[itu-sg16] 回复 :RE: RE: Q22 Question - SATC
zourong 52447
zou.rong at huawei.com
Sat Sep 27 03:02:03 EDT 2008
Paul,
you are a smart hacker, DPI can not stop you,:-).
DPI hardly can tackle encrypted communication now, but this do not prevent DPI from getting more and more market deployment. Maybe someday,most internet communications will be encrypted to circumvent such kind of inspection, then I think new techonolgies will be devised to face these embarrassment.
Anyway, I think content protection like copyright protection is a interesting area that worth doing something.
******************************************************************************************
This email and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained here in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this email in error, please notify the sender by phone or email
immediately and delete it!
*****************************************************************************************
----- 原邮件 -----
发件人: "Paul E. Jones" <paulej at packetizer.com>
日期: 星期五, 九月 26日, 2008 下午2:06
主题: RE: RE: [itu-sg16] Q22 Question - SATC
收件人: 'zourong 52447' <zou.rong at huawei.com>
抄送: ''Noah Luo ' ("罗忠")' <noah at huawei.com>
> Rong,
>
> You are right that current file sharing networks (mostly) do not use
> encryption. But, they would if necessary. In fact, I have a file
> sharingprogram on my machine that does offer encryption for file
> transfers. If
> such measures were employed to block traffic, I think all tools
> would simply
> encrypt contents by default. One could try to guess the contents
> of the
> encrypted file by looking at such things as the file length, etc., but
> nothing is perfect.
>
> I can accept that no solution is perfect, but I honestly believe
> that this
> one just will not work in practice. I used to be one of the kids
> in high
> school that would remove copy protection from software products by
> manuallyaltering machine code right on the disk. I even wrote my
> own utilities to
> allow me to modify code on disk -- and I wrote that in assembly
> language.
> Lawful intercept works for a few reasons:
> 1) Most criminals are stupid and use public communication
> 2) Almost everybody connects to a carrier network to carry voice --
> so
> carriers become a natural intercept point
>
> Lawful intercept does not work for smart criminals. They use secure
> communication channels.
>
> But, we can't really compare this to Lawful Intercept. Normal
> users just
> use the tools that are out on the Internet. If I were writing a file
> sharing program and encountered packet filtering issues, I would
> immediatelyemploy encryption. I could write the necessary code in
> an afternoon and
> effectively defeat systems employed to stop it. And, those systems
> are all
> very expensive hardware-based solutions that would be rendered
> useless.
> Honestly, I'm not trying to be an irritant :-) But, I'm quite
> doubtful that
> any DPI scheme can work to stop the proliferation of copyrighted
> material.It's simply too easy to devise a work-around in software
> and, while the DPI
> logic can get more complicated, the algorithms in a PC-based
> application can
> be revised and updated far more rapidly. Heck, I would even have
> the packet
> encoding algorithms written in such a way as to be downloadable
> when the
> program starts. That way, the newest encoding algorithms are always
> available every time the program starts.
>
> Paul
>
> > -----Original Message-----
> > From: zourong 52447 [mailto:zou.rong at huawei.com]
> > Sent: Thursday, September 25, 2008 11:48 PM
> > To: Paul E. Jones
> > Cc: 'Noah Luo ' ("罗忠")
> > Subject: 回复:RE: [itu-sg16] Q22 Question - SATC
> >
> > Paul,
> >
> > Sorry for taking so long to respond to your mail because I have
> taken a
> > long vacation and then followed by a busy business trip.
> >
> > I agree with you that the method proposed in my contribution AVD
> 3541> is not a perfect solution to the copy-right protection
> issue. It could
> > not handle the case that the communication is encrypted ?C as you
> > mentioned.
> > In fact, I think it is one of the limitations of DPI technology. The
> > signature-based DPI technology could not inspect the encrypted data
> > flow. But I still believe that it could work and do something
> useful in
> > a broad range of use cases, just like the lawful interception: it
> > hardly could handle the encrypted communication but it still can
> work> well.
> >
> > As to your suspicion whether it could work in a practical
> situation.> I hope it could work in some public file sharing
> scenarios especially
> > the P2P file sharing. Why I put my effort in study the P2P file
> sharing> scenario is that P2P file sharing is the most popular
> file sharing
> > tools nowadays and most of the files being shared are multimedia
> files> and many of them are pirated.
> >
> > P2P file sharing has one important character that could be
> exploited:> the file information is almost public. It should let
> people know what
> > the resource is, for example, the file name, file type, file
> size, file
> > hash value etc., these file describe information will be
> transmitted in
> > the file sharing control messages and could be intercepted by SATC.
