Fully Encrypted Protocols (FEPs) have arisen in practice as a technique to avoid network censorship. Such protocols are designed to produce messages that appear completely random. This design hides communications metadata, such as version and length fields, and makes it difficult to even determine what protocol is being used. Moreover, these protocols frequently support padding to hide the length of protocol fields and the contained message. These techniques have relevance well beyond censorship circumvention, as protecting protocol metadata has security and privacy benefits for all Internet communications. The security of FEP designs depends on cryptographic assumptions, but neither security definitions nor proofs exist for them. We provide novel security definitions that capture the metadata-protection goals of FEPs. Our definitions are given in both the datastream and datagram settings, which model the ubiquitous TCP and UDP interfaces available to protocol designers. We prove relations among these new notions and existing security definitions. We further present new FEP constructions and prove their security. Finally, we survey existing FEP candidates and characterize the extent to which they satisfy FEP security. We identify novel ways in which these protocols are identifiable, including their responses to the introduction of data errors and the sizes of their smallest protocol messages.
翻译:全加密协议(FEPs)在实践中已成为规避网络审查的技术手段。此类协议被设计为生成完全随机的消息,从而隐藏通信元数据(如版本号和长度字段),甚至难以识别所使用的协议类型。此外,这些协议通常支持填充机制以隐藏协议字段及所承载消息的长度。这些技术不仅适用于规避审查,保护协议元数据对所有互联网通信的安全性与隐私性都具有重要意义。FEP设计的安全性依赖于密码学假设,但目前既缺乏相应的安全定义,也缺少形式化证明。我们提出了能准确刻画FEP元数据保护目标的新型安全定义,并在数据流和数据报两种场景下给出形式化描述——这两种场景分别对应协议设计者普遍使用的TCP和UDP接口。我们证明了这些新安全概念与现有安全定义之间的关联关系,进一步提出了新的FEP构造方案并给出安全性证明。最后,我们对现有FEP候选方案进行系统性评估,分析其满足FEP安全性的程度。研究发现这些协议存在新的可识别特征,包括对数据错误的响应机制以及最小协议消息的尺寸特征。