Anonymous Connections and Onion Routing (cid:3) Paul F. Syverson, David M. Goldschlag, and Michael G. Reed Naval Research Laboratory Abstract formationfromthe connection (e.g.,byreading packet headers, tracking encrypted payloads,etc.). Any iden- Onion Routing provides anonymous connections tifying information must be passed as data through that are strongly resistant to both eavesdropping and the anonymous connections. Our implementation of tra(cid:14)c analysis. Unmodi(cid:12)ed Internet applications can anonymous connections, onion routing, provides pro- use these anonymous connections by means of prox- tection against eavesdropping as a side e(cid:11)ect. Onion ies. The proxiesmay alsomakecommunication anony- routing provides bidirectional and near real-time com- mous by removing identifying information from the munication similar to TCP/IP socket connections [6]. data stream. Onion routing has been implemented on The anonymousconnections can substitute for sockets Sun Solaris2.X withproxies for Web browsing, remote in a wide variety of unmodi(cid:12)ed Internet applications logins, and e-mail. This paper’s contribution is a de- by means of proxies. The proxies may also remove tailed speci(cid:12)cation of the implemented onion routing identifyinginformationfromthe data stream, to make system, a vulnerability analysis based on this speci(cid:12)ca- communicationanonymoustoo. tion, and performance results. Although onion routing may be used for anony- mous communication, it di(cid:11)ers from anonymous re- mailers [7, 11] in two ways: Communication is real- 1 Introduction timeandbidirectional,andtheanonymousconnections are application independent. Onion routing’s anony- mousconnections can support anonymousmailas well Privateelectroniccommunicationisbecominganin- as other applications. For example,onion routingmay creasingly important public issue. Encryption can ef- be used for anonymous Web browsing. A user may fectivelyhidethecontent ofaconversationfromeaves- wish to browse public Web sites without revealing his droppers, and this protection is being integrated into identity to those Web sites. That requires removing manysystems. But, hiding the identities of communi- information that identi(cid:12)es him from his requests to cating parties fromeavesdroppers, or fromeach other, Web servers, and removing information from the con- is usually not considered. nection itself that may identify him. Hence, anony- Who is communicating with whom, however, may mous Web browsing uses anonymized communication be sensitive too. E-mail users may wish to hide their overanonymousconnections. TheAnonymizer[1]only addresses. Anonymous cash is not anonymous if the anonymizesthe data stream,not the connection itself. communicationschannel identi(cid:12)es the purchaser. The Soitdoesnotpreventtra(cid:14)canalysisattacksliketrack- amount of information revealed through Web brows- ing data as it moves through the network. ing should be deliberate. Inter-company collaboration may be con(cid:12)dential. Revealing identities in a cellular A preliminary description of onion routing is found phone system reveals a user’s location, since the cellu- in [10, 13]. Those papers mainly present the goals of lar phone network must track handsets’ locations. onion routing, and some of the basic structure of our Apurpose oftra(cid:14)c analysisistoreveal whoistalk- solution. However, they do not give enough detail to ing to whom. The anonymous connections described properly evaluate the security of onion routing. The herearedesignedtoberesistanttotra(cid:14)canalysis,i.e., originalcontentofthispaperincludes: adetailedspec- tomakeitdi(cid:14)cultforobservers tolearnidentifyingin- i(cid:12)cation of the onion routing system; a description of (cid:3) implementation choices that were in(cid:13)uenced by con- Address: Naval ResearchLaboratory,Center For High As- siderations not apparent at a more abstract level; a suranceComputerSystems,Washington,D.C.20375-5337,USA, phone: +1 202.767.2389, fax: +1 202.404.7942, e-mail: flast vulnerability analysis based on the speci(cid:12)cation; and [email protected]. performance results for our prototype. The speci(cid:12)- Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 1997 2. REPORT TYPE 00-00-1997 to 00-00-1997 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Anonymous Connections and Onion Routing 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Naval Research Laboratory,Center for High Assurance Computer REPORT NUMBER Systems,4555 Overlook Avenue, SW,Washington,DC,20375 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 11 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 cation presented here is su(cid:14)cient to guide both re- as an interface between machines behind the (cid:12)rewall implementations and new applications of onion rout- and the external network. Connections frommachines ing. behind the (cid:12)rewall to the onion router are protected This paper is organized in the following way. Sec- byother means(e.g.,physicalsecurity). Tocomplicate tion 2 presents an overview of onion routing. Section trackingoftra(cid:14)coriginatingorterminatingwithinthe 3 presents empirical data about our prototype. Sec- sensitive site, this onion router should also route data tion 4 de(cid:12)nes our threat model. Section 5 describes betweenotheronionrouters. Thisisthebasictopology onion routing and the application speci(cid:12)c proxies in that we willuse for the rest of this paper. more detail. Section 6 describes the system’s