-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Notes on encryption
- Encrypt your traffic with AES-128-CBC.
- Protect data integrity by HMAC-SHA1 (or weaker MD5/CRC32).
- Defense replay attack with anti-replay window
The initial purpose and primay reason for udp2raw to have encryption is to against DPI(Deep Packet Inspection). FakeTCP may be seen as a way to fool the internet provider, you won't want to see udp2raw's protocol easily being detected (and blocked). Some DPI implement will inspect your packets silently, others may initiatively send packets to you to actively detect what protocol you are using. Some firewalls may replay packets to try to mess up your state machine in the protocol. Having encrption implemented can make the above bad attempts much harder.
The encryption of udp2raw is NOT designed to serve as a replacement of security mechanisms such as TLS/openssh/openvpn, although it provides a few similiar features. udp2raw doesn't support Forward Secrecy, and udp2raw is not backended by a security team. If you need serious security of your data, I recommand you to use TLS/openssh/openvpn.
why does udp2raw implement its own security mechanism, instead of using security protocols such as TLS?
Existing security mechanisms usualy only cares about the secuirty of your data, they typically make little attempt on hiding the protocol itself from DPI. When your are using TLS/openssh/openvpn, an attacker may never know the data transfered via TLS/openssh/openvpn, but a firewall can easly know you are using TLS/openssh/openvpn to transfer data.
In udp2raw, not only the data but also udp2raw protocol itself will be obsecured by encryption. The network traffics of udp2raw will look like a bunch of random junks and reduce the possibility of being detected by DPI.