Paper 2023/1362

Comments on certain past cryptographic flaws affecting fully encrypted censorship circumvention protocols

David Fifield
Abstract

This article presents three retrospective case studies of cryptography-related flaws in censorship circumvention protocols: a decryption oracle in Shadowsocks “stream cipher” methods, non-uniform Elligator public key representatives in obfs4, and a replay-based active distinguishing attack exploiting malleability in VMess. These three protocols come from the family of “fully encrypted” circumvention protocols: their traffic in both directions is indistinguishable from a uniformly random stream of bytes (or at least, is supposed to be). Some of the flaws are fixable implementation errors; others are rooted in more fundamental design errors. Their consequences range from enabling passive probabilistic detection to complete loss of confidentiality. All have been fixed, mitigated, or superseded since their discovery. My primary purpose is to provide an introduction to circumvention threat models for specialists in cryptography, and to make the point that while cryptography is a necessary tool in circumvention, it is not the sole or even the most important consideration. Secondarily, I want to furnish a few instructive examples of cryptographic design and implementation errors in uncontrived, deployed protocols. While the flaws I discuss affected systems of significant social importance with millions of collective users, they are not well known outside a small circle of specialists in circumvention.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
fully encrypted protocols, censorship circumvention, Shadowsocks, obfs4, VMess, Elligator
Contact author(s)
david @ bamsoftware com
History
2023-09-13: approved
2023-09-12: received
Short URL
https://ia.cr/2023/1362
License
No rights reserved
CC0

BibTeX

@misc{cryptoeprint:2023/1362,
      author = {David Fifield},
      title = {Comments on certain past cryptographic flaws affecting fully encrypted censorship circumvention protocols},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1362},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1362}
}