> >
> > Another character of P2P file sharing is that it seldom uses
> encrypted> communication because that will bring burden to its
> efficiency and
> > affect its popularity.
> >
> > Then to the question of “good database” and “suspicious database”.
> What
> > I want to do is a multi-level inspection and filter. It maybe
> works as
> > following:
> >
> > Extracting_file_information();
> > Searching_good_database();
> > If(got matched item)
> > {
> > Compare_signature();
> > If(match)
> > {
> > It is copy-righted file and transmitted;
> > }
> > Else
> > {
> > Searching_suspecious_database();
> > If(match)
> > {
> > It is a known pirated version, stop it;
> > }
> > Else
> > {
> > It maybe a new pirated version, record it temporality
> > and notify the content provider to make sure and to update the
> > suspicious database ;
> > Transmit_flow();
> > }
> > }
> > }
> >
> > In this multi-level filtering, the first level ”good database”
> > filtering can be performed with the help of a reasonably small-
> sized> database and achieve rather fast processing speed, the
> second level
> > ”suspicious database” filtering may require a much bigger
> database. But
> > only searching only a part of them each time also could yield
> > reasonable processing speed.
> >
> > So that is what I want to do, only those truly pirated file sharing
> > will be stopped right now, other suspected file sharing will be
> > recorded and let the technicians to do further judgment.
> >
> >
> >
> ***********************************************************************> *******************
> > This email and its attachments contain confidential information
> from> HUAWEI, which is intended only for the person or entity
> whose address
> > is listed above. Any use of the information contained here in
> any way
> > (including, but not limited to, total or partial disclosure,
> > reproduction, or dissemination) by persons other than the intended
> > recipient(s) is prohibited. If you receive this email in error,
> please> notify the sender by phone or email
> > immediately and delete it!
> >
> >
> ***********************************************************************> ******************
> >
> > ----- 原邮件 -----
> > 发件人: "Paul E. Jones" <paulej at packetizer.com>
> > 日期: 星期五, 九月 12日, 2008 上午11:50
> > 主题: RE: [itu-sg16] Q22 Question - SATC
> > 收件人: 'Noah Luo(罗忠)' <noah at huawei.com>
> > 抄送: zou.rong at huawei.com
> >
> > > Noah,
> > >
> > > I have no objection to exploring the idea. But, I'm 100% certain
> > > it will
> > > not work :-) I am various serious about that. When I was a
> > > teenager, I
> > > spent a lot of time removing copy protection from software
> (actually> > modifying the machine code by hand), hacking computer
> systems,> > etc. Even
> > > when I was in college, I had a professor who called me an
> > unscrupulous
> > > hacker. He was only half joking. He had a real admiration
> for my
> > > technicalability, but wasn't very happy with some of the
> hacking I
> > > used to do.
> > > Still, he recognized that I was a good kid who just wanting to
> > > explore and
> > > learn as much as possible.
> > >
> > > I used to play with viruses. I would even write some that would
> > > not cause
> > > harm -- they would never replicate. Rather, they would just run
> > > in the
> > > background of machines that I placed them on, loading into the
> > > system at
> > > boot time. I still have a collection of probably 1,000 virus
> > > files, many
> > > with the assembly code.
> > >
> > > The short of it is that I have a lot of experience at this
> sort of
> > > thing.While I don't do the hacking I did when I was a kid, I can
> > > guarantee you
> > > that there will be some just ready to tackle the challenge of
> > > breaking any
> > > kind of defense like what this standard intends to provide. And,
> > > as I said,
> > > the simplest thing to do is simply use TLS. In fact, I could
> > exchange
> > > pirated music or video via e-mail between my server at home and
> > > anybody else
> > > who uses TLS -- my servers all use encryption. But, we can
> > > certainly employ
> > > simpler techniques. For example, I could do this:
> > >
> > > K = 256_bit_random_key;
> > > while(not_end_of_file)
> > > {
> > > M = read_file(16 octets of the file);
> > > Y = M XOR K;
> > > transmit_message(Y);
> > > K = rotate_right(K);
> > > }
> > > transmit_message(K);
> > >
> > > This is a very simple and extremely fast encryption algorithm that
> > > willactually transmit the session key at the end. So, there
> is no
> > > secrethidden, but it avoids the need of exchanging encryption keys
> > > some other way.
