Tearing Down China's Great Firewall

quadsoft writes to tell us The Toronto Star has a look at three University Toronto computer geeks who are working hard to circumvent the internet censorship problems like those found in China. From the article: "But the computer smarts of Ron Deibert, Nart Villeneuve, and Michael Hull, combined with their passion for politics and free expression, have led them to develop a highly anticipated software program that allows Internet users inside China and other countries, such as Iran, Saudi Arabia and Burma, to get around repressive censorship and not get caught."

Re:Article full of holes

[TubeSteak]

Like you, I thought they were either talking out their ass, or the reporter misunderstood. A quick Google search remedied that confusion.

An elegant wrinkle is that the data will enter users' machines through computer port 443. Relied on for the secure transfer of data, this port is the one through which reams of financial data stream constantly around the world.

"Unless a country wanted to cut off all connections for any financial transactions they wouldn't be able to cut off these transmissions," said Professor Ronald Deibert, the director of Citizen Lab.

So it runs over SSL. The author kinda mentions that earlier on.

They talk about "routers" and "nodes" and "secure socket layers" like they were saying, "Hello," or "How are you?"

Maybe TFA's author is too much of an idiot to understand WTF they were talking about, so they dumbed it down for him.

Re:Sure, because it's different things

[The+MAZZTer]

That's not how public/private key cryptography works. If it did, any script kiddie could grab the private key in transmission.

The reason the private key is called so is becasuse it is never transmitted. It stays on the machine that came up with it.

Here's how it works, and we can assume both machines do the same thing for each other. One comp comes up with a private key and public key pair, where things encrypted with the public key can only be decrypted with the private key (and not with the public). Then, the machine can send the public key plaintext (or with some other form of encryption, which we can assume can be cracked much easier than the key pair cryptosystem we're using for the bulk of the data). The receiving machine uses the public key to encrypt it's data and sends the encrypted data.

Now if we assume any transmitted data can be evesdropped upon, the hacker has our public encryption key and the encrypted data... but he doesn't have the private encryption key! The data is useless to him! (Unless the key pair is weak, the data is weak, or the hacker has the hardware to brute force keys, but we'll assume the users are smart enough to avoid the first two and the cryptosystem uses a long enough key to make the last one futile.) The first computer gets the encrypted data and decrypts it with the private key.

A similar process, reversed, is used in certificates. They are encrypted with a private key, and the public key is made available. Assuming sufficient mechanisms are in place to assure that the public key does in fact belong to the original computer, any message decryptable with the public key shows that the message must have originated from the only legitimate computer with the private key.

Nitpick of the nitpick

[Paul+Crowley]

I think you're blowing up a terminological inexactitude into more than it is. They used "private key" where they meant "shared symmetric secret key".

Also you shouldn't refer to signing and verification as "encryption" and "decryption" because they're semantically very different things. Both RSA encryption and RSA verification use the RSA public-key operation, but to be secure they must also use padding and the padding system for an encryption scheme will be different than that for a signature scheme. It's also bad to use the same key as an encryption and as a signing key.

As a last nitpick, AFAIK there are no PK systems for which brute force is the most effective attack. If such a scheme existed it could use really short keys, like the 128-bit keys used in symmetric cryptosystems. Every PK system I know of uses keys at least twice that length.