, do you want to come?”
Bob: “Sure, see you then!”
Did you figure out the message? The secret message that Alice sent Bob was “November 15th, 2007”, which is when they’ll have their secret meeting.
Carol was listening to this conversation and recognized it as two people having a normal conversation in English. What they did was exchange the message through the allowed protocol, using obfuscation with plausible deniability. Essentially, Alice and Bob built a new protocol on top of the existing allowed protocol, which was “Allow any normal English conversation.” This leads me to believe that, without very careful observation (i.e. computing power), stacking protocols will always work as a way of using one protocol to do something it was not meant to do.