Anonymous Connections and Onion Routing



Michael G. Reed, Paul F. Syverson, and David M. Goldschlag

Naval Research Lab oratory

Abstract reveal who they are communicating with to the rest of

the world. In certain cases anonymity may be desir-

able also: anonymous e-cash is not very anonymous if

Onion Routing is an infrastructure for private com-

delivered with a return address. Web based shopping

munication over a public network. It provides anony-

or browsing of public databases should not require re-

mous connections that are strongly resistant to both

vealing one's identity.

eavesdropping and trac analysis. Onion routing's

anonymous connections are bidirectional and near real-

This pap er describ es how a freely available system,

time, and can be used anywhere a socket connection

onion routing , can b e used to protect a varietyofIn-

can be used. Any identifying information must be in

ternet services against b oth eavesdropping and trac

the data stream carried over an anonymous connec-

analysis attacks, from b oth the network and outside ob-

tion. An onion is a data structure that is treated as the

servers. This pap er includes a sp eci cation sucientto

destination address by onion routers; thus, it is used

guide b oth re-implementations and new applications of

to establish an anonymous connection. Onions them-

onion routing. We also discuss con gurations of onion

selves appear di erently to each onion router as wel l as

routing networks and applications of onion routing, in-

to network observers. The same goes for data carried

cluding Virtual Private Networks VPN, Web brows-

1

over the connections they establish. Proxy aware ap-

ing, e-mail, remote login, and electronic cash.

plications, such as web browsing and e-mail, requireno

A purp ose of trac analysis is to reveal who is talk-

modi cation to use onion routing, and do so through

ing to whom. The anonymous connections describ ed

a series of proxies. Aprototype onion routing network

here are designed to b e resistant to trac analysis, i.e.,

is running between our lab and other sites. This paper

to make it dicult for observers to learn identifying in-

describes anonymous connections and their implemen-

formation from the connection e.g., by reading packet

tation using onion routing. This paper also describes

headers, tracking encrypted payloads, etc.. Any iden-

several application proxies for onion routing, as wel l as

tifying information must be passed as data through

con gurations of onion routing networks.

the anonymous connections. Our implementation of

anonymous connections, onion routing, provides pro-

tection against eavesdropping as a side e ect. Onion

routing provides bidirectional and near real-time com-

1 Intro duction

munication similar to TCP/IP so cket connections or

ATM AAL5 [6]. The anonymous connections can sub-

Is Internet communication private? Most security

stitute for so ckets in a wide variety of unmo di ed Inter-

concerns fo cus on preventing eavesdropping [18], i.e.,

net applications by means of proxies. Data may also b e

outsiders listening in on electronic conversations. But

passed through a privacy lter b efore b eing sentover

encrypted messages can still b e tracked, revealing who

an anonymous connection. This removes identifying

is talking to whom. This tracking is called trac analy-

information from the data stream, to make communi-

sis and may reveal sensitive information. For example,

cation anonymous to o.

the existence of inter-company collab oration may be

Although onion routing may be used for anony-

con dential. Similarly, e-mail users may not wish to

mous communication, it di ers from anonymous re-



Address: For Reed and Syverson Naval Research Lab o-

mailers [7, 16]intwoways: Communication is real-time

ratory, Center For High Assurance Computer Systems, Wash-

and bidirectional, and the anonymous connections are

ington, D.C. 20375-5337, USA, phone: +1 202.767.2389, fax:

application indep endent. Onion routing's anonymous

+1 202.404.7942, e-mail: flast [email protected]. For

Goldschlag Divx, 570 Herndon Parkway, Herndon, VA 20170,

1

USA, phone: +1 703-708-4028. fax: +1 703-708-4088, e-mail: Preliminary versions of p ortions of this pap er have app eared

[email protected] in [28, 14 , 24 ]. 1

can supp ort anonymous mail as well as

connections 2.1 Operational Overview

other applications. For example, onion routing maybe

used for anonymous Web browsing. A user may wish to

The onion routing network is accessed via a series

browse public Web sites without revealing his identity

of proxies . An initiating application makes a so cket

to those Web sites. That requires removing informa-

connection to an application proxy . This proxy mas-

tion that identi es him from his requests to Web servers

sages connection message format and later data to a

and removing information from the connection itself

generic form that can b e passed through the onion rout-

that may identify him. Hence, anonymous Web brows-

ing network. It then connects to an onion proxy , which

ing uses anonymized communication over anonymous

de nes a route through the onion routing network by

connections. The Anonymizer [1] only anonymizes the

constructing a layered data structure called an onion .

data stream, not the connection itself. So it do es not

The onion is passed to the entry funnel , which o ccu-

prevent trac analysis attacks like tracking data as it

pies one of the longstanding connections to an onion

moves through the network.

router and multiplexes connections to the onion rout-

This pap er is organized in the following way: Sec-

ing network at that onion router. That onion router

tion 2 presents an overview of onion routing. Section

will be the one for whom the outermost layer of the

3 presents empirical data ab out our prototyp e. Sec-

onion is intended. Eachlayer of the onion de nes the

tion 4 de nes our threat mo del. Section 5 describ es

next hop in a route. An onion router that receives an

onion routing and the application sp eci c proxies in

onion p eels o its layer, identi es the next hop, and

more detail. Section 6 describ es the implementation

sends the emb edded onion to that onion router. The

choices that were made for security reasons. Section 7

last onion router forwards data to an exit funnel , whose

describ es how onion routing may b e used in a wide va-

job is to pass data b etween the onion routing network

rietyofInternet applications. Section 8 contrasts onion

and the resp onder.

routing with related work, and section 9 presents con-

In addition to carrying next hop information, each

cluding remarks.

onion layer contains key seed material from whichkeys

2

are generated for crypting data sent forward or back-

ward along the anonymous connection. We de ne for-

2 Onion Routing Overview

ward to b e the direction in which the onion travels and

backward as the opp osite direction.

Once the anonymous connection is established, it

In onion routing, instead of making so cket connec-

can carry data. Before sending data over an anony-

tions directly to a resp onding machine, initiating ap-

mous connection, the onion proxy adds a layer of en-

plications make connections through a sequence of ma-

cryption for each onion router in the route. As data

chines called onion routers . The onion routing net-

moves through the anonymous connection, each onion

work allows the connection b etween the initiator and

router removes one layer of encryption, so it arrives at

responder to remain anonymous. Anonymous connec-

the resp onder as plaintext. This layering o ccurs in the

tions hide who is connected to whom, and for what

reverse order for data moving back to the initiator. So

purp ose, from b oth outside eavesdropp ers and com-

data that has passed backward through the anonymous

promised onion routers. If the initiator also wants to

connection must b e rep eatedly p ost-crypted to obtain

remain anonymous to the resp onder, then all identify-

the plaintext.

ing information must b e removed from the data stream

By layering cryptographic op erations in this way,

b efore b eing sentover the anonymous connection.

we gain an advantage over link encryption. As data

Onion routers in the network are connected by long-

moves through the network it app ears di erent to each

standing p ermanent so cket connections. Anonymous

onion router. Therefore, an anonymous connection is

connections through the network are multiplexed over

as strong as its strongest link, and even one honest no de

the longstanding connections. For any anonymous con-

is enough to maintain the privacy of the route. In link

nection, the sequence of onion routers in a route is

encrypted systems, compromised no des can co op erate

strictly de ned at connection setup. However, each

to uncover route information.

onion router can only identify the previous and next

Onion routers keep track of received onions until

hops along a route. Data passed along the anonymous

they expire. Replayed or expired onions are not for-

connection app ears di erent at each onion router, so

warded, so they cannot be used to uncover route in-

data cannot be tracked en route, and compromised

formation, either by outsiders or compromised onion

onion routers cannot co op erate by correlating the data

2

stream each sees. We will also see that they cannot

We de ne the verb crypt to mean the application of a cryp-

make use of replayed onions or replayed data. tographic op eration, b e it encryption or decryption. 2

routers. Note that clo ck skew between onion routers tracking of trac originating or terminating within the

can only cause an onion router to reject a fresh onion sensitive site, this onion router should also route data

or to keep trackof pro cessed onions longer than nec- between other onion routers. This con guration might

essary. Also, since data is encrypted using stream ci- represent the system interface from a typical corp orate

phers, replayed data will lo ok di erent each time it or government site. Here the application proxies to-

passes through a prop erly op erating onion router. gether with any privacy lters, and the onion proxies

would typically live at the rewall as well. Typically,

Although we call this system onion routing, the

there might only b e one onion proxy.

routing that o ccurs here do es so at the application

There are three imp ortant features of this basic con-

layer of the proto col stack and not at the IP layer.

guration:

More sp eci cally,we rely up on IP routing to route data

passed through the longstanding so cket connections.