vulner- The use of anonymousconnections by two sensitive abilities, and section 7 describes the implementation sites that both control onion routers e(cid:11)ectively hides choices that were made for security reasons. Section 8 their communication from outsiders. However, if the presents related work, and section 9 presents conclud- responder is not in a sensitive site (e.g., the responder ing remarks. is some arbitrary Web server) the data stream from the sensitive initiator must also be anonymized. Oth- erwise, even rudimentary analysis of the unprotected 2 Onion Routing Overview communication between the last onion router in the anonymous connection and the responder may reveal In onion routing, instead of making socket connec- the initiator’s identity. tions directly to a responding machine, initiating ap- Onionroutersinthenetworkareconnected bylong- plicationsmakeconnections throughasequence ofma- standing (permanent) socket connections. Anonymous chinescalledonionrouters. Theonion routingnetwork connections through the network are multiplexedover allowstheconnectionbetweentheinitiator andrespon- thelongstandingconnections. Foranyanonymouscon- der to remainanonymous. We call this an anonymous nection, the sequence of onion routers in a route is socket connection or anonymous connection. Anony- strictly de(cid:12)ned at connection setup. However, each mousconnections hidewhois connected towhom,and onion router can only identify the previous and next forwhatpurpose,frombothoutsideeavesdroppersand hops along a route. Data passed along the anony- compromised onion routers. If anonymity is also de- mousconnectionappearsdi(cid:11)erentateachonionrouter, sired,thenallidentifyinginformationmustberemoved so data cannot be tracked en route and compromised fromthe datastreambeforebeingsentovertheanony- onionrouters cannot cooperate bycorrelatingthe data mousconnection. stream each sees. Wecallthe onionrouting network topologythat we The onion routing network is accessed via proxies. use in this paper the basic con(cid:12)guration. This is illus- An initiatingapplicationmakesa socket connection to trated in (cid:12)gure 1. an application speci(cid:12)c proxy on some onion router. That proxy de(cid:12)nes a route through the onion rout- Secure Site Internet ing network by constructing a layered data structure called an onion and sending that onion through the network. Each layer of the onion de(cid:12)nes the next hop W is a Proxy/Routing W X U in a route. An onion router that receives an onion Node controlled by Secure Site peels o(cid:11) its layer, identi(cid:12)es the next hop, and sends the embedded onion to that onion router. After send- ingthe onion,the initiator’sproxysends datathrough Initiator Y Z Responder the anonymousconnection. Machine Machine Thelastonionrouter forwardsdatatoanother type Anonymous Connection from W to Z of proxy on the same machine, called the responder’s Link Encrypted Connection Between Onion Routers proxy, whose job is to pass data between the onion Onion Router network and the responder. An example onion rout- ing network and anonymous socket connection is also Proxy/Onion Router illustrated in (cid:12)gure 1. In addition to carrying next hop information, each Figure1.Routing Topology. onionlayercontainskey seed materialfromwhichkeys 1 are generated for crypting data sent forward or back- 1 In the basic con(cid:12)guration, an onion router sits on Wede(cid:12)netheverbcrypt tomeantheapplicationofacryp- the (cid:12)rewallofasensitive site. Thisonionrouter serves tographicoperation,beitencryptionordecryption. wardalongthe anonymousconnection. (Wede(cid:12)ne for- mously surf the Web, send anonymous e-mail, and ward tobethedirectioninwhichtheoniontravelsand do remote logins. For instructions please see backward as the opposite direction.) http://www.itd.nrl.navy.mil/ITD/5540/ Once the anonymous connection is established, it projects/onion-routing. can carry data. Before sending data over an anony- Be aware that accessing a remote onionrouter does mous connection, the initiator’s onion router adds a not really preserve anonymity,because the connection layer of encryption for each onion router in the route. between your machineand the (cid:12)rst onionrouter isnot As data moves through the anonymous connection, protected. Evenifthatconnection wereprotected, you each onion router removes one layer of encryption, so havenoreasontotrusttheremoteonionrouter. Ifyou itarrivesat thereceiver as plaintext. Thislayeringoc- hada secured connection to anonionrouter youtrust, curs in the reverse order for data moving back to the it could use our onion router as one of several inter- initiator. So data that has passed backward through mediate routers to further complicate tra(cid:14)c analysis. the anonymous connection must be repeatedly post- Remote use of our site provides no greater anonymity crypted to obtain the plaintext. than is provided by the Anonymizer [1]. By layering cryptographic operations in this way, In our experimental onion routing network, (cid:12)ve we gain an advantage over link encryption. As data onion routers run on a single Sun UltraSparc 2270. movesthroughthenetworkitappears di(cid:11)erent toeach This machinehas two processors, and 256MB ofmem- onion router. Therefore, an anonymous connection is ory. Anonymousconnectionsareroutedthrougharan- 2 asstrongasitsstrongestlink,andevenonehonestnode domsequence of(cid:12)veonionrouters. Connection setup is enough to maintainthe privacy ofthe route. In link