Onion Routing

R. Newman

Topics

Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology

Vanilla traffic analysis easy Read src and dest from packet

Even if data are encrypted (e.g., using IPsec) Can see src, dest, since have to route packet

Other observations Amounts of data flowing Connections open/close timing

Traffic Analysis

Bi-directional socket connections Onions used to set up virtual circuits Setup is distinct from data flow over VC

Intermediate proxies only know predecessor and successor Like Chaum Mix-nets Onion = layered object Circuit traffic is encrypted Only initiator proxy knows whole path

Basis for TOR (The Onion Router) Used worldwide

Onion Routing

Uses proxy servers Well-established mechanism Used to accommodate firewalls Used for www and telnet

Data stream follows a path through proxies Path defined by initiating proxy Should be managed by source organization/user Initiating proxy should also be intermediate proxy for

other paths

Onion Routing

Example OR Topology

W

Y

XLink encrypted

between routingnodes

Proxy/Routercontrolled bySecure Site

Routing node

Secure Site

Initiatorhost

Z

U

Responderhost

Responder’sProxy/Router

Unsecured socket connection

Proxy can combine all traffic from enclave Further confounds traffic analysis

Data stream follows a path through proxies Data encrypted along path from proxy to exit router Data NOT encrypted between initiator host and proxy Or between exit router and responder

Goal is NOT anonymity per se End parties generally DO know each other But prevent third party from knowing endpoints

Onion Routing

Goal is NOT anonymity per se But prevent third party from knowing endpoints Data analytics can reveal interests/intentions from

observing history of web searches, e.g. Anonymous Remailers

Keep log of packets to prevent replays Not suitable for HTTP traffic

Too much data! Requires bi-directional, interactive traffic

Onion Routing

Establishes bidirectional communication End responder does not HAVE to know initiator Individual messages are not logged

Anonymous email supported Can include reply onion for responder Keeps initiator anonymous Can be used after current connection closed

Onion Routing

Encapsulate routes Initiator proxy determines a route Constructs onion – to set up virtual circuit Data sent after route is set up

Forward Onion Encrypt for responder’s proxy (Z) Encrypt for predecessor router (Y), with message for Z as payload Continue adding layers (similar to Chaum Mix-net) for entire route

(backwards)

Onions

Building a Forward Onion

W

Y

XLink encrypted

between routingnodes

Initiator’sProxy/Router

Z

U

Responder’sProxy/Router

ETz, NULL, Ffz, Kfz, Fbz, Kbz, pad

ETy, Z, Ffy, Kfy, Fby, Kby,

ETx, Y, Ffx, Kfx, Fbx, Kbx,

Route chosen by W

Route info for Z

Route info for Y

Route info for X

Initiator [Ffx, Kfx, Fbx, Kbx] VC-W17

[Ffy, Kfy, Fby, Kby]

[Ffz, Kfz, Fbz, Kbz]

Using a Forward Onion

W

Y

XLink encrypted

between routingnodes

Initiator’sProxy/Router

Z

U

Responder’sProxy/Router

ETz, NULL, Ffz, Kfz, Fbz, Kbz, pad

ETy, Z, Ffy, Kfy, Fby, Kby,

ETx, Y, Ffx, Kfx, Fbx, Kbx,

Route chosen by W

Route info for Z

Route info for Y

Route info for X

VC-W17[Ffx, Kfx, Fbx, Kbx] VC-Y3

VC-X3[Ffy, Kfy, Fby, Kby] VC-Z8 VC-Y8[Ffz, Kfz, Fbz, Kbz] Responder

Initiator [Ffx, Kfx, Fbx, Kbx] VC-W17

[Ffy, Kfy, Fby, Kby]

[Ffz, Kfz, Fbz, Kbz]

VC17

VC3

VC8

Forward Onion Layers of encryption using public key of successor Include Expiration Time for onion Include Next Hop address (except for last router) Include forward and backward functions and keys

Expiration Time Used to detect replays Copy of onion held until expiration time is up If duplicate arrives, discard If expired onion arrives, discard

Onions

Onion shrinkage Each router removes the plaintext it sees as it

processes the onion So onion shrinks as it traverses route Size of onion would reveal location in route!