 Connections between machines b ehind onion

An anonymous connection is comprised of p ortions of

routers are protected against b oth eavesdropping

several linked longstanding multiplexed so cket connec-

and trac analysis. Since the data stream never

tions. Therefore, although the series of onion routers

app ears in the clear on the public network, this

in an anonymous connection is xed for the lifetime

data may carry identifying information, but com-

of that anonymous connection, the route that data ac-

munication is still private. This feature is used

tually travels between individual onion routers is de-

in section 7.1.

termined by the underlying IP network. Thus, onion

routing may b e compared to lo ose source routing.

 The onion router at the originating protected site

Onion routing dep ends up on connection based ser-

knows b oth the source and destination of a con-

vices that deliver data uncorrupted and in-order. This

nection. This protects the anonymity of con-

simpli es the sp eci cation of the system. TCP so cket

nections from observers outside the rewall but

connections, which are layered on top of a connection-

also simpli es enforcement of and monitoring for

less service likeIP, provide these guarantees. Similarly,

compliance with corp orate or governmental usage

onion routing could easily be layered on top of other

p olicy.

connection based services, likeATM AAL5.

Our current prototyp e of onion routing considers the

 The use of anonymous connections b etween two

network top ology to b e static and do es not have mecha-

sensitive sites that b oth control onion routers

nisms to automatically distribute or up date public keys

e ectively hides their communication from out-

or network top ology. These issues, though imp ortant,

siders. However, if the resp onder is not in a sen-

are not the key parts of onion routing and will b e ad-

sitive site e.g., the resp onder is some arbitrary

dressed in a later prototyp e.

Web server the data stream from the sensitive

must also be anonymized. If the con-

2.2 Configurations initiator

nection b etween the exit funnel and the resp ond-

ing server is unencrypted, the data stream might

As mentioned ab ove neighb oring onion routers are

otherwise identify the initiator. For example, an

neighb ors in virtue of having longstanding so cket con-

attacker could simply listen in on the connections

nections b etween them, and the network as a whole is

to a Web server and identify initiators of any con-

accessed from the outside through a series of proxies.

nection to it.

By adjusting where those proxies reside it is p ossible to

vary which elements of the system are trusted by users

2.2.2 Remote Proxy Con guration

and in what way. For some con gurations it may b e ef-

cienttocombine proxies that reside in the same place,

What happ ens if an initiator do es not control an onion

thus they may b e only conceptually distinct.

router? If the initiator can make encrypted connections

to some remote onion router, then he can function as

if he is in the rewall con guration just describ ed, ex-

2.2.1 Firewall Con guration

cept that b oth observers and the network can tell when

In the rewal l con guration , an onion router sits on he makes connections to the onion router. However, if

the rewall of a sensitive site. This onion router serves the initiator trusts the onion router to build onions, his

as an interface between machines b ehind the rewall asso ciation with the anonymous connection from that

and the external network. Connections from machines onion router to the resp onder is hidden from observers

b ehind the rewall to the onion router are protected and the network. In a similar way, an encrypted con-

by other means e.g., physical security. To complicate nection from an exit funnel to a resp onder hides the 3

3 Empirical Data asso ciation of the resp onder with the anonymous con-

nection .

We invite readers to exp eriment with our pro-

Therefore, if an initiator makes an anonymous con-

totyp e of onion routing by using it to anony-

nection to some resp onder, and layers end-to-end en-

mously surf the Web, send anonymous e-mail, and

cryption over that anonymous connection, the initia-

do remote logins. For instructions please see

tor and resp onder can identify themselves to one an-

http://www.itd.nrl.navy.mil/ITD/5540/projects/

other, yet hide their communication from the rest of

onion-routing/.

the world. So we can build virtual private networks

One should b e aware that accessing a remote onion

without protected sites.

router do es not completely preserve anonymity, be-

Notice, however, that the initiator trusts the remote

cause the connection between a remote machine and

onion router to conceal that the initiator wants to com-

the rst onion router is not protected. If that connec-

municate with the resp onder, and to build an anony-

tion were protected, one would b e in the remote proxy

mous connection through other onion routers. The

con guration, but there would would still be no rea-

next section describ es howto shift some of this trust

son to trust the remote onion router. If one had a

from the rst onion router to the initiator.

secured connection to an onion router one trusted, our

onion router could b e used as one of several intermedi-

ate routers to further complicate trac analysis.

Wehave recently set up a thirteen no de distributed

2.2.3 The Customer{ISP Con guration

network of government, academic, and private sites.

However, at press time wehave not yet gathered p er-

formance data for this network. The data we present

Supp ose, for example, an Internet Services Provider

are for a network running on a single machine. In our

ISP runs a funnel that accepts connections from

exp erimental onion routing network, ve onion routers

onion proxies running on subscrib ers' machines. In

run on a single Sun Ultra 2 2170. This machine has two

this con guration, users generate onions sp ecifying a

167 MHz pro cessors, and 256MB of memory. Anony-

path through the ISP to the destination. Although the

mous connections are routed through a random se-

ISP would know who initiates the connection, the ISP

quence of ve onion routers. Connection setup time

would not know with whom the customer is communi-

should be comparable to a more distributed top ol-

cating, nor would it b e able to see data content. So the

ogy. Data latency,however, is more dicult to judge.

customer need not trust the ISP to maintain her pri-

Clearly, data will travel faster over so cket connections

vacy. Furthermore, the ISP b ecomes a common carrier,

between onion routers on the same machine than over

who carries data for its customers. This may relieve the

so cket connections between di erent machines. How-

ISP of resp onsibility b oth for whom users are commu-

ever, on a single machine the removal or addition of

nicating with and the content of those conversations.

layers of encryption is not pip elined, so data latency

The ISP mayormay not b e running an onion router as

maybeworse.

well. If he is running an onion router, then it is more

Onion routing's overhead is mainly due to public

dicult to identify connections that terminate with his

key cryptography and is incurred while setting up an

customers; however, he is serving as a routing p oint for

anonymous connection. On our Ultra 2 running a fast

other trac. On the other hand, if he simply runs a

implementation of RSA [2], a single public key decryp-

funnel to an onion router elsewhere, it will b e p ossible

tion of a 1024 bit plaintext blo ck using a 1024 bit pri-

to identify connections terminating with him, but his

vate key and a 1024 bit mo dulus takes 90 milliseconds.

overall trac load will b e less. Which of these would b e

Encryption is much faster, b ecause the public keys are

the case for a given ISP would probably dep end on a va-

only 16 bits long. This is why RSA signature veri-

riety of service, cost, and pricing considerations. Note

cation is cheap er than signing. So, the public key

that in this con guration the entry funnel must havean

cryptographic overhead for routes spanning ve onion

established longstanding connection to an onion router

routers is just under 0.5 seconds. This overhead can

just likeany neighb oring onion router. Cf. section 5.6

be further reduced, either with sp ecialized hardware,

for a description of how these are established. But, in

or even simply on di erent hardware a 200 MHz Pen-

most other cases, where the funnel resides on the same

tium would b e almost twice as fast.

machine as the onion router, establishing an encrypted

longstanding connection should not b e necessary since In practice, our connection setup overhead do es not

the funnel can b e directly incorp orated into the onion app ear to add intolerably to the overhead of typical

router. so cket connections. Still, it can be further reduced. 4

There is no reason that the same anonymous connec- load on the system makes the network easier to analyze

tion could not be used to carry the trac for several and makes the system not uniformly busy.

