3 \documentclass[times,
10pt,twocolumn
]{article
}
13 \renewcommand\url{\begingroup \def\UrlLeft{<
}\def\UrlRight{>
}\urlstyle{tt
}\Url}
14 \newcommand\emailaddr{\begingroup \def\UrlLeft{<
}\def\UrlRight{>
}\urlstyle{tt
}\Url}
16 \newcommand{\workingnote}[1]{} % The version that hides the note.
17 %\newcommand{\workingnote}[1]{(**#1)} % The version that makes the note visible.
20 % If an URL ends up with '%'s in it, that's because the line *in the .bib/.tex
21 % file* is too long, so break it there (it doesn't matter if the next line is
22 % indented with spaces). -DH
25 %\ifx\pdfoutput\undefined
32 \newenvironment{tightlist
}{\begin{list
}{$
\bullet$
}{
33 \setlength{\itemsep}{0mm
}
34 \setlength{\parsep}{0mm
}
35 % \setlength{\labelsep}{0mm}
36 % \setlength{\labelwidth}{0mm}
37 % \setlength{\topsep}{0mm}
40 % Cut down on whitespace above and below figures displayed at head/foot of
42 \setlength{\textfloatsep}{3mm
}
43 % Cut down on whitespace above and below figures displayed in middle of page
44 \setlength{\intextsep}{3mm
}
48 %% Use dvipdfm instead. --DH
51 % \pdfpagewidth=\the\paperwidth
52 % \pdfpageheight=\the\paperheight
55 \title{Tor: The Second-Generation Onion Router
} %\\DRAFT VERSION}
56 % Putting the 'Private' back in 'Virtual Private Network'
58 \author{Roger Dingledine \\ The Free Haven Project \\ arma@freehaven.net
\and
59 Nick Mathewson \\ The Free Haven Project \\ nickm@freehaven.net
\and
60 Paul Syverson \\ Naval Research Lab \\ syverson@itd.nrl.navy.mil
}
66 We present Tor, a circuit-based low-latency anonymous communication
67 service. This second-generation Onion Routing system addresses limitations
68 in the original design. Tor adds perfect forward secrecy, congestion
69 control, directory servers, integrity checking, configurable exit policies,
70 and a practical design for rendezvous points. Tor works on the real-world
71 Internet, requires no special privileges or kernel modifications, requires
72 little synchronization or coordination between nodes, and provides a
73 reasonable tradeoff between anonymity, usability, and efficiency.
74 We briefly describe our experiences with an international network of
75 more than a dozen hosts.
% that has been running for several months.
76 We close with a list of open problems in anonymous communication.
80 %\textbf{Keywords:} anonymity, peer-to-peer, remailer, nymserver, reply block
83 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
88 Onion Routing is a distributed overlay network designed to anonymize
89 TCP-based applications like web browsing, secure shell,
90 and instant messaging. Clients choose a path through the network and
91 build a
\emph{circuit
}, in which each node (or ``onion router'' or ``OR'')
92 in the path knows its predecessor and successor, but no other nodes in
93 the circuit. Traffic flows down the circuit in fixed-size
94 \emph{cells
}, which are unwrapped by a symmetric key at each node
95 (like the layers of an onion) and relayed downstream. The
96 Onion Routing project published several design and analysis
97 papers
\cite{or-ih96,or-jsac98,or-discex00,or-pet00
}. While a wide area Onion
98 Routing network was deployed briefly, the only long-running
99 public implementation was a fragile
100 proof-of-concept that ran on a single machine. Even this simple deployment
101 processed connections from over sixty thousand distinct IP addresses from
102 all over the world at a rate of about fifty thousand per day.
