21 – 22 September 2007, BULGARIA                                                               19

                                                  Proceedings of the International Conference on
                                                      Information Technologies (InfoTech-2007)
                                                           21st – 22nd September, 2007, Bulgaria
                                                                                           vol. 2


                             Irina Noniska, Elina Assenova

                            Technical University - Sofia

     Abstract: The paper presents an approach of obtaining call trace-back and other rele-
     vant information applying steganography in Voice Over Internet Protocol (VoIP) sys-
     tems. The call trace-back schemes described here could be implemented to create a cov-
     ert channel without interrupting the normal call operation and not enlarging the packet
     Key words: VoIP, steganography, call trace-back


     Voice over IP communication technology is gaining a larger share of the IP
based communication area. With the development of the technology the attention is
mainly focused on the transmission standards and protocols that provide the provi-
sioning a greater variety of services. Yet recently proposals appeared that consider
the quality of service and security and some issues like call trace-back which can
provide important routing and origin information remain uncovered.
     Generally the transmission of any additional information within the transport
layer package implies the growth of the size of the package which at a given moment
may become unacceptable. At this point appears the necessity of transmitting addi-
tional data within the package, without changing, where possible, its size and here
the means of steganography can be used.
     As defined by the Greek origin of the word, steganography deals with ‘secret
writing’, the concealing of information within a standard or innocuous carrier in a
manner that in the ideal case should remain hidden except for the authorized or in-
20                                        PROCEEDINGS of the International Conference InfoTech-2007

tended reader. Thus the idea of storing useful information within optional or not used
fields within the transportation packet emerged and researches for the use of steg-
anography means for different purposes not yet covered by the standards appeared.


      The problem with the identification of the call route has evolved with the ex-
pansion of the IP-based communication services both voice or of mixed content. It
has both technical and business influences over an IP-based services provider. The
knowledge of through which providers the call has been transited could be used for
measuring the end-user quality parameters as well as for the appropriate choice of
interconnection partners and thus to force the VoIP providers for example to demand
higher quality not only for the services provided by their own company but from
their partners as well.
      At the current state of interconnection services provided between the operators,
no matter whether the one operator sustains the quality of their services, at the point
of which the call is terminated into another operators network or transited through
several other operators networks, some of the services that are obligatory to provide
such as CLIP could be lost in case of one of the transit operators not offering this
service. The information about the services provided by the intermediates of a call is
not possible to be gathered at real time or it is hard to be obtained by the direct part-
ners of the operator due to regulations etc.
      The call trace-back in the means of providing information about which are the
transit operators could also be used for any governmental or investigations of other

                 Fig. 1. Internet protocol header format with optional fields marked in italics

                                Fig. 2 User Datagram Protocol header format
21 – 22 September 2007, BULGARIA                                                        21

     Analogous to idea of the implementation of a Covert channel for improving
VoIP security (Zbigniew Kotulski, Wojciech Mazurczyk, 2006), the problem could
be solved with the use of the optional fields into the headers of the
IP(RFC0791)/UDP(RFC768)/RTP protocols, which could hold the information nec-
essary for the tracking of the call transit/termination route. Thus the relevant infor-
mation could be stored in those fields and later extracted by the receiver and/or the
interested parties as the services provider of the government and the operator inter-
connection path recovered. This way of tracking the call could be used when the ac-
tual network route of the call in the means of IP-address and gateway route is not so
relevant but the operator transit route is.
     Thus storing the additional information with the use of steganography, the nor-
mal operation is not interfered and when necessary it can be extracted from the op-
tional fields available for steganographic processing and used on its purpose and in
this manner another use of the Covert channel for improving VoIP security (Zbig-
niew Kotulski, Wojciech Mazurczyk, 2006) could be implemented.


      In case we use the IP-header format as an example, we could store the identifier
of the operator from whose network the call originates in the 16 bits of the Identifier
field of the IP-header. Because of the size-limitation of the field, it would be more
appropriate if we use a number as the origination operators identifier. Based on the
calling party’s Access Number Identifier, which at the current moment is definitely
bound with its possessing service provider, the identification of the originating net-
work could be gained and from this information it is possible to obtain the operator’s
identifier at a later stage when this information will be necessary.
      One easy to calculate and simple to implement method of storing all the net-
works’ identifiers in one and the same fields coping with the size limitations of the
Identification field of the IP-header is to XOR the current value of the field with the
one of the operator through whose network our package is transiting. If all the 16 bits
of the Identification field are used for the identifier then cannot be traced for more
than 1 transiting network, not counting the originator network. To solve this limita-
tion we can split the Identifier field into to parts: the first part to store the resulting
xor-value of the identifiers of all the operators through which the call has already
transited, and the second part to hold the identifier of the operator before the direct
interconnection partner who has terminated the call into the end-point network. In
this case up to 3 intermediate transitions could be performed between the origination
and the termination network of the call. Such transit limitations also apply in the
practice in order to maintain the quality of the call which may suffer in case of many
transits depending on the protocol used.
22                                       PROCEEDINGS of the International Conference InfoTech-2007

     Another possible implementation could use code-based method of representa-
tion of the size-critical operator identification data conveyed by the covert channel,
which could offer the identification of a larger number of transits. An appropriate
universal code is the Fibonacci code. The Fibonacci code is generated with the use of
Equation 1.
                                     (1) N =     ∑ d (i) F (i)
                                                 i =0

                                (2) d (i ) = 1 ⇒ d (i + 1) = 0
                             Equation 1 Formulae for generation Fibonacci code

        The Fibonacci code begins as shown in Table 1:
       1   = F(1)         11                     2      = F(2)           011
       3   = F(3)         0011                   4      = F(1)+F(3)      1011
       5   = F(4)         00011                  6      = F(1)+F(4)      10011
       7   = F(2)+F(4)    01011                  8      = F(5)           000011
                                Table 1 Starting sequence of Fibonacci code

     For the unambiguous definition of the transit route of the call only composite
functional representations of the numbers must be used, e.g. Z=F(X)+F(Y) where X,
Y are the transit operator identifiers. Thus the codes of the transit operators could be
regenerated from the sum of their values.


     The call trace-back method described in this article is trying to cope with the
VoIP specifics, creating a covert channel not enlarging the packet size and not inter-
rupting the normal call operation. A disadvantage is the need of maintaining a global
registrar of operator identifier codes, which acquire serious resources and invest-


Information Sciences Institute University of Southern California, (1981), RFC0791,
      Internet Protocol
Kotulski Z., Mazurczyk W. (2006), Covert channel for improving VoIP security.
Postel J., (1980), RFC768 ,User Datagram Protocol
Stakhov A.P. (1999), Introduction into Fibonacci Coding and Cryptography

To top