Matthew Toseland wrote:
> Well on the most trivial level, 0.5 doesn't work in china.

beyond harvesting the connected IP addresses to raid their owner's 
homes, one big concern with encrypted protocols is that they can be 
filtered out by application-level scanning firewalls. I think this is 
exactly what's happening in China.

Application-level scanning can be implemented via ASIC technology 
directly in hardware thus being extremely fast, and we know this works 
very well.
Public-key encrypted communications show constant patterns the moment a 
public key is exchanged between hosts.

Such system can work until there's enough processing power available to 
make them run without compromising the overal network performance, so to 
defeat them (they are intended to simply drop forbidden connections) you 
have to design a protocol
which shows no recognisable patterns at any level.
Nested symmetric encryption of each packet with multiple randomly 
selected pre-shared keys?
To decode each packet a firewall will have to:
1) try at least half the known pre-shared keys on each packet
2) do the above for each level of encryption used.

given the number of keys n and the number of levels l the total number 
of decryption passes k before you extract usable data (which may be 
further asymmetrically encrypted)  is  k = (n/2)^l. This is true for 
each packet and you cannot avoid doing this if you want to confirm the 
While this might not be so demanding for a single CPU and few 
connections, a core firewall won't be happy to discover that a simple 
scan no longer suffices and you have to actually process a VERY large 
number of packets coming from a number of sources with random ports 
trough a custom designed and frequently updated cryptographic ASIC 
multiple times.

The idea is not to design a virtually unstopplable protocol:  there  
might come a day when only  pure HTTP  to port 80 is  allowed,  the idea 
instead is to make it a bit more unstoppable in places like China, 
probably France and EU and next in the US.

Also, this won't be a solution in places that trace social network 
connections (like the current US), this  however will make  the process 
somewhat harder.

Just a suggestion..

Reply via email to