103 But many critical design and deployment issues were never
104 resolved, and the design has not been updated in several years. Here
105 we describe Tor, a protocol for asynchronous, loosely federated onion
106 routers that provides the following improvements over the old Onion
109 \textbf{Perfect forward secrecy:
} Onion Routing
110 was originally vulnerable to a single hostile node recording traffic and
111 later compromising successive nodes in the circuit and forcing them
112 to decrypt it. Rather than using a single multiply encrypted data
113 structure (an
\emph{onion
}) to lay each circuit,
114 Tor now uses an incremental or
\emph{telescoping
} path-building design,
115 where the initiator negotiates session keys with each successive hop in
116 the circuit. Once these keys are deleted, subsequently compromised nodes
117 cannot decrypt old traffic. As a side benefit, onion replay detection
118 is no longer necessary, and the process of building circuits is more
119 reliable, since the initiator knows when a hop fails and can then try
120 extending to a new node.
122 \textbf{Separation of ``protocol cleaning'' from anonymity:
}
123 Onion Routing originally required a separate ``application
124 proxy'' for each supported application protocol---most of which were
125 never written, so many applications were never supported. Tor uses the
126 standard and near-ubiquitous SOCKS~
\cite{socks4
} proxy interface, allowing
127 us to support most TCP-based programs without modification. Tor now
128 relies on the filtering features of privacy-enhancing
129 application-level proxies such as Privoxy~
\cite{privoxy
}, without trying
130 to duplicate those features itself.
132 \textbf{No mixing, padding, or traffic shaping (yet):
} Onion
133 Routing originally called for batching and reordering cells as they arrived,
134 assumed padding between ORs, and in
135 later designs added padding between onion proxies (users) and
136 ORs~
\cite{or-ih96,or-jsac98
}. Tradeoffs between padding protection
137 and cost were discussed, and
\emph{traffic shaping
} algorithms were
138 theorized~
\cite{or-pet00
} to provide good security without expensive
139 padding, but no concrete padding scheme was suggested.
140 Recent research~
\cite{econymics
}
141 and deployment experience~
\cite{freedom21-security
} suggest that this
142 level of resource use is not practical or economical; and even full
143 link padding is still vulnerable~
\cite{defensive-dropping
}. Thus,
144 until we have a proven and convenient design for traffic shaping or
145 low-latency mixing that improves anonymity against a realistic
146 adversary, we leave these strategies out.
148 \textbf{Many TCP streams can share one circuit:
} Onion Routing originally
149 built a separate circuit for each
150 application-level request, but this required
151 multiple public key operations for every request, and also presented
152 a threat to anonymity from building so many circuits; see
153 Section~
\ref{sec:maintaining-anonymity
}. Tor multiplexes multiple TCP
154 streams along each circuit to improve efficiency and anonymity.
156 \textbf{Leaky-pipe circuit topology:
} Through in-band signaling
157 within the circuit, Tor initiators can direct traffic to nodes partway
158 down the circuit. This novel approach
159 allows traffic to exit the circuit from the middle---possibly
160 frustrating traffic shape and volume attacks based on observing the end
161 of the circuit. (It also allows for long-range padding if
162 future research shows this to be worthwhile.)
164 \textbf{Congestion control:
} Earlier anonymity designs do not
165 address traffic bottlenecks. Unfortunately, typical approaches to
166 load balancing and flow control in overlay networks involve inter-node
167 control communication and global views of traffic. Tor's decentralized
168 congestion control uses end-to-end acks to maintain anonymity
169 while allowing nodes at the edges of the network to detect congestion
170 or flooding and send less data until the congestion subsides.
172 \textbf{Directory servers:
} The earlier Onion Routing design
173 planned to flood state information through the network---an approach
174 that can be unreliable and complex.
% open to partitioning attacks.
175 Tor takes a simplified view toward distributing this
176 information. Certain more trusted nodes act as
\emph{directory
177 servers
}: they provide signed directories describing known
178 routers and their current state. Users periodically download them
181 \textbf{Variable exit policies:
} Tor provides a consistent mechanism
182 for each node to advertise a policy describing the hosts
183 and ports to which it will connect. These exit policies are critical
184 in a volunteer-based distributed infrastructure, because each operator
185 is comfortable with allowing different types of traffic to exit the Tor
186 network from his node.