`real' so cket connections, either sequentially or multi- Passive internal attacks require at least two com-

plexed. In fact, the sp eci cation for HTTP 1.1 de nes promised onion routers. Since onion routers can assign

pip elined connections to amortize the cost of so cket markers to a session, b oth the marker and timing at-

setup, and pip elined connections would also transpar- tacks are p ossible. Sp eci cally, timing signatures can

ently amortize the increased cost of anonymous connec- b e broadcast, and other compromised onion routers can

tion setup. We are currently up dating our Web proxy attempt to nd connections with matching timing sig-

to b e HTTP 1.1 compliant. natures.

Another attack that is only feasible as an internal at-

tack is the volume attack. Compromised onion routers

4 Threat Mo del

can keep track of the numb er of cells that have passed

over any given anonymous connection. They can then

This section outlines our threat mo del. It do es not

simply broadcast totals to other compromised onion

intend to quantify the cost of attacks, but to de ne

routers. Cell totals that are close to the same amount

p ossible attacks. Future work will quantify the threat.

at the same time at di erent onion routers are likely to

First some vo cabulary. A session is the data carried

3

b elong to the same anonymous connection.

over a single anonymous connection. Data is carried

Activeinternal attacks amplify these risks, since in-

in xed length cells. Since these cells are multiply en-

dividual onion routers can selectively limit trac on

crypted and change as they move through an anony-

particular connections. An onion router could, for ex-

mous connection, tracking cells is equivalent to track-

ample, force a particular timing signature on a connec-

ing markers that indicate when cells b egin. In a marker

tion, and advertise that signature.

attack, the attacker identi es the set of outb ound con-

nections that some distinguished marker may have

5 Onion Routing Sp eci cs

b een forwarded up on. By intersecting these sets for

a series of distinguished markers b elonging to the same

ker may determine, or at least narrow,

session, an attac 5.1 Onion Routing Proxies

the set of p ossible next hops. In a timing attack, the

A proxy is a transparent service b etween two appli-

attacker records a timing signature for a session that

cations that would usually make a direct so cket con-

correlates data rate over time. A session mayhavea

nection to each other but cannot. For example, a re-

very similar timing signature wherever it is measured

wall might prevent direct so cket connections between

over a route, so co op erating attackers may determine

internal and external machines. A proxy running on

if they carry a particular session.

the rewall may enable such connections. Proxy aware

We assume that the network is sub ject to b oth pas-

applications are b ecoming quite common.

sive and active attacks. Trac may b e monitored and

Our goal has b een to design an architecture for pri-

mo di ed by b oth external observers and internal net-

vate communication that would interface with unmodi-

work elements, including compromised onion routers.

ed applications, so wechose to use proxies as the inter-

Attackers may co op erate and share information and in-

face between applications and onion routing's anony-

ferences. We assume roving attackers that can monitor

mous connections. For applications that are designed

part, but not all, of the network at a time.

to be proxy aware, e.g., WWW browsers, we sim-

Our goal is to prevent trac analysis, not trac con-

ply design appropriate interface proxies. Surprisingly,

rmation. If an attacker wants to con rm that two end-

for certain applications that are not proxy aware e.g.,

p oints often communicate, and he observes that they

RLOGIN, wehave also b een able to design interface

each connect to an anonymous connection at roughly

proxies.

the same time, more often than is statistically ex-

Because it is necessary to bridge between applica-

p ected, it is reasonable to infer that the endp oints are

tions and the onion routing network, proxies must un-

indeed communicating. Notice that this attack is in-

derstand b oth application proto cols and onion routing

feasible if endp oints live in protected networks b ehind

proto cols. Therefore, we mo dularize the design into

trusted onion routers on rewalls.

comp onents: the application proxy, the onion proxy,

If the onion routing infrastructure is uniformly busy,

and the entry funnel. The application proxy bridges

then passive external attacks are ine ective. Sp eci -

between a so cket connection from an application and

cally, neither the marker nor timing attacks are feasi-

3

ble, since external observers cannot assign markers to

Thanks to Gene Tsudik for noting this attack and for helpful

sessions. Active attacks are p ossible since reducing the discussions. 5

The application proxy is listening for new requests. asocket connection to the onion proxy. It is the obli-

Once it obtains the GET request, it creates the standard gation of the application proxy to massage the data

structure and sends it along a new so cket connection stream so the onion proxy, the entry funnel and the exit

to the onion proxy, to inform the onion proxy of the funnel can b e application indep endent. Sp eci cally, the

service and destination of the anonymous connection. application proxy must prep end to the data stream a

The application proxy then mo di es the GET request standard structure that identi es the ultimate destina-

to GET /showcase/ HTTP/1.0 and sends it directly tion by either hostname/p ort or IP address/p ort. Ad-

through the anonymous connection to the HTTP ditionally,itmust pro cess a one byte return co de from

server www.domino.com, followed by the optional elds. the exit funnel and either continue if no error is re-

Notice that the server name and http:// are elimi- p orted or rep ort the onion routing error co de in some

nated from the GET request b ecause the connection is application sp eci c meaningful way. The application

made directly to the HTTP server. proxy may also contain an optional privacy lter for

sanitizing the data stream.

The application proxy essentially makes a connec-

tion to www.domino.com, and issues a request as if it

Up on receiving a new request, the onion proxy

were a client. Once this request is transmitted to the

builds an onion de ning the route of an anonymous

server, all proxies blindly forward data in b oth direc-

connection. It may use the destination address in

tions b etween the client and the server until the so cket

the prep ended structure to help de ne the route. It

is broken by either side.

then passes the onion to the funnel, and rep eatedly

For the anonymizing onion routing HTTP proxy, the

precrypts the standard structure. Finally, it passes

application proxy pro ceeds as outlined ab ove with one

the precrypted standard structure through the anony-

change: it is now necessary to sanitize the optional

mous connection to the exit funnel, thus sp ecifying the

elds that follow the GET command b ecause they may

ultimate destination. From this p oint on, the onion

contain identity information. Furthermore, the data

proxy blindly relays data back and forth b etween the

stream during a connection must b e monitored, to san-

application proxy and the onion routing network and

itize additional headers that might o ccur during the

thus the exit funnel at the other end of the anonymous

connection. For our current anonymizing HTTP proxy,

connection. Of course, it must apply the appropri-

op erations that store co okies on the user's browser to

ate keystreams to incoming and outgoing data when

track a user, for example are removed. This reduces

blindly relaying data.

function, so applications that dep end up on co okies

The entry funnel multiplexes connections from onion

like online shopping baskets may not work prop erly.

proxies to the onion routing network. For the services

wehave considered to date, a nearly generic exit funnel

5.2 Implementation

is adequate. Its function is to demultiplex connections

from the last onion router to the outside. When it

This section presents the interface sp eci cation b e-

reads a data stream from the terminating onion router

tween the comp onents in an onion routing system. To

the rst datum received will b e the standard structure

provide some structure to this sp eci cation, we will

sp ecifying the ultimate destination. The exit funnel

discuss comp onents in the order that data would move

makes a so cket connection to that IP address/p ort, re-

from an initiating client to a resp onding server.