Padding Each router adds random bitstring to end of payload Equal in length to the information it strips from header Router cannot tell how much of payload is padding

Except last router Initiator proxy pads central payload to fixed onion size

So onions all look the same

Onions

Processing a Forward Onion

W

Y

XLink encrypted

between routingnodes

Initiator’sProxy/Router

Z

U

Responder’sProxy/Router

ETx, Y, Ffx, Kfz, Fbz, Kbz,

Route chosen by W

Onion for X

Onion for Y

Onion for Z

PayloadETy, Z, Ffz, Kfz, Fbz, Kbz,

PADPayloadETz, NULL, Ffz,

Kfz, Fbz, Kbz

PAD PADpad

Strip header Add padding

Messages sent on VC Message format

VCID – identifies virtual circuit Command – identifies message type Data – payload of message

Message types Create – to set up Destroy – to tear down Data – to send data (fwd or bkwd)

Setting up Virtual Circuits

Create Command Accompanies an onion Recipient selects VCID Sends create command with massaged onion and VCID to next router Stores VCID pair along with VCID info

Fwd and bkwd functions and keys

Data Command Intermediate nodes convert VCID Apply appropriate function with key

Destroy Remove VCID entry

Setting up Virtual Circuits

Crypting Each node applies forward function with forward key to data moving in forward

direction Applies backward function with backward key to data moving in backward direction Initiator proxy ”precrypts” ultimate forward msg by applying inverse functions in

reverse order Intermediate nodes ”peel off” transforms applied by initiator proxy as data traverses

route Data sent in backward direction is ”crypted” by routers along backward route Initiator proxy peels off these layers by applying inverse of backward transforms in

forward route order

Data Encryption

Route length is limited Size of onion restricts number of intermediates Can allow intermediates to add to route! But must not overwrite needed info!

Loose Routing Initiator can add padding to end of onion, set maximum loose count values for

intermediate nodes Intermediate can insert addtional hops on the way to the next prescribed node Intermediate must also crypt data as it passes through Can be used to repair route damage, or when initiator does not know a complete

route

Loose Routing

Loose Routing

W

Y

XLoose route

link

Initiator’sProxy/Router

Z

U

Responder’sProxy/Router

ETx, Y, Ffx, Kfx, Fbx, Kbx,

Route chosen by W

Onion for XOnion for Y

Onion for Z

PayloadETy, Z, Ffy, Kfy, Fby, Kby,

PADPayload

Add header No extra padding

ETu, Y, Ffu, Kfu, Fbu, Kbu,

PayloadOnion for UOnion for Y

Onion for ZOnion for Y

ETy, Z, Ffy, Kfy, Fby, Kby,

PayloadPAD

ET’z, Y, F’fz, K’fz, F’bz, K’bz,

PayloadETy, Z, Ffy, Kfy, Fby, Kby,

PayloadPAD

PADETz, NULL, Ffz, Kfz, Fbz, Kbz,

PAD PAD

Useful to allow recipient to reply after original circuit has been broken down VC no longer available for data transmission Allows responder to remain anonymous also

Reply Onion Sent by initiator to responder Can be used as a ”preformed” onion by responder to set up a VC to initiator

later Multiple can be sent to allow multiple such VCs Does not need to use the same path as the original VC used

Reply Onions

Looks like a forward onion Has same format, header information

Treated the same as a forward onion by intermediates Here is where ”crypting” comes in handy! Forward and backward functions are indistinguishable

Difference is that the payload tells the original initiator’s proxy all it needs to use the VC All the forward and backward functions along path Also indentifier for VC so the initiator can bind it to the reply onion it came

from

Reply Onions

Data are treated in the same way as in a VC set up by the original initiator in the forward direction Just use the functions given Original responder just sends data Intermediates apply ”forward” function given Original initiator applies all ”backward” functions

Multiple reply onions can be set Multiple can even be broadcast! Just have to use an unused onion Onions expire, and duplicates are ignored

Reply Onions

GPA can observe message flows No delays introduced, so timing matters! Near simultaneous opening of sockets a give-away

Compromised nodes Initiator proxy bad – then all is revealed! One good intermediate complicates TA One bad intermediate can effect DOS Bad responder proxy – if can detect corrupted data, then earlier node can

experimentally damage data Clock Synchronization

Can result in DOS – onion expiry

Attacks