In information theory, a covert channel is a parasitic communications channel that draws bandwidth from another channel in order to transmit information without the authorization or knowledge of the latter channel's designer, owner, or operator.
A covert channel is so called because it is hidden within the medium of a legitimate communications channel. Covert channels typically manipulate certain properties of the communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information through the medium without detection by anyone other than the entities operating the covert channel.
All covert channels draw their bandwidth (information-carrying capacity) from a legitimate channel, thus reducing the capacity of the latter; however, the bandwidth drawn from the channel is often unused, anyway, and so the covert channel may still be well hidden.
For example, steganography is a form of covert channel in which very small details of images (or other multimedia files) are subtly altered in order to communicate information in a way not immediately obvious to anyone casually examining the images.
- One type of steganography uses the low-order bit of the data for each pixel in an image to carry the information of a covert channel: these bits carry the covert message, while the rest of the bits carry the legitimate image. The very slight change in the image caused by modification of the low-order bit in each pixel is imperceptible in most cases to anyone who isn't already looking for such a change.
- Background audio noise can hide signals like MT63, but other more complex audio watermarking technologies exist for the protection of mass marketed audio CDs.
Stealing usable bandwidth
Because any bandwidth used by the covert channel is “stolen” from the legitimate channel, the greater the bandwidth used by the covert channel, the more likely it is that it will be obvious to users of the legitimate channel.
- A steganography system that uses only the low-order bit of every pixel has a low bandwidth (compared to the bandwidth consumed by transmission of the image itself), but is very discreet.
- A steganography system that uses all but the highest-order bit of each pixel has very high bandwidth -- but will be instantly obvious to anyone looking at the image used to carry the covert channel.
The Trusted Computer Security Evaluation Criteria (TCSEC) is a set of criteria established by the National Computer Security Center, an agency managed by the United States' National Security Agency.
The term covert channel is defined in the TCSEC <ref>NCSC-TG-030, Covert Channel Analysis of Trusted Systems (Light Pink Book) from the United States Department of Defense (DoD) Rainbow Series publications.</ref> specifically to refer to ways of transferring information from a higher classification compartment to a lower classification. The TCSEC defines two kinds of covert channels:
- Storage channels - Communicate by modifying a stored object
- Timing channels - Transmit information by affecting the relative timing of events
The TCSEC, also known as the Orange Book, <ref>5200.28-STD, TCSEC from the DoD Rainbow Series publications</ref> requires analysis of covert storage channels to be classified as a B2 system and analysis of covert timing channels is a requirement for class B3.
Eliminating covert channels
The possibility of covert channels cannot be completely eliminated, although it can be significantly reduced by careful design and analysis. There will always be some unused portion of the bandwidth of a legitimate communications channel that can be diverted to provide a covert channel.
The detection of a covert channel can be made more difficult by using characteristics of the communications medium for the legitimate channel that are never controlled or examined by legitimate users. For example, a file can be opened and closed by a program in a specific, timed pattern that can be detected by another program, and the pattern can be interpreted as a string of bits, forming a covert channel. Since it is unlikely that legitimate users will check for patterns of file opening and closing operations, this type of covert channel can remain undetected for long periods.
A similar case is Port Knocking. In usual communications the timing of requests is irrelevant and unwatched. Port knocking makes it significant.