The Three Obfuscation Techniques Compared
| Technique | What It Does | Is Data Encrypted? | Reversible? | Primary Use |
|---|---|---|---|---|
| Steganography | Hides data inside a carrier file (image, audio, video) | Not necessarily β the hidden data may be plaintext | Yes β requires knowledge of the method and any password | Covert communication, watermarking, malware C2 |
| Tokenization | Replaces sensitive value with a random token | No β the token has no algorithmic relationship to the original | Yes β only via the token vault (no algorithm to reverse) | PCI-DSS scope reduction, protecting SSNs, session tokens |
| Data Masking | Shows partial data; hides the rest | No β remaining visible data is plaintext | Static: No (permanent). Dynamic: Yes (original data unchanged) | Dev/test environments, role-based data visibility |
Steganography Methods by Carrier Type
Image Steganography
Most common technique. Modifies the least significant bits (LSBs) of pixel color values. The color change is imperceptible to the human eye.
Capacity: Large β a 10 MP photo can hide ~1 MB of data.
Detection: Statistical analysis can detect LSB patterns inconsistent with natural photography.
Audio Steganography
Hides data in inaudible frequency ranges, or uses LSB modification on audio samples. The audio sounds completely normal on playback.
Capacity: Moderate β depends on audio file length and quality.
Video Steganography
Hides data within individual video frames. Each frame is essentially an image, and video files have enormous carrier capacity.
Capacity: Very large β minutes of video can hide hundreds of megabytes.
Network Steganography
Hides data in network protocol fields β unused TCP header bits, DNS query subdomains, ICMP payload fields, HTTP headers. Malware C2 channels often use this technique.
Detection: Requires protocol analysis, not just content scanning.
Tokenization Flow: Credit Card Processing
Customer enters their 16-digit card number at checkout. The number is transmitted directly to the payment processor β it never touches the merchant's servers.
The payment processor stores the real card number securely in the token vault and generates a random token (e.g., 7f3a29b1-...). The token has no mathematical relationship to the card number.
The payment processor returns only the token to the merchant. The merchant stores the token in their database for future use (subscriptions, refunds, order history).
For a refund or recurring charge, the merchant sends the token to the payment processor. The processor looks up the real card number in the vault and processes the transaction. The merchant never needs the real number again.
If the merchant's database is stolen, the attacker gets tokens. Tokens cannot be used at other merchants, cannot be reversed to find card numbers, and are worthless to the attacker.
Static vs. Dynamic Data Masking
| Property | Static Data Masking | Dynamic Data Masking |
|---|---|---|
| When applied | Once, when creating a copy of the database | At query time, on every data retrieval |
| Original data | Original unchanged; masked copy is separate | Original data unchanged in storage |
| Who sees real data | No one using the masked copy | Users with appropriate permissions/role |
| Use case | Dev, test, analytics environments with real data structure | Production systems with role-based visibility |
| Example | Copy of customer DB with SSNs replaced by random numbers for dev team | Support agent sees last 4 digits; billing system sees full card number |
Tokenization vs. Encryption vs. Masking
Encryption
Data is mathematically transformed using an algorithm and key. Can be reversed with the correct key. The ciphertext has a fixed mathematical relationship to the plaintext.
Exam note: If the key is stolen, encrypted data is exposed. Key management is the critical vulnerability.
Tokenization
Data is replaced with a random token. No algorithm can reverse the token β only the vault can. The token has no mathematical relationship to the original.
Exam note: The vault is the critical vulnerability β if the vault is compromised, all tokenized data is exposed. No key to steal because there's no algorithm.
Data Masking
Only part of the data is shown. The hidden portion is simply not transmitted to the viewer. Not a secret β if you have access to the source system, you can see the full value.
Exam note: Masking limits exposure but does not protect against someone with database access. It protects the view, not the storage.