Anonymous Connections and Onion Routing
Total Page:16
File Type:pdf, Size:1020Kb
Anonymous Connections and Onion Routing Michael G. Reed, Paul F. Syverson, and David M. Goldschlag Naval Research Lab oratory Abstract reveal who they are communicating with to the rest of the world. In certain cases anonymity may be desir- able also: anonymous e-cash is not very anonymous if Onion Routing is an infrastructure for private com- delivered with a return address. Web based shopping munication over a public network. It provides anony- or browsing of public databases should not require re- mous connections that are strongly resistant to both vealing one's identity. eavesdropping and trac analysis. Onion routing's anonymous connections are bidirectional and near real- This pap er describ es how a freely available system, time, and can be used anywhere a socket connection onion routing , can b e used to protect a varietyofIn- can be used. Any identifying information must be in ternet services against b oth eavesdropping and trac the data stream carried over an anonymous connec- analysis attacks, from b oth the network and outside ob- tion. An onion is a data structure that is treated as the servers. This pap er includes a sp eci cation sucientto destination address by onion routers; thus, it is used guide b oth re-implementations and new applications of to establish an anonymous connection. Onions them- onion routing. We also discuss con gurations of onion selves appear di erently to each onion router as wel l as routing networks and applications of onion routing, in- to network observers. The same goes for data carried cluding Virtual Private Networks VPN, Web brows- 1 over the connections they establish. Proxy aware ap- ing, e-mail, remote login, and electronic cash. plications, such as web browsing and e-mail, requireno A purp ose of trac analysis is to reveal who is talk- modi cation to use onion routing, and do so through ing to whom. The anonymous connections describ ed a series of proxies. Aprototype onion routing network here are designed to b e resistant to trac analysis, i.e., is running between our lab and other sites. This paper to make it dicult for observers to learn identifying in- describes anonymous connections and their implemen- formation from the connection e.g., by reading packet tation using onion routing. This paper also describes headers, tracking encrypted payloads, etc.. Any iden- several application proxies for onion routing, as wel l as tifying information must be passed as data through con gurations of onion routing networks. the anonymous connections. Our implementation of anonymous connections, onion routing, provides pro- tection against eavesdropping as a side e ect. Onion routing provides bidirectional and near real-time com- 1 Intro duction munication similar to TCP/IP so cket connections or ATM AAL5 [6]. The anonymous connections can sub- Is Internet communication private? Most security stitute for so ckets in a wide variety of unmo di ed Inter- concerns fo cus on preventing eavesdropping [18], i.e., net applications by means of proxies. Data may also b e outsiders listening in on electronic conversations. But passed through a privacy lter b efore b eing sentover encrypted messages can still b e tracked, revealing who an anonymous connection. This removes identifying is talking to whom. This tracking is called trac analy- information from the data stream, to make communi- sis and may reveal sensitive information. For example, cation anonymous to o. the existence of inter-company collab oration may be Although onion routing may be used for anony- con dential. Similarly, e-mail users may not wish to mous communication, it di ers from anonymous re- Address: For Reed and Syverson Naval Research Lab o- mailers [7, 16]intwoways: Communication is real-time ratory, Center For High Assurance Computer Systems, Wash- and bidirectional, and the anonymous connections are ington, D.C. 20375-5337, USA, phone: +1 202.767.2389, fax: application indep endent. Onion routing's anonymous +1 202.404.7942, e-mail: flast [email protected]. For Goldschlag Divx, 570 Herndon Parkway, Herndon, VA 20170, 1 USA, phone: +1 703-708-4028. fax: +1 703-708-4088, e-mail: Preliminary versions of p ortions of this pap er have app eared [email protected] in [28, 14 , 24 ]. 1 can supp ort anonymous mail as well as connections 2.1 Operational Overview other applications. For example, onion routing maybe used for anonymous Web browsing. A user may wish to The onion routing network is accessed via a series browse public Web sites without revealing his identity of proxies . An initiating application makes a so cket to those Web sites. That requires removing informa- connection to an application proxy . This proxy mas- tion that identi es him from his requests to Web servers sages connection message format and later data to a and removing information from the connection itself generic form that can b e passed through the onion rout- that may identify him. Hence, anonymous Web brows- ing network. It then connects to an onion proxy , which ing uses anonymized communication over anonymous de nes a route through the onion routing network by connections. The Anonymizer [1] only anonymizes the constructing a layered data structure called an onion . data stream, not the connection itself. So it do es not The onion is passed to the entry funnel , which o ccu- prevent trac analysis attacks like tracking data as it pies one of the longstanding connections to an onion moves through the network. router and multiplexes connections to the onion rout- This pap er is organized in the following way: Sec- ing network at that onion router. That onion router tion 2 presents an overview of onion routing. Section will be the one for whom the outermost layer of the 3 presents empirical data ab out our prototyp e. Sec- onion is intended. Eachlayer of the onion de nes the tion 4 de nes our threat mo del. Section 5 describ es next hop in a route. An onion router that receives an onion routing and the application sp eci c proxies in onion p eels o its layer, identi es the next hop, and more detail. Section 6 describ es the implementation sends the emb edded onion to that onion router. The choices that were made for security reasons. Section 7 last onion router forwards data to an exit funnel , whose describ es how onion routing may b e used in a wide va- job is to pass data b etween the onion routing network rietyofInternet applications. Section 8 contrasts onion and the resp onder. routing with related work, and section 9 presents con- In addition to carrying next hop information, each cluding remarks. onion layer contains key seed material from whichkeys 2 are generated for crypting data sent forward or back- ward along the anonymous connection. We de ne for- 2 Onion Routing Overview ward to b e the direction in which the onion travels and backward as the opp osite direction. Once the anonymous connection is established, it In onion routing, instead of making so cket connec- can carry data. Before sending data over an anony- tions directly to a resp onding machine, initiating ap- mous connection, the onion proxy adds a layer of en- plications make connections through a sequence of ma- cryption for each onion router in the route. As data chines called onion routers . The onion routing net- moves through the anonymous connection, each onion work allows the connection b etween the initiator and router removes one layer of encryption, so it arrives at responder to remain anonymous. Anonymous connec- the resp onder as plaintext. This layering o ccurs in the tions hide who is connected to whom, and for what reverse order for data moving back to the initiator. So purp ose, from b oth outside eavesdropp ers and com- data that has passed backward through the anonymous promised onion routers. If the initiator also wants to connection must b e rep eatedly p ost-crypted to obtain remain anonymous to the resp onder, then all identify- the plaintext. ing information must b e removed from the data stream By layering cryptographic op erations in this way, b efore b eing sentover the anonymous connection. we gain an advantage over link encryption. As data Onion routers in the network are connected by long- moves through the network it app ears di erent to each standing p ermanent so cket connections. Anonymous onion router. Therefore, an anonymous connection is connections through the network are multiplexed over as strong as its strongest link, and even one honest no de the longstanding connections. For any anonymous con- is enough to maintain the privacy of the route. In link nection, the sequence of onion routers in a route is encrypted systems, compromised no des can co op erate strictly de ned at connection setup. However, each to uncover route information. onion router can only identify the previous and next Onion routers keep track of received onions until hops along a route. Data passed along the anonymous they expire. Replayed or expired onions are not for- connection app ears di erent at each onion router, so warded, so they cannot be used to uncover route in- data cannot be tracked en route, and compromised formation, either by outsiders or compromised onion onion routers cannot co op erate by correlating the data 2 stream each sees. We will also see that they cannot We de ne the verb crypt to mean the application of a cryp- make use of replayed onions or replayed data. tographic op eration, b e it encryption or decryption.