KR101578613B1 - Method and System for to Mutual Security Ecosystem to Guarantee Anonymity and Censor Block Protect - Google Patents

Abstract

Disclosed are a method and a system for sensor blocking prevention and anonymity guarantee coexistence security ecosystem. The disclosed system comprises: a plurality of blocking ISPs for providing an anonymous service to a volunteer in a free ISP from a user in a blocking ISP; a plurality of free ISPs for providing a blocking prevention and anonymous service to the user in the blocking ISP from the volunteer of the free ISP; and a symbiosis server for processing a relay traffic transferred from a volunteer node, and transferring a web response to the user by assuming the volunteer node.

Description

[0001] The present invention relates to a method and a system for mutual security ecosystem,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an Internet bypassing technology and an online anonymity assurance system and method.

The initial blocking system was very simply blocking based on the IP address of the blocking web site, but it evolved intelligently due to the emergence of corresponding blocking bypassing techniques. Currently, the most advanced blocking system performs blocking functions in multiple angles by performing DNS hijacking, deep packet inspection, etc. in addition to IP address blocking. It also blocks all IP addresses that are suspected as blocked bypass routes, such as a proxy server providing a blocking bypass service and a relay node of Tor that performs anonymity service, instead of only blocking the IP address of the blocking Web site. The existing countermeasures against censoring and blocking systems are as follows.

Proxy - based techniques are the most widely used methods of censorship, blocking defense, and anonymity service, in which users fetch content from a web server through a proxy server. Since the proxy server accesses the web server on behalf of the user, the web server can not know the IP address of the actual user. In addition, since the user does not establish a direct connection with the web server (when encrypting the traffic between the proxy and the user), the user can prevent censoring and blocking of the Internet Service Provider (ISP). Typical proxy-based services include Anonymizer.com, UntraSurf, ZenMate, and ProVPN. VPN services can also be classified as a proxy-based service.

Network infrastructure-based techniques are also called decoy routing, which is a censorship and blocking defense scheme proposed by nearly three universities and research institutes in the US at the same time. The user tries to connect to the unblocked general web site to avoid the blocking of the ISP and the actual traffic is transmitted to the hidden proxy through the deflecting router strategically placed on the route. Unlike the existing proxy method, the proxy service can be bypassed because the proxy service is not exposed to the ISP. Also, the user can encrypt the traffic using the hidden proxy server and TLS (Transport Layer Security) You can defend.

The VoIP imitation technique is a censorship and blocking defense technique proposed by several university universities in the US Recently, traffic from blocked Web sites was manipulated as VoIP (Voice-over-IP) traffic like Skype, It is a way to avoid. Typically, the proposed VoIP imitation techniques are Censor Spoofer, FreeWave, SkypeMorph, and the like. The user sends an HTTP request to the proxy server through an indirect channel (via an email service such as MailMyWeb.com), and the proxy server sends the HTTP response received from the blocked site to the user as if it were VoIP traffic .

At this time, the proxy server does source IP spoofing and does not reveal its own IP address, thereby avoiding blocking of the ISP. In addition, reliability problems may arise because UDP is used instead of TCP to mimic VoIP traffic. Therefore, by adding an FEC (Forward Error Correction) code and transmitting it, it is possible to reduce the influence due to the reliability problem.

In order to compensate for the disadvantages of the proxy-based scheme, the user-based scheme is not directly connected to the proxy server but receives the service through the connection to the volunteer node acting as a relay. Typical volunteer-based techniques are Tor (anonymity service) and SafeWeb (blocking service). Because both of these techniques do not directly connect to the proxy, it is not easy for the ISP to block it if there are enough volunteers. In the case of Tor, after connecting a volunteer node in a chain manner, an onion routing method is used to transmit a packet, so that no node on a route other than a user can know which user is visiting a web site.

The problem with this proxy-based technique is that the user's proxy service usage is exposed to the ISP. Since the IP address of the proxy server is public, when the user accesses the proxy server, the ISP can judge whether or not to use the proxy service through packet inspection. In addition, the ISP can block the use of the user's proxy service. If your ISP includes the proxy server's IP address in the blacklist, you can block users from using the proxy service at all. Then, the user information may be exposed to the proxy server. Since the proxy server acts as the intermediary between the user and the web server, the proxy server can know which user visits which web site.

