BitTorrent protocol encryption
Encyclopedia
Protocol encryption message stream encryption (MSE), or protocol header encrypt (PHE) are related features of some peer-to-peer
file-sharing clients
, including BitTorrent client
s. They attempt to enhance privacy and confidentiality. In addition, they attempt to make traffic harder to identify by third parties including internet service provider
s (ISPs).
MSE/PE is implemented in aria2, BitComet
, BitTornado
, Deluge
, Flashget
, KTorrent
, Mainline
, rTorrent
, µTorrent, Transmission, and Vuze
. PHE was implemented in old versions of BitComet. Similar protocol obfuscation
is supported in up-to-date versions of some other (non-BitTorrent) systems including eMule
.
or confidentiality
, but became required in countries where Internet Service Providers were granted the power to throttle a bit-torrent user and even ban those they believed were guilty of illegal file sharing.
version 0.60 on 8 September 2005. Some software like IPP2P claims BitComet traffic is detectable even with PHE. PHE is detectable because only part of the stream is encrypted. Since there are no open specifications to this protocol implementation the only possibility to support it in other clients would have been via reverse engineering
.
, now known as Vuze, decided to design and simultaneously implement a new, open protocol obfuscation method, called message stream encryption (MSE). It was included in Azureus CVS snapshot 2307-B29 on 19 January 2006.
This first draft was heavily criticized since it lacked several key features. After negotiations between different BitTorrent developers a new proposal was written and then implemented into the Azureus
and µTorrent betas within days. In µTorrent, the new protocol was called protocol encryption (PE).
MSE/PE uses key exchange
combined with the infohash of the torrent to establish an RC4
encryption key. The key exchange helps to minimize the risk of passive listeners, and the infohash helps avoid man-in-the-middle attack
s. RC4 is chosen for its speed. The first kilobyte of the output is discarded to prevent the Fluhrer, Mantin and Shamir attack.
The specification allows the users to choose between encrypting the headers only or the full connection. Encrypting the full connection provides more obfuscation but uses more CPU time.
To ensure compatibility with other clients that don't support this specification, users may also choose whether unencrypted incoming or outgoing connections are still allowed.
Supported clients propagate the fact that they have MSE/PE enabled through PEX
and DHT
.
was proposed as the encryption method but not adopted because it consumed too much CPU time and the required Diffie–Hellman
keys to achieve a security equal to AES would have been much bigger or require elliptic curve cryptography
, making the handshake more expensive in terms of used CPU time.
Analysis of the BitTorrent protocol encryption (a.k.a. MSE) has shown that statistical measurements of packet sizes and packet directions of the first 100 packets in a TCP session can be used to identify the obfuscated protocol with over 96% accuracy.
application uses a different approach to disrupt BitTorrent traffic that makes seeding impossible. The Sandvine application intercepts peer-to-tracker communication to identify peers based on the IP address and port numbers in the peer list returned from the tracker. When Sandvine later sees connections to peers in the intercepted peer lists, it may (according to policy) break these connections by sending counterfeit TCP resets. Various solutions exist to protect against Sandvine's attack including encrypting both peer-to-tracker and peer-to-peer communication, using Microsoft's Teredo
so that TCP connections are tunneled within UDP packets, filtering TCP resets before they reach the TCP layer in the end-host, or switching entirely from a TCP-based transport to a UDP-based transport. Each solution has its trade-offs. Filtering out TCP resets typically requires kernel access, and the participation of the remote peer since Sandvine sent the reset packet to the local and remote peers. Teredo is not available on all BitTorrent clients. Rewriting TCP reliability, in-order delivery and congestion control in a new UDP protocol represents a substantial engineering effort and would require upgrading both ends of any peer-to-peer connection. Increasing robustness to TCP resets solves Sandvine's attack, but it does not prevent internet applications from using the peer lists to perform other attacks such as blocking peer-to-peer connections completely. Encryption also won't stop a traffic shaping system configured to universally slow down all encrypted, unidentifiable or unknown protocols using a method as simple as packet loss. Encrypting tracker communications prevents eavesdropping on peer lists and does not require upgrading both ends of peer-to-peer connections, but it requires imposing computational overhead on the tracker.
, the inventor of BitTorrent, opposed adding encryption to the BitTorrent protocol. Cohen stated he was worried that encryption could create incompatibility between clients. He also stressed the point that the majority of ISPs don't block the torrent protocol. Cohen wrote "I rather suspect that some developer has gotten rate limited by his ISP, and is more interested in trying to hack around his ISP's limitations than in the performance of the internet as a whole". Many BitTorrent community users responded strongly against Cohen's accusations.
Cohen later added the ability to receive but not originate encrypted connections on his Mainline client. Notably, when µTorrent was purchased by BitTorrent, Inc. and then became the next mainline release, the ability to originate encrypted connections was retained, but it became turned off by default.