> > > This is not a flawless procedure, though. In fact, this is very
> > > easy to
> > > "crack", since we're just XORing the bits of the input stream with
> > > the key
> > > and then rotating the key 1 bit after each message. If an input
> > > stream had
> > > a number of 0s, then the key would appear as repeated data blocks
> > > that can
> > > be easily identified by a cryptography person. Heck, even I would
> > > recognizethe pattern. But, this might still be complex enough to
> > > avoid real-time
> > > detection of pirated content. But, I could just as easily use AES
> > and
> > > *really* encrypt the media and place the 256-bit initialization
> > > vector and
> > > key at the end of the transmitted media stream :-)
> > >
> > > Anyway, like I said-- I have no objections to studying this. I
> > > just am just
> > > a firm believer that it will only stop the casual pirates: those
> > > who want to
> > > use gmail.com or something to send an e-mail containing music.
> It
> > > would not
> > > stop software designed for secure file exchange, either person-
> to-
> > > person or
> > > across file sharing networks.
> > >
> > > My primary concern now is with the wording in the report. Rong
> > > felt it was
> > > OK, but I still think it's wrong. It says:
> > > "... if SATC finds a data stream carrying content failing to match
> > > a known
> > > signature, it will block the stream or mark it as being
> suspicious.”> >
> > > Worded another way, this sentence says: "if the data stream
> > > contains an
> > > unknown data stream, block the data stream."
> > >
> > > Now that would actually work to block pirated content, because you
> > > essentially only let known data through the network. But, I don't
> > > thinkthat is the intent, and it's definite not what the AVD
> > > document said.
> > >
> > > Paul
> > >
> > > > -----Original Message-----
> > > > From: Noah Luo(罗忠) [mailto:noah at huawei.com]
> > > > Sent: Thursday, September 11, 2008 5:46 AM
> > > > To: 'Paul E. Jones'
> > > > Cc: zou.rong at huawei.com
> > > > Subject: 答复: [itu-sg16] Q22 Question - SATC
> > > >
> > > > Dear Paul
> > > > Thank u very much for your good analysis and insightful
> comments on
> > > > this
> > > > specific aspect SATC.I will work together with Rong and come up
> > > with a
> > > > solution as to how the Q22 meeting report will be appropriatedly
> > > > reworded.Based on C3541 itself,actually, Q22 meeting report just
> > > > faithfully
> > > > reflects the basic idea of the scheme described.But if we
> also take
> > > > into
> > > > account the supplementary information Rong provided in his mail
> > > to you,
> > > > then
> > > > Q22 report may need incorporate some more information.
> > > >
> > > > As for your questions regarding the feasibility of using
> signature> > > matching
> > > > to block pirated contents transmission.I agree that we need more
> > > > careful
> > > > consideration.I think it will be ideal if more contributions
> > > will be
> > > > submitted by Rong to the next SG16 meeting so that we can
> have more
> > > > extensive discussion.My personal feeling is that it is a rather
> > > > innovative
> > > > idea to use this kind of techniques to block illegally
> distributed> > > contents,
> > > > but there may still lack some feasible technical points to
> > > enable this
> > > > idea
> > > > to be transformed into a practical solution.
> > > >
> > > > Paul, do you think this arrangement will be okay?
> > > >
> > > > Best Regards
> > > >
> > > > Noah
> > > >
> > > >
> > > > 华为技术有限公司 huawei_logo
> > > >
> > > >
> > > > 地址:深圳市龙岗区坂田华为基地 邮编:518129
> > > > http://www.huawei.com
> > > > -------------------------------------------------------------
> ----
> > > ------
> > > > -----
> > > > ---------------------------------------------------------
> > > > 本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人
> 或群
> > > > 组。禁
> > > > 止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散
> 发)本
> > > 邮
> > > > 件中
> > > > 的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件!
> > > > This e-mail and its attachments contain confidential information
> > > from> HUAWEI, which
> > > > is intended only for the person or entity whose address is
> listed> > > above. Any
> > > > use of the
> > > > information contained herein in any way (including, but not
> > > limited to,
> > > > total or partial
> > > > disclosure, reproduction, or dissemination) by persons other
> > > than the
> > > > intended
> > > > recipient(s) is prohibited. If you receive this e-mail in error,
> > > please> notify the sender by
> > > > phone or email immediately and delete it!
> > > >
> > > > -----邮件原件-----
> > > > 发件人: itu-sg16-bounces at lists.packetizer.com
> > > > [mailto:itu-sg16-bounces at lists.packetizer.com] 代表 Paul E. Jones
> > > > 发送时间: 2008年9月11日 10:48
> > > > 收件人: 'zourong 52447'
> > > > 抄送: itu-sg16 at lists.packetizer.com
> > > > 主题: Re: [itu-sg16] Q22 Question - SATC
> > > >
> > > > Rong,
> > > >
> > > > I think the meeting report is not exactly correct. The Q22
> meeting> > > report
> > > > said that SATC would block content that that failed to match a
> > > > signature.