timeshouldbecomparabletoamoredistributedtopol- encrypted systems, compromised nodes can cooperate ogy. Data latency, however, is more di(cid:14)cult to judge. to uncover route information. Clearly, data will travel faster over socket connections Although we call this system onion routing, the between onion routers on the same machine than over routing that occurs here does so at the application socket connections between di(cid:11)erent machines. How- layer of the protocol stack and not at the IP layer. ever, the removalor additionof layers of encryption is Morespeci(cid:12)cally,werelyuponIProutingtoroutedata notpipelined,sodatalatencymaybeworseonasingle passed through longstanding socket connections. An machine. anonymous connection is comprised of several linked Onion routing’s overhead is mainly due to public longstanding socket connections. Therefore, although key cryptography and is incurred while setting up an theseries ofonionrouters inananonymousconnection anonymous connection. On an UltraSparc running a is (cid:12)xed for the lifetimeof that anonymousconnection, fastimplementationofRSA [2],asinglepublickey de- the routethatdataactuallytravels between individual cryption of a 1024 bit plaintext block using a 1024 bit onion routers is determined by the underlying IP net- private key and a 1024 bit modulus takes 90 millisec- work. Thus, onion routing may be compared to loose onds. Encryption is much faster, because the public source routing. keys areonly16bitslong. (This iswhyRSAsignature Onion routing depends upon connection based ser- veri(cid:12)cationischeaper thansigning). So,thepublickey vices that deliver data uncorrupted and in-order. This cryptographic overhead for routes spanning (cid:12)ve onion simpli(cid:12)es the speci(cid:12)cation of the system. TCP socket routers is just under 0.5 seconds. This overhead can connections, which are layered on top of a connection- be further reduced, either with specialized hardware, lessservicelikeIP,providetheseguarantees. Similarly, oreven on PCs (a200Mhz Pentiumwouldbe twice as onion routing could easily be layered on top of other fast). connection based services, like ATM. Relatively large connection setup overhead may be Ourcurrentprototypeofonionroutingconsidersthe tolerable in some applications. For example, socket networktopologytobestaticanddoesnothavemecha- connection setup maybe slow anyway. If a connection nismstoautomaticallydistributeorupdatepublickeys is long lived, setup overhead may be reasonable. For or network topology. These issues, though important, example, in WWW requests, a single document may are not the key parts of onion routing and will be ad- require several requests to the same host to retrieve dressed in a later prototype. di(cid:11)erent componentsofthe samedocument. Although eachindividualrequestandresponsepairmaybeshort, 3 Empirical Data the combination of all request/response pairs may be lengthy. There is no reason that the same anonymous 2 We invite readers to experiment with our pro- Fiveonionroutinghopsperconnectionprovidesreasonable totype of onion routing by using it to anony- securityatreasonablecost. Seesection6. connection could not be used to carry the tra(cid:14)c for and uncorrupted. A compromised onion router can each of the real socket connections, either sequentially easily violate this assumption; however, the result is or multiplexed. In fact, the preliminary speci(cid:12)cation unpredictable and unreadable data emerging from the for HTTP 1.1 de(cid:12)nes pipelined connections to amor- system rather than the direct release of any informa- tizethe costofsocket setup, andpipelinedconnections tion. Since replay of an onion will cause the same wouldalsotransparentlyamortizetheincreased costof embedded onions to appear downstream, onion replay anonymous connection setup. Our Web proxy will be may reveal connection information. However, onions madeHTTP1.1compliantwhenHTTP1.1isadopted. themselvescannotbereplayedthroughanhonestnode. Onion routers remember onions they have passed by storingahashofpreviouslypassedonions. Ifareplayis 4 Threat Model detected, theonionissimplydropped. Tocontrolstor- age requirements, onions are equipped with expiration Weassume that the network is subject to both pas- times. Here too, denial-of-service supersedes compro- sive and active eavesdropping. That is: mise. If clocks are far enough out of synchronization (cid:15) one way, the only possible result is for a fresh onion All tra(cid:14)c is visible. to be viewed as expired and ignored. If they are far (cid:15) All tra(cid:14)c can be modi(cid:12)ed. enough out of synchronization the other way,the only possibleresultisforapassedoniontobestoredbeyond (cid:15) Onion routers maybe compromised. its expiration. (cid:15) Compromisedonion routers maycooperate. 