The problem with the network infrastructure based technique is that it is difficult to deploy the bypass router. Because the bypass router intercepts user traffic in the middle of the path but is not located inside the user's ISP, it is difficult to find a location on the network shared by many paths of many users. There is also a realistic difficulty in recruiting participating ISPs. In order to strategically locate the bypass router, it is necessary to assist the participating ISP, such as installing a bypass router inside the ISP which does not intercept. In other words, it is very difficult to obtain sufficient number of participating ISPs because there is no benefit for these participating ISPs, although they need to invest at the ISP level. Then, the user information may be exposed to the proxy server. Like the existing proxy technique, the proxy server of the network infrastructure based technique can also know which user visits which web site.

The problem of VoIP imitation technique is that HTTP traffic is transmitted through UDP, which can cause reliability problems. In the VoIP imitation technique, the lack of the reliability function of UDP is compensated by the FEC method. However, according to a recent study by a US university, real VoIP users are not significantly affected by ISP's selective destruction of 10-15% of VoIP traffic, but HTTP traffic mimicking VoIP is not guaranteed to be reliable with FEC And thus can not receive complete content from the blocked site. Also, the transmission speed is very slow due to VoIP imitation. Since the bandwidth of the VoIP codec is approximately 64 Kbps, the transmission rate of the HTTP response from the proxy to the user also maintains 64 Kbps. Compared with other censoring and blocking techniques, the user's web browsing satisfaction is significantly degraded due to the significantly slower transmission speed. Then, the user information may be exposed to the proxy server. Like the existing proxy technique, the proxy server of the VoIP mimic technique can know which user visits which website.

The problem with volunteer-based techniques is that they provide services unilaterally. The volunteer node unilaterally provides its bandwidth and CPU to the user in order to relay the user's traffic. Since volunteers do not have the benefit of providing these services, it is not easy to recruit more volunteers. In fact, securing sufficient volunteers is the hardest thing, and SafeWeb has declined due to lack of critical volunteers and is currently out of service. In addition, the ISP may block some volunteer nodes. In theory, if there are a very large number of volunteer nodes, it is impossible or extremely difficult for an ISP to block all these nodes. However, in a situation where it is not easy to recruit more than the number of good volunteers, the ISP can easily identify and block most volunteer nodes. According to a Swedish university study, Tor currently has about 5,000 volunteer nodes around the world, but most of them are blocked in China's censorship system (the Great Firewall of China). In the past, China has also succeeded in blocking SafeWeb, which has not secured the number of critical volunteers. And, the transmission speed is slow due to the long chain type connection structure. In the case of Tor, at least three volunteer nodes exist as a relay role in the path between the user and the web server to provide anonymity service. Since the relay node also decodes and encrypts the forwarding packet, the HTTP response time may be delayed by the number of the resource nodes on the path. Therefore, the user's web browsing satisfaction is degraded due to the slow transmission speed compared with other screening and blocking techniques.

SUMMARY OF THE INVENTION The present invention provides a method and system for solving the problems of the prior art in which an intention to use a censoring and blocking defense service by a user is exposed to an ISP. It is aimed to solve problems that are difficult to implement due to the need to invest in censorship and blocking defense tools at each ISP level. In addition, due to the reliability problem caused by UDP transmission, the problem of user satisfaction degradation, inability to block the bypass, and inability to block the bypass due to the fundamental limitation of good volunteer recruitment is solved. In addition, the problem of lowering the user satisfaction due to the lowered HTTP response speed is solved.

In one aspect, the method for inspecting blocking and anonymity proposed in the present invention is such that a volunteer node in a free ISP is provided with anonymity service from a user in a blocking ISP, and a user in the blocking ISP is notified from a volunteer node Blocking defense and anonymity service, and simultaneously performing a screening blocking defense and anonymity guarantee through the bidirectional service of the free ISP and the blocking ISP.

The provision of the anonymity service may be provided by the traffic of the volunteer node in the free ISP being sent to the user in the blocking ISP in which the volunteer node in the free ISP is serving.

A volunteer ecosystem of the number of volunteer nodes above the number of volunteer nodes can be secured by participating in a volunteer node in the free ISP.

The provision of the anonymity service may allow the volunteer server to process the actual work and deliver the web response to the user by impersonating the volunteer node by passing the relay traffic to the symbiotic server without directly processing the relay traffic.

