Obfuscation – CompTIA Security+ SY0-701 – 1.4

Obfuscation can be used in IT security to hide information in unique ways. In this video, you’ll learn about steganography, tokenization, and data masking.


Obfuscation is a process where you take something that normally would be very easy to understand and make it much more difficult to understand. As we step through this video, you’ll get an idea of all of the different ways that you could take a bit of information or data and turn it into something that’s not quite as clear as it could be. One of the interesting aspects of obfuscation is that if you know how the obfuscation is done, you’re able to reverse the process and gain access to the original data. With obfuscation, you’re effectively hiding information, but it’s in plain sight. And only if you know how it was hidden would you recognize that there’s actually data contained within that object.

One very popular kind of obfuscation is steganography, where we can hide information within an image. And somewhere in this image is some data that we would be able to recover if we knew how that data was originally stored. Steganography has its roots in the Greek language. And it stands for “concealed writing.” It’s a way to hide data in an image such as this one.

We often refer to steganography as a type of security through obscurity, which means that if you know the process that was used to hide the data, you can very easily recover the data. And that’s why we often mention that security through obscurity is not really security at all. So in this example, we’ve used a third-party utility to take a bit of information and hide that information within the image itself. Obviously, looking at the image, you can’t see any of the data that’s stored within it. But it is really stored within the data containing this particular image.

Sometimes you’ll hear this image referred to as the covertext. The covertext is the document that contains the data that you’re hiding. Of course, hiding information within an image is only one type of steganography. You can use steganography in many different types of media and forms.

For example, you can hide information within network traffic and embed messages within TCP packets that you’re sending across the network. This data is obviously sent a few bits or bytes at a time. And if you know how the data is being sent, you can reconstruct that data on the other side.

We’ve already mentioned how easy it is to use steganography with an image to hide data. And one of the more interesting ways to hide information is by putting dots on a piece of paper. These are almost invisible watermarks that are included with laser printers and other types of printers. And if you look very closely at the printed page, you’ll start to see little yellow dots appear.

These yellow dots are referred to as machine identification codes. And if you know the format of these yellow dots, you can match that back to the printer that was used to print this output. This is a little bit difficult to see with the yellow dots on a white page. So let’s invert the image. And now, you’ll see blue dots on this black page. If you look closely at a laser printer output from your printer, you should be able to find those yellow dots somewhere on the printed page.

Well, if you can store information inside of an image, you could certainly store information in other types of media. For example, you can have audio steganography, where you’re hiding information within an audio file or an audio track. We can also use video steganography. So a video, such as this one, can be used to hide a great deal of information within that particular file.

A very popular form of obfuscation that we use every day is tokenization. This is where we take something that is sensitive data, and we replace it with a token of that sensitive data. For example, we can take a Social Security number, which is relatively sensitive information, change it into a completely different number. But behind the scenes, we’re matching those two together.

This means we can transfer the modified number across the network. And on the other side, it will make that switch to what the actual number might be. If someone did happen to capture information containing that token, they would not be able to use it for anything practical, because it is not an actual Social Security number.

You may not realize it, but this is the same process that’s occurring when you pay for items at the store with your mobile phone or your smartwatch. There is a temporary token that is created from your credit card number. And that token is what’s sent across the network. This is a one-time use token, which means if somebody does capture that token during the transfer and then they try to use it again, that token will be denied because it can only be used once.

This means that we can transfer this data across the network without needing to encrypt any of the data. Since we’ve replaced the sensitive credit card information with a one-use token, we can send this information across the network without needing to encrypt or hash any information. If anyone got their hands on this data, they wouldn’t be able to do anything with it. And since it doesn’t have any mathematical relationship back to your credit card number, it’s completely safe to send across the network.

Here’s how this credit card tokenization process works behind the scenes. The first step is to register a credit card number on our mobile phone. When you perform that registration process, it reaches out to a remote token service server to register this credit card. At that time, this server is going to provide you with a series of tokens that will be stored on your local phone.

Notice that the token is a very different number than the actual credit card number that we’ve registered on our phone. In most cases, we usually don’t see this token at all. Although if you do look at a receipt, you may notice that the receipt is showing a credit card number that doesn’t match the actual credit card number. Now that we’ve received these tokens, our phone is ready to be used during checkout.

So we’ll go to a store. And during the checkout process, we’ll use near-field communication to transfer that token into the payment system. So instead of sending our actual credit card number, we are now paying with one of the tokens that we originally received from the token service server.

The merchant then sends that token to the token service server. And it does a reverse lookup to determine what the actual credit card number happens to be. Now that this system knows the actual credit card number, it can check to validate that you have the proper funds or credit to be able to perform this transaction. It validates the token and approves the transaction for the merchant.

Now that this token has been used, your phone is going to throw that token away. It can no longer be used for any future transactions. Your phone then readies the next token that’s in your list or it requests a new token from the token service server. And that’s the token that will be used for the next transaction.
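The registration, checkout, reverse lookup and token retirement steps described above can be traced in a small model. This is an added example, not code from the video or from any real payment network; the class names, method names, batch size of three tokens and the test card number are all assumptions made for illustration.

```python
import secrets

class TokenServiceServer:
    """Toy token service: maps random one-time tokens to the real card number."""

    def __init__(self):
        self._vault = {}    # token -> real card number (stays on the server)
        self._used = set()  # tokens that have already been redeemed

    def register(self, card_number, count=3):
        """Registration step: issue a batch of tokens for the phone to store."""
        tokens = []
        for _ in range(count):
            # Random digits, so the token has no mathematical relationship
            # to the card number and cannot be reversed without the vault.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            self._vault[token] = card_number
            tokens.append(token)
        return tokens

    def authorize(self, token):
        """Merchant step: reverse lookup, validate, then retire the token."""
        if token in self._used or token not in self._vault:
            return False                      # replayed or unknown token
        self._used.add(token)
        card_number = self._vault[token]      # real number is only seen here
        return self._has_funds(card_number)

    def _has_funds(self, card_number):
        return True  # stand-in for the issuer's funds/credit check


class Phone:
    def __init__(self, server, card_number):
        self._tokens = server.register(card_number)

    def pay(self):
        """Checkout: hand over the next token (over NFC) and throw it away."""
        return self._tokens.pop(0)


def demo():
    card = "4111111111111111"                 # constructed test number
    server = TokenServiceServer()
    phone = Phone(server, card)
    token = phone.pay()
    first = server.authorize(token)           # legitimate purchase
    replay = server.authorize(token)          # captured token used again
    unknown = server.authorize("not-a-token") # token the server never issued
    return token != card, first, replay, unknown
```

The merchant and anyone capturing the transfer only ever handle `token`; the second `authorize` call with the same token is denied because the server has already marked it as used.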

When you get the receipt for your payment, you may notice there’s additional obfuscation that is used on the receipt itself. If you look at the credit card number on your receipt, you’ll usually see a string of asterisks and usually, the last four digits of the credit card. This is called data masking, where we are hiding parts of the original number and only showing you a portion of that number on the receipt. This is obviously preventing someone from gaining access to your receipts and being able to use those credit card numbers to make their own payments.

Obviously, the entire credit card number is known by your credit card company. But for the purposes of printing a receipt, only a portion of that number is shown. This type of data masking might also be used for a customer service representative.

So if you call in to your credit card company, they may tell you, we’re looking at the credit card with the last four digits of 2512. To protect the security of the entire number, it’s not uncommon for companies to limit who has access to that information. And the person you’re calling on the phone may only be able to see a portion of your credit card number.

There are a number of different ways to mask a number. You don’t have to use asterisks. We could simply rearrange the numbers or replace certain numbers with others that we could then reverse later on.