p orts a one byte status message back to the onion rout-

There are four phases in an onion routing sys-

ing network and thus back to the onion proxy which

tem: network setup, which establishes the longstanding

in turn forwards it back to the application proxy, and

connections between onion routers; connection setup,

subsequently moves data between the onion routing

which establishes anonymous connections through the

network and the new so cket. For certain services,

onion router network; data movementover an anony-

like RLOGIN, the exit funnel also infers that the new

mous connection; and the destruction and cleanup of

so cket must originate from a trusted p ort. Entry and

anonymous connections. We will commingle the dis-

exit funnels are not application sp eci c but must un-

cussion of these b elow.

derstand the onion routing proto col, which de nes how

multiplexed connections are handled.

an example, consider the application proxy for

As 5.3 Application Proxy

HTTP. The user con gures his browser to use the

onion routing proxy. His browser may send the proxy The interface between an application and the ap-

a request like plication proxy is application sp eci c. The interface

GET http://www.domino.com/showcase/ HTTP/1.0 between the application proxy and the onion proxy is

followed by optional elds. de ned as follows. For each new proxy request, the 6

0 1 2 3

application proxy rst determines if it will handle or

01234567890123456789012345678901

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

deny the request. If rejected, it rep orts an application

|0| Version |Back F|Forw F| Destination Port |

sp eci c error message and then closes the so cket and

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Destination Address |

waits for the next request. If accepted, it creates a

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

so cket to the onion proxy's well known p ort. The ap-

| Expiration Time GMT |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

plication proxy then sends a standard structure to the

| |

onion proxy of the form:

+ +

| |

+ Key Seed Material +

0 1 2 3

| |

01234567890123456789012345678901

+ +

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| |

| Version | Protocol | Retry Count | Addr Format |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Version is currently de ned to be 1. Protocol is

As we will see b elow, the rst bit must b e zero for

either 1 for RLOGIN, 2 for HTTP, or 3 for SMTP.

RSA public key cryptography to succeed. Following

Retry Count sp eci es how many times the exit funnel

the zero bit is the Version Number of the onion routing

should attempt to retry connecting to the ultimate des-

system, currently de ned to b e 1.

tination. Finally, the Addr Format eld sp eci es the

The Back F eld denotes the cryptographic function

form of the ultimate destination address: 1 for a NULL

to b e applied to data moving in the backward direction

terminated ASCI I string with the hostname or IP ad-

de ned as data moving in the direction opp osite that

dress in ASCI I form immediately followed by another

which the onion traveled, usually toward the initiator's

NULL terminated ASCI I string with the destination

end of the anonymous so cket connection using key

2

p ort numb er, and all others currently unde ned. The

de ned b elow. The Forw F eld denotes the crypto-

ultimate destination address is sent after this standard

graphic function to be applied to data moving in the

structure, and the application proxy waits for a one

forward direction de ned as data moving in the same

byte error co de b efore sending data.

direction as that which the onion traveled, usually to-

ard the resp onder's end of the anonymous so cket con-

5.4 Onion Proxy w

nection using key de ned b elow. Currently de ned

3

cryptographic functions are: 0 for Identity no encryp-

Up on receiving the standard structure, the onion

tion, 1 for DES OFB output feedback mo de 56 bit

proxy can decide whether to accept or reject the re-

key, and 2 for RC4 128 bit key. The Destination

quest based on the proto col, destination host, desti-

Address and Destination Port indicate the next onion

nation p ort, or the identity of the application proxy.

router in network order and are b oth 0 for the exit fun-

If rejected, it sends an appropriate error co de backto

nel. The Expiration Time is given in network order in

the application proxy, closes the so cket, and waits for

seconds relative to 00:00:00 UTC January 1, 1970 i.e.,

the next request. If accepted, it pro ceeds to build the

standard UNIX time2 format and sp eci es how long

onion and connects to the entry funnel of the rst onion

the onion router at this hop in the anonymous connec-

router, through the network, and to the exit funnel of

tion must track the onion against replays b efore it ex-

the last. It next sends the standard structure to the

pires. Key Seed Material is 128 bits long and is hashed

exit funnel over the anonymous connection, and then

three times with SHA to pro duce three cryptographic

passes all future data to and from the application proxy

keys key , key , and key  of 128-bits each the rst

1 2 3

and anonymous connection. The rep eated pre and p ost

eightbytes of each SHA output are used for DES and

cryptions and packaging of the standard structure and

4

the rst 16 bytes for RC4 keys.

subsequent data is discussed later in section 5.6.

Since we use RSA public key cryptography with a

size of 1024-bits, the plaintext blo ck size is

5.5 Onions mo dulus

1024 bits and must be strictly less than the mo dulus

numerically. Toavoid problems, we force this relation

To build the anonymous connection to the exit fun-

by putting the most-signi cant bit rst and setting it

nel, the onion proxy creates an onion. An onion is

to 0 the leading 0 ab ove. Furthermore, the inner-

a multi-layered data structure that encapsulates the

most layer of the onion is padded on the end with an

route of the anonymous connection starting from the

additional 100 bytes prior to RSA encryption b eing

onion router for that exit funnel and working backward

4

to the onion router at the entry funnel.

Details on the cryptographic op erations used in this pap er

Eachlayer has the following structure: can b e found in [20, 26]. 7

p erformed. the multiplexing of b oth anonymous connections and

In version 1, an onion has velayers, but routes can control information over the longstanding connections.

b e shorter. An onion is formed iteratively, innermost Cell size was chosen to b e compliant with ATM. In

layer rst. At each iteration, the rst 128 bytes of the version 1 of the onion routing system, there are four

onion are encrypted with the public key of the onion typ es of cells: PADDING 0, CREATE 1, DATA

router that is intended to decrypt that layer. The re- 2, and DESTROY 3.

mainder of the onion is encrypted, using DES OFB Cel ls have the following structure:

with an IV initialization vector of 0 and key de-

1

0 1 2 3

rived from Key Seed Material in that layer as de ned

01234567890123456789012345678901

5

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ab ove.

| ACI | Command | Length |

Before discussing how onions and data are sentbe-

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| |

tween onion routers, we will de ne onion router inter-

...... Payload 44 bytes......

connection.

| |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

5.6 Onion Router Interconnection

The ACI anonymous connection identi er and

Command elds are always encrypted using the link

During onion network setup not to be confused

encryption between neighb oring no des. Additionally,

with anonymous connection setup, longstanding con-

the Length and Payload elds are encrypted using the

nections b etween neighb oring onion routers are estab-

link encryption b etween neighb oring no des if the com-

lished and keyed. The network top ology is prede ned

mand is either PADDING 0 or DESTROY 3. For

and each onion router knows its neighb ors.

