Closed jedisct1 closed 10 years ago
jedisct1
commented
10 years ago I take it back. Looks like your protocol doesn't use session keys, but always uses the same key derived from the password. Using a counter would not be a good idea in this scenario.
clowwindy
commented
10 years ago Glad that you have noticed these projects that help people in China. You're right. Using random nonces instead of counter will increase possibility of nonce collision from 1/2^64 to 1/2^32. ShadowVPN is designed to bypass GFW, so our primary goal is to make packets indistinguishable from random bytes. Using a counter would break this goal. One solution is to add some 16 extra random bytes and expand keys and nonces from the secret key and those extra bytes. Since recording 2^32 packets for GFW is not practical, and for performance consideration, I choose to not do this way.
Hi Clowwindy,
And congrats for ShadowVPN and ChinaDNS-C.
I noticed that you are generating a random nonce for each packet. This is fine, but using a simple counter would be perfectly fine as well. This also makes it practically impossible for a nonce to be reused.