Onion Routing
R. Newman
Topics
Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology
Vanilla traffic analysis easy Read src and dest from packet
Even if data are encrypted (e.g., using IPsec) Can see src, dest, since have to route packet
Other observations Amounts of data flowing Connections open/close timing
Traffic Analysis
Bi-directional socket connections Onions used to set up virtual circuits Setup is distinct from data flow over VC
Intermediate proxies only know predecessor and successor Like Chaum Mix-nets Onion = layered object Circuit traffic is encrypted Only initiator proxy knows whole path
Basis for TOR (The Onion Router) Used worldwide
Onion Routing
Uses proxy servers Well-established mechanism Used to accommodate firewalls Used for www and telnet
Data stream follows a path through proxies Path defined by initiating proxy Should be managed by source organization/user Initiating proxy should also be intermediate proxy for
other paths
Onion Routing
Example OR Topology
W
Y
XLink encrypted
between routingnodes
Proxy/Routercontrolled bySecure Site
Routing node
Secure Site
Initiatorhost
Z
U
Responderhost
Responder’sProxy/Router
Unsecured socket connection
Proxy can combine all traffic from enclave Further confounds traffic analysis
Data stream follows a path through proxies Data encrypted along path from proxy to exit router Data NOT encrypted between initiator host and proxy Or between exit router and responder
Goal is NOT anonymity per se End parties generally DO know each other But prevent third party from knowing endpoints
Onion Routing
Goal is NOT anonymity per se But prevent third party from knowing endpoints Data analytics can reveal interests/intentions from
observing history of web searches, e.g. Anonymous Remailers
Keep log of packets to prevent replays Not suitable for HTTP traffic
Too much data! Requires bi-directional, interactive traffic
Onion Routing
Establishes bidirectional communication End responder does not HAVE to know initiator Individual messages are not logged
Anonymous email supported Can include reply onion for responder Keeps initiator anonymous Can be used after current connection closed
Onion Routing
Encapsulate routes Initiator proxy determines a route Constructs onion – to set up virtual circuit Data sent after route is set up
Forward Onion Encrypt for responder’s proxy (Z) Encrypt for predecessor router (Y), with message for Z as payload Continue adding layers (similar to Chaum Mix-net) for entire route
(backwards)
Onions
Building a Forward Onion
W
Y
XLink encrypted
between routingnodes
Initiator’sProxy/Router
Z
U
Responder’sProxy/Router
ETz, NULL, Ffz, Kfz, Fbz, Kbz, pad
ETy, Z, Ffy, Kfy, Fby, Kby,
ETx, Y, Ffx, Kfx, Fbx, Kbx,
Route chosen by W
Route info for Z
Route info for Y
Route info for X
Initiator [Ffx, Kfx, Fbx, Kbx] VC-W17
[Ffy, Kfy, Fby, Kby]
[Ffz, Kfz, Fbz, Kbz]
Using a Forward Onion
W
Y
XLink encrypted
between routingnodes
Initiator’sProxy/Router
Z
U
Responder’sProxy/Router
ETz, NULL, Ffz, Kfz, Fbz, Kbz, pad
ETy, Z, Ffy, Kfy, Fby, Kby,
ETx, Y, Ffx, Kfx, Fbx, Kbx,
Route chosen by W
Route info for Z
Route info for Y
Route info for X
VC-W17[Ffx, Kfx, Fbx, Kbx] VC-Y3
VC-X3[Ffy, Kfy, Fby, Kby] VC-Z8 VC-Y8[Ffz, Kfz, Fbz, Kbz] Responder
Initiator [Ffx, Kfx, Fbx, Kbx] VC-W17
[Ffy, Kfy, Fby, Kby]
[Ffz, Kfz, Fbz, Kbz]
VC17
VC3
VC8
Forward Onion Layers of encryption using public key of successor Include Expiration Time for onion Include Next Hop address (except for last router) Include forward and backward functions and keys
Expiration Time Used to detect replays Copy of onion held until expiration time is up If duplicate arrives, discard If expired onion arrives, discard
Onions
Onion shrinkage Each router removes the plaintext it sees as it
processes the onion So onion shrinks as it traverses route Size of onion would reveal location in route!