188 \textbf{End-to-end integrity checking:
} The original Onion Routing
189 design did no integrity checking on data. Any node on the
190 circuit could change the contents of data cells as they passed by---for
191 example, to alter a connection request so it would connect
192 to a different webserver, or to `tag' encrypted traffic and look for
193 corresponding corrupted traffic at the network edges~
\cite{minion-design
}.
194 Tor hampers these attacks by verifying data integrity before it leaves
197 %\textbf{Improved robustness to failed nodes:} A failed node
198 %in the old design meant that circuit building failed, but thanks to
199 %Tor's step-by-step circuit building, users notice failed nodes
200 %while building circuits and route around them. Additionally, liveness
201 %information from directories allows users to avoid unreliable nodes in
203 %% Can't really claim this, now that we've found so many variants of
204 %% attack on partial-circuit-building. -RD
206 \textbf{Rendezvous points and hidden services:
}
207 Tor provides an integrated mechanism for responder anonymity via
208 location-protected servers. Previous Onion Routing designs included
209 long-lived ``reply onions'' that could be used to build circuits
210 to a hidden server, but these reply onions did not provide forward
211 security, and became useless if any node in the path went down
212 or rotated its keys. In Tor, clients negotiate
{\it rendezvous points
}
213 to connect with hidden servers; reply onions are no longer required.
216 Unlike Freedom~
\cite{freedom2-arch
}, Tor does not anonymize
217 non-TCP protocols---not requiring patches (or built-in support) in an
218 operating system's network stack has been valuable to Tor's
219 portability and deployability.
221 We have implemented all of the above features except rendezvous
222 points. Our source code is
223 available under a free license, and Tor
224 %, as far as we know, is unencumbered by patents.
225 is not covered by the patent that affected distribution and use of
226 earlier versions of Onion Routing.
227 We have deployed a wide-area alpha network
228 to test the design, to get more experience with usability
229 and users, and to provide a research platform for experimentation.
230 As of this writing, the network stands at sixteen nodes in thirteen
231 distinct administrative domains on two continents.
233 We review previous work in Section~
\ref{sec:related-work
}, describe
234 our goals and assumptions in Section~
\ref{sec:assumptions
},
235 and then address the above list of improvements in
236 Sections~
\ref{sec:design
} and~
\ref{sec:other-design
}. We summarize
237 in Section~
\ref{sec:attacks
} how our design stands up to
238 known attacks, and talk about our early deployment experiences in
239 Section~
\ref{sec:in-the-wild
}. We conclude with a list of open problems in
240 Section~
\ref{sec:maintaining-anonymity
} and future work for the Onion
241 Routing project in Section~
\ref{sec:conclusion
}.
243 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
245 \Section{Related work
}
246 \label{sec:related-work
}
248 Modern anonymity systems date to Chaum's
{\bf Mix-Net
}
249 design~
\cite{chaum-mix
}. Chaum
250 proposed hiding the correspondence between sender and recipient by
251 wrapping messages in layers of public-key cryptography, and relaying them
252 through a path composed of ``mixes.'' Each mix in turn
253 decrypts, delays, and re-orders messages, before relaying them
255 %toward their destinations.
257 Subsequent relay-based anonymity designs have diverged in two
258 main directions. Systems like
{\bf Babel
}~
\cite{babel
},
259 {\bf Mixmaster
}~
\cite{mixmaster-spec
},
260 and
{\bf Mixminion
}~
\cite{minion-design
} have tried
261 to maximize anonymity at the cost of introducing comparatively large and
262 variable latencies. Because of this decision, these
\emph{high-latency
}
263 networks resist strong global adversaries,
264 but introduce too much lag for interactive tasks like web browsing,
265 Internet chat, or SSH connections.
267 Tor belongs to the second category:
\emph{low-latency
} designs that
268 try to anonymize interactive network traffic. These systems handle
269 a variety of bidirectional protocols. They also provide more convenient
270 mail delivery than the high-latency anonymous email
271 networks, because the remote mail server provides explicit and timely
272 delivery confirmation. But because these designs typically
273 involve many packets that must be delivered quickly, it is
274 difficult for them to prevent an attacker who can eavesdrop both ends of the
275 communication from correlating the timing and volume
276 of traffic entering the anonymity network with traffic leaving it. These
277 protocols are similarly vulnerable to an active adversary who introduces
278 timing patterns into traffic entering the network and looks
279 for correlated patterns among exiting traffic.