> > > > What you said is that SATC would block media content that
> > > matches a
> > > > "good"
> > > > signature, but is apparently altered in some way. That is, it
> > would
> > > > block
> > > > media that it can clearly identify as pirated content.
> > > >
> > > > So, perhaps we should revise the wording that is presently in
> > > the Q22
> > > > meeting report related to AVD-3541. Can you consult Noah on
> > > what the
> > > > correct statement should be?
> > > >
> > > > As for whether this will work, I still have doubts. Even
> storing> > > signatures
> > > > of all current media could be a massive database and, quite
> > > likely, one
> > > > that
> > > > would need to be in memory, as you need real-time (and likely
> > > wire-
> > > > speed)
> > > > access to the signatures.
> > > >
> > > > I have no objection to doing work on this: if you can meet a
> > > particular> business requirement, great. But, I personally think
> > > that trying to
> > > > match
> > > > against signatures will not stop any serious pirate. It might
> > > stop the
> > > > casual pirate, though.
> > > >
> > > > A data stream of pirated content can be altered in so many ways
> > > that it
> > > > would be easy for somebody to create a program to stream pirated
> > > > content
> > > > that does not match a signature in the database. I could run
> > > the media
> > > > stream through a cipher algorithm, for example. And, I
> could even
> > > > transmit
> > > > the cipher key as the last payload of the message: after
> all, the
> > > > entire
> > > > file has been delivered! Secrecy wasn't the purpose of the
> > > encryption,> but
> > > > merely to disguise what is being transmitted until we've
> > > successfully> bypassed the SATC "detectors".
> > > >
> > > > Perhaps the simplest thing to do, actually, given the wide
> > > > proliferation of
> > > > tools like OpenSSL, is to just use TLS between nodes that
> want to
> > > > transmit
> > > > pirated content. That provide more-than-acceptable level of
> > > > encryption.
> > > >
> > > > In any case, I did not intend to bring the work to a halt,
> by any
> > > > means.
> > > > But, be cognizant of the fact that this is a very complex
> > > problem and I
> > > > seriously doubt you can devise a method that would prevent a
> good> > > hacker
> > > > from getting around the system. At best, you will only stop the
> > > casual> "pirates". You would not stop serious pirates or popular
> > > "file> sharing"
> > > > software. Such software would definitely employ techniques
> to get
> > > > around
> > > > any detection/blocking logic in the router/switch.
> > > >
> > > > What's more important right now is understanding what should
> > > have been
> > > > stated in the meeting report. I do not think this sentence is
> > > > accurate:
> > > >
> > > > “... if SATC finds a data stream carrying content failing to
> > > match a
> > > > known
> > > > signature, it will block the stream or mark it as being
> > suspicious.”
> > > >
> > > > Paul
> > > >
> > > > > -----Original Message-----
> > > > > From: zourong 52447 [mailto:zou.rong at huawei.com]
> > > > > Sent: Wednesday, September 10, 2008 4:05 AM
> > > > > To: paulej at packetizer.com
> > > > > Cc: itu-sg16 at lists.packetizer.com
> > > > > Subject: [itu-sg16] Q22 Question - SATC
> > > > >
> > > > > Paul,
> > > > > really thanks your's comments, here is the clarification.
> > > > > 1) As to the circumventing problem, I really could not say
> > > their is
> > > > > a perfect way that could not be circumvented. But I don’t
> > > think it is
> > > > > easy to do so. This scenario is attempted to provide a
> tool for
> > > > content
> > > > > provider to prevent their “specially processed” content, i.e.
> > > copy-
> > > > > righted content from being pirated. It is assumed the
> “specially> > > > processed” content have some characteristic
> information that
> > > would be
> > > > > destroyed by any piratical actio
> > > > > n such as using a different decoding method, and these
> > > characteristic> > information or “signature” would be provided to
> > > SATC system by
> > > > content
> > > > > provider. As to the compress scheme to circumvent, I think the
> > > SATC> > could handle most of the common compress schemes such as
> > > winzar,> > winzip, tar etc., but I also think it is impossible the
> > > SATC could
> > > > > handle all compress schemes.
> > > > > 2) The method mentioned in AVD-3541 is not attempted to create
> > a
> > > > > database of all pirated media, it’s a database that store the
> > > > > signature of good media especially those most popular
> video or
> > > audio> > recently, so the database will keep in a state of
> > > acceptable size.
