NLnet Labs' Jaap Akkerhuis inducted in Internet Hall of Fame 2017/09/19

NLnet and Gartner to write vision for EC's Next Generation Internet initiative 2017/04/12

Dutch Ministry of Economic Affairs donates 0.5 million to "Internet Hardening Fund" 2016/12/16

Vietsch Foundation and NLnet cooperate in internet R&D for research and education 2016/09/28

RPKI-RTRlib contributes to secure interdomain routing 2016/02/15



[Format-Transforming Encryption -- concluded on 2015/01/01]

fteproxy provides transport-layer protection to resist keyword filtering, censorship and discriminatory routing policies. Its job is to relay datastreams, such as web browsing traffic, by encoding streams as messages that match a user-specified regular expression.

Network communications are increasingly becoming the target of surveillance and censorship. One natural defense is to use traditional cryptographic protocols &emdash; traditional encryption incurs low-overhead and does a good job of providing privacy. However, because encryption is so effective, many governments (e.g., Iran, Pakistan, and China) are willing to block state-of-the-art cryptographic protocols such as TLS and SSH.

Figure 1: A government can easily identify that a client and server are using an encryption protocol, and refuse the connection.

Our Solution: Format-Transforming Encryption

Format-Transforming Encryption (FTE) is a novel cryptographic primitive that extends traditional encryption. Traditional cryptographic primitives take a key and a message as input, and output an unformatted ciphertext. FTE takes a key, message and format (a compact set descriptor) as input and outputs a ciphertext in the format set. As an example, a format may describe the set of valid messages from an uncensored protocol, such as HTTP.

The software that realizes Format-Transforming Encryption, fteproxy, bootstraps FTE to relay arbitrary data streams. fteproxy uses regular expressions to describe and transmit messages from an uncensored protocol (e.g., HTTP), but may actually be relaying a censored protocol (e.g., Tor, TLS, SSH, etc.) To a government, traffic looks like HTTP, even though it may actually be a censored protocol.

Figure 2: fteproxy transparently encrypts communications such an uncensored protocols looks like a censored protocol.

Kevin P. Dyer


Send in your ideas.
Deadline October 1st, 2017.

Last update: 2014/04/12