A user in the blocking ISP can be provided with a blocking defense and anonymity service from a volunteer in the free ISP by reaching the symbiosis server through a priority connection to the volunteer node in the free ISP in which the user acts as a relay.

Wherein the step of simultaneously performing the inspection blocking defense and the anonymity guarantee through the bidirectional service of the free ISP and the blocking ISP is performed by using a relay connection structure having a predetermined minimum length and a cryptographic technique according to the relay connection structure, Anonymity service can be provided.

According to another aspect of the present invention, there is provided a system for inspecting blocking and anonymity of a free ISP, comprising: a plurality of blocking ISPs for providing anonymity service from a user in a blocking ISP to a volunteer node in a free ISP; A plurality of free ISPs for providing blocking defense and anonymity services from volunteer nodes in the free ISP; a symbiosis server for processing relay traffic received from the volunteer node and delivering a web response to the user impersonating the volunteer node .

The plurality of blocking ISPs may provide traffic to the volunteer node in the free ISP to a user in the blocking ISP providing the service by the volunteer node in the free ISP to provide anonymity service.

A volunteer ecosystem of the number of volunteer nodes above the number of volunteer nodes can be secured by participating in a volunteer node in the free ISP.

The plurality of free ISPs can reach the symbiosis server through a priority connection to the volunteer node in the free ISP in which the user acts as a relay.

The symbiotic server can pass the web response to the user by processing the actual work and impersonating the volunteer node by passing the volunteer server to the symbiotic server without directly processing traffic to the relay.

The inspection block defense and anonymity assurance system may provide the inspection block defense and anonymity service using a relay connection structure having a predetermined minimum length and an encryption technique according to the relay connection structure.

According to another aspect of the present invention, there is provided a system for ensuring inspection and blocking protection and anonymity proposed in the present invention is a system for processing relay traffic received from a volunteer node in a free ISP and transmitting a web response to the user by impersonating the volunteer node An anonymity service is provided from a user in the blocking ISP to the volunteer node in the free ISP, and a user in the blocking ISP is provided with a blocking defense and anonymity service from the volunteer node in the free ISP .

Recently, Internet users are increasingly aware of the importance of personal information security and anonymity in their everyday lives, while getting to know about security incidents such as personal information leaks that have occurred in recent days. In addition, over 70% of the world's Internet users are censored and blocked, and most intelligent censorship systems are used to disable most of the blocking techniques. A huge number of Internet users are still censored, blocked, It is not able to browse the web freely from exposure.

The win-win security ecosystem proposed by the present invention is an innovative paradigm that goes beyond the limitations of the conventional block defense and anonymity techniques and makes all the Internet users around the world an actual (or potential) participant of the security ecosystem. Considering the fact that Tor, the most widely used anonymity technique, is disabled in the censored countries such as China due to the limitation of volunteer recruitment, if the win-win security ecosystem proposed in this study is successfully established, It is expected to be a security system with the largest participants in the world.

FIG. 1 is a diagram for explaining the configuration and overall operation of an inspection screening defense and anonymity security win-win security ecosystem system according to an embodiment of the present invention.
FIG. 2 is an exemplary diagram illustrating a web browser of a user in a blocking ISP according to an exemplary embodiment of the present invention. Referring to FIG.
3 is an exemplary diagram for explaining web browsing of volunteers in a free ISP according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method for securing screening blocking and anonymity-guaranteeing ecosystem security according to an embodiment of the present invention.
FIG. 5 is a view for explaining two TCP connections to BH1 from the perspective of a censor according to an embodiment of the present invention.
6 is a diagram for explaining an actual TCP connection to BH1 according to an embodiment of the present invention.
FIG. 7 is a measurement result of the operation of the censorship blocking defense and the anonymity guarantee win-win security ecosystem system according to the embodiment of the present invention.

In the prior art, there may be a security problem due to the absence of a comprehensive solution of inspection, blocking defense and anonymity guarantee. In particular, all of these techniques have their own limitations in terms of blocking protection and are currently being disabled by the blocking system. The present invention aims at the worldwide practical use of a large-scale security win-win ecosystem as an integrated solution for censoring, blocking and anonymity of a new paradigm. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In the prior art, the censorship, blocking defense, and anonymity assurance are designed as independent targets, and only one of them is designed. However, using these techniques as two blended goals of censorship, blocking defense and anonymity assurance can present security problems. As a practical example, in the case of Tor, the technique is originally aimed at guaranteeing anonymity, but at present it is also used for the purpose of avoiding censorship and blocking.