> > > > The
> > > > > periodical updating of the database is necessary just like the
> > > IDS do
> > > > > to update the anti-virus database.
> > > > > 3) The pirated media database could exist as an subsidiary
> > > database.> > This was not mentioned in the AVD-3541 because I
> > > think it maybe too
> > > > > detail to describe it in a scenario. The file transmitted
> will be
> > > > > suspected as pirated file when satisfied following two points:
> > (1)
> > > > > There is a item in the “good media database” that means the
> > > file is a
> > > > > target of protecting. (2)the signature of the file transmitted
> > > do not
> > > > > match with that stored in the data
> > > > > base. Then the suspected file could be blocked directly,
> or in
> > > a more
> > > > > prudent way, it could be just marked as suspicious and search
> > > in a
> > > > > subsidiary “pirated media database” to make sure it is a
> existing> > > > pirated version or it maybe a new pirated version
> and need more
> > > > manual
> > > > > analytical works of content provider.
> > > > > 4) As to the performance problem, I think this kind of
> > inspection
> > > > > may have some negative impact on the packet transmission but
> > > may not
> > > > as
> > > > > terrible as thought, in fact, many DPI product in market can
> > > achieve> > 10G to 40G, even 80G throughput, their process
> > > capability is
> > > > > remarkable.
> > > > > >
> > > > > > 发件人: Paul E. Jones
> > > > > > 发送时间: 2008-09-05 10:59:38
> > > > > > 收件人: itu-sg16 at lists.packetizer.com
> > > > > > 抄送:
> > > > > > 主题: [itu-sg16] Q22 Question - SATC
> > > > > >
> > > > > > Q22 Experts,
> > > > > >
> > > > > > While reviewing the Q22 meeting report, I was intrigued
> by a
> > > > > > comment related to AVD-3541. This contribution proposes
> > > that SATC
> > > > > > can be used to block illegal content from being transmitted
> > over
> > > > > > the Internet by examining the media flow and comparing that
> > > media> > > flow (or some signature thereof) against a database.
> > > SATC would
> > > > > > then block content as appropriate.
> > > > > >
> > > > > > I would like to comment:
> > > > > > 1) I could easily circumvent any such measure, so
> any such
> > > > > > system would prove to work only temporarily; and
> > > > > > 2) While a given copy of a digital copy of some
> > > content, such
> > > > > > as music or a movie, will have a clearly recognizable
> > signature,
> > > > > > the same media can be “substantially” altered by merely
> > > using a
> > > > > > different encoding method (e.g., a different video codec or
> > > > > > compression scheme); and
> > > > > > 3) Actually attempting to create a database of all
> known> > > > > pirated media, including all variations, would
> result in the
> > > > > > creation of a massively huge database; and
> > > > > > 4) Maintenance of such a database would be a never-
> ending> > > > > chore; and
> > > > > > 5) Notwithstanding the foregoing, while such a database
> > > could> > > be constructed and flows could be examined, inspecting
> > > flows in
> > > > > > real-time and trying to positively identify a given flow
> is a
> > > > > > monumental task that will result in significantly negative
> > > impact> > > on packet transmission performance, even if a bank of
> > > specialized> > > network processors were employed per router or
> > switch
> > > > > >
> > > > > > In short: do we really want to attempt this? While it’s all
> > > > > > technically possible (at the risk of turning a 1Gbps pipe
> > > into a
> > > > > > 1Kbps pipe), I would argue that it’s not going to work. I
> > would
> > > > > > be happy to be first in line to write the software
> necessary to
> > > > > > circumvent such a system. And I would do it just
> because I
> > > can ;-)
> > > > > >
> > > > > > Having said that, the meeting report said that, the meeting
> > > report> > > said that “if SATC finds a data stream carrying
> > > content failing to
> > > > > > match a known signature, it will block the stream or
> mark it as
> > > > > > being suspicious.”
> > > > > >
> > > > > > I underlined the text of significance. This suggests
> that the
> > > > > > database would only be populated with signatures of
> known good
> > > > > > media flows and would only block unrecognized flows. This
> > seems
> > > > > > different than what I read and understood from AVD-3541.
> > > What the
> > > > > > meeting report suggests would be a simpler problem with a
> > > > > > substantially smaller database. So, what was actually
> > discussed
> > > > > > and decided for SATC? A system that blocks unrecognized
> > > flows or
> > > > > > a system that blocks recognized flows?
> > > > > >
> > > > > > Thanks,
> > > > > > Paul
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
>
>
>
More information about the sg16-avd
mailing list