CREATE 1 commands, the length is link encrypted,

To remain connected to each of its neighb ors, onion

but the payload is already encrypted b ecause it car-

routers must b oth listen for connections from neigh-

ries the onion. For DATA 2 commands, the length

b ors and attempt to initiate connections to neighb ors.

and entire payload are encrypted using the anonymous

Toavoid deadlo ck and collision issues b etween pairs of

connection's forward or backward cryptographic op er-

neighb ors, an onion router listens for connections from

ations.

neighb ors with \higher" IP/p ort addresses and initi-

Each anonymous connection is assigned an ACI at

ates connections to neighb ors with \lower" IP/p ort ad-

each onion router, which lab els an anonymous connec-

dresses. \Higher" and \Lower" are de ned with resp ect

tion when it is multiplexed over the longstanding con-

to network byte ordering. This was an exp edientway

nection to the next onion router. ACIs must b e unique

to break symmetry. Ultimately we will want a more

on their longstanding connection but need not b e glob-

exible solution. For example, when an onion router

ally unique.

go es down, it should contact its neighb ors up on com-

To move an onion through the system, an onion

ing back up. Requiring the neighb ors to try to contact

router p eels o the outermost layer, identifying the

the down router until it resp onds is less ecient. This

next hop. It checks the freshness not expired and

is not dicult to implement and we will do so in the

not replayed of the onion, computes the necessary

future.

cryptographic keys, initializes the forward and back-

The proto col has two phases: connection setup and

ward cryptographic engines, cho oses a new ACI for

keying. The initiating onion router op ens a so cket to

the next hop in the new connection, and then builds a

awell known p ort of its neighb oring onion router, and

data structure asso ciated with that connection which

sends its IP address and well known p ort the p ort is

maps incoming to outgoing ACIs and the cryptographic

included to allow multiple onion routers to run on a

engines asso ciated with forward and backward data.

single machine in network order to identify itself. The

Since neighb oring onion routers cho ose ACIs for each

keying phase ensues, using STS [9] which will gener-

other on the thick pip e that they share, each is assigned

ate two DES 56-bit keys. The link encryption over the

half of the naming space. The neighb oring onion router

longstanding connections is done by DES OFB with

with a \higher address" cho oses ACIs in the top half

IVs of 0 and these twokeys one for data in each di-

of that space, while its neighb or with the lower address

rection.

cho oses ACIs from the b ottom half of that space. After

Once keyed, communication b etween onion routers

the outermost layer of onion is p eeled o , the rest of the

is packaged into xed sized cel ls , which allows for

onion is padded randomly to its original length, placed

5

We use DES to encrypt the onion, and for link encryption

into CREATE cells, and then sent out in order to the

between onion routers, b ecause it has no licensing fees and can b e

appropriate neighb or. The payload of the last cell is

used as a pseudorandom numb er generator. However, wewould

padded with random bits to ll the cell if necessary to b e happy to use a stronger pseudorandom numb er generator. 8

avoid traceability. 6 Implementation Vulnerabilities

Data moves through an anonymous connection in

DATA cells. At each onion router b oth the length and

An implementation of a secure design can b e inse-

payload elds of a cell are crypted using the appro-

cure. In this section, we describ e several implementa-

priate cryptographic engine. The new cell is sent out

tion decisions that were made for security considera-

to the appropriate neighb or. The onion proxy must

tions.

rep eatedly crypt data to either add the appropriate

Onions are packaged in a sequence of cells that must

layers of cryption on outgoing data, or removelayers

b e pro cessed together. This onion pro cessing involves a

of cryption from incoming data. When constructing

public key decryption op eration which is relatively ex-

aDATA cell from a plaintext data stream, the cell is

p ensive. Therefore, it is p ossible to imagine an imple-

partially lled, its true length is set, and all 45 bytes

mentation that clears outgoing queues while an onion

of the length and payload elds are rep eatedly crypted

is b eing pro cessed, and then outputs the onion. There-

using the stream ciphers de ned by the onion. There-

fore, any p erio d of inactivity on the out-b ound queues

fore, when the cell arrives at the exit funnel, the length

is likely to b e followed by a sequence of onion cells b e-

eld re ects the length of the actual data carried in the

ing output on a single queue. Such an implementation

payload.

makes tracking easier and should b e avoided.

If a connection is broken, a DESTROY command

After pro cessing at each onion router, onions are

is sent to clean up state information. The ACI eld

padded at the end to comp ensate for the removed layer.

of the DESTROY command carries the ACI of the

This padding must be random, since onions are not

broken connection. The length and payload must be

link encrypted between onion routers. Similarly, the

random. Up on receipt of a DESTROY command, it

length and payload of a DESTROY command must b e

is the resp onsibility of an onion router to forward the

new random content at each onion router; otherwise,

DESTROY appropriately and to acknowledge receipt

compromised onion routers could track that payload.

by sending another DESTROY command back to the

In a multi-threaded implementation, there is a sig-

previous sender. After sending a DESTROY command

ni cant lure to rely up on apparent randomness in

ab out a particular ACI, an onion router may not send

scheduling to reorder events. If reordering is imp or-

any more cells along that anonymous connection. Once

tant to the secure op eration of the system, delib erate

an acknowledgment DESTROY message is received, an

reordering is crucial, since low level system randomness

onion routing no de considers the anonymous connec-

may in fact b e predictable.

tion destroyed and the ACI can b e used as a lab el for

There are two vulnerabilities for which we do not

a new anonymous connection.

have go o d solutions. If part of the onion routing net-

The PADDING command is used to inject data into

work is taken down, trac analysis may b e simpli ed.

a longstanding so cket to further confuse trac analysis.

Also, if a longstanding connection b etween two onion

PADDING cells are discarded up on receipt.

routers is broken, it will result in many DESTROY

Each onion router also reorders cells moving through

messages, one for each anonymous connection that was

it. All cells that arrive at an onion router within a xed

routed through that longstanding connection. There-

interval of time on any connection are mixed pseudo-

fore, a compromised onion router may infer from near

randomly, except that the order of cells in each anony-

simultaneous DESTROY messages that the asso ciated

mous connection is preserved.

anonymous connections had some common route. De-

laying DESTROY messages hurts p erformance, since

5.7 Exit Funnel

we require that a DESTROY message propagate to the

endp oints to takedown the connection that is visible

When a routing no de receives an onion with Des- to the user. Carrying the DESTROY message through

tination Address and Destination Port of 0, it knows the anonymous connection and garbage collecting dor-

it is the terminal onion router for the connection and mant anonymous connections later would b e ideal, but

passes the connection not to another onion router but we do not knowhow to eciently insert control infor-

to its own exit funnel. The funnel pro ceeds to read the mation into a raw data channel, esp ecially consider-

standard structure that will b e the rst data across the ing our layered encryption. One p ossibility is for the

anonymous so cket connection, establishes a connection onion router on the initiator side of a break to send

to the ultimate destination as indicated, and returns some large predetermined numb er of one bits backto

the status co de. After this, it will blindly forward data the initiator followed by a message that the connec-

between the anonymous connection and the connection tion is destroyed. The onion proxy could then check

to the resp onder's machine. for such a signal after it strips o each layer of each 9

ket, and notify the application proxy if it receives

pac 7.2 Anonymous Chatting

the signal. The initiator can contact the resp onder out

of band, presumably through another anonymous con-

Anonymous connections can be used in a service

nection, authenticate itself by some means as the initia-

similar to IRC, where many parties meet to chat at

tor of the broken connection, and notify the resp onder

some central server. The chat server may mate sev-

of the break. Onion routers can either b e noti ed di-

eral anonymous connections carrying matching tokens.

rectly by the onion proxy after some random delayor

Each party de nes the part of the connection lead-

p ossibly garbage collect least recently used ACIs. We

ing back to itself, so no party has to trust the other

will continue to explore the feasibility of this and other

to maintain its privacy. If the communicating parties

6

p ossibilities.

layer end-to-end encryption over the mated anonymous

connections, they also prevent the central server from

listening in on the conversation.

7 Applications

7.3 Anonymous Cash

We rst describ e how to use anonymous connection

in VPNs, anonymous chatting services, and anonymous

Certain forms of e-cash are designed to be anony-

cash. We then describ e onion routing proxies for three

mous and untraceable, unless they are double sp ent

Internet services: Web browsing, e-mail, and remote

or otherwise misused. However, if a customer can-

logins. These three onion routing proxies have b een

not contact a vendor without identifying himself, the

implemented. Anonymizing versions of these proxies

anonymity of e-cash is undermined. For transactions

that remove the identifying information that may be

where b oth payment and pro duct can b e conveyed elec-

presentin the headers of these services' data streams

tronically, anonymous connections can b e used to hide

have b een implemented as well.

the identities of the parties from one another [27].