(For example, exposing user information to a proxy server), and all of these techniques can be used in the viewpoint of censorship and blocking defense. It has limitations.

The present invention proposes an integrated solution for censoring, blocking, and anonymity for web browsing by setting censorship, blocking defense, and anonymity as a common goal.

FIG. 1 is a diagram for explaining the configuration and overall operation of a censoring, blocking defense, and anonymity-guaranteeing co-existence security ecosystem system according to an embodiment of the present invention.

The proposed censorship, blocking defense and anonymity guarantee The ecosystem of the win-win security ecosystem may not be exposed to the ISP's intention to use the user's censorship and blocking defense service. In order to prevent users from being exposed to the intention of using the censoring and blocking defense service, the method of reaching the proxy server through the priority connection to the volunteer node acting as a relay, rather than a method in which the user directly accesses the proxy server Structure. Because users do not connect directly to the proxy server, it is impossible for an ISP to block all these nodes if there are a large enough number of volunteer nodes.

In addition, anonymity can be guaranteed by not revealing which users visit which websites. The present invention seeks to ensure anonymity by preventing any participant or proxy server from knowing information about which user visits a website. To do this, we propose a minimum length relay connection structure and its cryptographic scheme.

The proposed censorship, blocking defense and anonymity assurance win-win security ecosystem system can include blocking ISPs (BHs) 110, free ISPs (FHs) 120 and a symbiosis server (SS)

The traffic of the volunteer node in the free ISPs (FHs) 120 is transmitted to the users in the blocking ISPs (BHs) 110 serving the volunteer nodes in the free ISPs (FHs) 120, Lt; RTI ID = 0.0 > 110 < / RTI > The volunteer ecosystem of the free ISP (FHs) 120 can be secured by participating in the system by the number of the volunteer nodes.

A free ISP (FHs) 120 may reach a symbiotic server through a first connection to a volunteer node in a free ISP (FHs) 120 in which the user acts as a relay.

A symbiosis server (SS) 130 may allow the volunteer node to pass the traffic to the symbiosis server without directly processing the traffic to the relay. Accordingly, the symbiosis server (SS) 130 may process the actual work and impersonate the volunteer node to deliver the web response to the user.

Such an inspection screening defense and anonymity screening system can provide an inspection screening defense and anonymity service using a relay connection structure having a predetermined minimum length and an encryption technique according to the relay connection structure.

Referring to FIG. 1, BH1 111, BH2 112, BH3 113, BH4 114 ... indicate web browsing users residing in blocked ISPs 110. These plurality of BHs (Bee-hosts) 111, 112, 113 and 114 are intended to make unobservable communication with an anonymous target website.

FH1 121, FH2 122, FH3 123 ... indicate web browsing volunteers of free ISPs 120 wishing to connect to an anonymous target web site. The plurality of FHs (Flower-hosts) 121, 122, and 123 may be externally connected.

A symbiosis server (SS) 130 is a component of a symbiosis system having a spoofing IP source. A symbiosis server (SS) 130 interacts with FHs and BHs and proxies can communicate with the target web sites 150 via HTTP 140.

In the symbiosis server (SS) 130, all participants, that is, BHs and FHs, perform two rules. First, a suitable service for the web client can be performed for other users (i.e., other users who are in proxy communication with the target website to the symbiosis server). In addition, the symbiosis server (SS) 130 has two interesting features. For example, there may be a one-way directive (117) session between a particular pair of BH1 111 and FH2 122, as in FIG. This relationship is hidden in a symbiosis server (SS) 130. Second, the client function and transit service operate only between such a pair of participants (not for arbitrary ones), thereby sending and receiving their own web tra_c via each other. In addition, the client function and the sending service operate between the pair of participants, so that they can transmit and receive their web traffic through each session. For example, there may be a two-way Symbiotic 115 session between a particular pair of BH1 111 and FH1 121, and between a particular pair of BH4 114 and FH2 122 There may be a two-way Symbiotic 116 session. Since these particular pairs are interconnected, they can be called symbiotic relationships.