280 Although some work has been done to frustrate
281 these attacks,
%\footnote{
282 % The most common approach is to pad and limit communication to a constant
284 % the variation in traffic shape. Doing so can have prohibitive bandwidth
285 % costs and/or performance limitations.
287 % Point in the footnote is covered above, yes? -PS
288 most designs protect primarily against traffic analysis rather than traffic
289 confirmation (see Section~
\ref{subsec:threat-model
}).
291 The simplest low-latency designs are single-hop proxies such as the
292 {\bf Anonymizer
}~
\cite{anonymizer
}: a single trusted server strips the
293 data's origin before relaying it. These designs are easy to
294 analyze, but users must trust the anonymizing proxy.
295 Concentrating the traffic to this single point increases the anonymity set
296 (the people a given user is hiding among), but it is vulnerable if the
297 adversary can observe all traffic going into and out of the proxy.
299 More complex are distributed-trust, circuit-based anonymizing systems.
300 In these designs, a user establishes one or more medium-term bidirectional
301 end-to-end circuits, and tunnels data in fixed-size cells.
302 Establishing circuits is computationally expensive and typically
304 cryptography, whereas relaying cells is comparatively inexpensive and
305 typically requires only symmetric encryption.
306 Because a circuit crosses several servers, and each server only knows
307 the adjacent servers in the circuit, no single server can link a
308 user to her communication partners.
310 The
{\bf Java Anon Proxy
} (also known as JAP or Web MIXes) uses fixed shared
311 routes known as
\emph{cascades
}. As with a single-hop proxy, this
312 approach aggregates users into larger anonymity sets, but again an
313 attacker only needs to observe both ends of the cascade to bridge all
314 the system's traffic. The Java Anon Proxy's design
315 calls for padding between end users and the head of the
316 cascade~
\cite{web-mix
}. However, it is not demonstrated whether the current
317 implementation's padding policy improves anonymity.
319 {\bf PipeNet
}~
\cite{back01, pipenet
}, another low-latency design proposed
320 around the same time as Onion Routing, gave
321 stronger anonymity but allowed a single user to shut
322 down the network by not sending. Systems like
{\bf ISDN
323 mixes
}~
\cite{isdn-mixes
} were designed for other environments with
324 different assumptions.
325 %XXX please can we fix this sentence to something less demeaning
327 In P2P designs like
{\bf Tarzan
}~
\cite{tarzan:ccs02
} and
328 {\bf MorphMix
}~
\cite{morphmix:fc04
}, all participants both generate
329 traffic and relay traffic for others. These systems aim to conceal
330 whether a given peer originated a request
331 or just relayed it from another peer. While Tarzan and MorphMix use
332 layered encryption as above,
{\bf Crowds
}~
\cite{crowds-tissec
} simply assumes
333 an adversary who cannot observe the initiator: it uses no public-key
334 encryption, so any node on a circuit can read the circuit's traffic.
336 {\bf Hordes
}~
\cite{hordes-jcs
} is based on Crowds but also uses multicast
337 responses to hide the initiator.
{\bf Herbivore
}~
\cite{herbivore
} and
338 $
\mbox{\bf P
}^
{\mathbf 5}$~
\cite{p5
} go even further, requiring broadcast.
339 These systems are designed primarily for communication between peers,
340 although Herbivore users can make external connections by
341 requesting a peer to serve as a proxy.
343 Systems like
{\bf Freedom
} and the original Onion Routing build circuits
344 all at once, using a layered ``onion'' of public-key encrypted messages,
345 each layer of which provides session keys and the address of the
346 next server in the circuit. Tor as described herein, Tarzan, MorphMix,
347 {\bf Cebolla
}~
\cite{cebolla
}, and Rennhard's
{\bf Anonymity Network
}~
\cite{anonnet
}
349 in stages, extending them one hop at a time.