How can the customer b e prevented from taking his

hase without paying for it e.g., by closing the con-

7.1 Virtual Private Networks purc

nection early or the vendor b e prevented from taking

the customer's e-cash without completing the transac-

If two sites wanted to collab orate, they could estab-

tion? This is a hard problem [12, 4]. In the case of

lish one or more long term tunnels that would multiplex

awell known vendor, a practical solution is to require

manysocket connections, or even rawIPpackets, over

customers to pay rst. The vendor is unlikely to delib-

a single anonymous connection. This would e ectively

erately cheat its customers since it may be caughtin

hide who is collab orating with whom and what they

an audit.

are working on, without requiring the construction of

ymous connection for each connec-

an individual anon 7.4 Remote Login

tion made. Such long term anonymous connections b e-

tween enclaves provide the analog of a leased line over

We proxy remote login requests by taking advan-

a public network. Note that the protection provided a

tage of the option -l username to rlogin. The usual

VPN by onion routing is broader than that provided by

rlogin command is of the form:

encrypting rewalls. Basic encrypting rewalls encrypt

rlogin -l username server

payloads only. Thus, they protect con dentiality, but

To use rlogin through an onion routing proxy, one

do nothing to protect against trac analysis. IPSEC

would typ e

will protect trac for individual connections by encap-

rlogin -l username@server proxy

sulating packets in encrypted packets from the rewall,

where proxy refers to the onion routing proxy to b e

but this will not protect against institutional level traf-

used and b oth username and server are the same as

c analysis. Communication b etween two such rewalls

sp eci ed ab ove. A normal rlogin request is transmitted

will still indicate a collab oration b etween the sites b e-

from a privileged p ort on the client to the well known

hind them. Constant padding may b e added, but this

p ort for rlogin 513 on the server as:

is very exp ensive. And, unless many unrelated sites

agree to do it, it still do es not hide the existence of

\0 username on client \0 username on server \0 terminal type \0

the VPN established between those sites that are so

padding.

where username on client is the username of the in-

6

dividual invoking the command on the client machine,

Thanks to Gene Tsudik for some of the fundamental ele-

username on server is either the -l eld if sp eci ed or ments of this prop osal. 10

client. Therefore, the request must be massaged to the username of the individual invoking the command

remove the server name and scheme, and transmit- on the client machine if no -l is sp eci ed, and the

ted to www.server.com over the anonymous connec- terminal type is a standard termcap/linesp eed sp eci -

tion. Once this request is transmitted to the server, cation. The server resp onds with a single zero byte if

the proxy blindly forwards data in b oth directions b e- it will accept the connection or breaks the so cket con-

tween the client and server until the so cket is broken nection if an error has o ccurred or the connection is

by either side. rejected. Our normal rlogin proxy therefore receives

For privacy ltering of HTTP, the proxy pro ceeds the initial request:

as outlined ab ove with one change. It is now neces-

sary to sanitize the optional elds that follow the GET \0 username on client \0 username@server \0 terminal type \0

command b ecause they may contain identity informa-

tion. Furthermore, the data stream during a connec-

The proxy creates an anonymous connection to the

tion must b e monitored, to sanitize additional headers RLOGIN p ort on the server machine and pro ceeds to

that might o ccur during the connection.

send it a massaged request of the form:

The Anonymizer [1] also provides anonymous Web

browsing. Users can connect to servers through the

\0 username \0 username \0 terminal type \0

Anonymizer and it strips o identifying headers. This

is essentially what our ltering HTTP proxy do es.

Once this request is transmitted to the server, the

But packets can still be tracked and monitored. The

proxy blindly forwards data in b oth directions b etween

Anonymizer could b e used as a front end to the onion

the client and server until the so cket is broken by either

routing network to provide e ective protection against

side.

trac analysis. We discuss this further in section 8.

Notice that the onion router do es not send the server

the client's username on the client, so communication

ymous, unless the data-stream subsequently re-

is anon 7.6 Electronic Mail

veals more information.

Electronic mail is proxied by utilizing the form of e-mail address instead of the

7.5 Web Browsing userhost@proxy

normal user@host form. This form should work with

most current and older mail systems. Under this form,

Proxying HTTP requests follows the IETF HTTP

the client contacts the proxy server's well known SMTP

V1.0 Sp eci cation [3]. An HTTP request from a client

p ort 25. Instead of the normal mail daemon listening

through an HTTP proxy is of the form:

to that p ort, the proxy listens and interprets what it re-

GET http://www.server.com/file.html HTTP/1.0

ceives following a strict state machine: wait for a valid

HELO command, wait for a valid MAIL From: command,

followed by optional elds. Notice that an HTTP

and then wait for a valid RCPT To: command. Each

request from a client to a server is of the form:

command argument is temp orarily bu ered. Once the

RCPT To: command has b een received, the proxy pro-

GET file.html HTTP/1.0

ceeds to create an anonymous connection to the des-

tination server and relays the HELO and MAIL From:

also followed by optional elds. The server name and

commands exactly as received. The RCPT To: com-

proto col scheme are missing, b ecause the connection is

mand is massaged and forwarded. Any subsequent

made directly to the server.

RCPT To: commands are rejected. Once the DATA

As an example, a complete request from Netscap e

request is transmitted to the server, the proxy for-

Navigator to an onion router HTTP proxy may lo ok

wards data in b oth directions from the client and

like this:

server. An example of e-mail from [email protected]

on the machine sender.com to [email protected]

GET http://www.server.com/file.html HTTP/1.0

via the onion.com onion router is given b elow. Jo e

Referer: http://www.server.com/index.htm l

Proxy-Connection: Keep-Alive

typ es mail mary[email protected]. First

User-Agent: Mozilla/3.0 X11; I; SunOS 5.4 sun4m

the communications from the clientonsender.com to

Host: www.server.com

the onion router SMTP proxy on onion.com is given,

Accept: image/gif, image/x-xbitmap, image/jpeg

followed by the communications from the exit funnel

to recipient.com:

The proxy must create an anonymous connection to

www.server.com, and issue a request as if it were a 220 onion.com SMTP Onion Routing Network. 11

8 Comparisons with Related Work HELO sender.com

250-onion.com -- Connection from

250 sender.com 2.0.0.1.

Chaum [5] de nes a layered ob ject that routes data

MAIL From: [email protected]

through intermediate no des, called mixes . These in-

250 Sender is [email protected].

termediate no des may reorder, delay, and pad trac to

RCPT To: mary[email protected]

complicate trac analysis. In mixes, the assumption is

The proxy massages the RCPT To: line to make the

that a single p erfect mix adequately complicates trac

address [email protected] and makes an anony-

analysis, but a sequence of multiple mixes is typically

mous connection to recipient.com. It then replays

used b ecause real mixes are not ideal. Because of this,

the massaged proto col to recipient.com:

mix applications can use mixes in xed order, and of-

ten do. Onion routers di er from mixes in at least two

220-recipient.com Sendmail 4.1/SMI-4.1 ready

220 at Wed, 28 Aug 96 15:15:00 EDT

ways: onion routers are more limited in the extentto

HELO Onion.Routing.Network

which they delay trac at each no de b ecause of the

250-recipient.com Hello Onion.Routing.Network

real-time exp ectations that the applications demand

250 [2.0.0.5], pleased to meet you

of so cket connections. Also, in a typical onion routing

MAIL From: [email protected]

con guration, onion routers are also entry p oints to the

250 [email protected]... Sender ok

onion routing network, and trac entering or exiting

RCPT To: [email protected]

at those no des may not b e visible. This makes it hard

250 [email protected]... Recipient ok

to track packets, b ecause they may drop out of the net-

DATA

work at any no de, and new packets maybeintro duced

354 Enter mail, end with "." on a line by itself

at each no de. While onion routing cannot delay traf-

At this p oint, the proxy forwards data in b oth di-

c to the extent that mixes can, trac b etween onion

rections, until a line containing only a p erio d is sent

routers is multiplexed over a single channel and is link

from the sender to the recipient:

encrypted with a stream cipher. This makes it hard to

parse the stream.