In other words, all FHs can be potential symbionts to BHs, and vice versa. For example, to join the system, BH can first make a TLS connection with the symbiont FH. This FH is essentially one of the FHs available in the system. This proper connection can be used for both symbiotic traffic. In other words, certain FHs can make SS and TLS connections exclusively for the symbiotic BH. At this time, the symbiotic relationship between BH and FH does not appear for SS. Similarly, BH can create a covert TLS connection with the SS to arrange the circuit for the symbiotic FH. For this reason, the BH may initiate a fake connection for another FH. In this case, we can simply change direction towards the SS, which we call a deflector. The SS responds directly to the BH by impersonating the IP of the deflector, not the IP address of the SS.

In the conventional voluntary scheme, the nodes participating in the censorship, blocking defense, and anonymity systems form unidirectional unidirectional relationships that provide or are unilaterally served. For example, a user always receives a service, and a volunteer node provides a relay function for inspecting, blocking, and anonymizing the user without any cost. Because of this unidirectional one-sided unbalance relationship, it is very difficult to obtain enough volunteer nodes beyond the number of good volunteer nodes. In fact, SafeWeb is declining because it can not secure the number of critical volunteer nodes and is not currently being serviced. Most of the current volunteer nodes in Tor are also blocked by China's censorship system. In the present invention, the user and the volunteer node provide bidirectional services to each other so that all of the participants form a balanced relationship and propose a mutually beneficial security ecosystem that benefits each other.

In other words, the volunteer node can be provided with anonymity service to the user. In the present invention, a bidirectional service between a user and a volunteer node is pursued in order to balance a participant and motivate a volunteer node. For example, a volunteer node belonging to an ISP that is free from censorship and blocking receives anonymity service from the user instead of providing the user with the blocking protection and anonymity service to the blocking ISP. In other words, the traffic of the volunteer node is sent to the user who provides the service, and the system is guaranteed anonymity. A volunteer node is a structure in which a large-scale volunteer ecosystem is constructed that exceeds the number of good volunteer nodes or corresponds to the number of users because the service is provided by participating in the system.

In addition, the user may be provided with a blocking defense and anonymity service to the volunteer node. A user inside the blocking ISP can provide anonymity service to the volunteer node instead of receiving blocking and anonymity services from the volunteer node outside the ISP free from blocking. A user relays traffic of a volunteer node and receives a service from a volunteer node, so that a participant can form a mutually beneficial ecosystem.

In other words, the censorship blocking defense and anonymity security win-win security ecosystem system proposed in the present invention processes a relay traffic received from a volunteer node in a free ISP and sends a web response to the user by impersonating the volunteer node . Anonymity service may be provided from the user in the blocking ISP to the volunteer node in the free ISP. In addition, a user in the blocking ISP is provided with a blocking defense and anonymity service from the volunteer node in the free ISP.

2 is an exemplary diagram illustrating web browsing of a user BH1 211 within a blocking ISP 210 according to an embodiment of the present invention.

For example, a BH1 211 with two appropriate TLS / TCP connections can be set up. One can be connected to the symbiosis FH1 220 and the other can have a covert connection with the symbiosis server 230 via the current transformer FH2 250. [ In the case of the BH Web transaction of Figure 2, the BH1 211 may use a connection with the symbian FH1 220 and may be used on a circuit that is fundamentally a SS (Symbiosis server) 230. This BH1-FH1-SS circuit can be said to be a BH1 circuit because it can be designed exclusively for BH1 (211). By using a circuit with an IP of FH1 220 that is appropriate for this inspection, BH1 211 can communicate with any target web sites 240 despite the censorship.

In other words, the BH1 211 establishes a Forward 261 connection with the FH1 220 through the HTTP request and the FH1 220 requests the SS (Symbiosis server) 230 and the relay connection 262 . The SS (Symbiosis server) 230 may communicate with the Web sites 240 via HTTP 263. The SS (Symbiosis server) 230 establishes a connection between the FH1 220 and the response relay 264 and the FH1 220 forms the connection with the BH1 211 and the response relay 265.

Also, for anonymity, the message may be encrypted with a key shared between the BH1 211 and the SS (Symbiosis server) 230 before being transmitted. This shared key can be obtained using the Diffie-Hellman key exchange through the BH1 circuit. Therefore, the identifier of the BH1 211 may not be revealed to the SS (Symbiosis server)

3 is an exemplary diagram for explaining web browsing of volunteer nodes FH1 and FH2 in a free ISP according to an embodiment of the present invention.

