Onion routing is a technique for anonymous communication over a computer network. Messages are encrypted repeatedly and then sent through several network nodes called onion routers. Each router removes one layer of encryption to uncover its routing instructions and forwards the message to the next router, where the process repeats. Thus no intermediate node learns the source, the destination and the content of a message at the same time.
Onion routing was developed by Michael Reed, Paul Syverson and David Goldschlag, and is patented by the U.S. Navy in United States Patent No. 6,266,704 (filed 1998). As of 2009, the anonymous Tor network is the dominant technology that uses onion routing.
Features
The goal of onion routing is to preserve the anonymity of the sender and the receiver of a message and to protect the contents of the message while it travels across the network.
Onion routing works on the principle of Chaum's mix networks: messages are transmitted from the source to the destination through a sequence of proxies ("onion routers") that forward the message along an unpredictable route. To prevent an attacker from eavesdropping on messages, they are encrypted on every link between routers. The advantage of onion routing (and of mix networks in general) is that no single participating router needs to be trusted. Even if one or more of them is compromised, an anonymous connection can still be established. This is achieved because each router in the network receives messages, re-encrypts them and sends them on to another onion router. An attacker who can monitor every onion router on a network could in theory trace the path of a message through it, but the task is greatly complicated even when the attacker controls one or more routers on the message's path.
Onion routing does not guarantee the anonymity of the sender or recipient against every potential observer: a local observer can see everything that is sent to or received from a given computer. What it provides is a high degree of unlinkability, making it difficult for an eavesdropper to determine both who sends a message and who receives it. Onion routing therefore does not offer an absolute guarantee of secrecy but rather a continuum, in which the degree of secrecy is mainly a function of the number of participating routers relative to the number of compromised or malicious routers.
Routing
The originator of the transmission (the onion proxy) selects a chain of intermediate routers and prepares a layer for each of them, encrypted under a symmetric key shared with that router and stating which router is next on the path. To obtain the symmetric key ("session key") with each intermediate router, an initial connection is established using that router's public key, through the routers that precede it in the chain. As a result, the messages transmitted along the chain have a "layered" structure in which the outer layers must be decrypted before the inner layer becomes accessible.
Each router that receives the message "peels" one layer of the onion: it decrypts the message with its session key and recovers the routing instructions meant for it together with the still-encrypted message for the routers further down the chain. The last router removes the last encryption layer and delivers the message to the addressee. The established chain remains usable for two-way data transfer for a period of time.
The recipient of a request can send a response back along the same chain without harming the anonymity of either party. In this direction the encryption layers "grow" instead: each router adds one on the way back until the response reaches the sender of the request. The sender holds all the session keys used in the chain and can therefore strip every layer, from the outermost, added by the router closest to the sender, to the innermost, added by the router closest to the recipient.
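The forward and reverse procedure described above, as an added worked example in Python. It is not code from the original onion routing implementation or from Tor. It assumes that the session keys have already been established with each router (the public-key handshake is elided and replaced by random keys), a fixed 16-byte next-hop field padded with NUL bytes, and a toy stream cipher built from HMAC-SHA256 in counter mode in place of a real block cipher; all three are assumptions made for illustration only.

```python
import hashlib
import hmac
import os
import struct

HOP_FIELD = 16   # assumed fixed-width next-hop field, NUL padded
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumed): HMAC-SHA256 counter-mode keystream XORed
    into the data. Encryption and decryption are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer: fresh nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Strip one encryption layer added by wrap() under the same key."""
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def make_session_keys(path):
    """Stand-in for the per-router public-key handshake: one random session key
    per router, known to the sender and to that router only."""
    return {router: os.urandom(32) for router in path}


def build_onion(path, session_keys, destination, payload):
    """Sender side: innermost layer first. Only the last router's layer names
    the destination; every other layer names just the next router."""
    hops = path + [destination]
    onion = payload
    for i in range(len(path) - 1, -1, -1):
        next_hop = hops[i + 1].encode().ljust(HOP_FIELD, b"\0")
        onion = wrap(session_keys[path[i]], next_hop + onion)
    return onion


def peel(router, session_keys, onion):
    """Router side: strip this router's layer, read its own routing instruction,
    return (next hop, what is forwarded). Nothing inside is readable to it."""
    inner = unwrap(session_keys[router], onion)
    next_hop = inner[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, inner[HOP_FIELD:]


def forward(path, session_keys, destination, payload):
    """Simulate the whole forward transmission. Returns what the destination
    receives and a trace of (router, next hop it learned)."""
    onion = build_onion(path, session_keys, destination, payload)
    trace, current = [], path[0]
    while current != destination:
        next_hop, onion = peel(current, session_keys, onion)
        trace.append((current, next_hop))
        current = next_hop
    return onion, trace


def build_reply(path, session_keys, response):
    """Reverse direction: the router nearest the recipient wraps first, so the
    layers grow on the way back and the first router's layer is outermost."""
    blob = response
    for router in reversed(path):
        blob = wrap(session_keys[router], blob)
    return blob


def open_reply(path, session_keys, blob):
    """Sender holds every session key and strips layers outermost-in."""
    for router in path:
        blob = unwrap(session_keys[router], blob)
    return blob


if __name__ == "__main__":
    circuit = ["OR1", "OR2", "OR3"]
    keys = make_session_keys(circuit)
    received, trace = forward(circuit, keys, "DEST", b"hello")
    print("destination received:", received, "| hops:", trace)
    print("sender decrypted reply:", open_reply(circuit, keys, build_reply(circuit, keys, b"world")))
```

Note that each intermediate router sees only a nonce and ciphertext for everything beyond its own next-hop field, and that the reply never carries addresses at all: the chain itself is the return route, which is why the recipient need not know the sender.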
Weaknesses
Onion routing has several weaknesses. First, it does not protect against timing analysis. If an attacker monitors a lightly loaded onion router, he can link incoming to outgoing messages by observing how close in time each message was received and forwarded. This can be mitigated by buffering several messages and releasing them on a pseudo-random schedule.
Onion routing networks are also vulnerable to intersection and predecessor attacks. Intersection attacks exploit the fact that onion routers periodically go down or leave the network while new routers join it. Any path that keeps working cannot pass through routers that have gone down or through routers that joined the network only recently, so each observation narrows the set of candidate routers. In the predecessor attack, an attacker who controls an onion router observes sessions as they go through several path rebuilds. By watching how the path changes over several rebuilds, he obtains an increasingly clear view of the first router in the chain.
Onion routing cannot protect data passing through the exit nodes, whose operators have full access to the transmitted content (via sniffing), so onion networks should not be used to transmit personal information without end-to-end cryptography such as TLS. Swedish researcher Dan Egerstad managed to collect about a hundred mailbox passwords belonging to foreign embassies by sniffing [1].
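An added example (not from the page's sources) that simulates the timing attack above against a single lightly loaded router and the batching countermeasure. The traffic, the 1 ms processing delay, the batch size and the random release delay are all constructed assumptions. The observer sees only arrival and emission times and order, never message identities; the simulation uses the identities only to score the observer's guesses.

```python
import random

PROCESS_DELAY = 0.001  # assumed time a naive router needs to strip one layer (s)


def arrivals(n, mean_gap, rng):
    """Constructed traffic: n incoming cells with exponentially distributed gaps.
    Each entry is (arrival time, true id)."""
    t, ins = 0.0, []
    for i in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        ins.append((t, i))
    return ins


def naive_router(ins):
    """Forward every cell as soon as its layer is stripped: emission order and
    timing mirror arrival order and timing almost exactly."""
    return [(t + PROCESS_DELAY, i) for t, i in ins]


def batching_router(ins, batch_size, max_delay, rng):
    """Threshold mix: hold cells until batch_size have arrived, then release the
    whole batch at once, in shuffled order, after an extra random delay."""
    outs = []
    for start in range(0, len(ins), batch_size):
        batch = ins[start:start + batch_size]
        release = batch[-1][0] + rng.uniform(0.0, max_delay)
        ids = [i for _, i in batch]
        rng.shuffle(ids)
        outs.extend((release, i) for i in ids)
    return outs


def link_by_timing(ins, outs):
    """Observer's heuristic: attribute each emitted cell, in emission order, to the
    most recent not-yet-attributed arrival that precedes it. Returns
    {true id of emitted cell: guessed id}; the true id is used only for scoring."""
    pending = list(ins)
    guesses = {}
    for out_t, true_id in outs:
        candidates = [k for k, (t, _) in enumerate(pending) if t <= out_t]
        if not candidates:
            continue
        _, guessed_id = pending.pop(candidates[-1])
        guesses[true_id] = guessed_id
    return guesses


def linking_accuracy(ins, outs):
    """Fraction of emitted cells the observer matched to the right arrival."""
    guesses = link_by_timing(ins, outs)
    return sum(1 for true_id, g in guesses.items() if true_id == g) / len(outs)


def compare(n=400, seed=7):
    """Run both routers on the same lightly loaded traffic (mean gap 2 s)."""
    rng = random.Random(seed)
    ins = arrivals(n, mean_gap=2.0, rng=rng)
    naive = linking_accuracy(ins, naive_router(ins))
    mixed = linking_accuracy(ins, batching_router(ins, batch_size=8, max_delay=1.0, rng=rng))
    return naive, mixed


if __name__ == "__main__":
    naive, mixed = compare()
    print(f"linking accuracy: naive router {naive:.2f}, batching router {mixed:.2f}")
```

With a batch of eight and a shuffled release the observer is reduced to roughly guessing one cell in eight, at the price of holding cells back; that delay is exactly what low-latency designs such as Tor decline to pay, which is why they remain exposed to this class of analysis.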
Applications
Tor
On August 13, 2004, at the 13th USENIX Security Symposium, Roger Dingledine, Nick Mathewson and Paul Syverson presented Tor, the second-generation onion router.
Tor is not covered by the original onion routing patents, as it uses a telescoping circuit construction. Tor provides perfect forward secrecy and performs protocol cleaning outside the onion routing layer, transporting mostly TCP streams. It also provides low latency, directory servers, end-to-end integrity checking, and configurable exit policies for routers. Reply onions have been replaced by a rendezvous system, which makes hidden services and websites possible. .onion, a pseudo top-level domain, is used for addressing on the Tor network.
Tor's source code is published under the BSD license [2]. As of September 2014, there were more than 6,000 public onion routers [3].
See also
- Garlic Routing
Notes
- ↑ Security expert used Tor to collect government e-mail passwords. Retrieved September 21, 2016.
- ↑ The Tor Project, Inc. LICENSE. torproject.org. Retrieved September 5, 2014.
- ↑ The Tor Project, Inc. Tor Metrics: Servers (dead link). torproject.org. Retrieved September 5, 2014. Archived December 25, 2010.
Research
- Michael G. Reed, Paul F. Syverson, David M. Goldschlag. Anonymous Connections and Onion Routing. USA: Naval Research Laboratory. 15 p.
- Paul Syverson, Gene Tsudik, Michael Reed, Carl Landwehr. Towards an Analysis of Onion Routing Security. USA: Naval Research Laboratory. 19 p.
Related Books
- Email Security, Bruce Schneier (ISBN 0-471-05318-X)
- Computer Privacy Handbook, Andre Bacard (ISBN 1-56609-171-3)