5 Onion Routing In addition, a sophisticated adversary may be able 5.1 OnionRoutingProxies to detect timing coincidences such as the near simul- taneous opening of connections. Timing coincidences are verydi(cid:14)culttoovercomewithoutwastingnetwork A proxy is a transparent service between two appli- capacity, especially when real-time communication is cations that would usually make a direct socket con- important. nection to each other but cannot. For example, a (cid:12)re- The initiator’s proxy and the (cid:12)rst onion router are wall might prevent direct socket connections between themosttrusted elementsofthe onionroutingsystem. internal and external machines. A proxy running on Thatisonereasonwhy,inourbasiccon(cid:12)guration,both the (cid:12)rewallmayenable such connections. Proxyaware theproxyandonionrouterareplacedunderthecontrol applications are becoming quite common. of the sensitive site. Our goalhas been to design an architecture for pri- This threat model directly motivatescertain design vatecommunicationthatwouldinterfacewithunmodi- decisions in onion routing. Because tra(cid:14)c is visible, (cid:12)ed applications,sowechosetouseproxiesastheinter- the headers and payload of all tra(cid:14)c are essentially face between applications and onion routing’s anony- linkencrypted between onionrouters so the samedata mous connections. For applications that are designed looks di(cid:11)erent when traveling between onion routers. to be proxy aware, (e.g., WWW browsers), we sim- Because tra(cid:14)c can be modi(cid:12)ed, stream ciphers [14] ply design appropriate interface proxies. Surprisingly, are used for encryption. Inserting, deleting, modify- for certain applicationsthat are not proxy aware (e.g., ing,or replayingtra(cid:14)c anywhere en route willdisrupt RLOGIN), we have also been able to design interface the stream and will result in persistent unrecogniz- proxies. In this paper, we will focus on the HTTP ablechangesdownstream;thus,datacannotbetracked proxy for Web browsing. moving through the system. However, the plaintext In the basic con(cid:12)guration where a (cid:12)rewall lives be- willbe unreadable by the responder, causing a denial- tween a trusted and untrusted network, the onion of-service attack. Because onion routers may be com- router and its proxies live on the (cid:12)rewall. There are promised, anonymous connections span several onion two classes of proxies: one that bridges connections routers. Because compromised onion routers may co- frominitiatingapplicationsintothe onionroutingnet- operate,dataisencrypted inalayeredfashionsoitap- work (the application proxy), and another that com- pears di(cid:11)erent to each onion router, not only between pletes the connection from the onion routing network onion routers. to responders (the responder proxy). In general, our design chooses denial-of-service over Because the application proxy bridges between ap- the compromise of private information. For example, plications and the onion routing network, it must un- we assume that data moves through sockets in order derstand both application protocols and onion rout- ing protocols. Therefore, to simplifythe design of ap- lowed by the optional (cid:12)elds. Notice that the server plication speci(cid:12)c proxies, we partition the proxy into nameandhttp://are eliminatedbecause the connec- two components: the client proxy and the core proxy. tion is made directly to the HTTP server. The client proxy bridges between a socket connection The client proxy essentially makes a connection to fromanapplicationandasocketconnectiontothecore www.domino.com, and issues a request as if it were a proxy. Itistheobligationoftheclientproxytomassage client. Once this request is transmitted to the server, thedatastreamsoboththecoreproxyandtherespon- all proxies blindly forward data in both directions be- derproxycanbeapplicationindependent. Speci(cid:12)cally, tween the client and the server until the socket is bro- the client proxy must prepend to the data stream a ken by either side. standard structure that identi(cid:12)es the ultimatedestina- For the anonymizing onion routing HTTP proxy, tion by either hostname/port or IP address/port. Ad- the client proxy proceeds as outlined above with one ditionally,itmustprocess a one byte return code from change: it is now necessary to sanitize the optional the responder proxy and either continue if no error is (cid:12)elds that followthe GET commandbecause they may reportedorreporttheonionroutingerrorcodeinsome contain identity information. Furthermore, the data applicationspeci(cid:12)c meaningfulway. streamduringaconnectionmustbemonitored,tosan- Upon receiving a new request, the core proxy uses itize additional headers that might occur during the the prepended standard structure as a hint in build- connection. For our anonymizingHTTP proxy,opera- ing an onion de(cid:12)ning the route of an anonymous con- tionsthat store cookies onthe user’s browser (to track nection to that destination. It then passes the onion a user, for example) are removed. This reduces func- to the onion routing network building the anonymous tion, so applications that depend upon cookies (like connectiontotheresponder proxy,andthenpasses the online shopping baskets) maynot work properly. prepended standard structure to the responder proxy The core proxy’s function is to pass data between specifying the ultimate destination. From this point multiplesocket connectionsfromclientproxiesandthe on, the core proxy blindly relays data back and forth (cid:12)rst onion router. Therefore, the core proxy is not ap- betweentheclientproxyandtheonionroutingnetwork plicationspeci(cid:12)c but mustunderstand the onion rout- (and thus the responder proxy at the other end of the ing protocol, which de(cid:12)nes how multiplexed connec- anonymousconnection). tions are handled. The core proxy must repeatedly Fortheservices wehaveconsidered todate,anearly pre-crypt the data stream before passing it along the generic responder proxy is adequate. Its function is onionroutingnetwork. The repeated pre-cryptions are to read the data stream from the terminating onion the inverses ofthe cryptographic functionsthatwillbe router. The (cid:12)rst datum received will be the