FH1 320 has two TLS connections: one with a connection to the symbian BH1, and the other with a connection with the SS 340. In this case, FH1 320 may use a connection with symbiotic BH1 that arranges a secret TLS session exclusively with SS 340 for FH1 320. [ Therefore it can be called FH1- circuit (FH1-BH1-SS). To provide anonymity, the messages can likewise be encrypted with keys shared between FH1 320 and SS 340 using Diffie-Hellman key exchange via FH1- circuitry. Therefore, BH1 or SS 340 can not be identified at both ends of the source (FH1 320) and destination (website 350) communications.

In other words, FH1 320 forms a forward (361) connection with BH1 via an HTTP request, and BH1 can request a relay connection (362) with FH2 330. [ FH2 330 may request the SS (Symbiosis server) 340 to deflect 363. The SS (Symbiosis server) 340 may communicate with the Web sites 350 via the HTTP 364. The SS (Symbiosis server) 340 may then spoof the IP of FH2 to form an answering relay 365 connection. And BH1 may form a connection between FH1 320 and an answering relay 366. [

The present invention seeks censorship, blocking and anonymity systems that are network infrastructure independent and compliant with prior art network protocols. In the case of network infrastructure based censorship and blocking defense techniques, other ISPs have been assisted by participating ISPs to strategically locate bypass routers. In other words, it is necessary to invest in each ISP. However, it is very difficult to obtain sufficient number of participating ISPs and there is a problem in practicality because a large cost is required. The system proposed in the present invention is intended to pursue a network infrastructure independent system that can be practically used globally after implementing the system by avoiding intervention by an ISP unit.

In addition, in the VoIP mimic method according to the related art, since the HTTP traffic is transmitted using UDP in order to imitate the VoIP, a reliability problem may arise. Also, if the ISP selectively destroys the traffic, it could cause a vulnerability in the blocking defense. According to the present invention, since the UDP transmission is avoided and SSL / TLS (Secure Socket Layer / Transport Layer Security) is used for transmission, censoring, blocking defense and anonymity transmission using TCP according to the HTTP protocol standard, We want to minimize modifications.

FIG. 4 is a flowchart illustrating a method for securing screening blocking and anonymity-guaranteeing ecosystem security according to an embodiment of the present invention.

(410) an anonymity service is provided from a user in a blocking ISP to a volunteer node in a free ISP, and the user in the blocking ISP protects the blocking node from the volunteer node in the free ISP, An anonymity service is provided 420, and a step 430 of simultaneously performing an inspecting blocking defense and anonymity guarantee through the bidirectional service of the free ISP and the blocking ISP is performed.

At step 410, the censorship blocking defense and anonymity security win-win security ecosystem method allows the volunteer node in the free ISP to receive anonymity service from the user in the blocking ISP. At this time, the provision of the anonymity service may be provided by the traffic of the volunteer node in the free ISP being sent to the user in the blocking ISP in which the volunteer node in the free ISP is providing service. The volunteer ecosystem of the free ISP can be secured by participating in the system so that the volunteer ecosystem is more than the number of the volunteer nodes. And, the volunteer node can pass the relay traffic to the symbiotic server without directly processing it. Thus, the symbiotic server may process the actual work and impersonate the volunteer node to deliver the web response to the user.

In step 420, a user in the blocking ISP can be provided with blocking protection and anonymity services from the volunteer node in the free ISP. At this time, the user can reach the symbiosis server through the priority connection to the volunteer node in the free ISP serving as the relay.

At step 430, both the free ISP and the intercepting ISP can perform both the inspecting blocking and the anonymity assurance through the bidirectional service. At this time, the censorship blocking defense and anonymity service can be provided using a relay connection structure having a predetermined minimum length and an encryption technique according to the relay connection structure.

In the prior art, when a plurality of volunteer nodes exist as a relay role in a path between a user and a web server, a delay in HTTP response time occurs, or the HTTP traffic is transmitted at a very low transmission rate of 64 Kbps, which is the bandwidth of the VoIP codec, Web browsing satisfaction was very poor. The present invention proposes a participant node connection structure that minimizes web response time.

