Anonymous Connections and Onion Routing
Michael G. Reed, Paul F. Syverson, and David M. Goldschlag
Naval Research Lab oratory
Abstract reveal who they are communicating with to the rest of
the world. In certain cases anonymity may be desir-
able also: anonymous e-cash is not very anonymous if
Onion Routing is an infrastructure for private com-
delivered with a return address. Web based shopping
munication over a public network. It provides anony-
or browsing of public databases should not require re-
mous connections that are strongly resistant to both
vealing one's identity.
eavesdropping and trac analysis. Onion routing's
anonymous connections are bidirectional and near real-
This pap er describ es how a freely available system,
time, and can be used anywhere a socket connection
onion routing , can b e used to protect a varietyofIn-
can be used. Any identifying information must be in
ternet services against b oth eavesdropping and trac
the data stream carried over an anonymous connec-
analysis attacks, from b oth the network and outside ob-
tion. An onion is a data structure that is treated as the
servers. This pap er includes a sp eci cation sucientto
destination address by onion routers; thus, it is used
guide b oth re-implementations and new applications of
to establish an anonymous connection. Onions them-
onion routing. We also discuss con gurations of onion
selves appear di erently to each onion router as wel l as
routing networks and applications of onion routing, in-
to network observers. The same goes for data carried
cluding Virtual Private Networks VPN, Web brows-
1
over the connections they establish. Proxy aware ap-
ing, e-mail, remote login, and electronic cash.
plications, such as web browsing and e-mail, requireno
A purp ose of trac analysis is to reveal who is talk-
modi cation to use onion routing, and do so through
ing to whom. The anonymous connections describ ed
a series of proxies. Aprototype onion routing network
here are designed to b e resistant to trac analysis, i.e.,
is running between our lab and other sites. This paper
to make it dicult for observers to learn identifying in-
describes anonymous connections and their implemen-
formation from the connection e.g., by reading packet
tation using onion routing. This paper also describes
headers, tracking encrypted payloads, etc.. Any iden-
several application proxies for onion routing, as wel l as
tifying information must be passed as data through
con gurations of onion routing networks.
the anonymous connections. Our implementation of
anonymous connections, onion routing, provides pro-
tection against eavesdropping as a side e ect. Onion
routing provides bidirectional and near real-time com-
1 Intro duction
munication similar to TCP/IP so cket connections or
ATM AAL5 [6]. The anonymous connections can sub-
Is Internet communication private? Most security
stitute for so ckets in a wide variety of unmo di ed Inter-
concerns fo cus on preventing eavesdropping [18], i.e.,
net applications by means of proxies. Data may also b e
outsiders listening in on electronic conversations. But
passed through a privacy lter b efore b eing sentover
encrypted messages can still b e tracked, revealing who
an anonymous connection. This removes identifying
is talking to whom. This tracking is called trac analy-
information from the data stream, to make communi-
sis and may reveal sensitive information. For example,
cation anonymous to o.
the existence of inter-company collab oration may be
Although onion routing may be used for anony-
con dential. Similarly, e-mail users may not wish to
mous communication, it di ers from anonymous re-
Address: For Reed and Syverson Naval Research Lab o-
mailers [7, 16]intwoways: Communication is real-time
ratory, Center For High Assurance Computer Systems, Wash-
and bidirectional, and the anonymous connections are
ington, D.C. 20375-5337, USA, phone: +1 202.767.2389, fax:
application indep endent. Onion routing's anonymous
+1 202.404.7942, e-mail: flast [email protected]. For
Goldschlag Divx, 570 Herndon Parkway, Herndon, VA 20170,
1
USA, phone: +1 703-708-4028. fax: +1 703-708-4088, e-mail: Preliminary versions of p ortions of this pap er have app eared
[email protected] in [28, 14 , 24 ]. 1
can supp ort anonymous mail as well as
connections 2.1 Operational Overview
other applications. For example, onion routing maybe
used for anonymous Web browsing. A user may wish to
The onion routing network is accessed via a series
browse public Web sites without revealing his identity
of proxies . An initiating application makes a so cket
to those Web sites. That requires removing informa-
connection to an application proxy . This proxy mas-
tion that identi es him from his requests to Web servers
sages connection message format and later data to a
and removing information from the connection itself
generic form that can b e passed through the onion rout-
that may identify him. Hence, anonymous Web brows-
ing network. It then connects to an onion proxy , which
ing uses anonymized communication over anonymous
de nes a route through the onion routing network by
connections. The Anonymizer [1] only anonymizes the
constructing a layered data structure called an onion .
data stream, not the connection itself. So it do es not
The onion is passed to the entry funnel , which o ccu-
prevent trac analysis attacks like tracking data as it
pies one of the longstanding connections to an onion
moves through the network.
router and multiplexes connections to the onion rout-
This pap er is organized in the following way: Sec-
ing network at that onion router. That onion router
tion 2 presents an overview of onion routing. Section
will be the one for whom the outermost layer of the
3 presents empirical data ab out our prototyp e. Sec-
onion is intended. Eachlayer of the onion de nes the
tion 4 de nes our threat mo del. Section 5 describ es
next hop in a route. An onion router that receives an
onion routing and the application sp eci c proxies in
onion p eels o its layer, identi es the next hop, and
more detail. Section 6 describ es the implementation
sends the emb edded onion to that onion router. The
choices that were made for security reasons. Section 7
last onion router forwards data to an exit funnel , whose
describ es how onion routing may b e used in a wide va-
job is to pass data b etween the onion routing network
rietyofInternet applications. Section 8 contrasts onion
and the resp onder.
routing with related work, and section 9 presents con-
In addition to carrying next hop information, each
cluding remarks.
onion layer contains key seed material from whichkeys
2
are generated for crypting data sent forward or back-
ward along the anonymous connection. We de ne for-
2 Onion Routing Overview
ward to b e the direction in which the onion travels and
backward as the opp osite direction.
Once the anonymous connection is established, it
In onion routing, instead of making so cket connec-
can carry data. Before sending data over an anony-
tions directly to a resp onding machine, initiating ap-
mous connection, the onion proxy adds a layer of en-
plications make connections through a sequence of ma-
cryption for each onion router in the route. As data
chines called onion routers . The onion routing net-
moves through the anonymous connection, each onion
work allows the connection b etween the initiator and
router removes one layer of encryption, so it arrives at
responder to remain anonymous. Anonymous connec-
the resp onder as plaintext. This layering o ccurs in the
tions hide who is connected to whom, and for what
reverse order for data moving back to the initiator. So
purp ose, from b oth outside eavesdropp ers and com-
data that has passed backward through the anonymous
promised onion routers. If the initiator also wants to
connection must b e rep eatedly p ost-crypted to obtain
remain anonymous to the resp onder, then all identify-
the plaintext.
ing information must b e removed from the data stream
By layering cryptographic op erations in this way,
b efore b eing sentover the anonymous connection.
we gain an advantage over link encryption. As data
Onion routers in the network are connected by long-
moves through the network it app ears di erent to each
standing p ermanent so cket connections. Anonymous
onion router. Therefore, an anonymous connection is
connections through the network are multiplexed over
as strong as its strongest link, and even one honest no de
the longstanding connections. For any anonymous con-
is enough to maintain the privacy of the route. In link
nection, the sequence of onion routers in a route is
encrypted systems, compromised no des can co op erate
strictly de ned at connection setup. However, each
to uncover route information.
onion router can only identify the previous and next
Onion routers keep track of received onions until
hops along a route. Data passed along the anonymous
they expire. Replayed or expired onions are not for-
connection app ears di erent at each onion router, so
warded, so they cannot be used to uncover route in-
data cannot be tracked en route, and compromised
formation, either by outsiders or compromised onion
onion routers cannot co op erate by correlating the data
2
stream each sees. We will also see that they cannot
We de ne the verb crypt to mean the application of a cryp-
make use of replayed onions or replayed data. tographic op eration, b e it encryption or decryption. 2
routers. Note that clo ck skew between onion routers tracking of trac originating or terminating within the
can only cause an onion router to reject a fresh onion sensitive site, this onion router should also route data
or to keep trackof pro cessed onions longer than nec- between other onion routers. This con guration might
essary. Also, since data is encrypted using stream ci- represent the system interface from a typical corp orate
phers, replayed data will lo ok di erent each time it or government site. Here the application proxies to-
passes through a prop erly op erating onion router. gether with any privacy lters, and the onion proxies
would typically live at the rewall as well. Typically,
Although we call this system onion routing, the
there might only b e one onion proxy.
routing that o ccurs here do es so at the application
There are three imp ortant features of this basic con-
layer of the proto col stack and not at the IP layer.
guration:
More sp eci cally,we rely up on IP routing to route data
passed through the longstanding so cket connections.