stan- applied by the onion routers as the data moves along dardstructurespecifyingtheultimatedestination. The the anonymous connection. Similarly, the core proxy responder proxy makes a socket connection to that must repeatedly post-crypt data from the anonymous IP/port,reports aonebyte statusmessageback tothe connectionwiththeinverses ofthecryptographicfunc- onionroutingnetwork(andthusbacktothecoreproxy tions that were applied by the onion routers, before which in turn forwards it back to the client proxy), passing the plaintext to the client proxy. and subsequently moves data between the onion rout- 5.2 Implementation ing network and the new socket. (For certain services, likeRLOGIN,the responder proxy alsoinfers that the new socket must originate froma trusted port.) As anexample,consider the client proxyforHTTP. This section presents the interface speci(cid:12)cation be- The user con(cid:12)gures his browser to use the onion rout- tween the components in an onion routing system. To ing proxy. His browser may send the proxy a re- provide some structure to this speci(cid:12)cation, we will quests like GET http://www.domino.com/showcase/ discuss componentsinthe order that datawouldmove HTTP/1.0 followedby optional(cid:12)elds. froman initiatingclient to a responding server. The client proxy is listening for new requests. Once There are four phases in an onion routing sys- it obtains the GET request, it creates the standard tem: networksetup,whichestablishesthelongstanding structure and sends it (along a new socket connec- connections between onion routers; connection setup, tion)tothe core proxy,toinformthe core proxyofthe which establishes anonymous connections through the service and destination of the anonymous connection. onion router network; data movement over a anony- The client proxy then modi(cid:12)es the GET request to GET mous connection; and the destruction and cleanup of /showcase/ HTTP/1.0 and sends it directly (through anonymous connections. We will commingle the dis- the anonymous connection) to the HTTP server, fol- cussion of these below. 5.3 ClientProxy is a multi-layereddata structure that encapsulates the route of the anonymous connection starting from the The interface between an applicationand the client responder proxy and working backward to the core proxyisapplicationspeci(cid:12)c. Theinterfacebetweenthe proxy. client proxy and the core proxy is de(cid:12)ned as follows. Each layer has the followingstructure: Foreachnewproxyrequest,theclientproxy(cid:12)rstdeter- 0 1 2 3 minesifitwillhandleordenytherequest. Ifrejected,it 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 reports an applicationspeci(cid:12)c error message and then +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Version |Back F|Forw F| Destination Port | closes the socket and waits for the next request. If +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ accepted, it creates a socket to the core proxy’s well | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ known port. The client proxy then sends a standard | Expiration Time (GMT) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ structure to the core proxy of the form: | | + + 0 1 2 3 | | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + Key Seed Material + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Version | Protocol | Retry Count | Addr Format | + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Version is currently de(cid:12)ned to be 1. Protocol is either 1 for RLOGIN, 2 for HTTP, or 3 for SMTP. As we will see below, the (cid:12)rst bit must be zero for Retry Count speci(cid:12)es how many times the responder RSA public key cryptography to succeed. Following proxy should attempt to retry connecting to the ulti- thezerobitistheVersionNumber oftheonionrouting matedestination. Finally,the Addr Format (cid:12)eld spec- system, currently de(cid:12)ned to be 1. i(cid:12)es the form of the ultimate destination address: 1 TheBack F (cid:12)elddenotesthecryptographicfunction for a NULL terminated ASCII string with the host- to be applied to data moving in the backward direc- name immediately followed by another NULL termi- tion (de(cid:12)ned as data movingin the opposite direction nated ASCII string with the destination port number, that the onion traveled, usually toward the initiator’s or a 2 for sockaddr in data structure specifying both end of the anonymous socket connection) using key2 the internet address and the destination port. The ul- de(cid:12)ned below. The Forw F (cid:12)eld denotes the crypto- timate destination address is sent after this standard graphic function to be applied to data moving in the structure, and the client proxy waits for a one byte forward direction (de(cid:12)ned as data movingin the same error code before sending data. direction that the onion traveled, usually toward the 5.4 CoreProxy responder’s end of the anonymous socket connection) using key3 de(cid:12)ned below. Currently de(cid:12)ned crypto- graphicfunctionsare: 0forIdentity(no encryption), 1 Upon receiving the standard structure, the core forDESOFB(outputfeedbackmode)(56bitkey),and proxy can decide whether to accept or reject the re- 2 for RC4(128 bit key). The Destination Address and quest based on the protocol, anonymity, destination Destination Port indicatethenextonionrouter innet- host, destination port, or the identity of the client workorderandareboth0fortheresponderproxy. The proxy. If rejected, it sends an appropriate error code Expiration Time is given in network