Wikipedia

Onion routing

Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to the layers of an onion. The encrypted data is transmitted through a series of network nodes called "onion routers," each of which "peels" away a single layer, revealing the data's next destination. When the final layer is decrypted, the message arrives at its destination. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes.[1] While onion routing provides a high level of security and anonymity, there are methods to break the anonymity of this technique, such as timing analysis.[2]

In this example onion, the source of the data sends the onion to Router A, which removes a layer of encryption to learn only where to send it next and where it came from (though it does not know if the sender is the origin or just another node). Router A sends it to Router B, which decrypts another layer to learn its next destination. Router B sends it to Router C, which removes the final layer of encryption and transmits the original message to its destination.

History

Onion routing was developed in the mid-1990s at the U.S. Naval Research Laboratory by employees Paul Syverson, Michael G. Reed, and David Goldschlag[3][4] to protect U.S. intelligence communications online.[5] It was then refined by the Defense Advanced Research Projects Agency (DARPA) and patented by the Navy in 1998.[4][6][7]

This method was publicly released by the same employees through an article published in the IEEE Journal on Selected Areas in Communications the same year. It described the use of the method to protect the user from the network and from outside observers who eavesdrop and conduct traffic analysis attacks. The most important part of this research is the configuration and application of onion routing to existing e-services, such as virtual private networks, web browsing, email, remote login, and electronic cash.[8]

Based on the existing onion routing technology, computer scientists Roger Dingledine and Nick Mathewson joined Paul Syverson in 2002 to develop what has become the largest and best-known implementation of onion routing, then called The Onion Routing project (Tor project).

After the Naval Research Laboratory released the code for Tor under a free license,[5][9][10] Dingledine, Mathewson and five others founded The Tor Project as a non-profit organization in 2006, with the financial support of the Electronic Frontier Foundation and several other organizations.[11][12]

Data structure

Metaphorically, an onion is the data structure formed by "wrapping" a message with successive layers of encryption to be decrypted ("peeled" or "unwrapped") by as many intermediary computers as there are layers before arriving at its destination. The original message remains hidden as it is transferred from one node to the next, and no intermediary knows both the origin and final destination of the data, allowing the sender to remain anonymous.[13]

Onion creation and transmission

To create and transmit an onion, the originator selects a set of nodes from a list provided by a "directory node". The chosen nodes are arranged into a path, called a "chain" or "circuit", through which the message will be transmitted. To preserve the anonymity of the sender, no node in the circuit is able to tell whether the node before it is the originator or another intermediary like itself. Likewise, no node in the circuit is able to tell how many other nodes are in the circuit and only the final node, the "exit node", is able to determine its own location in the chain.[13]

Using asymmetric key cryptography, the originator obtains a public key from the directory node to send an encrypted message to the first ("entry") node, establishing a connection and a shared secret ("session key"). Using the established encrypted link to the entry node, the originator can then relay a message through the first node to a second node in the chain using encryption that only the second node, and not the first, can decrypt. When the second node receives the message, it establishes a connection with the first node. While this extends the encrypted link from the originator, the second node cannot determine whether the first node is the originator or just another node in the circuit. The originator can then send a message through the first and second nodes to a third node, encrypted such that only the third node is able to decrypt it. The third, as with the second, becomes linked to the originator but connects only with the second. This process can be repeated to build larger and larger chains but is typically limited to preserve performance.[13]

When the chain is complete, the originator can send data over the Internet anonymously. When the final recipient of the data sends data back, the intermediary nodes maintain the same link back to the originator, with data again layered, but in reverse such that the final node this time adds the first layer of encryption and the first node adds the last layer of encryption before sending the data, for example a web page, to the originator, who is able to decrypt all layers.[13]
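As an added illustration of the procedure described in this section (not code from the article, from Tor, or from the original onion routing project), the following Python simulates a three-hop circuit whose session keys are assumed to be already negotiated, wraps a message so that each router learns only the next hop, and layers the reply in the reverse order described above. The SHA-256 counter-mode stream cipher is a toy stand-in for the AES-CTR a real router would use, and the router names, the fixed-width next-hop field and the message are constructed.

```python
import hashlib
import hmac
import os

HOP = 16  # fixed-width next-hop field; constructed format, not Tor's cell layout

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a toy stream cipher (stand-in for AES-CTR).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # One onion layer: nonce || ciphertext || HMAC tag, so a node can detect
    # a layer it is not meant to peel instead of forwarding garbage.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer integrity check failed: wrong key or tampering")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def layer_is_readable(key: bytes, blob: bytes) -> bool:
    # True only for the router whose session key wrapped the outermost layer.
    try:
        layer_decrypt(key, blob)
        return True
    except ValueError:
        return False

def build_onion(circuit, destination: str, message: bytes) -> bytes:
    # circuit: [(router_name, session_key), ...] ordered from entry to exit.
    # Wrap from the exit's layer outward: each layer carries the next hop for
    # the router that peels it; the exit's layer names the real destination.
    names = [name for name, _ in circuit] + [destination]
    blob = message
    for i in range(len(circuit) - 1, -1, -1):
        if len(names[i + 1]) > HOP:
            raise ValueError("hop name does not fit the next-hop field")
        next_hop = names[i + 1].encode().ljust(HOP, b"\0")
        blob = layer_encrypt(circuit[i][1], next_hop + blob)
    return blob

def relay_forward(circuit, onion: bytes):
    # Each router peels exactly one layer, learns the next hop and forwards the
    # remainder; nothing in the layer says whether the previous hop was the originator.
    views, blob = [], onion
    for name, key in circuit:
        inner = layer_decrypt(key, blob)
        next_hop = inner[:HOP].rstrip(b"\0").decode()
        views.append((name, next_hop))
        blob = inner[HOP:]
    return views, blob  # blob is the plaintext the exit hands to the destination

def relay_backward(circuit, reply: bytes) -> bytes:
    # Reply path: the exit node adds the first layer, the entry node the last.
    blob = reply
    for _, key in reversed(circuit):
        blob = layer_encrypt(key, blob)
    return blob

def originator_unwrap(circuit, blob: bytes) -> bytes:
    # The originator holds every session key and peels the entry node's layer first.
    for _, key in circuit:
        blob = layer_decrypt(key, blob)
    return blob
```

With a circuit of routers A, B and C, `relay_forward` returns the views `[("A", "B"), ("B", "C"), ("C", "example.org")]` together with the plaintext, and `layer_is_readable` with B's key on the onion as A received it is False.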

Weaknesses

Timing analysis

One of the reasons typical Internet connections are not considered anonymous is the ability of Internet service providers to trace and log connections between computers. For example, when a person accesses a particular website, the data itself may be secured through a connection like HTTPS such that the user's password, emails, or other content is not visible to an outside party, but there is still a record of the connection itself, the time it occurred, and the amount of data transferred. Onion routing creates and obscures a path between two computers such that there is no discernible direct connection from a person to a website, but records of connections between computers still exist. Traffic analysis searches those records of connections made by a potential originator and tries to match their timing and data volumes to connections made to a potential recipient. If an attacker has compromised both ends of a route, a sender may be seen to have transferred an amount of data to an unknown computer a certain number of seconds before a different unknown computer transferred data of exactly the same size to a particular destination.[14][15] Factors that may facilitate traffic analysis include nodes failing or leaving the network[15] and a compromised node keeping track of a session as it occurs when chains are periodically rebuilt.[16]
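As an added illustration of the matching described above (constructed connection records, not code or data from the article), the following Python runs a size-and-timing comparison over records logged at both ends of a route, then pads every transfer to fixed-size cells to show that padding removes the size signal while a flow that is isolated in time stays linkable. The names, sizes, timestamps, cell size and latency window are all constructed.

```python
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class Flow:
    t: float    # seconds at which the observer logged the connection
    size: int   # bytes transferred
    who: str    # the endpoint visible to that observer

# Constructed records (not real captures). ENTRY is what an observer near the
# senders logs; EXIT is what an observer near the destinations logs.
ENTRY = [Flow(0.00, 1337, "alice"), Flow(0.05, 1400, "bob"), Flow(0.40, 1337, "carol")]
EXIT = [Flow(0.21, 1337, "siteX"), Flow(0.26, 1400, "siteY"), Flow(0.61, 1337, "siteZ")]

def correlate(entry, exit_, max_delay=0.3):
    # For each sender, the destinations whose record has the same size and
    # appears within max_delay seconds after the sender's record.
    return {e.who: [x.who for x in exit_
                    if x.size == e.size and 0.0 <= x.t - e.t <= max_delay]
            for e in entry}

def pad_to_cells(flows, cell=512):
    # Fixed-size cells round every transfer up to a multiple of the cell size,
    # so transfers of similar length become indistinguishable by size alone.
    return [Flow(f.t, ceil(f.size / cell) * cell, f.who) for f in flows]

def linkable(matches):
    # Senders the observer can tie to exactly one destination.
    return sorted(s for s, cands in matches.items() if len(cands) == 1)
```

On the raw records every sender is linkable; after padding, alice and bob each have two candidates, but carol, whose transfer sits alone in its time window, is still linked to siteZ by timing.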

Garlic routing is a variant of onion routing associated with the I2P network that encrypts multiple messages together, which both increases the speed of data transfer and makes it more difficult[17] for attackers to perform traffic analysis.[18]

Exit node vulnerability

Although the message being sent is transmitted inside several layers of encryption, the job of the exit node, as the final node in the chain, is to decrypt the final layer and deliver the message to the recipient. A compromised exit node is thus able to acquire the raw data being transmitted, potentially including passwords, private messages, bank account numbers, and other forms of personal information. Dan Egerstad, a Swedish researcher, used such an attack to collect the passwords of over 100 email accounts related to foreign embassies.[19]

Exit node vulnerabilities are similar to those on unsecured wireless networks, where the data being transmitted by a user on the network may be intercepted by another user or by the router operator. Both issues are solved by using a secure end-to-end connection like SSL/TLS or secure HTTP (S-HTTP). If there is end-to-end encryption between the sender and the recipient, and the sender isn't lured into trusting a false SSL certificate offered by the exit node, then not even the last intermediary can view the original message.

See also

  • Anonymous remailer
  • Bitblinder
  • Chaum mixes
  • Cryptography
  • Degree of anonymity
  • Diffie–Hellman key exchange
  • Java Anon Proxy
  • Key-based routing
  • Matryoshka doll
  • Mix network
  • Mixmaster anonymous remailer
  • Public-key cryptography
  • Proxy server
  • Tox (implements onion routing)
  • Tribler (implements onion routing)

References

  1. Goldschlag, D.; Reed, M.; Syverson, P. (1999). "Onion Routing for Anonymous and Private Internet Connections". Onion Router.
  2. Soltani, Ramin; Goeckel, Dennis; Towsley, Don; Houmansadr, Amir (2017-11-27). "Towards Provably Invisible Network Flow Fingerprints". 2017 51st Asilomar Conference on Signals, Systems, and Computers. pp. 258–262. arXiv:1711.10079. doi:10.1109/ACSSC.2017.8335179. ISBN 978-1-5386-1823-3. S2CID 4943955.
  3. Reed, M. G.; Syverson, P. F.; Goldschlag, D. M. (1998). "Anonymous connections and onion routing". IEEE Journal on Selected Areas in Communications. 16 (4): 482–494.
  4. US patent 6266704, Reed, Michael G. (Bethesda, MD); Syverson, Paul F. (Silver Spring, MD); Goldschlag, David M. (Silver Spring, MD), "Onion routing network for securely moving data through communication networks", assigned to The United States of America as represented by the Secretary of the Navy (Washington, DC).
  5. Levine, Yasha (16 July 2014). "Almost everyone involved in developing Tor was (or is) funded by the US government". Pando Daily. Retrieved 30 August 2014.
  6. Fagoyinbo, Joseph Babatunde (2013-05-24). The Armed Forces: Instrument of Peace, Strength, Development and Prosperity. AuthorHouse. ISBN 9781477226476. Retrieved August 29, 2014.
  7. Leigh, David; Harding, Luke (2011-02-08). WikiLeaks: Inside Julian Assange's War on Secrecy. PublicAffairs. ISBN 978-1610390620. Retrieved August 29, 2014.
  8. Reed, M. G.; Syverson, P. F.; Goldschlag, D. M. (May 1998). "Anonymous connections and onion routing". IEEE Journal on Selected Areas in Communications. 16 (4): 482–494. doi:10.1109/49.668972. ISSN 1558-0008.
  9. Dingledine, Roger (20 September 2002). "pre-alpha: run an onion proxy now!". or-dev (Mailing list). Retrieved 17 July 2008.
  10. "Tor FAQ: Why is it called Tor?". Tor Project. Retrieved 1 July 2011.
  11. "Tor: Sponsors". Tor Project. Retrieved 11 December 2010.
  12. Krebs, Brian (8 August 2007). "Attacks Prompt Update for 'Tor' Anonymity Network". Washington Post. Retrieved 27 October 2007.
  13. Dingledine, Roger; Mathewson, Nick; Syverson, Paul. "Tor: The Second-Generation Onion Router" (PDF). Retrieved 26 February 2011.
  14. Shmatikov, Vitaly; Wang, Ming-Hsiu (2006). "Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses". Computer Security – ESORICS 2006. ESORICS'06. Vol. 4189. pp. 18–33. CiteSeerX 10.1.1.64.8818. doi:10.1007/11863908_2. ISBN 978-3-540-44601-9.
  15. Dingledine, Roger; Mathewson, Nick; Syverson, Paul (August 2004). "Tor: The Second-Generation Onion Router". San Diego, CA: USENIX Association. Retrieved 24 October 2012.
  16. Wright, Matthew K.; Adler, Micah; Levine, Brian Neil; Shields, Clay (November 2004). "The Predecessor Attack: An Analysis of a Threat to Anonymous Communications Systems" (PDF). ACM Transactions on Information and System Security. 7 (4): 489–522. doi:10.1145/1042031.1042032. S2CID 7711031. Archived from the original (PDF) on 2016-03-04. Retrieved 2012-07-04.
  17. "Common Darknet Weaknesses: An Overview of Attack Strategies". 27 January 2014.
  18. Zantour, Bassam; Haraty, Ramzi A. (2011). "I2P Data Communication System". Proceedings of ICN 2011: The Tenth International Conference on Networks: 401–409.
  19. Bangeman, Eric (2007-08-30). "Security researcher stumbles across embassy e-mail log-ins". Arstechnica.com. Retrieved 2010-03-17.

External links

  • Onion-Router.net – site formerly hosted at the Center for High Assurance Computer Systems of the U.S. Naval Research Laboratory
  • Syverson, P.F.; Goldschlag, D.M.; Reed, M.G. (1997). "Anonymous connections and onion routing" (PDF). Proceedings. 1997 IEEE Symposium on Security and Privacy. pp. 44–54. doi:10.1109/SECPRI.1997.601314. ISBN 0-8186-7828-3. S2CID 1793921.
