Matthew Toseland wrote:
> Well on the most trivial level, 0.5 doesn't work in China.
yo,
beyond harvesting the connected IP addresses to raid their owners'
homes, one big concern with encrypted protocols is that they can be
filtered out by application-level scanning firewalls. I think this is
exactly what's happening in China.
Application-level scanning can be implemented via ASIC technology
directly in hardware, making it extremely fast, and we know this works
very well.
Public-key encrypted communications show constant patterns the moment a
public key is exchanged between hosts.
Such systems work only as long as there's enough processing power available
to run them without compromising the overall network performance, so to
defeat them (they are intended to simply drop forbidden connections) you
have to design a protocol which shows no recognisable patterns at any
level.
Nested symmetric encryption of each packet with multiple randomly
selected pre-shared keys?
To decode each packet a firewall will have to:
1) try at least half the known pre-shared keys on each packet
2) do the above for each level of encryption used.
Given the number of keys n and the number of levels l, the total number
of decryption passes k before you extract usable data (which may be
further asymmetrically encrypted) is k = (n/2)^l. This is true for
each packet, and you cannot avoid doing this if you want to confirm the
contents.
While this might not be so demanding for a single CPU and a few
connections, a core firewall won't be happy to discover that a simple
scan no longer suffices and that it has to actually process a VERY large
number of packets coming from a number of sources with random ports
through a custom-designed and frequently updated cryptographic ASIC
multiple times.
The idea is not to design a virtually unstoppable protocol: there
might come a day when only pure HTTP to port 80 is allowed. The idea
instead is to make it a bit more unstoppable in places like China,
probably France and the EU, and next in the US.
Also, this won't be a solution in places that trace social network
connections (like the current US), this however will make the process
somewhat harder.
Just a suggestion.
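The trial-decryption cost sketched in the post, as an added example that is not code from the post or from Freenet: a toy nested-encryption scheme over a constructed pool of n = 8 pre-shared keys, with a filter that counts how many trial decryptions it needs before it can recognise the innermost payload. It goes one step beyond the post by also running the case where each layer carries its own verification tag, which lets the filter peel layers one at a time instead of searching combinations. The names (keystream_xor, encrypt_nested, trials_untagged, trials_tagged, HEADER, PSK) and the SHA-256-based stream cipher standing in for a real symmetric cipher are assumptions.

```python
import hashlib, hmac, itertools, random

HEADER = b"FREENET"                        # constructed: the only recognisable structure, innermost
PSK = [bytes([i]) * 16 for i in range(8)]  # constructed pool of n = 8 pre-shared keys
TAG = 8                                    # bytes of per-layer tag in the tagged variant

def keystream_xor(key, data):
    """Toy SHA-256 counter-mode stream cipher; stands in for a real symmetric cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def encrypt_nested(payload, layers, tagged, seed=1):
    """Wrap payload in `layers` encryptions, each under a randomly chosen PSK.
    tagged=True appends an HMAC tag per layer, i.e. per-layer verifiable structure."""
    rng, data = random.Random(seed), HEADER + payload
    for _ in range(layers):
        key = rng.choice(PSK)
        data = keystream_xor(key, data)
        if tagged:
            data += hmac.new(key, data, "sha256").digest()[:TAG]
    return data

def trials_untagged(packet, layers):
    """Filter can only recognise the innermost plaintext: it must search key combinations."""
    for trials, combo in enumerate(itertools.product(PSK, repeat=layers), 1):
        data = packet
        for key in combo:
            data = keystream_xor(key, data)
        if data.startswith(HEADER):
            return trials          # bounded by n^layers trial decryptions
    return -1

def trials_tagged(packet, layers):
    """Filter can verify each layer's tag: it peels one layer at a time, cost is additive."""
    trials = 0
    for _ in range(layers):
        body, tag = packet[:-TAG], packet[-TAG:]
        for key in PSK:
            trials += 1
            if hmac.compare_digest(hmac.new(key, body, "sha256").digest()[:TAG], tag):
                packet = keystream_xor(key, body)
                break
        else:
            return -1              # no known PSK verifies this layer
    return trials if packet.startswith(HEADER) else -1   # bounded by n * layers
```

Run both counters on the same payload with, say, three layers: the untagged search can need up to 8^3 = 512 trials, while the tagged variant never needs more than 8 * 3 = 24.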
_______________________________________________
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support