Paper 2023/1362
Comments on certain past cryptographic flaws affecting fully encrypted censorship circumvention protocols
Abstract
This article presents three retrospective case studies of cryptography-related flaws in censorship circumvention protocols: a decryption oracle in Shadowsocks “stream cipher” methods, non-uniform Elligator public key representatives in obfs4, and a replay-based active distinguishing attack exploiting malleability in VMess. These three protocols come from the family of “fully encrypted” circumvention protocols: their traffic in both directions is indistinguishable from a uniformly random stream of bytes (or at least, is supposed to be). Some of the flaws are fixable implementation errors; others are rooted in more fundamental design errors. Their consequences range from enabling passive probabilistic detection to complete loss of confidentiality. All have been fixed, mitigated, or superseded since their discovery. My primary purpose is to provide an introduction to circumvention threat models for specialists in cryptography, and to make the point that while cryptography is a necessary tool in circumvention, it is not the sole or even most important consideration. Secondarily, I want to furnish a few instructive examples of cryptographic design and implementation errors in uncontrived, deployed protocols. While the flaws I discuss affected systems of significant social importance with millions of collective users, they are not well-known outside a small circle of specialists in circumvention.
Metadata
- Available format(s)
- Category
- Applications
- Publication info
- Preprint.
- Keywords
- fully encrypted protocols, censorship circumvention, Shadowsocks, obfs4, VMess, Elligator
- Contact author(s)
- david @ bamsoftware com
- History
- 2023-09-13: approved
- 2023-09-12: received
- Short URL
- https://ia.cr/2023/1362
- License
- CC0
BibTeX
@misc{cryptoeprint:2023/1362,
  author = {David Fifield},
  title = {Comments on certain past cryptographic flaws affecting fully encrypted censorship circumvention protocols},
  howpublished = {Cryptology {ePrint} Archive, Paper 2023/1362},
  year = {2023},
  url = {https://eprint.iacr.org/2023/1362}
}