Obfuscated TCP (ObsTCP) was a proposal for a

transport layer In computer networking, the transport layer is a conceptual division of methods in the layered architecture of protocols in the network stack in the Internet protocol suite and the OSI model. The protocols of this layer provide end-to-end c ...

protocol which implements

opportunistic encryption Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt communications channels, otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two ...

over

Transmission Control Protocol The Transmission Control Protocol (TCP) is one of the main communications protocol, protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, th ...

(TCP). It was designed to prevent mass

wiretapping Wiretapping, also known as wire tapping or telephone tapping, is the monitoring of telephone and Internet-based conversations by a third party, often by covert means. The wire tap received its name because, historically, the monitoring connecti ...

and malicious corruption of TCP traffic on the

Internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...

, with lower implementation cost and complexity than

Transport Layer Security Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over ...

(TLS). In August 2008,

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet standard, Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster ...

rejected the proposal for a TCP option, suggesting it be done on the application layer instead. The project has been inactive since a few months later. In 2010 June, a separate proposal called tcpcrypt has been submitted, which shares many of the goals of ObsTCP: being transparent to applications, opportunistic and low overhead. It requires even less configuration (no DNS entries or HTTP headers). Unlike ObsTCP, tcpcrypt also provides primitives down to the application to implement authentication and prevent

man-in-the-middle attack In cryptography and computer security, a man-in-the-middle (MITM) attack, or on-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communi ...

s (MITM).

Historical origin

ObsTCP was created by Adam Langley. The concept of obfuscating TCP communications using opportunistic encryption evolved through several iterations. The experimental iterations of ObsTCP used TCP options in 'SYN' packets to advertise support for ObsTCP, the server responding with a public key in the 'SYNACK'. An

draft protocol was first published in July 2008. Packets were encrypted with Salsa20/8, and signed packets with MD5 checksums. The present (third) iteration uses special DNS records (or out of band methods) to advertise support and keys, without modifying the operation of the underlying TCP protocol.

Encryption features

ObsTCP is a low cost protocol intended to protect TCP traffic, without requiring

public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a Key authentication, public key. The certificate includes the public key and informati ...

s, the services of

Certificate Authorities In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Thi ...

, or a complex

Public Key Infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to fac ...

. It is intended to suppress the use of undirected surveillance to trawl unencrypted traffic, rather than protect against man in the middle attack. The software presently supports the Salsa20/8 stream cipher and Curve25519 elliptic-curve Diffie Hellman function.

Comparison with TLS/SSL/HTTPS

Connection establishment

A server using ObsTCP advertises a public key and a port number. A DNS 'A record' may be used to advertise server support for ObsTCP (with a DNS 'CNAME record' providing a 'friendly' name). HTTP header records, or cached/out of band keyset information may also be used instead. A client connecting to an ObsTCP server parses the DNS entries, uses HTTP header records, or uses cached/out of band data to obtain the public key and port number, before connecting to the server and encrypting traffic.

References

{{DEFAULTSORT:Obfuscated Tcp TCP extensions

Historical origin

Encryption features

Comparison with TLS/SSL/HTTPS

Connection establishment

See also

References