350 Section~
\ref{subsubsec:constructing-a-circuit
} describes how this
351 approach enables perfect forward secrecy.
353 Circuit-based anonymity designs must choose which protocol layer
354 to anonymize. They may choose to intercept IP packets directly, and
355 relay them whole (stripping the source address) along the
356 circuit~
\cite{freedom2-arch,tarzan:ccs02
}. Alternatively, like
357 Tor, they may accept TCP streams and relay the data in those streams
358 along the circuit, ignoring the breakdown of that data into TCP
359 segments~
\cite{morphmix:fc04,anonnet
}. Finally, they may accept
360 application-level protocols (such as HTTP) and relay the application
361 requests themselves along the circuit.
362 Making this protocol-layer decision requires a compromise between flexibility
363 and anonymity. For example, a system that understands HTTP, such as Crowds,
365 identifying information from those requests, can take advantage of caching
366 to limit the number of requests that leave the network, and can batch
367 or encode those requests to minimize the number of connections.
368 On the other hand, an IP-level anonymizer can handle nearly any protocol,
369 even ones unforeseen by its designers (though these systems require
370 kernel-level modifications to some operating systems, and so are more
371 complex and less portable). TCP-level anonymity networks like Tor present
372 a middle approach: they are fairly application neutral (so long as the
373 application supports, or can be tunneled across, TCP), but by treating
374 application connections as data streams rather than raw TCP packets,
375 they avoid the well-known inefficiencies of tunneling TCP over
376 TCP~
\cite{tcp-over-tcp-is-bad
}.
378 Distributed-trust anonymizing systems need to prevent attackers from
379 adding too many servers and thus compromising user paths.
380 Tor relies on a small set of well-known directory servers, run by
381 independent parties, to decide which nodes can
382 join. Tarzan and MorphMix allow unknown users to run servers, and use
383 a limited resource (like IP addresses) to prevent an attacker from
384 controlling too much of the network. Crowds suggests requiring
385 written, notarized requests from potential crowd members.
387 Anonymous communication is essential for censorship-resistant
388 systems like Eternity~
\cite{eternity
}, Free~Haven~
\cite{freehaven-berk
},
389 Publius~
\cite{publius
}, and Tangler~
\cite{tangler
}. Tor's rendezvous
390 points enable connections between mutually anonymous entities; they
391 are a building block for location-hidden servers, which are needed by
392 Eternity and Free~Haven.
394 % didn't include rewebbers. No clear place to put them, so I'll leave
395 % them out for now. -RD
397 \Section{Design goals and assumptions
}
398 \label{sec:assumptions
}
400 \noindent{\large\bf Goals
}\\
401 Like other low-latency anonymity designs, Tor seeks to frustrate
402 attackers from linking communication partners, or from linking
403 multiple communications to or from a single user. Within this
404 main goal, however, several considerations have directed
407 \textbf{Deployability:
} The design must be deployed and used in the
409 must not be expensive to run (for example, by requiring more bandwidth
410 than volunteers are willing to provide); must not place a heavy
411 liability burden on operators (for example, by allowing attackers to
412 implicate onion routers in illegal activities); and must not be
413 difficult or expensive to implement (for example, by requiring kernel
414 patches, or separate proxies for every protocol). We also cannot
415 require non-anonymous parties (such as websites)
416 to run our software. (Our rendezvous point design does not meet
417 this goal for non-anonymous users talking to hidden servers,
418 however; see Section~
\ref{subsec:rendezvous
}.)
420 \textbf{Usability:
} A hard-to-use system has fewer users---and because
421 anonymity systems hide users among users, a system with fewer users
422 provides less anonymity. Usability is thus not only a convenience:
423 it is a security requirement~
\cite{econymics,back01
}. Tor should
425 require modifying applications; should not introduce prohibitive delays;
426 and should require users to make as few configuration decisions
427 as possible. Finally, Tor should be easily implemented on all common
428 platforms; we cannot require users to change their operating system
429 to be anonymous. (The current Tor implementation runs on Windows and
430 assorted Unix clones including Linux, FreeBSD, and MacOS X.)
