On Sat, Dec 13, 2014 at 08:54:29AM -0500, A. Johnson wrote:
> There are even better solutions than this:
> - Port knocking: https://wiki.archlinux.org/index.php/Port_Knocking
> - Single-packet authorization: http://www.cypherpunks.ca/~iang/pubs/bridgespa-wpes.pdf
> ScrambleSuit has implemented something like #2, and its paper (http://www.cs.kau.se/philwint/pdf/wpes2013.pdf) describes its authentication mechanisms as preventing detection via network-wide scanning. However, I can’t say how it actually got implemented.
You could describe ScrambleSuit as single-packet authorisation on the application layer. In the implementation, a client proves knowledge of a shared secret in the first stream of bytes (maybe in one packet, maybe in more) it sends to a bridge. If the client cannot prove knowledge of the secret, the bridge won't respond.
obfs4 [0] continues this idea.
[0] https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-...
Cheers, Philipp
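
A simplified sketch of the behaviour described in the reply above, added here as an example and not taken from ScrambleSuit or obfs4: the bridge answers only when the first bytes carry a valid proof of the shared secret, and stays silent for probes and replays. The tag construction, lengths, hour-long epoch, the `ACK` reply and the names `client_hello` and `Bridge` are assumptions of this sketch, not either protocol's wire format; `handle_first_bytes` is assumed to receive the client's complete first flight, however many packets it arrived in.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

TAG_LEN = 16               # truncated HMAC-SHA256 (assumption of this sketch)
MIN_PAD, MAX_PAD = 16, 64  # random padding so the first bytes have no fixed length
EPOCH = 3600               # proofs are bound to an hour-long window (assumption)


def _tag(secret, pad, epoch):
    # Fixed-width epoch encoding keeps pad || epoch unambiguous.
    msg = pad + struct.pack(">Q", epoch)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]


def client_hello(secret, now=None):
    """First bytes a client sends: random padding followed by the proof tag."""
    now = time.time() if now is None else now
    pad = os.urandom(MIN_PAD + secrets.randbelow(MAX_PAD - MIN_PAD + 1))
    return pad + _tag(secret, pad, int(now // EPOCH))


class Bridge:
    def __init__(self, secret):
        self.secret = secret
        self.seen = set()  # replay cache; a real one would expire old entries

    def handle_first_bytes(self, data, now=None):
        """Return a reply for a valid proof, or None to stay silent."""
        now = time.time() if now is None else now
        if not MIN_PAD + TAG_LEN <= len(data) <= MAX_PAD + TAG_LEN:
            return None
        pad, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        cur = int(now // EPOCH)
        # Accept adjacent epochs to tolerate clock skew; compare in constant time.
        valid = any(hmac.compare_digest(tag, _tag(self.secret, pad, e))
                    for e in (cur - 1, cur, cur + 1))
        if not valid or tag in self.seen:
            return None  # probes and replayed proofs get no answer
        self.seen.add(tag)
        return b"ACK"  # placeholder for the bridge's side of the handshake
```
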