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
file-sharing clients
Comparison of file sharing applications
File sharing is a method of distributing electronically stored information such as computer programs and digital media. Below is a list of file sharing applications....
, including BitTorrent client
BitTorrent client
BitTorrent is a peer-to-peer program developed by Bram Cohen and BitTorrent, Inc. used for uploading and downloading files via the BitTorrent protocol. BitTorrent was the first client written for the protocol. It is often nicknamed Mainline by developers denoting its official origins. Since version...
s. They attempt to enhance privacy and confidentiality. In addition, they attempt to make traffic harder to identify by third parties including internet service provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
s (ISPs).
MSE/PE is implemented in aria2, BitComet
BitComet
BitComet is a cross-protocol BitTorrent, HTTP and FTP client written in C++ for Microsoft Windows and available in 52 different languages. Its first public release was version 0.28...
, BitTornado
BitTornado
BitTornado is a free BitTorrent client for transfer of computer files over networks, including the Internet. It is developed by John Hoffman, who also created its predecessor, Shad0w's Experimental Client...
, Deluge
Deluge (software)
- See also :* Comparison of BitTorrent clients* Usage share of BitTorrent clients-External links:* * * *...
, Flashget
FlashGet
FlashGet is a freeware download manager for Microsoft Windows...
, KTorrent
KTorrent
KTorrent is a BitTorrent client written in C++ for KDE using the Qt user interface toolkit. It is maintained in the KDE Extragear.- Features :*Upload and download speed capping / throttling & scheduling...
, Mainline
BitTorrent client
BitTorrent is a peer-to-peer program developed by Bram Cohen and BitTorrent, Inc. used for uploading and downloading files via the BitTorrent protocol. BitTorrent was the first client written for the protocol. It is often nicknamed Mainline by developers denoting its official origins. Since version...
, rTorrent
RTorrent
rTorrent is a text-based ncurses BitTorrent client written in C++, based on the libTorrent libraries for Unix, whose author's goal is “a focus on high performance and good code”...
, µTorrent, Transmission, and Vuze
Vuze
Vuze is a BitTorrent client used to transfer files via the BitTorrent protocol. Vuze is written in Java, and uses the Azureus Engine. In addition to downloading data linked to by .torrent files, Azureus allows users to view, publish and share original DVD and HD quality video content...
. PHE was implemented in old versions of BitComet. Similar protocol obfuscation
Obfuscation
Obfuscation is the hiding of intended meaning in communication, making communication confusing, wilfully ambiguous, and harder to interpret.- Background :Obfuscation may be used for many purposes...
is supported in up-to-date versions of some other (non-BitTorrent) systems including eMule
EMule
eMule is a free peer-to-peer file sharing application for Microsoft Windows. Started in May 2002 as an alternative to eDonkey2000, eMule now connects to both the eDonkey network and the Kad network...
.
Purpose
As of January 2005, BitTorrent traffic made up more than a third of total residential internet traffic, although this is dropping to less than 20% as of 2009. Some ISPs deal with this traffic by increasing their capacity whilst others use specialised systems to slow peer-to-peer traffic. Obfuscation and encryption make traffic harder to detect and therefore harder to throttle. These systems were designed initially to provide anonymityAnonymity
Anonymity is derived from the Greek word ἀνωνυμία, anonymia, meaning "without a name" or "namelessness". In colloquial use, anonymity typically refers to the state of an individual's personal identity, or personally identifiable information, being publicly unknown.There are many reasons why a...
or confidentiality
Confidentiality
Confidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
, but became required in countries where Internet Service Providers were granted the power to throttle a bit-torrent user and even ban those they believed were guilty of illegal file sharing.
Early approach
Protocol header encryption (PHE) was conceived by RnySmile and first implemented in BitCometBitComet
BitComet is a cross-protocol BitTorrent, HTTP and FTP client written in C++ for Microsoft Windows and available in 52 different languages. Its first public release was version 0.28...
version 0.60 on 8 September 2005. Some software like IPP2P claims BitComet traffic is detectable even with PHE. PHE is detectable because only part of the stream is encrypted. Since there are no open specifications to this protocol implementation the only possibility to support it in other clients would have been via reverse engineering
Reverse engineering
Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation...
.
Development of MSE/PE
In late January 2006 the developers of AzureusVuze
Vuze is a BitTorrent client used to transfer files via the BitTorrent protocol. Vuze is written in Java, and uses the Azureus Engine. In addition to downloading data linked to by .torrent files, Azureus allows users to view, publish and share original DVD and HD quality video content...
, now known as Vuze, decided to design and simultaneously implement a new, open protocol obfuscation method, called message stream encryption (MSE). It was included in Azureus CVS snapshot 2307-B29 on 19 January 2006.
