Matthew Toseland wrote:
> Well on the most trivial level, 0.5 doesn't work in china.
>   
yo,

beyond harvesting the connected IP addresses to raid their owners' 
homes, one big concern with encrypted protocols is that they can be 
filtered out by application-level scanning firewalls. I think this is 
exactly what's happening in China.


Application-level scanning can be implemented via ASIC technology 
directly in hardware, which makes it extremely fast, and we know this 
works very well.
Public-key encrypted communications show constant patterns the moment a 
public key is exchanged between hosts.

Such systems can work as long as there's enough processing power available to 
make them run without compromising the overall network performance, so to 
defeat them (they are intended to simply drop forbidden connections) you 
have to design a protocol which shows no recognisable patterns at any level.
Nested symmetric encryption of each packet with multiple randomly 
selected pre-shared keys?
To decode each packet a firewall will have to:
1) try at least half the known pre-shared keys on each packet
2) do the above for each level of encryption used.

Given the number of keys n and the number of levels l, the total number 
of decryption passes k before you extract usable data (which may be 
further asymmetrically encrypted) is k = (n/2)^l. This is true for 
each packet and you cannot avoid doing this if you want to confirm the 
contents.
While this might not be so demanding for a single CPU and a few 
connections, a core firewall won't be happy to discover that a simple 
scan no longer suffices and you have to actually process a VERY large 
number of packets coming from a number of sources with random ports 
through a custom-designed and frequently updated cryptographic ASIC 
multiple times.

The idea is not to design a virtually unstoppable protocol: there 
might come a day when only pure HTTP to port 80 is allowed. The idea 
instead is to make it a bit more unstoppable in places like China, 
probably France and the EU, and next in the US.

Also, this won't be a solution in places that trace social network 
connections (like the current US); this however will make the process 
somewhat harder.

Just a suggestion..
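An added worked example, not code from the thread or from any project discussed in it, that measures the "decryption passes" cost of the nested pre-shared-key scheme described in the message above under two scanner models. All keys, the packet marker, and the nonce are constructed for the example, and SHA-256 in counter mode stands in for a real stream cipher so the script runs on the standard library alone. The point a practitioner wants to see is the caveat the cost formula hides: the search is only multiplicative in the number of layers when a scanner has no way to tell whether an individual layer was peeled correctly (`scan_blind`); if each layer carries something verifiable on its own, here modelled as a per-layer 4-byte HMAC tag (`scan_tagged`), the cost collapses to at most n passes per layer, i.e. additive in l.

```python
import hashlib
import hmac
import random

# Constructed marker: the only thing a scanner with no per-layer check can recognise.
MARKER = b"PLAINTEXT:"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (standard library only)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One symmetric layer: XOR with the keystream (self-inverse, so it peels too)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def make_pool(n: int) -> list:
    """n constructed pre-shared keys, derived deterministically so runs are reproducible."""
    return [hashlib.sha256(b"psk-%d" % i).digest()[:16] for i in range(n)]


def layer_nonce(nonce: bytes, j: int) -> bytes:
    """Distinct nonce per layer so that reusing one key in two layers does not cancel out."""
    return nonce + bytes([j])


def encrypt_nested(plaintext: bytes, pool: list, idx: list, nonce: bytes, tagged: bool) -> bytes:
    """Apply layer j with pool[idx[j]]; the last index in idx ends up outermost.
    With tagged=True each layer is prefixed by a 4-byte HMAC over its own ciphertext,
    which is what lets a scanner verify that layer without peeling the ones below."""
    data = plaintext
    for j, i in enumerate(idx):
        key, ln = pool[i], layer_nonce(nonce, j)
        data = xor_layer(key, ln, data)
        if tagged:
            data = hmac.new(key, ln + data, "sha256").digest()[:4] + data
    return data


def scan_blind(ct: bytes, pool: list, layers: int, nonce: bytes) -> tuple:
    """Scanner that can only recognise the final plaintext: it has to search key tuples.
    Returns (recovered plaintext or None, number of decryption passes performed)."""
    ops = 0

    def peel(data, level):
        nonlocal ops
        if level == layers:
            return data if data.startswith(MARKER) else None
        ln = layer_nonce(nonce, layers - 1 - level)  # outermost layer is peeled first
        for key in pool:
            ops += 1
            found = peel(xor_layer(key, ln, data), level + 1)
            if found is not None:
                return found
        return None

    return peel(ct, 0), ops


def scan_tagged(ct: bytes, pool: list, layers: int, nonce: bytes) -> tuple:
    """Scanner that can verify each layer on its own: cost is additive across layers."""
    ops = 0
    data = ct
    for level in range(layers):
        ln = layer_nonce(nonce, layers - 1 - level)
        tag, body = data[:4], data[4:]
        for key in pool:
            ops += 1
            if hmac.compare_digest(hmac.new(key, ln + body, "sha256").digest()[:4], tag):
                data = xor_layer(key, ln, body)
                break
        else:
            return None, ops  # no key in the pool verified this layer
    return data, ops


def worst_case_blind(n: int, layers: int) -> int:
    """Passes the blind scanner needs when the right key is tried last at every level
    (prefixes of wrong key tuples are shared, hence n + n^2 + ... + n^l, not l * n^l)."""
    return sum(n ** d for d in range(1, layers + 1))


def demo(n: int = 8, layers: int = 3, seed: int = 7) -> dict:
    """Encrypt one constructed packet with randomly chosen keys and scan it both ways."""
    pool = make_pool(n)
    idx = [random.Random(seed).randrange(n) for _ in range(layers)]
    nonce = b"pkt-0001"  # constructed per-packet nonce
    msg = MARKER + b"hello"
    blind_pt, blind_ops = scan_blind(encrypt_nested(msg, pool, idx, nonce, False), pool, layers, nonce)
    tagged_pt, tagged_ops = scan_tagged(encrypt_nested(msg, pool, idx, nonce, True), pool, layers, nonce)
    return {"blind_ok": blind_pt == msg, "blind_passes": blind_ops,
            "blind_worst_case": worst_case_blind(n, layers),
            "tagged_ok": tagged_pt == msg, "tagged_passes": tagged_ops,
            "tagged_worst_case": n * layers}


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports the passes each scanner needed for the same packet next to its worst-case bound. The design choice worth noting for anyone evaluating such a protocol is that the exponential search only exists because nothing in an intermediate layer (no tag, no length field, no fixed header) tells the scanner it has chosen the right key; any per-layer structure that leaks that information turns the defender's (n/2)^l into roughly (n/2)*l.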