order in seconds backtotheclientproxy,closesthesocket,andwaitsfor relative to 00:00:00 UTC January 1, 1970 (i.e. stan- the next request. If accepted, it proceeds to build the dard UNIX time(2)format)and speci(cid:12)es howlongthe anonymous connection to the responder proxy using onion router at this hop in the anonymous connection the standard structure, sends the standard structure must track the onion against replays before it expires. to the responder proxy over the anonymous connec- Key Seed Material is 128bits long andis hashed three tion, and then passes all future data to and from the times with SHA to produce three cryptographic keys clientproxy andanonymousconnection. The repeated (key1, key2, and key3) of 128-bits each (the (cid:12)rst eight pre and post cryptions and packaging of the data is bytes of each SHA output are used for DES and the 3 discussed later in section 5.6. (cid:12)rst 16 bytes for RC4 keys). Since we use RSA public key cryptography with a 5.5 Onions modulus size of 1024-bits, the plaintext block size is 1024 bits and must be strictly less than the modulus 3 To build the anonymous connection to the respon- Details on the cryptographicoperationsused in this paper der proxy, the core proxy creates an onion. An onion canbefoundin[14]. numerically. To avoid problems, we force this relation version 1 of the onion routing system, there are four by putting the most-signi(cid:12)cant bit (cid:12)rst and setting it types of cells: PADDING (0), CREATE (1), DATA to 0 (the leading 0 above). Furthermore, the inner- (2), and DESTROY (3). most layer of the onion is padded on the end with an Cells have the followingstructure: additional 100 bytes prior to RSA encryption being 0 1 2 3 performed. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ In version 1, an onion has (cid:12)ve layers. An onion | ACI | Command | Length | is formed iteratively, innermost layer (cid:12)rst. At each +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | iteration,the (cid:12)rst128bytesofthe onionareencrypted .......................Payload (44 bytes)....................... withthepublickeyoftheonionrouterthatisintended | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ to decrypt that layer. The remainder of the onion is encrypted, using DES OFB with an IV (initialization The ACI (anonymous connection identi(cid:12)er) and vector) of0 and key1 (derived fromKey Seed Material 4 Command (cid:12)elds are always encrypted using the link in that layer as de(cid:12)ned above). encryption between neighboring nodes. Additionally, Before discussing how onions and data are sent be- the Length and Payload (cid:12)elds are encrypted using the tween onion routers, we will de(cid:12)ne onion router inter- linkencryption between neighboringnodes if the com- connection. mand is either PADDING (0) or DESTROY (3). For 5.6 OnionRouterInterconnection CREATE (1) commands,the length is link encrypted, but the payload is already encrypted because it car- ries the onion. For DATA (2) commands, the length During onion network setup (not to be confused andentire payloadare encrypted usingthe anonymous with anonymous connection setup), longstanding con- connection’s forward or backward cryptographic oper- nections between neighboring onion routers are estab- ations. lished and keyed. The network topology is prede(cid:12)ned Each anonymous connection is assigned an ACI at andeachonionrouterknowsitsneighborsandtheRSA each onionrouter, which labels an anonymousconnec- public keys of all nodes in the network. tion when it is multiplexedover the longstanding con- Toremainconnected to each of its neighbors, onion nectiontothe nextonionrouter. ACIs mustbeunique routers must both listen for connections from neigh- ontheirlongstandingconnectionbutneed notbeglob- bors and attempt to initiate connections to neighbors. ally unique. To move an onion through the system, To avoid deadlock and collision issues between pairs an onion router peels o(cid:11) the outermost layer,identify- of neighbors, an onion router listens for connections ing the next hop. It checks the freshness (not expired from neighbors with \higher" IP/port addresses and and not replayed) of the onion, computes the neces- initiatesconnectionstoneighborswith\lower"IP/port sary cryptographic keys, seeds the forward and back- addresses. \Higher" and \Lower" are de(cid:12)ned with re- wardcryptographicengines, choosesanewACIforthe spect to network byte ordering. nexthopinthenewconnection,andthenbuildsadata The protocol has two phases: connection setup and structure associated with that connection which maps keying. The initiating onion router opens a socket to incoming to outgoing ACIs and the cryptographic en- a well knownport of its neighboring onionrouter, and gines associated with forward and backward data. sends its IP address and well known port (the port is Therestoftheonionispaddedrandomlytoitsorig- included to allow multiple onion routers to run on a inal length, placed into CREATE cells, and then sent singlemachine)innetworkorder toidentifyitself. The out in order tothe appropriate neighbor. The payload keying phase ensues, using STS [8] which will gener- of the last cell is padded with random bits to (cid:12)ll the ate two DES56-bitkeys. The linkencryption over the cell if necessary (to avoidtraceability). longstanding connections is done by DES OFB with Data moves through an anonymous connection in IVs of 0 and these two keys (one for data in each di- DATA cells. At each onion router, except for the