This is a note

.

Anonymous remailers like Penet [17] strip headers

from received mail and forward it to the intended re-

The proxy forwards the line containing only a p erio d

cipient. They may also replace the sender's address

to the recipient, and forwards the recipient's resp onse

with some alias, p ermitting replies. These sorts of re-

to the sender. At that p oint, the proxy sends QUIT to

mailers store sensitive state: the mapping b etween the

the recipient, reads the resp onse and closes the con-

alias and the true return address. Also, mail forwarded

nection to the recipient. The proxy then waits for a

through a chain of remailers may b e tracked b ecause it

command from the sender; if that command is QUIT,

app ears the same to each remailer.

the proxy sends a resp onse and closes its connection to

Mix based remailers like [7, 16] use mixes to provide

the sender:

anonymous e-mail services. Essentially, the mail mes-

250 Mail accepted

sage is carried in the innermost layer of the onion data

QUIT

structure. Another onion typ e structure, used for a re-

221 onion.com Service closing transmission channel.

turn address, can be contained in the message. This

makes the return path self contained, and the remailer If the command is not QUIT, then it is MAIL, and

essentially stateless. Onion routing shares many struc- the proto col rep eats. Anything else prompts an error

tures with Bab el [16] but it uses them to build p ossibly resp onse, and the proxy waits for the next correct com-

long lived application indep endent connections. This mand.

makes anonymous connections accessible to a wide va- For the privacy ltered proxying of electronic mail,

rietyof applications. For application to e-mail it has the proxy pro ceeds as outlined ab ove with a few

b oth advantages and disadvantages. Onion routing's changes. It is now necessary to sanitize b oth the

service makes an anonymous connection directly to the MAIL From: command and the header p ortion of the

recipient's sendmail daemon. A disadvantage is that, actual message b o dy. Sanitization of the MAIL From:

since the connection is made in real-time, there is less command is trivial with a simple substitution of

freedom in mixing, which therefore might not b e done anonymous for [email protected]. For the header san-

as well. An advantage is that the anonymous connec- itization, we have taken the conservative approachof

tion is separated from the application, so anonymous deleting all headers, but this may be mo di ed in the

e-mail systems are considerably simpli ed b ecause the future to only remove identifying information and leave

application sp eci c part do es not have to move data the remaining header information intact. 12

data. Most imp ortantly, the network top ology of the through the network. Furthermore, b ecause the onion

Internet is more akin to the network top ology of the routing network can carry manytyp es of data, it has

long distance network b etween switches, where capac- the p otential to be more heavily utilized than a net-

ity is a shared resource. In anonymous ISDN, the mixes work that is devoted only to e-mail. Heavy utilization

hide communication within the lo cal switch, but con- is the key to anonymity.

nections b etween switches are not hidden. This implies

In [10], a structure similar to an onion is used to

that all calls b etween two businesses, each large enough

forward individual IP packets through a network. By

to use an entire switch, reveal which businesses are

maintaining tracking information at each router, ICMP

communicating. In onion routing, mixing is disp ersed

error messages can be moved back along the hidden

throughout the Internet, which improves hiding.

route. Essentially, a connection is built for each packet

Pip e-net [8] is a prop osal similar to onion routing. It

in a connectionless service. Although a followup pap er

has not b een implemented, however. Pip e-net's threat

[11] suggests that p erformance will b e go o d, esp ecially

mo del is more paranoid than onion routing's: it at-

with hardware based public key cryptography, our ex-

tempts to resist active attacks by global observers. For

p erience suggests that b oth the cryptographic overhead

example, Pip e-net's connections carry constant traf-

of building onions and the tracking of onions against

c to resist timing signature attacks and disruptions

replay is not eciently done on a packet-by-packet ba-

to any connection are propagated throughout the net-

sis. However, it is easy to imagine an onion routing

work.

proxy that collects IP packets and forwards them over

some anonymous connection. In this way, communi-

The Anonymizer is a Web proxy that lters the

cation is anonymous at the IP layer, but connections

HTTP data stream to removea user's identifying in-

need not b e built for eachIPpacket. This anonymous

formation, essentially as our ltering HTTP proxy

IP communication may b e more robust than our cur-

do es. For example, the Anonymizer will \strip out

rent architecture: it could survive a broken anonymous

all references to your e-mail address, computer typ e,

connection, since IP do es not exp ect reliable delivery.

and previous page visited b efore forwarding your re-

quest" [1]. This makes Web browsing private in the

In [22], mixes are used to provide untraceable com-

absence of anyeavesdropping or trac analysis. The

munication in an ISDN network. Here is a summary

Anonymizer is vulnerable in three ways: First, it must

of that pap er. In a phone system, each telephone line

b e trusted. Second, trac b etween a browser and the

is assigned to a particular lo cal switch i.e., lo cal ex-

Anonymizer is sent in the clear, so that trac identi-

change, and switches are interconnected by a long

es the true destination of a query, and includes the

distance network. Anonymous calls in ISDN rely up on

identifying information that the Anonymizer would l-

an anonymous connection between the caller and the

ter. Third, even if trac b etween the browser and the

long distance network. These connections are made

Anonymizer were encrypted, passive external observers

anonymous by routing calls through a prede ned se-

could mount the volume attack mentioned in section 4.

ries of mixes within each switch. The long distance

The Anonymizer, however, is now readily available to

endp oints of the connection are then mated to com-

everyone on the Web.

plete the call. Notice that observers can tell which

NetAngels [21] is similar to the Anonymizer, ex-

lo cal switches are connected. Also, since each phone

cept that it builds p ersonal pro les of its subscrib ers

line has a control circuit connection to the switch, the

and targets advertisements to match the pro le. How-

switch can broadcast messages to each line using these

ever, the pro le is not released to the advertiser and

control circuits. So, within a switch a truly anonymous

is deleted when a subscription is canceled. Subscrib ers

connection can b e established: A phone line makes an

must trust NetAngels, and connections to the service

anonymous connection to some mix. That mix broad-

are sub ject to the same attacks as the Anonymizer.

casts a token identifying itself and the connection. A

recipient of that token can make another anonymous

LPWA [19, 13] formerly known as Janus is a

connection to the sp eci ed mix, which mates the two

\proxy server that generates consistent untraceable

connections to complete the call.

aliases for you that enable you to browse the Web,

register at web sites and op en accounts, and b e `recog-

Our goal of anonymous connections over the Inter-

nized' up on returning to your accounts, all while still

net di ers from anonymous remailers and anonymous

preserving your privacy." Like the previous two, the

ISDN. The data is di erent, with real-time constraints

LPWA proxy is at a server that is remote from the

more severe than mail, but somewhat lo oser than voice.

user application. It is thus sub ject to the same trust

Both HTTP and ISDN connections are bidirectional,

and vulnerability limitations.

but, unlike ISDN, HTTP connections are likely to b e

It is p ossible, however, to shift trusted elements to small requests followed by short bursts of returned 13

The onion routing network supp orting anonymous the user's machine or to a machine on the b oundary

connections can b e con gured in several ways, includ- between his trusted LAN and the Internet. Shifting

ing a rewall con guration and a customer-ISP con gu- trust in this way can improve the security of other

ration, whichmoves privacy to the user's computer and privacy services like the Anonymizer, NetAngels, and

may relieve the carrier of resp onsibility for the user's LPWA. Currently, those are centralized to provide an

connections. intermediary that masks the true source of a connec-

tion. If anonymous connections are used to hide the

Onion routing moves the anonymous communica-

source address instead, the other functions of these ser-

tions infrastructure b elow the application level, prop-

vices may run as a lo cal proxy on the user's desktop.

erly separating communication and applications. Since

Security is improved b ecause privacy ltering and other

the ecacy of mixes dep ends up on sucient network

services are done on a trusted machine and b ecause

trac, allowing di erent applications to share the same

communication is resistant to trac analysis. Also,

communications infrastructure increases the abilityof

there is no central p oint of failure.

the network to resist trac analysis.