432 \textbf{Flexibility:
} The protocol must be flexible and well-specified,
433 so Tor can serve as a test-bed for future research.
434 Many of the open problems in low-latency anonymity
435 networks, such as generating dummy traffic or preventing Sybil
436 attacks~
\cite{sybil
}, may be solvable independently from the issues
438 Tor. Hopefully future systems will not need to reinvent Tor's design.
439 %(But note that while a flexible design benefits researchers,
440 %there is a danger that differing choices of extensions will make users
441 %distinguishable. Experiments should be run on a separate network.)
443 \textbf{Simple design:
} The protocol's design and security
444 parameters must be well-understood. Additional features impose implementation
445 and complexity costs; adding unproven techniques to the design threatens
446 deployability, readability, and ease of security analysis. Tor aims to
447 deploy a simple and stable system that integrates the best accepted
448 approaches to protecting anonymity.\\
450 \noindent{\large\bf Non-goals
}\label{subsec:non-goals
}\\
451 In favoring simple, deployable designs, we have explicitly deferred
452 several possible goals, either because they are solved elsewhere, or because
453 they are not yet solved.
455 \textbf{Not peer-to-peer:
} Tarzan and MorphMix aim to scale to completely
456 decentralized peer-to-peer environments with thousands of short-lived
457 servers, many of which may be controlled by an adversary. This approach
458 is appealing, but still has many open
459 problems~
\cite{tarzan:ccs02,morphmix:fc04
}.
461 \textbf{Not secure against end-to-end attacks:
} Tor does not claim
462 to provide a definitive solution to end-to-end timing or intersection
463 attacks. Some approaches, such as having users run their own onion routers,
465 see Section~
\ref{sec:maintaining-anonymity
} for more discussion.
467 \textbf{No protocol normalization:
} Tor does not provide
\emph{protocol
468 normalization
} like Privoxy or the Anonymizer. If senders want anonymity from
469 responders while using complex and variable
470 protocols like HTTP, Tor must be layered with a filtering proxy such
471 as Privoxy to hide differences between clients, and expunge protocol
472 features that leak identity.
473 Note that by this separation Tor can also provide services that
474 are anonymous to the network yet authenticated to the responder, like
475 SSH. Similarly, Tor does not integrate
476 tunneling for non-stream-based protocols like UDP; this must be
477 provided by an external service if appropriate.
479 \textbf{Not steganographic:
} Tor does not try to conceal who is connected
482 \SubSection{Threat Model
}
483 \label{subsec:threat-model
}
485 A global passive adversary is the most commonly assumed threat when
486 analyzing theoretical anonymity designs. But like all practical
487 low-latency systems, Tor does not protect against such a strong
488 adversary. Instead, we assume an adversary who can observe some fraction
489 of network traffic; who can generate, modify, delete, or delay
490 traffic; who can operate onion routers of his own; and who can
491 compromise some fraction of the onion routers.
493 In low-latency anonymity systems that use layered encryption, the
494 adversary's typical goal is to observe both the initiator and the
495 responder. By observing both ends, passive attackers can confirm a
496 suspicion that Alice is
497 talking to Bob if the timing and volume patterns of the traffic on the
498 connection are distinct enough; active attackers can induce timing
499 signatures on the traffic to force distinct patterns. Rather
500 than focusing on these
\emph{traffic confirmation
} attacks,
501 we aim to prevent
\emph{traffic
502 analysis
} attacks, where the adversary uses traffic patterns to learn
503 which points in the network he should attack.
