SonicALERT

Sonicwall Signatures



  Encrypted Key Exchange -- UDP Random Encryption (UltraSurf)

Category: PROXY-ACCESS      

Application: Encrypted Key Exchange      

Encrypted Key Exchange (also known as EKE) is a family of password-authenticated key agreement methods described by Steven M. Bellovin and Michael Merritt. Although several of the forms of EKE in this paper were later found to be flawed, the surviving, refined, and enhanced forms of EKE effectively make this the first method to amplify a shared password into a shared key, where the shared key may subsequently be used to provide a zero-knowledge password proof or other functions.

This application identifies randomness in TCP and UDP sessions between an application and a peer or server. Many applications that want to evade firewall detection, including Ultrasurf, Ammy Admin, Skype, Psiphon, eMule, and others, use encrypted TCP and UDP sessions. By nature, an encrypted session is just a bunch of seemingly random bytes within the transport layer payload--how the bytes are interpreted is a mystery that only the application's protocol designers know. For this reason, all encrypted sessions look alike at the firewall, and there is no way to identify from which application the encrypted TCP session is coming. Therefore, enabling prevention for these signatures--SID 5 for TCP, and SID 7 for UDP--will necessarily block any and all encrypted sessions emanating from these evasive applications. There is no way to distinguish between them.
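The following added example (not SonicWall's signature logic, which this page does not describe) shows one common way to measure payload randomness: Shannon entropy of the byte distribution. The threshold, minimum length, function names and sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

MIN_LEN = 256      # assumed: entropy estimates on shorter payloads are unreliable
THRESHOLD = 7.5    # assumed cut-off in bits per byte (the maximum is 8.0)

def shannon_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())

def classify(payload: bytes) -> str:
    """Label a transport-layer payload by how random its bytes look."""
    if len(payload) < MIN_LEN:
        return "too-short"
    return "random-looking" if shannon_entropy(payload) >= THRESHOLD else "structured"

def fake_ciphertext(label: bytes, n: int) -> bytes:
    """Constructed stand-in for an encrypted payload: SHA-256 in counter mode."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed sample payloads; none of these are captured traffic.
HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLES = {
    "app-A encrypted": fake_ciphertext(b"app-A", 1024),
    "app-B encrypted": fake_ciphertext(b"app-B", 1024),
    "plaintext HTTP": (HTTP * 22)[:1024],
    "short datagram": fake_ciphertext(b"app-A", 64),
}

def verdicts() -> dict:
    """Classification for each constructed sample."""
    return {name: classify(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16s} H={shannon_entropy(payload):.2f}  {classify(payload)}")
```

Both constructed encrypted samples receive the same verdict, which is the indistinguishability the description refers to: a randomness measure can flag the session but cannot name the application behind it.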



Relevant Information