Connections between machines b ehind onion
An anonymous connection is comprised of p ortions of
routers are protected against b oth eavesdropping
several linked longstanding multiplexed so cket connec-
and trac analysis. Since the data stream never
tions. Therefore, although the series of onion routers
app ears in the clear on the public network, this
in an anonymous connection is xed for the lifetime
data may carry identifying information, but com-
of that anonymous connection, the route that data ac-
munication is still private. This feature is used
tually travels between individual onion routers is de-
in section 7.1.
termined by the underlying IP network. Thus, onion
routing may b e compared to lo ose source routing.
The onion router at the originating protected site
Onion routing dep ends up on connection based ser-
knows b oth the source and destination of a con-
vices that deliver data uncorrupted and in-order. This
nection. This protects the anonymity of con-
simpli es the sp eci cation of the system. TCP so cket
nections from observers outside the rewall but
connections, which are layered on top of a connection-
also simpli es enforcement of and monitoring for
less service likeIP, provide these guarantees. Similarly,
compliance with corp orate or governmental usage
onion routing could easily be layered on top of other
p olicy.
connection based services, likeATM AAL5.
Our current prototyp e of onion routing considers the
The use of anonymous connections b etween two
network top ology to b e static and do es not have mecha-
sensitive sites that b oth control onion routers
nisms to automatically distribute or up date public keys
e ectively hides their communication from out-
or network top ology. These issues, though imp ortant,
siders. However, if the resp onder is not in a sen-
are not the key parts of onion routing and will b e ad-
sitive site e.g., the resp onder is some arbitrary
dressed in a later prototyp e.
Web server the data stream from the sensitive
must also be anonymized. If the con-
2.2 Configurations initiator
nection b etween the exit funnel and the resp ond-
ing server is unencrypted, the data stream might
As mentioned ab ove neighb oring onion routers are
otherwise identify the initiator. For example, an
neighb ors in virtue of having longstanding so cket con-
attacker could simply listen in on the connections
nections b etween them, and the network as a whole is
to a Web server and identify initiators of any con-
accessed from the outside through a series of proxies.
nection to it.
By adjusting where those proxies reside it is p ossible to
vary which elements of the system are trusted by users
2.2.2 Remote Proxy Con guration
and in what way. For some con gurations it may b e ef-
cienttocombine proxies that reside in the same place,
What happ ens if an initiator do es not control an onion
thus they may b e only conceptually distinct.
router? If the initiator can make encrypted connections
to some remote onion router, then he can function as
if he is in the rewall con guration just describ ed, ex-
2.2.1 Firewall Con guration
cept that b oth observers and the network can tell when
In the rewal l con guration , an onion router sits on he makes connections to the onion router. However, if
the rewall of a sensitive site. This onion router serves the initiator trusts the onion router to build onions, his
as an interface between machines b ehind the rewall asso ciation with the anonymous connection from that
and the external network. Connections from machines onion router to the resp onder is hidden from observers
b ehind the rewall to the onion router are protected and the network. In a similar way, an encrypted con-
by other means e.g., physical security. To complicate nection from an exit funnel to a resp onder hides the 3
3 Empirical Data asso ciation of the resp onder with the anonymous con-
nection .
We invite readers to exp eriment with our pro-
Therefore, if an initiator makes an anonymous con-
totyp e of onion routing by using it to anony-
nection to some resp onder, and layers end-to-end en-
mously surf the Web, send anonymous e-mail, and
cryption over that anonymous connection, the initia-
do remote logins. For instructions please see
tor and resp onder can identify themselves to one an-
http://www.itd.nrl.navy.mil/ITD/5540/projects/
other, yet hide their communication from the rest of
onion-routing/.
the world. So we can build virtual private networks
One should b e aware that accessing a remote onion
without protected sites.
router do es not completely preserve anonymity, be-
Notice, however, that the initiator trusts the remote
cause the connection between a remote machine and
onion router to conceal that the initiator wants to com-
the rst onion router is not protected. If that connec-
municate with the resp onder, and to build an anony-
tion were protected, one would b e in the remote proxy
mous connection through other onion routers. The
con guration, but there would would still be no rea-
next section describ es howto shift some of this trust
son to trust the remote onion router. If one had a
from the rst onion router to the initiator.
secured connection to an onion router one trusted, our
onion router could b e used as one of several intermedi-
ate routers to further complicate trac analysis.
Wehave recently set up a thirteen no de distributed
2.2.3 The Customer{ISP Con guration
network of government, academic, and private sites.
However, at press time wehave not yet gathered p er-
formance data for this network. The data we present
Supp ose, for example, an Internet Services Provider
are for a network running on a single machine. In our
ISP runs a funnel that accepts connections from
exp erimental onion routing network, ve onion routers
onion proxies running on subscrib ers' machines. In
run on a single Sun Ultra 2 2170. This machine has two
this con guration, users generate onions sp ecifying a
167 MHz pro cessors, and 256MB of memory. Anony-
path through the ISP to the destination. Although the
mous connections are routed through a random se-
ISP would know who initiates the connection, the ISP
quence of ve onion routers. Connection setup time
would not know with whom the customer is communi-
should be comparable to a more distributed top ol-
cating, nor would it b e able to see data content. So the
ogy. Data latency,however, is more dicult to judge.
customer need not trust the ISP to maintain her pri-
Clearly, data will travel faster over so cket connections
vacy. Furthermore, the ISP b ecomes a common carrier,
between onion routers on the same machine than over
who carries data for its customers. This may relieve the
so cket connections between di erent machines. How-
ISP of resp onsibility b oth for whom users are commu-
ever, on a single machine the removal or addition of
nicating with and the content of those conversations.
layers of encryption is not pip elined, so data latency
The ISP mayormay not b e running an onion router as
maybeworse.
well. If he is running an onion router, then it is more
Onion routing's overhead is mainly due to public
dicult to identify connections that terminate with his
key cryptography and is incurred while setting up an
customers; however, he is serving as a routing p oint for
anonymous connection. On our Ultra 2 running a fast
other trac. On the other hand, if he simply runs a
implementation of RSA [2], a single public key decryp-
funnel to an onion router elsewhere, it will b e p ossible
tion of a 1024 bit plaintext blo ck using a 1024 bit pri-
to identify connections terminating with him, but his
vate key and a 1024 bit mo dulus takes 90 milliseconds.
overall trac load will b e less. Which of these would b e
Encryption is much faster, b ecause the public keys are
the case for a given ISP would probably dep end on a va-
only 16 bits long. This is why RSA signature veri-
riety of service, cost, and pricing considerations. Note
cation is cheap er than signing. So, the public key
that in this con guration the entry funnel must havean
cryptographic overhead for routes spanning ve onion
established longstanding connection to an onion router
routers is just under 0.5 seconds. This overhead can
just likeany neighb oring onion router. Cf. section 5.6
be further reduced, either with sp ecialized hardware,
for a description of how these are established. But, in
or even simply on di erent hardware a 200 MHz Pen-
most other cases, where the funnel resides on the same
tium would b e almost twice as fast.
machine as the onion router, establishing an encrypted
longstanding connection should not b e necessary since In practice, our connection setup overhead do es not
the funnel can b e directly incorp orated into the onion app ear to add intolerably to the overhead of typical
router. so cket connections. Still, it can be further reduced. 4
There is no reason that the same anonymous connec- load on the system makes the network easier to analyze
tion could not be used to carry the trac for several and makes the system not uniformly busy.