Padding Each router adds random bitstring to end of payload Equal in length to the information it strips from header Router cannot tell how much of payload is padding
Except last router Initiator proxy pads central payload to fixed onion size
So onions all look the same
Onions
Processing a Forward Onion
W
Y
XLink encrypted
between routingnodes
Initiator’sProxy/Router
Z
U
Responder’sProxy/Router
ETx, Y, Ffx, Kfz, Fbz, Kbz,
Route chosen by W
Onion for X
Onion for Y
Onion for Z
PayloadETy, Z, Ffz, Kfz, Fbz, Kbz,
PADPayloadETz, NULL, Ffz,
Kfz, Fbz, Kbz
PAD PADpad
Strip header Add padding
Messages sent on VC Message format
VCID – identifies virtual circuit Command – identifies message type Data – payload of message
Message types Create – to set up Destroy – to tear down Data – to send data (fwd or bkwd)
Setting up Virtual Circuits
Create Command Accompanies an onion Recipient selects VCID Sends create command with massaged onion and VCID to next router Stores VCID pair along with VCID info
Fwd and bkwd functions and keys
Data Command Intermediate nodes convert VCID Apply appropriate function with key
Destroy Remove VCID entry
Setting up Virtual Circuits
Crypting Each node applies forward function with forward key to data moving in forward
direction Applies backward function with backward key to data moving in backward direction Initiator proxy ”precrypts” ultimate forward msg by applying inverse functions in
reverse order Intermediate nodes ”peel off” transforms applied by initiator proxy as data traverses
route Data sent in backward direction is ”crypted” by routers along backward route Initiator proxy peels off these layers by applying inverse of backward transforms in
forward route order
Data Encryption
Route length is limited Size of onion restricts number of intermediates Can allow intermediates to add to route! But must not overwrite needed info!
Loose Routing Initiator can add padding to end of onion, set maximum loose count values for
intermediate nodes Intermediate can insert addtional hops on the way to the next prescribed node Intermediate must also crypt data as it passes through Can be used to repair route damage, or when initiator does not know a complete
route
Loose Routing
Loose Routing
W
Y
XLoose route
link
Initiator’sProxy/Router
Z
U
Responder’sProxy/Router
ETx, Y, Ffx, Kfx, Fbx, Kbx,
Route chosen by W
Onion for XOnion for Y
Onion for Z
PayloadETy, Z, Ffy, Kfy, Fby, Kby,
PADPayload
Add header No extra padding
ETu, Y, Ffu, Kfu, Fbu, Kbu,
PayloadOnion for UOnion for Y
Onion for ZOnion for Y
ETy, Z, Ffy, Kfy, Fby, Kby,
PayloadPAD
ET’z, Y, F’fz, K’fz, F’bz, K’bz,
PayloadETy, Z, Ffy, Kfy, Fby, Kby,
PayloadPAD
PADETz, NULL, Ffz, Kfz, Fbz, Kbz,
PAD PAD
Useful to allow recipient to reply after original circuit has been broken down VC no longer available for data transmission Allows responder to remain anonymous also
Reply Onion Sent by initiator to responder Can be used as a ”preformed” onion by responder to set up a VC to initiator
later Multiple can be sent to allow multiple such VCs Does not need to use the same path as the original VC used
Reply Onions
Looks like a forward onion Has same format, header information
Treated the same as a forward onion by intermediates Here is where ”crypting” comes in handy! Forward and backward functions are indistinguishable
Difference is that the payload tells the original initiator’s proxy all it needs to use the VC All the forward and backward functions along path Also indentifier for VC so the initiator can bind it to the reply onion it came
from
Reply Onions
Data are treated in the same way as in a VC set up by the original initiator in the forward direction Just use the functions given Original responder just sends data Intermediates apply ”forward” function given Original initiator applies all ”backward” functions
Multiple reply onions can be set Multiple can even be broadcast! Just have to use an unused onion Onions expire, and duplicates are ignored
Reply Onions
GPA can observe message flows No delays introduced, so timing matters! Near simultaneous opening of sockets a give-away
Compromised nodes Initiator proxy bad – then all is revealed! One good intermediate complicates TA One bad intermediate can effect DOS Bad responder proxy – if can detect corrupted data, then earlier node can
experimentally damage data Clock Synchronization
Can result in DOS – onion expiry
Attacks