ini- rection). tiator’s,boththe lengthandpayload(cid:12)eldsofacellare Once keyed, communication between onion routers crypted using the appropriate cryptographic engine. is packaged into (cid:12)xed sized cells, which allows for the The new cell is sent out to the appropriate neighbor. multiplexingof both anonymousconnections and con- Theinitiator’sonionroutermustrepeatedlycryptdata trol informationover the longstandingconnections. In 4 toeither addtheappropriatelayersofcryptiononout- We use DES to encryptthe onion, andfor linkencryption goingdata,orremovelayersofcryptionfromincoming betweenonionrouters,becauseithasnolicensingfeesandcanbe usedasapseudorandomnumbergenerator. Wewouldbehappy data. WhenconstructingaDATAcellfromaplaintext touseastrongerpseudorandomnumbergenerator,however. datastream,the cellis(partially)(cid:12)lled,itstrue length 56 is set, and all45bytes of the length and payload(cid:12)elds oncryptographicalgorithms(e.g.,2 )isunreasonable. arerepeatedlycryptedusingthestreamciphersde(cid:12)ned Furthermore, the cost of tra(cid:14)c analysis searches may by the onion. Therefore, when the cell arrives at the be higher, since a network must be monitored. responder proxy, the length (cid:12)eld re(cid:13)ects the length of Assume that each onion router has connections to 3 the actual data carried in the payload. eight (2 ) other onion routers, and that each onion If a connection is broken, a DESTROY command router has a secured connection toa sensitive site. As- is sent to clean up state information. The ACI (cid:12)eld sumethatallanonymousconnectionspassthrough(cid:12)ve of the DESTROY command carries the ACI of the onion routers. Assume furthermore that since all cells broken connection. The length and payload must be movingthrough an onion routing network are of (cid:12)xed random. Upon receipt of a DESTROY command, it length (48 bytes) it is possible to identify when cells is the responsibility of an onion router to forward the begin and end. So we reduce the problem to track- DESTROY appropriately and to acknowledge receipt ingmarkers,where markersindicatethe beginningofa by sending another DESTROY command back to the cell. Assume further, that an attacker can start mon- previoussender. AftersendingaDESTROYcommand itoring the system when an onion router’s incoming about a particular ACI, an onion router maynot send queues andoutgoingqueues are empty,so the attacker anymorecellsalongthatanonymousconnection. Once can determine the order in which markers arrive at an anacknowledgmentDESTROYmessageisreceived,an onion router. onion routing node considers the anonymous connec- Under these assumptions,trackingmarkersthrough tion destroyed and the ACI can be used as a label for the network depends on the reordering done at each a new anonymousconnection. onion router. If no reordering is done (i.e., cells move ThePADDINGcommandisusedtoinjectdatainto fromincomingto outgoingqueues using a FIFO strat- alongstandingsockettofurtherconfusetra(cid:14)canalysis. egy), then it appears easy to track markers. The (cid:12)rst PADDING cells are discarded upon receipt. marker to reach on onion router will be the (cid:12)rst to Eachonionrouteralsoreorderscellsmovingthrough leave, and its route through the network can be fol- it,accordingtoaschemethatwecalllayeredreordering lowed. But analysis is not that simple. Since each (see section 6) that both preserves the order of cells in onionrouter is bothan onionroutingproxyandan in- each anonymous connection and caps how long cells termediate onion router, a new marker may enter the maybe delayed by an onion router. network at any time, and it is impossible for an ob- 5.7 Responder Proxy server to determine whether the new marker arrived before orafterthe (cid:12)rst markeronthe incomingqueues (since a sensitive site’s connection to its onion router When a routing node receives an onion with Desti- is protected). If the onion routing proxy is busy, the nation Address and Destination Port of 0, it knows it markercouldendupononeoftwooutgoingqueues. (If is to act as a responder proxy. It proceeds to read the the onionroutingproxy is not busy,onlyone outgoing standardstructure thatwillbethe(cid:12)rstdataacross the queue will be active.) Under the most complicating anonymoussocketconnection,establishes aconnection conditions,a markercould ultimatelyend up in one of 5 to the ultimate destination as indicated, and returns 2 outgoing queues. thestatus code. After this,itwillblindlyforwarddata To further complicatetra(cid:14)c analysis,onion routers betweentheanonymousconnectionandtheconnection reorder incoming markers, so data does not move to the responder’s machine. through the network in a simple FIFO manner. The optimalgoalwouldbetomakeitequallylikelythatan incomingmarkeris output on any of an onionrouter’s 6 Vulnerabilities 8 outgoing queues. In that case, a single markercould 3 5 end up at one of (2 ) outgoing queues. Notice that Onion routing is not invulnerable to tra(cid:14)c analysis we cannot improve on this number, since it de(cid:12)nes all attacks. We now de(cid:12)ne an attack approach based on 5 possible reachable queues. several simplifying assumptions. We characterize the Sinceonionroutingismeantforreal-timecommuni- complexity of an attack based on these assumptions, cation, we use a limitedamount of reordering. At any and note that real attacks will be moreexpensive. We 5 15 also note that any scheme resistant to tra(cid:14)c analysis This does not imply that one can only reach 2 sites via cannot