`real' so cket connections, either sequentially or multi- Passive internal attacks require at least two com-
plexed. In fact, the sp eci cation for HTTP 1.1 de nes promised onion routers. Since onion routers can assign
pip elined connections to amortize the cost of so cket markers to a session, b oth the marker and timing at-
setup, and pip elined connections would also transpar- tacks are p ossible. Sp eci cally, timing signatures can
ently amortize the increased cost of anonymous connec- b e broadcast, and other compromised onion routers can
tion setup. We are currently up dating our Web proxy attempt to nd connections with matching timing sig-
to b e HTTP 1.1 compliant. natures.
Another attack that is only feasible as an internal at-
tack is the volume attack. Compromised onion routers
4 Threat Mo del
can keep track of the numb er of cells that have passed
over any given anonymous connection. They can then
This section outlines our threat mo del. It do es not
simply broadcast totals to other compromised onion
intend to quantify the cost of attacks, but to de ne
routers. Cell totals that are close to the same amount
p ossible attacks. Future work will quantify the threat.
at the same time at di erent onion routers are likely to
First some vo cabulary. A session is the data carried
3
b elong to the same anonymous connection.
over a single anonymous connection. Data is carried
Activeinternal attacks amplify these risks, since in-
in xed length cells. Since these cells are multiply en-
dividual onion routers can selectively limit trac on
crypted and change as they move through an anony-
particular connections. An onion router could, for ex-
mous connection, tracking cells is equivalent to track-
ample, force a particular timing signature on a connec-
ing markers that indicate when cells b egin. In a marker
tion, and advertise that signature.
attack, the attacker identi es the set of outb ound con-
nections that some distinguished marker may have
5 Onion Routing Sp eci cs
b een forwarded up on. By intersecting these sets for
a series of distinguished markers b elonging to the same
ker may determine, or at least narrow,
session, an attac 5.1 Onion Routing Proxies
the set of p ossible next hops. In a timing attack, the
A proxy is a transparent service b etween two appli-
attacker records a timing signature for a session that
cations that would usually make a direct so cket con-
correlates data rate over time. A session mayhavea
nection to each other but cannot. For example, a re-
very similar timing signature wherever it is measured
wall might prevent direct so cket connections between
over a route, so co op erating attackers may determine
internal and external machines. A proxy running on
if they carry a particular session.
the rewall may enable such connections. Proxy aware
We assume that the network is sub ject to b oth pas-
applications are b ecoming quite common.
sive and active attacks. Trac may b e monitored and
Our goal has b een to design an architecture for pri-
mo di ed by b oth external observers and internal net-
vate communication that would interface with unmodi-
work elements, including compromised onion routers.
ed applications, so wechose to use proxies as the inter-
Attackers may co op erate and share information and in-
face between applications and onion routing's anony-
ferences. We assume roving attackers that can monitor
mous connections. For applications that are designed
part, but not all, of the network at a time.
to be proxy aware, e.g., WWW browsers, we sim-
Our goal is to prevent trac analysis, not trac con-
ply design appropriate interface proxies. Surprisingly,
rmation. If an attacker wants to con rm that two end-
for certain applications that are not proxy aware e.g.,
p oints often communicate, and he observes that they
RLOGIN, wehave also b een able to design interface
each connect to an anonymous connection at roughly
proxies.
the same time, more often than is statistically ex-
Because it is necessary to bridge between applica-
p ected, it is reasonable to infer that the endp oints are
tions and the onion routing network, proxies must un-
indeed communicating. Notice that this attack is in-
derstand b oth application proto cols and onion routing
feasible if endp oints live in protected networks b ehind
proto cols. Therefore, we mo dularize the design into
trusted onion routers on rewalls.
comp onents: the application proxy, the onion proxy,
If the onion routing infrastructure is uniformly busy,
and the entry funnel. The application proxy bridges
then passive external attacks are ine ective. Sp eci -
between a so cket connection from an application and
cally, neither the marker nor timing attacks are feasi-
3
ble, since external observers cannot assign markers to
Thanks to Gene Tsudik for noting this attack and for helpful
sessions. Active attacks are p ossible since reducing the discussions. 5
The application proxy is listening for new requests. asocket connection to the onion proxy. It is the obli-
Once it obtains the GET request, it creates the standard gation of the application proxy to massage the data
structure and sends it along a new so cket connection stream so the onion proxy, the entry funnel and the exit
to the onion proxy, to inform the onion proxy of the funnel can b e application indep endent. Sp eci cally, the
service and destination of the anonymous connection. application proxy must prep end to the data stream a
The application proxy then mo di es the GET request standard structure that identi es the ultimate destina-
to GET /showcase/ HTTP/1.0 and sends it directly tion by either hostname/p ort or IP address/p ort. Ad-
through the anonymous connection to the HTTP ditionally,itmust pro cess a one byte return co de from
server www.domino.com, followed by the optional elds. the exit funnel and either continue if no error is re-
Notice that the server name and http:// are elimi- p orted or rep ort the onion routing error co de in some
nated from the GET request b ecause the connection is application sp eci c meaningful way. The application
made directly to the HTTP server. proxy may also contain an optional privacy lter for
sanitizing the data stream.
The application proxy essentially makes a connec-
tion to www.domino.com, and issues a request as if it
Up on receiving a new request, the onion proxy
were a client. Once this request is transmitted to the
builds an onion de ning the route of an anonymous
server, all proxies blindly forward data in b oth direc-
connection. It may use the destination address in
tions b etween the client and the server until the so cket
the prep ended structure to help de ne the route. It
is broken by either side.
then passes the onion to the funnel, and rep eatedly
For the anonymizing onion routing HTTP proxy, the
precrypts the standard structure. Finally, it passes
application proxy pro ceeds as outlined ab ove with one
the precrypted standard structure through the anony-
change: it is now necessary to sanitize the optional
mous connection to the exit funnel, thus sp ecifying the
elds that follow the GET command b ecause they may
ultimate destination. From this p oint on, the onion
contain identity information. Furthermore, the data
proxy blindly relays data back and forth b etween the
stream during a connection must b e monitored, to san-
application proxy and the onion routing network and
itize additional headers that might o ccur during the
thus the exit funnel at the other end of the anonymous
connection. For our current anonymizing HTTP proxy,
connection. Of course, it must apply the appropri-
op erations that store co okies on the user's browser to
ate keystreams to incoming and outgoing data when
track a user, for example are removed. This reduces
blindly relaying data.
function, so applications that dep end up on co okies
The entry funnel multiplexes connections from onion
like online shopping baskets may not work prop erly.
proxies to the onion routing network. For the services
wehave considered to date, a nearly generic exit funnel
5.2 Implementation
is adequate. Its function is to demultiplex connections
from the last onion router to the outside. When it
This section presents the interface sp eci cation b e-
reads a data stream from the terminating onion router
tween the comp onents in an onion routing system. To
the rst datum received will b e the standard structure
provide some structure to this sp eci cation, we will
sp ecifying the ultimate destination. The exit funnel
discuss comp onents in the order that data would move
makes a so cket connection to that IP address/p ort, re-
from an initiating client to a resp onding server.