This first draft was heavily criticized since it lacked several key features. After negotiations between different BitTorrent developers a new proposal was written and then implemented into the Azureus
Vuze
Vuze is a BitTorrent client used to transfer files via the BitTorrent protocol. Vuze is written in Java, and uses the Azureus Engine. In addition to downloading data linked to by .torrent files, Azureus allows users to view, publish and share original DVD and HD quality video content...
and µTorrent betas within days. In µTorrent, the new protocol was called protocol encryption (PE).
MSE/PE in BitTorrent client versions
- aria2 supports MSE/PE as of aria2-0.13.0.
- BitComet version 0.63 was released 7 March 2006. It removed the old protocol header encryption and implemented the new MSE/PE to be compatible with Azureus and µTorrent.
- BitTornadoBitTornadoBitTornado is a free BitTorrent client for transfer of computer files over networks, including the Internet. It is developed by John Hoffman, who also created its predecessor, Shad0w's Experimental Client...
supports MSE/PE as of build T-0.3.18. As of January 5, 2007, this build is still marked "experimental" on the Download page. - BitTorrentBitTorrent clientBitTorrent is a peer-to-peer program developed by Bram Cohen and BitTorrent, Inc. used for uploading and downloading files via the BitTorrent protocol. BitTorrent was the first client written for the protocol. It is often nicknamed Mainline by developers denoting its official origins. Since version...
(Mainline) supports MSE/PE since version 4.9.2-beta on May 2, 2006. - Deluge supports MSE/PE as of Deluge-0.5.1.
- KTorrentKTorrentKTorrent is a BitTorrent client written in C++ for KDE using the Qt user interface toolkit. It is maintained in the KDE Extragear.- Features :*Upload and download speed capping / throttling & scheduling...
implemented MSE/PE in SVN version 535386 on April 29, 2006. - rTorrentRTorrentrTorrent is a text-based ncurses BitTorrent client written in C++, based on the libTorrent libraries for Unix, whose author's goal is “a focus on high performance and good code”...
supports MSE/PE as of rTorrent-0.7.0. - Transmission supports MSE/PE as of Transmission-0.90.
- VuzeVuzeVuze is a BitTorrent client used to transfer files via the BitTorrent protocol. Vuze is written in Java, and uses the Azureus Engine. In addition to downloading data linked to by .torrent files, Azureus allows users to view, publish and share original DVD and HD quality video content...
(formerly Azureus) supports the final spec since 25 January 2006 (CVS snapshot 2307-B33). Azureus version 2.4.0.0 was released 10 February 2006, and was the first stable version of a client to support MSE/PE. However, glitches in Azureus' implementation resulted in improperly encrypted pieces that failed hash checking. The glitches were rectified as of version 2.4.0.2. - µTorrent premiered MSE/PE 4 days after Azureus with beta 1.4.1 build 407. µTorrent version 1.5 (build 436) was released on 7 March 2006; it was the first stable version of µTorrent with PE.
Operation
The BitComet PHE method used in versions 0.60 to 0.62 is neither published, nor is it compatible with MSE/PE.MSE/PE uses key exchange
Diffie-Hellman key exchange
Diffie–Hellman key exchange Synonyms of Diffie–Hellman key exchange include:*Diffie–Hellman key agreement*Diffie–Hellman key establishment*Diffie–Hellman key negotiation...
combined with the infohash of the torrent to establish an RC4
RC4
In cryptography, RC4 is the most widely used software stream cipher and is used in popular protocols such as Secure Sockets Layer and WEP...
encryption key. The key exchange helps to minimize the risk of passive listeners, and the infohash helps avoid man-in-the-middle attack
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...
s. RC4 is chosen for its speed. The first kilobyte of the output is discarded to prevent the Fluhrer, Mantin and Shamir attack.
The specification allows the users to choose between encrypting the headers only or the full connection. Encrypting the full connection provides more obfuscation but uses more CPU time.
To ensure compatibility with other clients that don't support this specification, users may also choose whether unencrypted incoming or outgoing connections are still allowed.
Supported clients propagate the fact that they have MSE/PE enabled through PEX
Peer exchange
Peer exchange or PEX is a communications protocol that augments the BitTorrent file sharing protocol. It allows a group of users that are collaborating to share a given file to do so more swiftly and efficiently....
and DHT
Distributed hash table
A distributed hash table is a class of a decentralized distributed system that provides a lookup service similar to a hash table; pairs are stored in a DHT, and any participating node can efficiently retrieve the value associated with a given key...
.
