0.7 has no predictable or repeated bytes whatsoever. It can probably be
identified by several more expensive, less reliable techiques at present:
1. Timing.
2. Packet size.
3. It's not a known protocol, therefore it must be bad.
4. Flow analysis.

On Wed, Aug 30, 2006 at 10:35:32PM +0200, inverse wrote:
> Matthew Toseland wrote:
> >Well on the most trivial level, 0.5 doesn't work in china.
> >  
> yo,
> beyond harvesting the connected IP addresses to raid their owner's 
> homes, one big concern with encrypted protocols is that they can be 
> filtered out by application-level scanning firewalls. I think this is 
> exactly what's happening in China.
> Application-level scanning can be implemented via ASIC technology 
> directly in hardware thus being extremely fast, and we know this works 
> very well.
> Public-key encrypted communications show constant patterns the moment a 
> public key is exchanged between hosts.
> Such system can work until there's enough processing power available to 
> make them run without compromising the overal network performance, so to 
> defeat them (they are intended to simply drop forbidden connections) you 
> have to design a protocol
> which shows no recognisable patterns at any level.
> Nested symmetric encryption of each packet with multiple randomly 
> selected pre-shared keys?
> To decode each packet a firewall will have to:
> 1) try at least half the known pre-shared keys on each packet
> 2) do the above for each level of encryption used.
> given the number of keys n and the number of levels l the total number 
> of decryption passes k before you extract usable data (which may be 
> further asymmetrically encrypted)  is  k = (n/2)^l. This is true for 
> each packet and you cannot avoid doing this if you want to confirm the 
> contents.
> While this might not be so demanding for a single CPU and few 
> connections, a core firewall won't be happy to discover that a simple 
> scan no longer suffices and you have to actually process a VERY large 
> number of packets coming from a number of sources with random ports 
> trough a custom designed and frequently updated cryptographic ASIC 
> multiple times.
> The idea is not to design a virtually unstopplable protocol:  there  
> might come a day when only  pure HTTP  to port 80 is  allowed,  the idea 
> instead is to make it a bit more unstoppable in places like China, 
> probably France and EU and next in the US.
> Also, this won't be a solution in places that trace social network 
> connections (like the current US), this  however will make  the process 
> somewhat harder.
> Just a suggestion..
> _______________________________________________
> Support mailing list
> Support at freenetproject.org
> http://news.gmane.org/gmane.network.freenet.support
> Unsubscribe at 
> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
> Or mailto:support-request at freenetproject.org?subject=unsubscribe

Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature

Reply via email to