In the present invention, a relay connection structure of a minimum length for anonymity between a user (or a participant) web browser and a web server and an encryption technique according to the connection structure are proposed to balance the satisfaction of the user's web browsing with the guarantee of the blocking defense and the anonymity have.

In addition, we seek to minimize the use of volunteer node resources within the scope of ensuring censorship, blocking protection and anonymity. To this end, the volunteer node, if possible, can pass the relay traffic to the proxy server without processing it directly. Thus, the proxy server can handle the actual work and impersonate the volunteer node (IP spoofing) to give the user a web response. In this case, from the point of view of the censor ISP, it seems that the user simply interacts with a legitimate volunteer node, thus minimizing the use of volunteer node resources while achieving the goal of blocking defenses.

FIG. 5 is a view for explaining two TCP connections to BH1 from the perspective of a censor according to an embodiment of the present invention.

Referring to FIG. 5, a censor may view a single TLS / TCP session between BH1 510 and FH1 520 (541). The inspector can then view a single TLS ' TCP session between BH1 510 and FH2 530 (542). At this time, the FH1 and FH2 IPs may be appropriate (ie, legitimate) to the inspector.

6 is a diagram for explaining an actual TCP connection to BH1 according to an embodiment of the present invention.

Referring to FIG. 6, a single TLS / TCP session shared for web traffic of BH1 610 and web traffic of FH1 620 can be confirmed (651). Then, the TLS / TCP session maintained in the BH1 610 and the SS 640 can be confirmed (652). At this time, the BH1 610 can request the relay connection with the FH2 630 and the FH2 630 can request the SS 640 to deflect. The SS 640 may communicate with Web sites. The SS 640 may then spoof the IP of the FH2 630 and form a relay connection with the BH1 610. [

FIG. 7 is a measurement result of the operation of the censorship blocking defense and the anonymity guarantee win-win security ecosystem system according to the embodiment of the present invention.

7 (a) shows the result of measuring the download time based on the HTML of the BH for each of SymBiosis 710a, Tor 720a and direct access 730a. FIG. 7 (b) BH's pull page download time is measured for SymBiosis 710b, Tor 720b, and direct access 730b. Referring to FIGS. 7 (a) and 7 (b), it can be confirmed that the download time of HTML and full page of the proposed method is faster than Tor and has a low delay time. Also, it can be seen that there is not a large difference between SymBiosis and direct access. The difference is about 1 to 2 seconds.

Next, BH (in China) and FH (in the state of Kentucky, USA) show the measurement result of download time when performing a web transaction. The main purpose of this experiment is to verify whether BH and FH affect the performance of each other by sharing the same TLS session. 7 (c) shows the results obtained by measuring the download times based on HTML of BH and FH by SymBiosis 710c, Tor 720c, and direct access 730c, ) Is a result of measuring the pull page download times of BH and FH by SymBiosis 710d, Tor 720d, and direct access 730d. The results are quite similar to the case of a single BH and we can see that BH and FH share the same TLS session so that the interactions do not affect each other's performance.

Next, we show the measurement result of download time when four BHs perform all web transactions through the same FH. 7E shows the results obtained by measuring the download time based on the HTML of the four BH and FH for each of SymBiosis 710e, Tor 720e and direct access 730e, (f) is a result of measuring the download times of four BH and FH pull pages by SymBiosis 710f, Tor 720f, and direct access 730f. When four BHs perform all Web transactions over the same FH, the download time is still similar to that of the single BH. This can explain that participants sharing the same FH do not interfere with each other's web performance.

The apparatus described above may be implemented as a hardware component, a software component, and / or a combination of hardware components and software components. For example, the apparatus and components described in the embodiments may be implemented within a computer system, such as, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA) A programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For ease of understanding, the processing apparatus may be described as being used singly, but those skilled in the art will recognize that the processing apparatus may have a plurality of processing elements and / As shown in FIG. For example, the processing unit may comprise a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as a parallel processor.

The software may include a computer program, code, instructions, or a combination of one or more of the foregoing, and may be configured to configure the processing device to operate as desired or to process it collectively or collectively Device can be commanded. The software and / or data may be in the form of any type of machine, component, physical device, virtual equipment, computer storage media, or device , Or may be permanently or temporarily embodied in a transmitted signal wave. The software may be distributed over a networked computer system and stored or executed in a distributed manner. The software and data may be stored on one or more computer readable recording media.