505 Our adversary might try to link an initiator Alice with her
506 communication partners, or try to build a profile of Alice's
507 behavior. He might mount passive attacks by observing the network edges
508 and correlating traffic entering and leaving the network---by
509 relationships in packet timing, volume, or externally visible
511 options. The adversary can also mount active attacks by compromising
512 routers or keys; by replaying traffic; by selectively denying service
513 to trustworthy routers to move users to
514 compromised routers, or denying service to users to see if traffic
516 network stops; or by introducing patterns into traffic that can later be
517 detected. The adversary might subvert the directory servers to give users
518 differing views of network state. Additionally, he can try to decrease
519 the network's reliability by attacking nodes or by performing antisocial
520 activities from reliable nodes and trying to get them taken down---making
521 the network unreliable flushes users to other less anonymous
522 systems, where they may be easier to attack. We summarize
523 in Section~
\ref{sec:attacks
} how well the Tor design defends against
524 each of these attacks.
526 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
528 \Section{The Tor Design
}
531 The Tor network is an overlay network; each onion router (OR)
533 user-level process without any special privileges.
534 Each onion router maintains a TLS~
\cite{TLS
}
535 connection to every other onion router.
536 %(We discuss alternatives to this clique-topology assumption in
537 %Section~\ref{sec:maintaining-anonymity}.)
538 % A subset of the ORs also act as
539 %directory servers, tracking which routers are in the network;
540 %see Section~\ref{subsec:dirservers} for directory server details.
542 runs local software called an onion proxy (OP) to fetch directories,
543 establish circuits across the network,
544 and handle connections from user applications. These onion proxies accept
545 TCP streams and multiplex them across the circuits. The onion
546 router on the other side
547 of the circuit connects to the destinations of
548 the TCP streams and relays data.
550 Each onion router maintains a long-term identity key and a short-term
551 onion key. The identity
552 key is used to sign TLS certificates, to sign the OR's
\emph{router
553 descriptor
} (a summary of its keys, address, bandwidth, exit policy,
554 and so on), and (by directory servers) to sign directories.
%Changing
555 %the identity key of a router is considered equivalent to creating a
557 The onion key is used to decrypt requests
558 from users to set up a circuit and negotiate ephemeral keys.
559 The TLS protocol also establishes a short-term link key when communicating
560 between ORs. Short-term keys are rotated periodically and
561 independently, to limit the impact of key compromise.
563 Section~
\ref{subsec:cells
} presents the fixed-size
564 \emph{cells
} that are the unit of communication in Tor. We describe
565 in Section~
\ref{subsec:circuits
} how circuits are
566 built, extended, truncated, and destroyed. Section~
\ref{subsec:tcp
}
567 describes how TCP streams are routed through the network. We address
568 integrity checking in Section~
\ref{subsec:integrity-checking
},
569 and resource limiting in Section~
\ref{subsec:rate-limit
}.
571 Section~
\ref{subsec:congestion
} talks about congestion control and
577 Onion routers communicate with one another, and with users' OPs, via
578 TLS connections with ephemeral keys. Using TLS conceals the data on
579 the connection with perfect forward secrecy, and prevents an attacker
580 from modifying data on the wire or impersonating an OR.
582 Traffic passes along these connections in fixed-size cells. Each cell
583 is
512 bytes,
%(but see Section~\ref{sec:conclusion} for a discussion of
584 %allowing large cells and small cells on the same network),
585 and consists of a header and a payload. The header includes a circuit
586 identifier (circID) that specifies which circuit the cell refers to
587 (many circuits can be multiplexed over the single TLS connection), and
588 a command to describe what to do with the cell's payload. (Circuit
589 identifiers are connection-specific: each single circuit has a different
590 circID on each OP/OR or OR/OR connection it traverses.)
591 Based on their command, cells are either
\emph{control
} cells, which are
592 always interpreted by the node that receives them, or
\emph{relay
} cells,
593 which carry end-to-end stream data. The control cell commands are:
594 \emph{padding
} (currently used for keepalive, but also usable for link
595 padding);
\emph{create
} or
\emph{created
} (used to set up a new circuit);
596 and
\emph{destroy
} (to tear down a circuit).
598 Relay cells have an additional header (the relay header) after the
599 cell header, containing a streamID (stream identifier: many streams can
600 be multiplexed over a circuit); an end-to-end checksum for integrity
601 checking; the length of the relay payload; and a relay command.