Another approach to anonymous Web connections

is Crowds [25]. Crowds is essentially a distributed

Acknowledgments

and chained Anonymizer, with encrypted links b etween

crowd memb ers. Web trac is forwarded to a crowd

Wehave had helpful comments from and discussion

memb er, who ips a weighted coin and, dep ending on

with p eople to o numerous to mention. We note esp e-

the result, forwards it either to some other crowd mem-

cially the help of Birgit P tzmann, Gene Tsudik, and

b er or to the destination. This makes communication

James Washington. We also thank the anonymous ref-

resistant to lo cal observers.

erees, the Levien family for hosting the onion dinner,

and the Isaac Newton Institute for hosting one of the

9 Conclusion

authors while some of this work was done. The fast

UltraSparc implementation of RSA was done byTolga

This pap er describ es anonymous connections, their

Acar and C etin Kaya Koc. This work was supp orted

realization in onion routing, and some of their appli-

by ONR and DARPA.

cations. Anonymous connections are resistanttoboth

eavesdropping and trac analysis. They separate the

References

anonymity of the connection from the anonymity of

communication over that connection. For example,

[1] The Anonymizer. http://www.anonymizer.com

two parties controlling onion routers can identify them-

selves to each other without revealing the existence of

[2] T. Acar, B. S. Kaliski, Jr., and C . Koc. \Analyzing

a connection b etween them. This pap er demonstrates

and Comparing Montgomery Multiplication Algo-

the versatility of anonymous connections by exploring

rithms", IEEE Micro , 163:26-33, June 1996.

their use in a varietyofInternet applications. These ap-

plications include standard Internet services likeWeb

[3] T. Berners-Lee, R. Fielding, and H. Frystyk. Hy-

browsing, remote login, and electronic mail. Anony-

pertext Transfer Protocol { HTTP/1.0,

mous connections can also b e used to supp ort virtual

ftp://ds.internic.net/rfc/rfc1945.txt

private networks with connections that are resistantto

trac analysis and that can carry connectionless traf-

[4] L. J. Camp, M. Harkavey, B. Yee, J. D. Ty-

c.

gar, \Anonymous Atomic Transactions", Sec-

Anonymous connections may b e used as a new prim-

ond USENIX Workshop on Electronic Commerce ,

itive that enables novel applications in addition to facil-

1996.

itating secure versions of existing services [24]. Besides

exploring other novel applications, future work includes

[5] D. Chaum. \Untraceable Electronic Mail, Return

a system redesign to improve throughput and an im-

Addresses, and Digital Pseudonyms", Communi-

plementation of reply onions [15, 23]. Reply onions

cations of the ACM , v. 24, n. 2, Feb. 1981, pp.

are basically reply addresses that enable connections

84-88.

to b e established back to an anonymous party. We will

[6] D. E. Comer. Internetworking with TCP/IP, be implementing other mechanisms for resp onding to

Volume 1: Principles, Protocols, and Architec- anonymous connections as well. We are also b eginning

ture, Prentice{Hall, Engelwo o d Cli s, New Jersey, a detailed analysis of onion routing to enable a quan-

1995. titative assessment of resistance to trac analysis. 14

[22] A. P tzmann, B. P tzmann, and M. Waidner. [7] L. Cottrell. Mixmaster and Remailer Attacks,

\ISDN-Mixes: Untraceable Communication with http://obscura.obscura.com/~loki/remailer

Very Small Bandwidth Overhead", GI/ITG Con- /remailer-essay.html

ference: Communication in Distributed Systems ,

[8] W. Dai. Pip e-net, February 1995, p ost to the

Mannheim Feb, 1991, Informatik-Fachb erichte

cypherpunks mailing list.

267, Springer-Verlag, Heidelb erg 1991, pp. 451-

463.

[9] Whit eld Die, Paul C. van Oorschot, and

Michael J. Wiener. \Authentication and Authenti-

[23] M. G. Reed, P. F. Syverson, and D. M. Goldschlag.

th

cated Key Exchanges". Designs, Codes, and Cryp-

\Proxies for Anonymous Routing", Proc. 12 An-

tography, 2:107{125, 1992.

nual Computer Security Applications Conference ,

San Diego, CA, IEEE CS Press, Decemb er, 1996,

[10] A. Fasb ender, D. Kesdogan, O. Kubitz. \Vari-

pp. 95{104.

able and Scalable Security: Protection of Lo ca-

th

tion Information in Mobile IP", 46 IEEE Ve-

[24] M. Reed, P. Syverson, and D. Goldschlag. \Proto-

hicular Technology Society Conference , Atlanta,

cols using Anonymous Connections: Mobile Ap-

March 1996.

plications", 1997 Security Protocols Workshop ,

Paris, April 1997, nal pro ceedings to app ear.

[11] A. Fasb ender, D. Kesdogan, O. Kubitz. \Analysis

th

of Security and Privacy in Mobile IP", 4 Interna-

[25] M. Reiter and A. Rubin. Crowds: Anonymity for

tional ConferenceonTelecommunication Systems

Web Transactions preliminary announcement,

Modeling and Analysis , Nashville, March 1996.

DIMACS Technical Rep orts 97-15, April 1997.

[12] M. Franklin and M. Reiter, \Fair Exchange with a

[26] B. Schneier. Applied Cryptography: Protocols, Al-

Semi-Trusted Third Party", Fourth ACM Confer-

gorithms and Source Code in C, John Wiley and

ence on Computer and Communications Security ,

Sons, 1994.

Zurich, April 1997.

[27] D. Simon, \Anonymous Communication and

[13] E. Gabb er, P. Gibb ons, Y. Matias, and A. Mayer.

Anonymous Cash", in Advances in Cryptology{

\HowtoMakePersonalized Web Browsing Simple,

CRYPTO`96 , N. Koblitz, ed., LNCS vol. 1109,

Secure, and Anonymous", Financial Cryptography

Springer-Verlag, 1996, pp. 61{73.

'97 ,February 1997, nal pro ceedings to app ear.

[28] P. Syverson, D. Goldschlag, and M. Reed.

[14] D. Goldschlag, M. Reed, and P. Syverson. \Pri-

\Anonymous Connections and Onion Routing",

vacy on the Internet", INET '97, Kuala Lumpur,

Proceedings of the 1997 IEEE Symposium on Se-

June 1997.

curity and Privacy , Oakland, CA, IEEE CS Press,

May 1997, pp. 44{54.

[15] D. Goldschlag, M. Reed, P. Syverson. \Hiding

Routing Information", in Information Hiding ,R.

Anderson, ed., LNCS vol. 1174, Springer-Verlag,

1996, pp. 137{150.

[16] C. Gulc  u  and G. Tsudik. \Mixing Email with Ba-

bel ", 1996 Symposium on Network and Distributed

System Security , San Diego, February 1996.

[17] J. Helsingius. www.p enet. .

[18] Internet Engineering Task Force.

http://www.ietf.org/

[19] http://lpwa.com:8000/

[20] A. Menezes, P. van Oorschot, and S. Vanstone.

Handbook of Applied Cryptography , CRC Press,

1997.

[21] http://www.netangels.com 15