Security
The estimated strength of the encryption corresponds to about 60–80 bits for common symmetrical ciphers. Cryptographically, this effective keylength is quite low, but appropriate in that the protocol was not designed as a secure transport protocol but rather as a fast and efficient obfuscation method. AESAdvanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
was proposed as the encryption method but not adopted because it consumed too much CPU time and the required Diffie–Hellman
Diffie-Hellman key exchange
Diffie–Hellman key exchange Synonyms of Diffie–Hellman key exchange include:*Diffie–Hellman key agreement*Diffie–Hellman key establishment*Diffie–Hellman key negotiation...
keys to achieve a security equal to AES would have been much bigger or require elliptic curve cryptography
Elliptic curve cryptography
Elliptic curve cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S...
, making the handshake more expensive in terms of used CPU time.
Effectiveness
Some ISPs are now using more sophisticated measures (e.g. pattern/timing analysis or categorizing ports based on side-channel data) to detect BitTorrent traffic. This means that even encrypted BitTorrent traffic can be throttled. However, with ISPs that continue to use simpler, less costly methods to identify and throttle BitTorrent, the current solution remains effective.Analysis of the BitTorrent protocol encryption (a.k.a. MSE) has shown that statistical measurements of packet sizes and packet directions of the first 100 packets in a TCP session can be used to identify the obfuscated protocol with over 96% accuracy.
Remains vulnerable to disrupted peer traffic
The SandvineSandvine
Sandvine Incorporated , in Waterloo, Ontario, Canada.Sandvine network policy control products are designed to implement broad network policies, ranging from service creation, billing, congestion management, and security...
application uses a different approach to disrupt BitTorrent traffic that makes seeding impossible. The Sandvine application intercepts peer-to-tracker communication to identify peers based on the IP address and port numbers in the peer list returned from the tracker. When Sandvine later sees connections to peers in the intercepted peer lists, it may (according to policy) break these connections by sending counterfeit TCP resets. Various solutions exist to protect against Sandvine's attack including encrypting both peer-to-tracker and peer-to-peer communication, using Microsoft's Teredo
Teredo tunneling
In computer networking, Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network...
so that TCP connections are tunneled within UDP packets, filtering TCP resets before they reach the TCP layer in the end-host, or switching entirely from a TCP-based transport to a UDP-based transport. Each solution has its trade-offs. Filtering out TCP resets typically requires kernel access, and the participation of the remote peer since Sandvine sent the reset packet to the local and remote peers. Teredo is not available on all BitTorrent clients. Rewriting TCP reliability, in-order delivery and congestion control in a new UDP protocol represents a substantial engineering effort and would require upgrading both ends of any peer-to-peer connection. Increasing robustness to TCP resets solves Sandvine's attack, but it does not prevent internet applications from using the peer lists to perform other attacks such as blocking peer-to-peer connections completely. Encryption also won't stop a traffic shaping system configured to universally slow down all encrypted, unidentifiable or unknown protocols using a method as simple as packet loss. Encrypting tracker communications prevents eavesdropping on peer lists and does not require upgrading both ends of peer-to-peer connections, but it requires imposing computational overhead on the tracker.
Criticism
Bram CohenBram Cohen
Bram Cohen is an American computer programmer, best known as the author of the peer-to-peer BitTorrent protocol, as well as the first file sharing program to use the protocol, also known as BitTorrent...
, the inventor of BitTorrent, opposed adding encryption to the BitTorrent protocol. Cohen stated he was worried that encryption could create incompatibility between clients. He also stressed the point that the majority of ISPs don't block the torrent protocol. Cohen wrote "I rather suspect that some developer has gotten rate limited by his ISP, and is more interested in trying to hack around his ISP's limitations than in the performance of the internet as a whole". Many BitTorrent community users responded strongly against Cohen's accusations.
Cohen later added the ability to receive but not originate encrypted connections on his Mainline client. Notably, when µTorrent was purchased by BitTorrent, Inc. and then became the next mainline release, the ability to originate encrypted connections was retained, but it became turned off by default.
External links
- Description on the official Azureus wiki
- ISPs that shape BitTorrent on the official Azureus wiki
- "BitTorrent End to End Encryption and Bandwidth Throttling - Part I" (Interview with µTorrent developers by Slyck News)
- "BitTorrent End to End Encryption and Bandwidth Throttling - Part II" -(Interview with Azureus developers)
- "BitTorrent and End to End Encryption" -(SlashdotSlashdotSlashdot is a technology-related news website owned by Geeknet, Inc. The site, which bills itself as "News for Nerds. Stuff that Matters", features user-submitted and ‑evaluated current affairs news stories about science- and technology-related topics. Each story has a comments section...
) - "Tracker Peer Obfuscation" - (BitTorrent)
- Identifying the Message Stream Encryption (MSE) protocol
- Block P2P Traffic on a Cisco IOS Router using NBAR Configuration Example, Cisco.