p orts a one byte status message back to the onion rout-
There are four phases in an onion routing sys-
ing network and thus back to the onion proxy which
tem: network setup, which establishes the longstanding
in turn forwards it back to the application proxy, and
connections between onion routers; connection setup,
subsequently moves data between the onion routing
which establishes anonymous connections through the
network and the new so cket. For certain services,
onion router network; data movementover an anony-
like RLOGIN, the exit funnel also infers that the new
mous connection; and the destruction and cleanup of
so cket must originate from a trusted p ort. Entry and
anonymous connections. We will commingle the dis-
exit funnels are not application sp eci c but must un-
cussion of these b elow.
derstand the onion routing proto col, which de nes how
multiplexed connections are handled.
an example, consider the application proxy for
As 5.3 Application Proxy
HTTP. The user con gures his browser to use the
onion routing proxy. His browser may send the proxy The interface between an application and the ap-
a request like plication proxy is application sp eci c. The interface
GET http://www.domino.com/showcase/ HTTP/1.0 between the application proxy and the onion proxy is
followed by optional elds. de ned as follows. For each new proxy request, the 6
0 1 2 3
application proxy rst determines if it will handle or
01234567890123456789012345678901
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
deny the request. If rejected, it rep orts an application
|0| Version |Back F|Forw F| Destination Port |
sp eci c error message and then closes the so cket and
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
waits for the next request. If accepted, it creates a
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
so cket to the onion proxy's well known p ort. The ap-
| Expiration Time GMT |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
plication proxy then sends a standard structure to the
| |
onion proxy of the form:
+ +
| |
+ Key Seed Material +
0 1 2 3
| |
01234567890123456789012345678901
+ +
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Version | Protocol | Retry Count | Addr Format |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Version is currently de ned to be 1. Protocol is
As we will see b elow, the rst bit must b e zero for
either 1 for RLOGIN, 2 for HTTP, or 3 for SMTP.
RSA public key cryptography to succeed. Following
Retry Count sp eci es how many times the exit funnel
the zero bit is the Version Number of the onion routing
should attempt to retry connecting to the ultimate des-
system, currently de ned to b e 1.
tination. Finally, the Addr Format eld sp eci es the
The Back F eld denotes the cryptographic function
form of the ultimate destination address: 1 for a NULL
to b e applied to data moving in the backward direction
terminated ASCI I string with the hostname or IP ad-
de ned as data moving in the direction opp osite that
dress in ASCI I form immediately followed by another
which the onion traveled, usually toward the initiator's
NULL terminated ASCI I string with the destination
end of the anonymous so cket connection using key
2
p ort numb er, and all others currently unde ned. The
de ned b elow. The Forw F eld denotes the crypto-
ultimate destination address is sent after this standard
graphic function to be applied to data moving in the
structure, and the application proxy waits for a one
forward direction de ned as data moving in the same
byte error co de b efore sending data.
direction as that which the onion traveled, usually to-
ard the resp onder's end of the anonymous so cket con-
5.4 Onion Proxy w
nection using key de ned b elow. Currently de ned
3
cryptographic functions are: 0 for Identity no encryp-
Up on receiving the standard structure, the onion
tion, 1 for DES OFB output feedback mo de 56 bit
proxy can decide whether to accept or reject the re-
key, and 2 for RC4 128 bit key. The Destination
quest based on the proto col, destination host, desti-
Address and Destination Port indicate the next onion
nation p ort, or the identity of the application proxy.
router in network order and are b oth 0 for the exit fun-
If rejected, it sends an appropriate error co de backto
nel. The Expiration Time is given in network order in
the application proxy, closes the so cket, and waits for
seconds relative to 00:00:00 UTC January 1, 1970 i.e.,
the next request. If accepted, it pro ceeds to build the
standard UNIX time2 format and sp eci es how long
onion and connects to the entry funnel of the rst onion
the onion router at this hop in the anonymous connec-
router, through the network, and to the exit funnel of
tion must track the onion against replays b efore it ex-
the last. It next sends the standard structure to the
pires. Key Seed Material is 128 bits long and is hashed
exit funnel over the anonymous connection, and then
three times with SHA to pro duce three cryptographic
passes all future data to and from the application proxy
keys key , key , and key of 128-bits each the rst
1 2 3
and anonymous connection. The rep eated pre and p ost
eightbytes of each SHA output are used for DES and
cryptions and packaging of the standard structure and
4
the rst 16 bytes for RC4 keys.
subsequent data is discussed later in section 5.6.
Since we use RSA public key cryptography with a
size of 1024-bits, the plaintext blo ck size is
5.5 Onions mo dulus
1024 bits and must be strictly less than the mo dulus
numerically. Toavoid problems, we force this relation
To build the anonymous connection to the exit fun-
by putting the most-signi cant bit rst and setting it
nel, the onion proxy creates an onion. An onion is
to 0 the leading 0 ab ove. Furthermore, the inner-
a multi-layered data structure that encapsulates the
most layer of the onion is padded on the end with an
route of the anonymous connection starting from the
additional 100 bytes prior to RSA encryption b eing
onion router for that exit funnel and working backward
4
to the onion router at the entry funnel.
Details on the cryptographic op erations used in this pap er
Eachlayer has the following structure: can b e found in [20, 26]. 7
p erformed. the multiplexing of b oth anonymous connections and
In version 1, an onion has velayers, but routes can control information over the longstanding connections.
b e shorter. An onion is formed iteratively, innermost Cell size was chosen to b e compliant with ATM. In
layer rst. At each iteration, the rst 128 bytes of the version 1 of the onion routing system, there are four
onion are encrypted with the public key of the onion typ es of cells: PADDING 0, CREATE 1, DATA
router that is intended to decrypt that layer. The re- 2, and DESTROY 3.
mainder of the onion is encrypted, using DES OFB Cel ls have the following structure:
with an IV initialization vector of 0 and key de-
1
0 1 2 3
rived from Key Seed Material in that layer as de ned
01234567890123456789012345678901
5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
ab ove.
| ACI | Command | Length |
Before discussing how onions and data are sentbe-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
tween onion routers, we will de ne onion router inter-
...... Payload 44 bytes......
connection.
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
5.6 Onion Router Interconnection
The ACI anonymous connection identi er and
Command elds are always encrypted using the link
During onion network setup not to be confused
encryption between neighb oring no des. Additionally,
with anonymous connection setup, longstanding con-
the Length and Payload elds are encrypted using the
nections b etween neighb oring onion routers are estab-
link encryption b etween neighb oring no des if the com-
lished and keyed. The network top ology is prede ned
mand is either PADDING 0 or DESTROY 3. For
and each onion router knows its neighb ors.
CREATE 1 commands, the length is link encrypted,
To remain connected to each of its neighb ors, onion
but the payload is already encrypted b ecause it car-
routers must b oth listen for connections from neigh-
ries the onion. For DATA 2 commands, the length
b ors and attempt to initiate connections to neighb ors.
and entire payload are encrypted using the anonymous
Toavoid deadlo ck and collision issues b etween pairs of
connection's forward or backward cryptographic op er-
neighb ors, an onion router listens for connections from
ations.
neighb ors with \higher" IP/p ort addresses and initi-
Each anonymous connection is assigned an ACI at
ates connections to neighb ors with \lower" IP/p ort ad-
each onion router, which lab els an anonymous connec-
dresses. \Higher" and \Lower" are de ned with resp ect
tion when it is multiplexed over the longstanding con-
to network byte ordering. This was an exp edientway
nection to the next onion router. ACIs must b e unique
to break symmetry. Ultimately we will want a more
on their longstanding connection but need not b e glob-
exible solution. For example, when an onion router
ally unique.
go es down, it should contact its neighb ors up on com-
To move an onion through the system, an onion
ing back up. Requiring the neighb ors to try to contact
router p eels o the outermost layer, identifying the
the down router until it resp onds is less ecient. This
next hop. It checks the freshness not expired and
is not dicult to implement and we will do so in the
not replayed of the onion, computes the necessary
future.
cryptographic keys, initializes the forward and back-
The proto col has two phases: connection setup and
ward cryptographic engines, cho oses a new ACI for
keying. The initiating onion router op ens a so cket to
the next hop in the new connection, and then builds a
awell known p ort of its neighb oring onion router, and
data structure asso ciated with that connection which
sends its IP address and well known p ort the p ort is
maps incoming to outgoing ACIs and the cryptographic
included to allow multiple onion routers to run on a
engines asso ciated with forward and backward data.
single machine in network order to identify itself. The
Since neighb oring onion routers cho ose ACIs for each
keying phase ensues, using STS [9] which will gener-
other on the thick pip e that they share, each is assigned
ate two DES 56-bit keys. The link encryption over the
half of the naming space. The neighb oring onion router
longstanding connections is done by DES OFB with
with a \higher address" cho oses ACIs in the top half
IVs of 0 and these twokeys one for data in each di-
of that space, while its neighb or with the lower address
rection.
cho oses ACIs from the b ottom half of that space. After
Once keyed, communication b etween onion routers
the outermost layer of onion is p eeled o , the rest of the
is packaged into xed sized cel ls , which allows for
onion is padded randomly to its original length, placed
5
We use DES to encrypt the onion, and for link encryption
into CREATE cells, and then sent out in order to the
between onion routers, b ecause it has no licensing fees and can b e
appropriate neighb or. The payload of the last cell is
used as a pseudorandom numb er generator. However, wewould
padded with random bits to ll the cell if necessary to b e happy to use a stronger pseudorandom numb er generator. 8
avoid traceability. 6 Implementation Vulnerabilities
Data moves through an anonymous connection in
DATA cells. At each onion router b oth the length and
An implementation of a secure design can b e inse-
payload elds of a cell are crypted using the appro-
cure. In this section, we describ e several implementa-
priate cryptographic engine. The new cell is sent out
tion decisions that were made for security considera-
to the appropriate neighb or. The onion proxy must
tions.
rep eatedly crypt data to either add the appropriate
Onions are packaged in a sequence of cells that must
layers of cryption on outgoing data, or removelayers
b e pro cessed together. This onion pro cessing involves a
of cryption from incoming data. When constructing
public key decryption op eration which is relatively ex-
aDATA cell from a plaintext data stream, the cell is
p ensive. Therefore, it is p ossible to imagine an imple-
partially lled, its true length is set, and all 45 bytes
mentation that clears outgoing queues while an onion
of the length and payload elds are rep eatedly crypted
is b eing pro cessed, and then outputs the onion. There-
using the stream ciphers de ned by the onion. There-
fore, any p erio d of inactivity on the out-b ound queues
fore, when the cell arrives at the exit funnel, the length
is likely to b e followed by a sequence of onion cells b e-
eld re ects the length of the actual data carried in the
ing output on a single queue. Such an implementation
payload.
makes tracking easier and should b e avoided.
If a connection is broken, a DESTROY command
After pro cessing at each onion router, onions are
is sent to clean up state information. The ACI eld
padded at the end to comp ensate for the removed layer.
of the DESTROY command carries the ACI of the
This padding must be random, since onions are not
broken connection. The length and payload must be
link encrypted between onion routers. Similarly, the
random. Up on receipt of a DESTROY command, it
length and payload of a DESTROY command must b e
is the resp onsibility of an onion router to forward the
new random content at each onion router; otherwise,
DESTROY appropriately and to acknowledge receipt
compromised onion routers could track that payload.
by sending another DESTROY command back to the
In a multi-threaded implementation, there is a sig-
previous sender. After sending a DESTROY command
ni cant lure to rely up on apparent randomness in
ab out a particular ACI, an onion router may not send
scheduling to reorder events. If reordering is imp or-
any more cells along that anonymous connection. Once
tant to the secure op eration of the system, delib erate
an acknowledgment DESTROY message is received, an
reordering is crucial, since low level system randomness
onion routing no de considers the anonymous connec-
may in fact b e predictable.
tion destroyed and the ACI can b e used as a lab el for
There are two vulnerabilities for which we do not
a new anonymous connection.
have go o d solutions. If part of the onion routing net-
The PADDING command is used to inject data into
work is taken down, trac analysis may b e simpli ed.
a longstanding so cket to further confuse trac analysis.
Also, if a longstanding connection b etween two onion
PADDING cells are discarded up on receipt.
routers is broken, it will result in many DESTROY
Each onion router also reorders cells moving through
messages, one for each anonymous connection that was
it. All cells that arrive at an onion router within a xed
routed through that longstanding connection. There-
interval of time on any connection are mixed pseudo-
fore, a compromised onion router may infer from near
randomly, except that the order of cells in each anony-
simultaneous DESTROY messages that the asso ciated
mous connection is preserved.
anonymous connections had some common route. De-
laying DESTROY messages hurts p erformance, since
5.7 Exit Funnel
we require that a DESTROY message propagate to the
endp oints to takedown the connection that is visible
When a routing no de receives an onion with Des- to the user. Carrying the DESTROY message through
tination Address and Destination Port of 0, it knows the anonymous connection and garbage collecting dor-
it is the terminal onion router for the connection and mant anonymous connections later would b e ideal, but
passes the connection not to another onion router but we do not knowhow to eciently insert control infor-
to its own exit funnel. The funnel pro ceeds to read the mation into a raw data channel, esp ecially consider-
standard structure that will b e the rst data across the ing our layered encryption. One p ossibility is for the
anonymous so cket connection, establishes a connection onion router on the initiator side of a break to send
to the ultimate destination as indicated, and returns some large predetermined numb er of one bits backto
the status co de. After this, it will blindly forward data the initiator followed by a message that the connec-
between the anonymous connection and the connection tion is destroyed. The onion proxy could then check
to the resp onder's machine. for such a signal after it strips o each layer of each 9
ket, and notify the application proxy if it receives
pac 7.2 Anonymous Chatting
the signal. The initiator can contact the resp onder out
of band, presumably through another anonymous con-
Anonymous connections can be used in a service
nection, authenticate itself by some means as the initia-
similar to IRC, where many parties meet to chat at
tor of the broken connection, and notify the resp onder
some central server. The chat server may mate sev-
of the break. Onion routers can either b e noti ed di-
eral anonymous connections carrying matching tokens.
rectly by the onion proxy after some random delayor
Each party de nes the part of the connection lead-
p ossibly garbage collect least recently used ACIs. We
ing back to itself, so no party has to trust the other
will continue to explore the feasibility of this and other
to maintain its privacy. If the communicating parties
6
p ossibilities.
layer end-to-end encryption over the mated anonymous
connections, they also prevent the central server from
listening in on the conversation.
7 Applications
7.3 Anonymous Cash
We rst describ e how to use anonymous connection
in VPNs, anonymous chatting services, and anonymous
Certain forms of e-cash are designed to be anony-
cash. We then describ e onion routing proxies for three
mous and untraceable, unless they are double sp ent
Internet services: Web browsing, e-mail, and remote
or otherwise misused. However, if a customer can-
logins. These three onion routing proxies have b een
not contact a vendor without identifying himself, the
implemented. Anonymizing versions of these proxies
anonymity of e-cash is undermined. For transactions
that remove the identifying information that may be
where b oth payment and pro duct can b e conveyed elec-
presentin the headers of these services' data streams
tronically, anonymous connections can b e used to hide
have b een implemented as well.
the identities of the parties from one another [27].
How can the customer b e prevented from taking his
hase without paying for it e.g., by closing the con-
7.1 Virtual Private Networks purc
nection early or the vendor b e prevented from taking
the customer's e-cash without completing the transac-
If two sites wanted to collab orate, they could estab-
tion? This is a hard problem [12, 4]. In the case of
lish one or more long term tunnels that would multiplex
awell known vendor, a practical solution is to require
manysocket connections, or even rawIPpackets, over
customers to pay rst. The vendor is unlikely to delib-
a single anonymous connection. This would e ectively
erately cheat its customers since it may be caughtin
hide who is collab orating with whom and what they
an audit.
are working on, without requiring the construction of
ymous connection for each connec-
an individual anon 7.4 Remote Login
tion made. Such long term anonymous connections b e-
tween enclaves provide the analog of a leased line over
We proxy remote login requests by taking advan-
a public network. Note that the protection provided a
tage of the option -l username to rlogin. The usual
VPN by onion routing is broader than that provided by
rlogin command is of the form:
encrypting rewalls. Basic encrypting rewalls encrypt
rlogin -l username server
payloads only. Thus, they protect con dentiality, but
To use rlogin through an onion routing proxy, one
do nothing to protect against trac analysis. IPSEC
would typ e
will protect trac for individual connections by encap-
rlogin -l username@server proxy
sulating packets in encrypted packets from the rewall,
where proxy refers to the onion routing proxy to b e
but this will not protect against institutional level traf-
used and b oth username and server are the same as
c analysis. Communication b etween two such rewalls
sp eci ed ab ove. A normal rlogin request is transmitted
will still indicate a collab oration b etween the sites b e-
from a privileged p ort on the client to the well known
hind them. Constant padding may b e added, but this
p ort for rlogin 513 on the server as:
is very exp ensive. And, unless many unrelated sites
agree to do it, it still do es not hide the existence of
\0 username on client \0 username on server \0 terminal type \0
the VPN established between those sites that are so
padding.
where username on client is the username of the in-
6
dividual invoking the command on the client machine,
Thanks to Gene Tsudik for some of the fundamental ele-
username on server is either the -l eld if sp eci ed or ments of this prop osal. 10
client. Therefore, the request must be massaged to the username of the individual invoking the command
remove the server name and scheme, and transmit- on the client machine if no -l is sp eci ed, and the
ted to www.server.com over the anonymous connec- terminal type is a standard termcap/linesp eed sp eci -
tion. Once this request is transmitted to the server, cation. The server resp onds with a single zero byte if
the proxy blindly forwards data in b oth directions b e- it will accept the connection or breaks the so cket con-
tween the client and server until the so cket is broken nection if an error has o ccurred or the connection is
by either side. rejected. Our normal rlogin proxy therefore receives
For privacy ltering of HTTP, the proxy pro ceeds the initial request:
as outlined ab ove with one change. It is now neces-
sary to sanitize the optional elds that follow the GET \0 username on client \0 username@server \0 terminal type \0
command b ecause they may contain identity informa-
tion. Furthermore, the data stream during a connec-
The proxy creates an anonymous connection to the
tion must b e monitored, to sanitize additional headers RLOGIN p ort on the server machine and pro ceeds to
that might o ccur during the connection.
send it a massaged request of the form:
The Anonymizer [1] also provides anonymous Web
browsing. Users can connect to servers through the
\0 username \0 username \0 terminal type \0
Anonymizer and it strips o identifying headers. This
is essentially what our ltering HTTP proxy do es.
Once this request is transmitted to the server, the
But packets can still be tracked and monitored. The
proxy blindly forwards data in b oth directions b etween
Anonymizer could b e used as a front end to the onion
the client and server until the so cket is broken by either
routing network to provide e ective protection against
side.
trac analysis. We discuss this further in section 8.
Notice that the onion router do es not send the server
the client's username on the client, so communication
ymous, unless the data-stream subsequently re-
is anon 7.6 Electronic Mail
veals more information.
Electronic mail is proxied by utilizing the form of e-mail address instead of the
7.5 Web Browsing userhost@proxy
normal user@host form. This form should work with
most current and older mail systems. Under this form,
Proxying HTTP requests follows the IETF HTTP
the client contacts the proxy server's well known SMTP
V1.0 Sp eci cation [3]. An HTTP request from a client
p ort 25. Instead of the normal mail daemon listening
through an HTTP proxy is of the form:
to that p ort, the proxy listens and interprets what it re-
GET http://www.server.com/file.html HTTP/1.0
ceives following a strict state machine: wait for a valid
HELO command, wait for a valid MAIL From: command,
followed by optional elds. Notice that an HTTP
and then wait for a valid RCPT To: command. Each
request from a client to a server is of the form:
command argument is temp orarily bu ered. Once the
RCPT To: command has b een received, the proxy pro-
GET file.html HTTP/1.0
ceeds to create an anonymous connection to the des-
tination server and relays the HELO and MAIL From:
also followed by optional elds. The server name and
commands exactly as received. The RCPT To: com-
proto col scheme are missing, b ecause the connection is
mand is massaged and forwarded. Any subsequent
made directly to the server.
RCPT To: commands are rejected. Once the DATA
As an example, a complete request from Netscap e
request is transmitted to the server, the proxy for-
Navigator to an onion router HTTP proxy may lo ok
wards data in b oth directions from the client and
like this:
server. An example of e-mail from [email protected]
on the machine sender.com to [email protected]
GET http://www.server.com/file.html HTTP/1.0
via the onion.com onion router is given b elow. Jo e
Referer: http://www.server.com/index.htm l
Proxy-Connection: Keep-Alive
typ es mail mary[email protected]. First
User-Agent: Mozilla/3.0 X11; I; SunOS 5.4 sun4m
the communications from the clientonsender.com to
Host: www.server.com
the onion router SMTP proxy on onion.com is given,
Accept: image/gif, image/x-xbitmap, image/jpeg
followed by the communications from the exit funnel
to recipient.com:
The proxy must create an anonymous connection to
www.server.com, and issue a request as if it were a 220 onion.com SMTP Onion Routing Network. 11
8 Comparisons with Related Work HELO sender.com
250-onion.com -- Connection from
250 sender.com 2.0.0.1.
Chaum [5] de nes a layered ob ject that routes data
MAIL From: [email protected]
through intermediate no des, called mixes . These in-
250 Sender is [email protected].
termediate no des may reorder, delay, and pad trac to
RCPT To: mary[email protected]
complicate trac analysis. In mixes, the assumption is
The proxy massages the RCPT To: line to make the
that a single p erfect mix adequately complicates trac
address [email protected] and makes an anony-
analysis, but a sequence of multiple mixes is typically
mous connection to recipient.com. It then replays
used b ecause real mixes are not ideal. Because of this,
the massaged proto col to recipient.com:
mix applications can use mixes in xed order, and of-
ten do. Onion routers di er from mixes in at least two
220-recipient.com Sendmail 4.1/SMI-4.1 ready
220 at Wed, 28 Aug 96 15:15:00 EDT
ways: onion routers are more limited in the extentto
HELO Onion.Routing.Network
which they delay trac at each no de b ecause of the
250-recipient.com Hello Onion.Routing.Network
real-time exp ectations that the applications demand
250 [2.0.0.5], pleased to meet you
of so cket connections. Also, in a typical onion routing
MAIL From: [email protected]
con guration, onion routers are also entry p oints to the
250 [email protected]... Sender ok
onion routing network, and trac entering or exiting
RCPT To: [email protected]
at those no des may not b e visible. This makes it hard
250 [email protected]... Recipient ok
to track packets, b ecause they may drop out of the net-
DATA
work at any no de, and new packets maybeintro duced
354 Enter mail, end with "." on a line by itself
at each no de. While onion routing cannot delay traf-
At this p oint, the proxy forwards data in b oth di-
c to the extent that mixes can, trac b etween onion
rections, until a line containing only a p erio d is sent
routers is multiplexed over a single channel and is link
from the sender to the recipient:
encrypted with a stream cipher. This makes it hard to
parse the stream.
This is a note
.
Anonymous remailers like Penet [17] strip headers
from received mail and forward it to the intended re-
The proxy forwards the line containing only a p erio d
cipient. They may also replace the sender's address
to the recipient, and forwards the recipient's resp onse
with some alias, p ermitting replies. These sorts of re-
to the sender. At that p oint, the proxy sends QUIT to
mailers store sensitive state: the mapping b etween the
the recipient, reads the resp onse and closes the con-
alias and the true return address. Also, mail forwarded
nection to the recipient. The proxy then waits for a
through a chain of remailers may b e tracked b ecause it
command from the sender; if that command is QUIT,
app ears the same to each remailer.
the proxy sends a resp onse and closes its connection to
Mix based remailers like [7, 16] use mixes to provide
the sender:
anonymous e-mail services. Essentially, the mail mes-
250 Mail accepted
sage is carried in the innermost layer of the onion data
QUIT
structure. Another onion typ e structure, used for a re-
221 onion.com Service closing transmission channel.
turn address, can be contained in the message. This
makes the return path self contained, and the remailer If the command is not QUIT, then it is MAIL, and
essentially stateless. Onion routing shares many struc- the proto col rep eats. Anything else prompts an error
tures with Bab el [16] but it uses them to build p ossibly resp onse, and the proxy waits for the next correct com-
long lived application indep endent connections. This mand.
makes anonymous connections accessible to a wide va- For the privacy ltered proxying of electronic mail,
rietyof applications. For application to e-mail it has the proxy pro ceeds as outlined ab ove with a few
b oth advantages and disadvantages. Onion routing's changes. It is now necessary to sanitize b oth the
service makes an anonymous connection directly to the MAIL From: command and the header p ortion of the
recipient's sendmail daemon. A disadvantage is that, actual message b o dy. Sanitization of the MAIL From:
since the connection is made in real-time, there is less command is trivial with a simple substitution of
freedom in mixing, which therefore might not b e done anonymous for [email protected]. For the header san-
as well. An advantage is that the anonymous connec- itization, we have taken the conservative approachof
tion is separated from the application, so anonymous deleting all headers, but this may be mo di ed in the
e-mail systems are considerably simpli ed b ecause the future to only remove identifying information and leave
application sp eci c part do es not have to move data the remaining header information intact. 12
data. Most imp ortantly, the network top ology of the through the network. Furthermore, b ecause the onion
Internet is more akin to the network top ology of the routing network can carry manytyp es of data, it has
long distance network b etween switches, where capac- the p otential to be more heavily utilized than a net-
ity is a shared resource. In anonymous ISDN, the mixes work that is devoted only to e-mail. Heavy utilization
hide communication within the lo cal switch, but con- is the key to anonymity.
nections b etween switches are not hidden. This implies
In [10], a structure similar to an onion is used to
that all calls b etween two businesses, each large enough
forward individual IP packets through a network. By
to use an entire switch, reveal which businesses are
maintaining tracking information at each router, ICMP
communicating. In onion routing, mixing is disp ersed
error messages can be moved back along the hidden
throughout the Internet, which improves hiding.
route. Essentially, a connection is built for each packet
Pip e-net [8] is a prop osal similar to onion routing. It
in a connectionless service. Although a followup pap er
has not b een implemented, however. Pip e-net's threat
[11] suggests that p erformance will b e go o d, esp ecially
mo del is more paranoid than onion routing's: it at-
with hardware based public key cryptography, our ex-
tempts to resist active attacks by global observers. For
p erience suggests that b oth the cryptographic overhead
example, Pip e-net's connections carry constant traf-
of building onions and the tracking of onions against
c to resist timing signature attacks and disruptions
replay is not eciently done on a packet-by-packet ba-
to any connection are propagated throughout the net-
sis. However, it is easy to imagine an onion routing
work.
proxy that collects IP packets and forwards them over
some anonymous connection. In this way, communi-
The Anonymizer is a Web proxy that lters the
cation is anonymous at the IP layer, but connections
HTTP data stream to removea user's identifying in-
need not b e built for eachIPpacket. This anonymous
formation, essentially as our ltering HTTP proxy
IP communication may b e more robust than our cur-
do es. For example, the Anonymizer will \strip out
rent architecture: it could survive a broken anonymous
all references to your e-mail address, computer typ e,
connection, since IP do es not exp ect reliable delivery.
and previous page visited b efore forwarding your re-
quest" [1]. This makes Web browsing private in the
In [22], mixes are used to provide untraceable com-
absence of anyeavesdropping or trac analysis. The
munication in an ISDN network. Here is a summary
Anonymizer is vulnerable in three ways: First, it must
of that pap er. In a phone system, each telephone line
b e trusted. Second, trac b etween a browser and the
is assigned to a particular lo cal switch i.e., lo cal ex-
Anonymizer is sent in the clear, so that trac identi-
change, and switches are interconnected by a long
es the true destination of a query, and includes the
distance network. Anonymous calls in ISDN rely up on
identifying information that the Anonymizer would l-
an anonymous connection between the caller and the
ter. Third, even if trac b etween the browser and the
long distance network. These connections are made
Anonymizer were encrypted, passive external observers
anonymous by routing calls through a prede ned se-
could mount the volume attack mentioned in section 4.
ries of mixes within each switch. The long distance
The Anonymizer, however, is now readily available to
endp oints of the connection are then mated to com-
everyone on the Web.
plete the call. Notice that observers can tell which
NetAngels [21] is similar to the Anonymizer, ex-
lo cal switches are connected. Also, since each phone
cept that it builds p ersonal pro les of its subscrib ers
line has a control circuit connection to the switch, the
and targets advertisements to match the pro le. How-
switch can broadcast messages to each line using these
ever, the pro le is not released to the advertiser and
control circuits. So, within a switch a truly anonymous
is deleted when a subscription is canceled. Subscrib ers
connection can b e established: A phone line makes an
must trust NetAngels, and connections to the service
anonymous connection to some mix. That mix broad-
are sub ject to the same attacks as the Anonymizer.
casts a token identifying itself and the connection. A
recipient of that token can make another anonymous
LPWA [19, 13] formerly known as Janus is a
connection to the sp eci ed mix, which mates the two
\proxy server that generates consistent untraceable
connections to complete the call.
aliases for you that enable you to browse the Web,
register at web sites and op en accounts, and b e `recog-
Our goal of anonymous connections over the Inter-
nized' up on returning to your accounts, all while still
net di ers from anonymous remailers and anonymous
preserving your privacy." Like the previous two, the
ISDN. The data is di erent, with real-time constraints
LPWA proxy is at a server that is remote from the
more severe than mail, but somewhat lo oser than voice.
user application. It is thus sub ject to the same trust
Both HTTP and ISDN connections are bidirectional,
and vulnerability limitations.
but, unlike ISDN, HTTP connections are likely to b e
It is p ossible, however, to shift trusted elements to small requests followed by short bursts of returned 13
The onion routing network supp orting anonymous the user's machine or to a machine on the b oundary
connections can b e con gured in several ways, includ- between his trusted LAN and the Internet. Shifting
ing a rewall con guration and a customer-ISP con gu- trust in this way can improve the security of other
ration, whichmoves privacy to the user's computer and privacy services like the Anonymizer, NetAngels, and
may relieve the carrier of resp onsibility for the user's LPWA. Currently, those are centralized to provide an
connections. intermediary that masks the true source of a connec-
tion. If anonymous connections are used to hide the
Onion routing moves the anonymous communica-
source address instead, the other functions of these ser-
tions infrastructure b elow the application level, prop-
vices may run as a lo cal proxy on the user's desktop.
erly separating communication and applications. Since
Security is improved b ecause privacy ltering and other
the ecacy of mixes dep ends up on sucient network
services are done on a trusted machine and b ecause
trac, allowing di erent applications to share the same
communication is resistant to trac analysis. Also,
communications infrastructure increases the abilityof
there is no central p oint of failure.
the network to resist trac analysis.
