Network communications are increasingly becoming the target of surveillance and censorship. One natural defense is to use traditional cryptographic protocols: traditional encryption incurs low overhead and does a good job of providing privacy. However, because encryption is so effective, many governments (e.g., Iran, Pakistan, and China) are willing to block state-of-the-art cryptographic protocols such as TLS and SSH.
Figure 1: A government can easily identify that a client and server are using an encryption protocol, and refuse the connection.
Format-Transforming Encryption (FTE) is a novel cryptographic primitive that extends traditional encryption. Traditional cryptographic primitives take a key and a message as input, and output an unformatted ciphertext. FTE takes a key, message and format (a compact set descriptor) as input and outputs a ciphertext in the format set. As an example, a format may describe the set of valid messages from an uncensored protocol, such as HTTP.
The software that realizes Format-Transforming Encryption, fteproxy, bootstraps FTE to relay arbitrary data streams. fteproxy uses regular expressions to describe and transmit messages from an uncensored protocol (e.g., HTTP), but may actually be relaying a censored protocol (e.g., Tor, TLS, SSH, etc.). To a government, traffic looks like HTTP, even though it may actually be a censored protocol.
Figure 2: fteproxy transparently encrypts communications such that a censored protocol looks like an uncensored protocol.
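One way to place ciphertext inside a format, as described above, is to treat the ciphertext as an integer and unrank it into the language of a DFA. The Python below is an added illustration, not fteproxy's own code. It assumes the ciphertext bytes come from a conventional cipher, uses a hand-built DFA for the constructed format `GET /[a-z0-9]+ HTTP/1.1` at a fixed length of 64, and all function names are hypothetical.

```python
# Added illustration, not fteproxy code; all names here are assumptions.
import string

def build_format(prefix, body, suffix, n):
    # DFA for prefix + body-char+ + suffix (stand-in for a compiled regex).
    delta = {i: {ch: i + 1} for i, ch in enumerate(prefix)}
    q = len(prefix)
    delta[q] = {c: q + 1 for c in body}
    delta[q + 1] = {c: q + 1 for c in body}       # self-loop on body chars
    for i, ch in enumerate(suffix, q + 1):        # suffix[0] must not be in body
        delta[i][ch] = i + 1
        delta[i + 1] = {}
    # T[i][s] = number of length-i strings leading from state s to accept.
    T = [{s: int(s == q + 1 + len(suffix)) for s in delta}]
    for _ in range(n):
        T.append({s: sum(T[-1][t] for t in delta[s].values()) for s in delta})
    return delta, T, n

def unrank(k, fmt):
    # Integer k -> the k-th length-n string of the format, in sorted order.
    delta, T, n = fmt
    if not 0 <= k < T[n][0]:
        raise ValueError("ciphertext exceeds format capacity")
    q, out = 0, []
    for i in range(n - 1, -1, -1):
        for ch in sorted(delta[q]):
            c = T[i][delta[q][ch]]
            if k < c:
                break
            k -= c
        out.append(ch)
        q = delta[q][ch]
    return "".join(out)

def rank(s, fmt):
    # Inverse of unrank for a length-n string; KeyError if s leaves the DFA.
    (delta, T, n), q, k = fmt, 0, 0
    for i, ch in enumerate(s):
        k += sum(T[n - i - 1][delta[q][o]] for o in delta[q] if o < ch)
        q = delta[q][ch]
    return k

def to_format(ct, fmt):
    return unrank(int.from_bytes(b"\x01" + ct, "big"), fmt)  # 0x01 keeps leading zeros

def from_format(s, fmt):
    k = rank(s, fmt)
    return k.to_bytes((k.bit_length() + 7) // 8, "big")[1:]

HTTP_LIKE = build_format("GET /", string.ascii_lowercase + string.digits, " HTTP/1.1", 64)
```

The capacity check in `unrank` is the practical limit of a format: this one holds 36^50 distinct strings, so a ciphertext that maps to a larger integer has to be split across several messages.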
fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems. For more details, please see the paper listed below.
Format-Transforming Encryption, the foundation for fteproxy, was developed in a collaboration between Portland State University, University of Wisconsin-Madison and RedJack LLC.
The paper Protocol Misidentification Made Easy with Format-Transforming Encryption was presented in November 2013 at CCS 2013 in Berlin, Germany.
The fteproxy application is authored and maintained by Kevin P. Dyer.
Kevin P. Dyer, Scott E. Coull, Thomas Ristenpart and Thomas Shrimpton. Protocol Misidentification Made Easy with Format-Transforming Encryption. In the proceedings of the ACM Conference on Computer and Communications Security (CCS), 2013.
Iran Blocks 'Illegal' VPNs, Google, and Yahoo. Slashdot. March 2013.
Pakistan Bans Encryption. Slashdot. August 2011.
VPN Providers Say China Blocks Encryption Using Machine Learning Algorithms. Slashdot. December 2012.
Transport Layer Security. Wikipedia.
Secure Shell. Wikipedia.
The Bro Network Security Monitor.
Yet Another Flowmeter.