Travis H. wrote:
Part of the problem is using a packet-switched network; if we had circuit-based, then thwarting traffic analysis is easy; you just fill the link with random garbage when not transmitting packets. I considered doing this with SLIP back before broadband (back when my friend was my ISP). There are two problems with this; one, getting enough random data, and two, distinguishing the padding from the real data in a computationally efficient manner on the remote side without giving away anything to someone analyzing your traffic. I guess both problems could be solved by using synchronized PRNGs on both ends to generate the chaff. The two sides getting desynchronzied would be problematic. Please CC me with any ideas you might have on doing something like this, perhaps it will become useful again one day.
But this is trivial. Since the traffic is encrypted, you just have a bit that says "this is garbage" or "this is traffic". OTOH, this can leave you open to traffic marking attacks. George Danezis and I wrote a paper on a protocol (Minx) designed to avoid marking attacks by making all packets meaningful. You can find it here: http://www.cl.cam.ac.uk/users/gd216/minx.pdf. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff