-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments on certain past cryptographic flaws affecting fully encrypted censorship circumvention protocols #287
Comments
感谢 @wkrp 的 post,这一段让我想起了 Shadowsocks 的 Cloak 插件,它的 Client Hello 是:
这样的设计似乎存在类似的问题(包括 Sever Hello),在此邀请作者进行评论 @cbeuw Thanks for @wkrp's post. This section reminds me of the Cloak plugin for Shadowsocks, whose Client Hello is:
This design seems to have similar problems (including Server Hello), and the author is invited to comment here @cbeuw 当然会有人问 REALITY 有没有类似的问题,
注意我只是简单地列出了区别,这些东西我没写过就写一下给有需要的人参考, Of course, someone will ask if there is a similar problem with REALITY.
Note that I simply listed the differences, just write a reference for those who need it, |
You're right. I have realised this a while back and now looking at it it's a rather silly oversight: the data Cloak put in It's fixable, but requires some backwards compatibility measures on the server side. |
关于 fully encrypted protocols 的设计问题,补充一些我在 AEAD 时代的研究: Shadowsocks AEAD 和 Brook 的加密设计存在“响应未关联请求”等问题(这些问题也存在于 Shadowsocks 的流加密中) Shadowsocks、VMess 等协议为了避免握手成为特征,不预先进行握手,为了防重放攻击导致了可被“拒绝服务攻击”的问题 VMess AEAD 未认证 packet length(未默认修复)、结尾发空包(已修复)、客户端没有 drain(已修复)的问题 Shadowsocks 系列还一直有一个独特的特征是 TCP、UDP 同端口, 以及这些协议普遍缺乏前向安全等高级安全特性,当然我觉得虽然这些协议多次被爆出存在设计上的问题,但大多数问题并非不可解决。它们最大的问题还是长得像全随机数,主要是因为目前没有正经的流量长成这样,审查者可以闭着眼封。即使不封,若审查者设置了协议白名单,只允许一些常见的协议通过,亦可以简单地过滤掉 fully encrypted protocols。 On the subject of the design of fully encrypted protocols, I'd like to add some of my research during the AEAD era: Shadowsocks AEAD and Brook's encryption design suffers from issues such as "responding to unrelated requests" (these issues are also present in Shadowsocks's stream encryption) Shadowsocks, VMess, and other protocols don't do handshakes in advance, to avoid handshaking becoming a feature, which leads to "denial of service attacks" in order to prevent replay attacks VMess AEAD does not authenticate packet length (not fixed by default), sends empty packets at the end (fixed), no drain on the client (fixed) The Shadowsocks series has also always had a unique feature of TCP and UDP being on the same port, And the general lack of advanced security features such as forward security for these protocols, but of course I think that while these protocols have been exposed many times as having design problems, most of the problems are not insurmountable. The biggest problem with them is still that they look like full random numbers, mainly because there is no real traffic that looks like that at the moment, and censors can block them with their eyes closed. Even if they don't, if the censor sets up a protocol whitelist that allows only common protocols to pass, they can simply filter out fully encrypted protocols. |
There was a previous attempt in Shadowsocks in addressing the decryption oracle, known as ota mode, which is not working and we could try to learn from it: https://prinsss.github.io/why-do-shadowsocks-deprecate-ota/. Shadowsocks AEAD also and still have issue of having anti-replay attack for IV without a time window or other design to limited the amount of IV need to be remembered, |
I wrote an English summary of that post and the OTA active probing vulnerability: https://groups.google.com/d/msg/traffic-obf/CWO0peBJLGc/Py-clLSTBwAJ
The OTA vuln is fairly reminiscent of the VMess one in the paper. In both cases, the data encoding required parsing untrusted data in order to locate an authenticator for that data. |
I've posted an article that takes a historical look at some crypto bugs that have affected circumvention protocols.
The article was originally a talk proposal for the Real World Crypto symposium. As such, it's targeted more at an audience of cryptographers than circumvention developers. Some of the concepts and motivation will already be well-known to people here. The crypto bugs in the article have already been discussed here or on related forums:
The term "fully encrypted protocol (FEP)" comes from a paper at this year's FOCI workshop, "Security Notions for Fully Encrypted Protocols". The same concept has formerly been called "look-like-nothing" or "randomized". It's good to have a clear and unambiguous name for these kinds of protocols, so I've started using the "fully encrypted" label as well. You can also see it used in the title of the recent "How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic".
The text was updated successfully, but these errors were encountered: