On Sat, Dec 13, 2014 at 08:54:29AM -0500, A. Johnson wrote:
> There are even better solutions than this:
> 1. Port knocking: <https://wiki.archlinux.org/index.php/Port_Knocking>
> 2. Single-packet authorization:
> <http://www.cypherpunks.ca/~iang/pubs/bridgespa-wpes.pdf>
>
> ScrambleSuit has implemented something like #2, and its paper
> (http://www.cs.kau.se/philwint/pdf/wpes2013.pdf) describes its
> authentication mechanisms as preventing detection via network-wide
> scanning. However, I can’t say how it actually got implemented.

You could describe ScrambleSuit as single-packet authorisation on the
application layer. In the implementation, a client proves knowledge of a
shared secret in the first stream of bytes (maybe in one packet, maybe in
more) it sends to a bridge. If the client cannot prove knowledge of the
secret, the bridge won't respond. obfs4 [0] continues this idea.

[0] https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt

Cheers,
Philipp
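
A simplified sketch of the idea described in this message, added here as an example and not taken from ScrambleSuit or obfs4: the bridge answers only when the first bytes carry a valid proof of the shared secret, and otherwise stays silent. The message layout (random nonce plus HMAC-SHA256 over the nonce and an hourly epoch), the names `client_hello` and `Bridge`, and the replay cache are assumptions made for illustration, not either protocol's wire format.

```python
import hashlib
import hmac
import os
import time

EPOCH_SECONDS = 3600  # assumed: MAC is bound to an hourly epoch to limit replay
NONCE_LEN, MAC_LEN = 16, 32


def _mac(secret, nonce, epoch):
    return hmac.new(secret, nonce + str(epoch).encode(), hashlib.sha256).digest()


def client_hello(secret, now=None):
    """First bytes the client sends: random nonce followed by the MAC."""
    now = time.time() if now is None else now
    nonce = os.urandom(NONCE_LEN)
    return nonce + _mac(secret, nonce, int(now // EPOCH_SECONDS))


class Bridge:
    def __init__(self, secret):
        self._secret = secret
        self._seen = set()  # replay cache (unbounded here; expire per epoch in practice)

    def should_respond(self, first_bytes, now=None):
        """True only for a fresh, valid proof; False means stay silent."""
        now = time.time() if now is None else now
        if len(first_bytes) < NONCE_LEN + MAC_LEN:
            return False  # too short to hold a proof: say nothing
        nonce = first_bytes[:NONCE_LEN]
        tag = first_bytes[NONCE_LEN:NONCE_LEN + MAC_LEN]
        epoch = int(now // EPOCH_SECONDS)
        valid = False
        for e in (epoch - 1, epoch, epoch + 1):  # tolerate modest clock skew
            # compare_digest avoids leaking how many MAC bytes matched
            valid |= hmac.compare_digest(tag, _mac(self._secret, nonce, e))
        if not valid or tag in self._seen:
            return False  # wrong secret, stale epoch, or replay: say nothing
        self._seen.add(tag)
        return True
```

Because every failure path returns the same silent result, a scanner that does not hold the secret cannot distinguish the bridge from a port that simply ignores it.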
