Chapter 15 Β· Concepts

Obfuscation β€” Core Concepts

Comparison tables and visual guides for steganography, tokenization, and data masking.

The Three Obfuscation Techniques Compared

TechniqueWhat It DoesIs Data Encrypted?Reversible?Primary Use
SteganographyHides data inside a carrier file (image, audio, video)Not necessarily β€” the hidden data may be plaintextYes β€” requires knowledge of the method and any passwordCovert communication, watermarking, malware C2
TokenizationReplaces sensitive value with a random tokenNo β€” the token has no algorithmic relationship to the originalYes β€” only via the token vault (no algorithm to reverse)PCI-DSS scope reduction, protecting SSNs, session tokens
Data MaskingShows partial data; hides the restNo β€” remaining visible data is plaintextStatic: No (permanent). Dynamic: Yes (original data unchanged)Dev/test environments, role-based data visibility

Steganography Methods by Carrier Type

Image Steganography

Most common technique. Modifies the least significant bits (LSBs) of pixel color values. The color change is imperceptible to the human eye.

Capacity: Large β€” a 10 MP photo can hide ~1 MB of data.

Detection: Statistical analysis can detect LSB patterns inconsistent with natural photography.

Audio Steganography

Hides data in inaudible frequency ranges, or uses LSB modification on audio samples. The audio sounds completely normal on playback.

Capacity: Moderate β€” depends on audio file length and quality.

Video Steganography

Hides data within individual video frames. Each frame is essentially an image, and video files have enormous carrier capacity.

Capacity: Very large β€” minutes of video can hide hundreds of megabytes.

Network Steganography

Hides data in network protocol fields β€” unused TCP header bits, DNS query subdomains, ICMP payload fields, HTTP headers. Malware C2 channels often use this technique.

Detection: Requires protocol analysis, not just content scanning.

Tokenization Flow: Credit Card Processing

1
Customer enters card number
Customer enters their 16-digit card number at checkout. The number is transmitted directly to the payment processor β€” it never touches the merchant's servers.
↓
2
Payment processor generates token
The payment processor stores the real card number securely in the token vault and generates a random token (e.g., 7f3a29b1-...). The token has no mathematical relationship to the card number.
↓
3
Token returned to merchant
The payment processor returns only the token to the merchant. The merchant stores the token in their database for future use (subscriptions, refunds, order history).
↓
4
Future transactions use token
For a refund or recurring charge, the merchant sends the token to the payment processor. The processor looks up the real card number in the vault and processes the transaction. The merchant never needs the real number again.
↓
5
Merchant database breach = no card numbers exposed
If the merchant's database is stolen, the attacker gets tokens. Tokens cannot be used at other merchants, cannot be reversed to find card numbers, and are worthless to the attacker.

Static vs. Dynamic Data Masking

PropertyStatic Data MaskingDynamic Data Masking
When appliedOnce, when creating a copy of the databaseAt query time, on every data retrieval
Original dataOriginal unchanged; masked copy is separateOriginal data unchanged in storage
Who sees real dataNo one using the masked copyUsers with appropriate permissions/role
Use caseDev, test, analytics environments with real data structureProduction systems with role-based visibility
ExampleCopy of customer DB with SSNs replaced by random numbers for dev teamSupport agent sees last 4 digits; billing system sees full card number

Tokenization vs. Encryption vs. Masking

Encryption

Data is mathematically transformed using an algorithm and key. Can be reversed with the correct key. The ciphertext has a fixed mathematical relationship to the plaintext.

Exam note: If the key is stolen, encrypted data is exposed. Key management is the critical vulnerability.

Tokenization

Data is replaced with a random token. No algorithm can reverse the token β€” only the vault can. The token has no mathematical relationship to the original.

Exam note: The vault is the critical vulnerability β€” if the vault is compromised, all tokenized data is exposed. No key to steal because there's no algorithm.

Data Masking

Only part of the data is shown. The hidden portion is simply not transmitted to the viewer. Not a secret β€” if you have access to the source system, you can see the full value.

Exam note: Masking limits exposure but does not protect against someone with database access. It protects the view, not the storage.