Another approach to anonymous Web connections
is Crowds [25]. Crowds is essentially a distributed
Acknowledgments
and chained Anonymizer, with encrypted links b etween
crowd memb ers. Web trac is forwarded to a crowd
Wehave had helpful comments from and discussion
memb er, who ips a weighted coin and, dep ending on
with p eople to o numerous to mention. We note esp e-
the result, forwards it either to some other crowd mem-
cially the help of Birgit P tzmann, Gene Tsudik, and
b er or to the destination. This makes communication
James Washington. We also thank the anonymous ref-
resistant to lo cal observers.
erees, the Levien family for hosting the onion dinner,
and the Isaac Newton Institute for hosting one of the
9 Conclusion
authors while some of this work was done. The fast
UltraSparc implementation of RSA was done byTolga
This pap er describ es anonymous connections, their
Acar and C etin Kaya Koc. This work was supp orted
realization in onion routing, and some of their appli-
by ONR and DARPA.
cations. Anonymous connections are resistanttoboth
eavesdropping and trac analysis. They separate the
References
anonymity of the connection from the anonymity of
communication over that connection. For example,
[1] The Anonymizer. http://www.anonymizer.com
two parties controlling onion routers can identify them-
selves to each other without revealing the existence of
[2] T. Acar, B. S. Kaliski, Jr., and C . Koc. \Analyzing
a connection b etween them. This pap er demonstrates
and Comparing Montgomery Multiplication Algo-
the versatility of anonymous connections by exploring
rithms", IEEE Micro , 163:26-33, June 1996.
their use in a varietyofInternet applications. These ap-
plications include standard Internet services likeWeb
[3] T. Berners-Lee, R. Fielding, and H. Frystyk. Hy-
browsing, remote login, and electronic mail. Anony-
pertext Transfer Protocol { HTTP/1.0,
mous connections can also b e used to supp ort virtual
ftp://ds.internic.net/rfc/rfc1945.txt
private networks with connections that are resistantto
trac analysis and that can carry connectionless traf-
[4] L. J. Camp, M. Harkavey, B. Yee, J. D. Ty-
c.
gar, \Anonymous Atomic Transactions", Sec-
Anonymous connections may b e used as a new prim-
ond USENIX Workshop on Electronic Commerce ,
itive that enables novel applications in addition to facil-
1996.
itating secure versions of existing services [24]. Besides
exploring other novel applications, future work includes
[5] D. Chaum. \Untraceable Electronic Mail, Return
a system redesign to improve throughput and an im-
Addresses, and Digital Pseudonyms", Communi-
plementation of reply onions [15, 23]. Reply onions
cations of the ACM , v. 24, n. 2, Feb. 1981, pp.
are basically reply addresses that enable connections
84-88.
to b e established back to an anonymous party. We will
[6] D. E. Comer. Internetworking with TCP/IP, be implementing other mechanisms for resp onding to
Volume 1: Principles, Protocols, and Architec- anonymous connections as well. We are also b eginning
ture, Prentice{Hall, Engelwo o d Cli s, New Jersey, a detailed analysis of onion routing to enable a quan-
1995. titative assessment of resistance to trac analysis. 14
[22] A. P tzmann, B. P tzmann, and M. Waidner. [7] L. Cottrell. Mixmaster and Remailer Attacks,
\ISDN-Mixes: Untraceable Communication with http://obscura.obscura.com/~loki/remailer
Very Small Bandwidth Overhead", GI/ITG Con- /remailer-essay.html
ference: Communication in Distributed Systems ,
[8] W. Dai. Pip e-net, February 1995, p ost to the
Mannheim Feb, 1991, Informatik-Fachb erichte
cypherpunks mailing list.
267, Springer-Verlag, Heidelb erg 1991, pp. 451-
463.
[9] Whit eld Die, Paul C. van Oorschot, and
Michael J. Wiener. \Authentication and Authenti-
[23] M. G. Reed, P. F. Syverson, and D. M. Goldschlag.
th
cated Key Exchanges". Designs, Codes, and Cryp-
\Proxies for Anonymous Routing", Proc. 12 An-
tography, 2:107{125, 1992.
nual Computer Security Applications Conference ,
San Diego, CA, IEEE CS Press, Decemb er, 1996,
[10] A. Fasb ender, D. Kesdogan, O. Kubitz. \Vari-
pp. 95{104.
able and Scalable Security: Protection of Lo ca-
th
tion Information in Mobile IP", 46 IEEE Ve-
[24] M. Reed, P. Syverson, and D. Goldschlag. \Proto-
hicular Technology Society Conference , Atlanta,
cols using Anonymous Connections: Mobile Ap-
March 1996.
plications", 1997 Security Protocols Workshop ,
Paris, April 1997, nal pro ceedings to app ear.
[11] A. Fasb ender, D. Kesdogan, O. Kubitz. \Analysis
th
of Security and Privacy in Mobile IP", 4 Interna-
[25] M. Reiter and A. Rubin. Crowds: Anonymity for
tional ConferenceonTelecommunication Systems
Web Transactions preliminary announcement,
Modeling and Analysis , Nashville, March 1996.
DIMACS Technical Rep orts 97-15, April 1997.
[12] M. Franklin and M. Reiter, \Fair Exchange with a
[26] B. Schneier. Applied Cryptography: Protocols, Al-
Semi-Trusted Third Party", Fourth ACM Confer-
gorithms and Source Code in C, John Wiley and
ence on Computer and Communications Security ,
Sons, 1994.
Zurich, April 1997.
[27] D. Simon, \Anonymous Communication and
[13] E. Gabb er, P. Gibb ons, Y. Matias, and A. Mayer.
Anonymous Cash", in Advances in Cryptology{
\HowtoMakePersonalized Web Browsing Simple,
CRYPTO`96 , N. Koblitz, ed., LNCS vol. 1109,
Secure, and Anonymous", Financial Cryptography
Springer-Verlag, 1996, pp. 61{73.
'97 ,February 1997, nal pro ceedings to app ear.
[28] P. Syverson, D. Goldschlag, and M. Reed.
[14] D. Goldschlag, M. Reed, and P. Syverson. \Pri-
\Anonymous Connections and Onion Routing",
vacy on the Internet", INET '97, Kuala Lumpur,
Proceedings of the 1997 IEEE Symposium on Se-
June 1997.
curity and Privacy , Oakland, CA, IEEE CS Press,
May 1997, pp. 44{54.
[15] D. Goldschlag, M. Reed, P. Syverson. \Hiding
Routing Information", in Information Hiding ,R.
Anderson, ed., LNCS vol. 1174, Springer-Verlag,
1996, pp. 137{150.
[16] C. Gulc u and G. Tsudik. \Mixing Email with Ba-
bel ", 1996 Symposium on Network and Distributed
System Security , San Diego, February 1996.
[17] J. Helsingius. www.p enet. .
[18] Internet Engineering Task Force.
http://www.ietf.org/
[19] http://lpwa.com:8000/
[20] A. Menezes, P. van Oorschot, and S. Vanstone.
Handbook of Applied Cryptography , CRC Press,
1997.
[21] http://www.netangels.com 15