| 摘要: |
| 随着网络技术的发展和广泛应用,在互联网环境下建立安全信道愈发显得重要。我们设计了一种采用TLSv1.3的握手协议框架的轻量级安全代理协议,在安全性的基础上提供了更好的隐蔽性和性能。代理程序的用户接口基于Socks5协议,保障了通用性。握手过程模拟TLS,将实际参数填充在TLSv1.3握手包内的随机区域和加密区域中来完成基于ECDHE密钥交换和挑战响应机制的握手。后续的代理转发过程中通过额外判断避免了加密数据的重复处理,大大提高了通信效率。针对主动检测,设计了基于TCP转发的主动对抗措施。健壮性方面,可作为服务器的反向代理,亦可作为基于TCP转发的反向代理服务器的后端,可灵活构建冗余信道。依据实现原理,命名为FTLSocks,意为Fake TLS Socks。使用了协程池、空间重用、最少拷贝和无锁的设计,实测高并发下资源消耗、吞吐量、响应时间等均优于现有流行工具。 |
| 关键词: 代理 流量整形 流量混淆 TLS Socks5 DPI |
| DOI:10.19363/J.cnki.cn10-1380/tn.2021.05.07 |
| 投稿时间:2020-08-02修订日期:2020-11-09 |
| 基金项目:本课题得到国家自然科学基金(No.61702212)资助。 |
|
| A novel lightweight protocol of secure proxy |
|
LV Yinghao, CHEN Jiageng
|
| (School of Computer, Central China Normal University, Wuhan 430079, China) |
| Abstract: |
| With the development and wide application of network technology, establishing a secure channel has been used in various application scenarios. In this paper, we have designed a lightweight security proxy protocol taking advantage of the handshake protocol framework of TLSv1.3, which provides better performance given strong security. The user interface of the agent is based on the Socks5 protocol, which guarantees the versatility. The handshake process simulates TLS, and the true parameters are filled in the random area and the encrypted area in the TLSv1.3 handshake packet to complete the handshake based on the ECDHE key exchange and challenge-response mechanism. The subsequent proxy forwarding process avoids the repeated processing of encrypted data through additional judgments, which greatly improves the communication efficiency. For active detection, an active countermeasure based on TCP forwarding is implemented. In terms of robustness, it can be used as a reverse proxy for the server, or as the back end of a reverse proxy server based on TCP forwarding that can flexibly be used to construct redundant channels. The scheme is named Fake TLS Socks (FLTSocks), which applies a coroutine pool, space reuse, minimal copy, and lock-free design. The measured resource consumption, throughput, and response time under high concurrency are better than the existing tools. |
| Key words: proxy traffic shaping traffic obfuscation TLS socks5 DPI |