increase the space of potential recipients of a onion routing. Since the responder’s proxy can make connec- tionstoanyInternetsite,onecananonymouslybrowseanyWeb messagetomorethanthenumberofpossiblerecipients site. Ifthegoalistohaveanonymousconnectionsbetweentwo onthe network. So,expecting the complexityoftra(cid:14)c sensitivesites,thenanyonesitecancommunicatewithatmost 12 analysis to be similarto the cost of brute force attack 2 othersensitivesites. pointintime,markersonseveralincomingqueues may Onionsarepackagedinasequence ofcellsthatmust be considered toarrive at the sametime. These mark- beprocessedtogether. Thisonionprocessinginvolvesa ers maybe movedto outgoingqueues in any arbitrary public key decryption operation which is relatively ex- order that both maintains fairness of data movement pensive. Therefore, it is possible to imaginean imple- for every anonymousconnection and preserves the or- mentation that clears outgoing queues while an onion der of data on each anonymousconnection. isbeingprocessed, andthenoutputsthe onion. There- We de(cid:12)ne n-layered reordering as moving the (cid:12)rst fore, any period of inactivity on the out-bound queues n markers on each incomingqueue to outgoing queues is likelyto be followedby a sequence of onioncells be- in any arbitrary order subject to the order preserv- ing output on a single queue. Such an implementation ing restriction just described. If an incoming queue makes tracking easier and should be avoided. has fewer than n markers, all markers on the queue After processing at each onion router, onions are aremoved. (In1-layerreordering,the order preserving paddedattheendtocompensatefortheremovedlayer. restriction is trivially satis(cid:12)ed.) Notice that although This padding must be random, since onions are not markersmaybedelayedatanyparticularonionrouter, link encrypted between onion routers. Similarly, the on average data latency is not hurt since markers are lengthandpayloadofaDESTROYcommandmustbe equally likelyto be forwarded early. new random content at each onion router; otherwise, Using layered reordering, tra(cid:14)c analysis becomes compromisedonion routers could track that payload. morecomplicated,since a markercould end up on one In a multi-threaded implementation, there is a sig- of several output queues. However, imagine that we ni(cid:12)cant lure to rely upon the apparent scheduling ran- knowthattwomarkersbelongtothe sameanonymous domness to reorder events. If reordering is important connection. So, if we know which outgoing queues are to the secure operation of the system, deliberate re- possible for each of the markers, the intersection of ordering is crucial, since low level system randomness thosesetsde(cid:12)neswhichqueuesarepossibleforthenext mayin fact be predictable. hopintheanonymousconnection. Thegoal,therefore, There are two vulnerabilities that we do not yet is to choose a layered reordering depth that makes it know how to address. If part of the onionrouting net- very likely that all possible outgoing queues will be workistakendown,tra(cid:14)canalysisisgreatlysimpli(cid:12)ed. present in each set most of the time. Also, if a longstanding connection between two onion Since data latency is not hurt by layered reorder- routers is broken, it will result in many DESTROY ingit ispossible topredict the windowduring whicha messages,oneforeachanonymousconnectionthatwas markerislikelytoexittheonionroutingnetwork. This routed through that longstanding connection. There- 6 invites another kind of tra(cid:14)c analysis. It should be fore, a compromisedonion router may infer from near possible to identify the near simultaneous opening of simultaneousDESTROYmessages that the associated endpoint connections. More speci(cid:12)cally, if an attacker anonymousconnections had some commonroute. De- wishes to con(cid:12)rm that two parties are communicating laying DESTROY messages hurts performance, since frequently,ifthey happen to have manymoresimulta- werequirethataDESTROYmessagepropagatetothe neous connectionopenings thanisexpected bychance, endpoints to take down the connection that is visible they are probably communicating. This attack, how- tothe user. Carryingthe DESTROYmessagethrough ever, is not possible if the onion routing basic con(cid:12)g- the anonymousconnection and garbage collectingdor- uration is only used for communication between sites mantanonymousconnections laterwouldbe ideal,but thatcontrolonionroutingproxies,sincetheconnection we do not know how to e(cid:14)ciently insert control infor- between the site and its onionrouter is assumed to be mationinto a raw data channel, especially considering 7 protected. But, the basic con(cid:12)guration is not appro- our layered encryption. priateeverywhere, sothisattackmaypersistincertain scenarios. 8 Related Work Chaum[3] de(cid:12)nes a layered object that routes data 7 Implementation Vulnerabilities through intermediate nodes, called mixes. These in- 7 One could imagine sending control information by insert- An implementation of a secure design can be inse- ingsomerandomcellintothedatastream. The applicationor cure. In this section, we describe several implementa- itsproxycoulddetectcorrupteddata,andterminateattheap- tion decisions that were made for security considera- plication level, without destroying the anonymous connection. tions. However,thisisriskyfortworeasons: itmaynotalwaysbepos- sibleto detectcorrupteddata,and arandominsertedcell may 6 ThankstoJohnKelseyforhelpfulcommentsonthispoint. appearuncorrupted.