The method according to an embodiment may be implemented in the form of a program command that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions to be recorded on the medium may be those specially designed and configured for the embodiments or may be available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magnetic media such as floppy disks; Magneto-optical media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. For example, it is to be understood that the techniques described may be performed in a different order than the described methods, and / or that components of the described systems, structures, devices, circuits, Lt; / RTI > or equivalents, even if it is replaced or replaced.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (13)

In the method for inspecting blocking and anonymity,
The volunteer node in the free ISP receives anonymity service from the user in the blocking ISP,
The user in the blocking ISP is provided with blocking protection and anonymity service from the volunteer node in the free ISP,
And simultaneously performing a screening blocking defense and anonymity guarantee through the bidirectional service of the free ISP and the blocking ISP
Lt; / RTI >
A user in the blocking ISP is provided with blocking defense and anonymity services from volunteers in the free ISP,
The user arrives at the symbiosis server through a priority connection to a volunteer node in the free ISP serving as a relay
And a method for assuring anonymity. The method according to claim 1,
The provision of the anonymity service,
The traffic of the volunteer node in the free ISP is provided by being sent to the user in the blocking ISP providing the service by the volunteer node in the free ISP
How to defend against censorship and ensure anonymity. 3. The method of claim 2,
A volunteer ecosystem of the number of volunteer nodes is secured by participating in the system by the volunteer node in the free ISP
How to defend against censorship and ensure anonymity. The method according to claim 1,
The provision of the anonymity service,
The volunteer server processes the actual work by sending the relay traffic to the symbiotic server without directly processing the relay traffic, and transmits the web response to the user by impersonating the volunteer node
How to defend against censorship and ensure anonymity. delete The method according to claim 1,
The step of simultaneously performing the screening blocking defense and the anonymity guarantee through the bidirectional service of the free ISP and the blocking ISP,
The relay connection structure having a predetermined minimum length and the cryptographic technique according to the relay connection structure to provide the censoring blocking defense and anonymity service
How to defend against censorship and ensure anonymity.
In an inspection screening defensive and anonymity assurance system,
A plurality of blocking ISPs that provide volunteer nodes in the free ISP to provide anonymity services from users in the blocking ISP;
A plurality of free ISPs for providing a user in the blocking ISP with blocking and anonymity services from volunteer nodes in the free ISP; And
A symmetric server for processing relay traffic received from the volunteer node and for transmitting a web response to the user by impersonating the volunteer node
Lt; / RTI >
The plurality of free ISPs
The user arriving at the symbiosis server through a first connection to a volunteer node in the free ISP serving as a relay
Screening protection and anonymity guarantee system. 8. The method of claim 7,
The plurality of blocking ISPs
The traffic of the volunteer node in the free ISP is delivered to the user in the blocking ISP providing the service by the volunteer node in the free ISP to provide anonymity service
Inspection blocking defense and anonymity guarantee system. 9. The method of claim 8,
A volunteer ecosystem of the number of volunteer nodes is secured by participating in the system by the volunteer node in the free ISP
Inspection blocking defense and anonymity guarantee system. delete 8. The method of claim 7,
The symbiosis server comprises:
The volunteer node handles the actual work by delivering the traffic to the symbiosis server without directly processing the traffic to the relay, thereby conveying the web response to the user by impersonating the volunteer node
Inspection blocking defense and anonymity guarantee system. 8. The method of claim 7,
The inspecting blocking defense and anonymity assurance system includes:
Providing a censorship blocking defense and anonymity service using a relay connection structure of a predetermined minimum length and an encryption technique according to the relay connection structure
Inspection blocking defense and anonymity guarantee system. In an inspection screening defensive and anonymity assurance system,
A symbiosis server that processes relay traffic received from a volunteer node in a free ISP and transmits a web response to the user by impersonating the volunteer node
Lt; / RTI >
Anonymity service is provided from the user in the blocking ISP to the volunteer node in the free ISP,
The user in the blocking ISP is provided with blocking defense and anonymity services from volunteer nodes in the free ISP,
The user arriving at the symbiosis server through a first connection to a volunteer node in the free ISP serving as a relay
Screening protection and anonymity guarantee system.

Images