0.7 has no predictable or repeated bytes whatsoever. It can probably be identified by several more expensive, less reliable techiques at present: 1. Timing. 2. Packet size. 3. It's not a known protocol, therefore it must be bad. 4. Flow analysis.
On Wed, Aug 30, 2006 at 10:35:32PM +0200, inverse wrote: > Matthew Toseland wrote: > >Well on the most trivial level, 0.5 doesn't work in china. > > > yo, > > beyond harvesting the connected IP addresses to raid their owner's > homes, one big concern with encrypted protocols is that they can be > filtered out by application-level scanning firewalls. I think this is > exactly what's happening in China. > > > Application-level scanning can be implemented via ASIC technology > directly in hardware thus being extremely fast, and we know this works > very well. > Public-key encrypted communications show constant patterns the moment a > public key is exchanged between hosts. > > Such system can work until there's enough processing power available to > make them run without compromising the overal network performance, so to > defeat them (they are intended to simply drop forbidden connections) you > have to design a protocol > which shows no recognisable patterns at any level. > Nested symmetric encryption of each packet with multiple randomly > selected pre-shared keys? > To decode each packet a firewall will have to: > 1) try at least half the known pre-shared keys on each packet > 2) do the above for each level of encryption used. > > given the number of keys n and the number of levels l the total number > of decryption passes k before you extract usable data (which may be > further asymmetrically encrypted) is k = (n/2)^l. This is true for > each packet and you cannot avoid doing this if you want to confirm the > contents. > While this might not be so demanding for a single CPU and few > connections, a core firewall won't be happy to discover that a simple > scan no longer suffices and you have to actually process a VERY large > number of packets coming from a number of sources with random ports > trough a custom designed and frequently updated cryptographic ASIC > multiple times. > > The idea is not to design a virtually unstopplable protocol: there > might come a day when only pure HTTP to port 80 is allowed, the idea > instead is to make it a bit more unstoppable in places like China, > probably France and EU and next in the US. > > Also, this won't be a solution in places that trace social network > connections (like the current US), this however will make the process > somewhat harder. > > Just a suggestion.. > > > > > _______________________________________________ > Support mailing list > Support at freenetproject.org > http://news.gmane.org/gmane.network.freenet.support > Unsubscribe at > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support > Or mailto:support-request at freenetproject.org?subject=unsubscribe > -- Matthew J Toseland - toad at amphibian.dyndns.org Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/support/attachments/20060831/6b68e29f/attachment.pgp>