602 The entire contents of the relay header and the relay cell payload
603 are encrypted or decrypted together as the relay cell moves along the
604 circuit, using the
128-bit AES cipher in counter mode to generate a
605 cipher stream. The relay commands are:
\emph{relay
606 data
} (for data flowing down the stream),
\emph{relay begin
} (to open a
607 stream),
\emph{relay end
} (to close a stream cleanly),
\emph{relay
608 teardown
} (to close a broken stream),
\emph{relay connected
}
609 (to notify the OP that a relay begin has succeeded),
\emph{relay
610 extend
} and
\emph{relay extended
} (to extend the circuit by a hop,
611 and to acknowledge),
\emph{relay truncate
} and
\emph{relay truncated
}
612 (to tear down only part of the circuit, and to acknowledge),
\emph{relay
613 sendme
} (used for congestion control), and
\emph{relay drop
} (used to
614 implement long-range dummies).
615 We give a visual overview of cell structure plus the details of relay
616 cell structure, and then describe each of these cell types and commands
617 in more detail below.
622 \begin{picture
}(
8.0,
1.5)
623 \put(
4,
.5)
{\makebox(
0,
0)
[c
]{\epsfig{file=cell-struct,width=
7cm
}}}
627 \SubSection{Circuits and streams
}
628 \label{subsec:circuits
}
630 Onion Routing originally built one circuit for each
631 TCP stream. Because building a circuit can take several tenths of a
632 second (due to public-key cryptography and network latency),
633 this design imposed high costs on applications like web browsing that
634 open many TCP streams.
636 In Tor, each circuit can be shared by many TCP streams. To avoid
637 delays, users construct circuits preemptively. To limit linkability
638 among their streams, users' OPs build a new circuit
639 periodically if the previous one has been used,
640 and expire old used circuits that no longer have any open streams.
641 OPs consider making a new circuit once a minute: thus
642 even heavy users spend negligible time
643 building circuits, but a limited number of requests can be linked
644 to each other through a given exit node. Also, because circuits are built
645 in the background, OPs can recover from failed circuit creation
646 without delaying streams and thereby harming user experience.\\
650 \mbox{\epsfig{figure=interaction,width=
8.75cm
}}
651 \caption{Alice builds a two-hop circuit and begins fetching a web page.
}
652 \label{fig:interaction
}
655 \noindent{\large\bf Constructing a circuit
}\label{subsubsec:constructing-a-circuit
}\\
656 %\subsubsection{Constructing a circuit}
657 A user's OP constructs circuits incrementally, negotiating a
658 symmetric key with each OR on the circuit, one hop at a time. To begin
659 creating a new circuit, the OP (call her Alice) sends a
660 \emph{create
} cell to the first node in her chosen path (call him Bob).
662 circID $C_
{AB
}$ not currently used on the connection from her to Bob.)
663 The
\emph{create
} cell's
664 payload contains the first half of the Diffie-Hellman handshake
665 ($g^x$), encrypted to the onion key of the OR (call him Bob). Bob
666 responds with a
\emph{created
} cell containing the second half of the
667 DH handshake, along with a hash of the negotiated key $K=g^
{xy
}$.
669 Once the circuit has been established, Alice and Bob can send one
670 another relay cells encrypted with the negotiated
671 key.
\footnote{Actually, the negotiated key is used to derive two
672 symmetric keys: one for each direction.
} More detail is given in
675 To extend the circuit further, Alice sends a
\emph{relay extend
} cell
676 to Bob, specifying the address of the next OR (call her Carol), and
677 an encrypted $g^
{x_2
}$ for her. Bob copies the half-handshake into a
678 \emph{create
} cell, and passes it to Carol to extend the circuit.
679 (Bob chooses a new circID $C_
{BC
}$ not currently used on the connection
680 between him and Carol. Alice never needs to know this circID; only Bob
681 associates $C_
{AB
}$ on his connection with Alice to $C_
{BC
}$ on
682 his connection with Carol.)
683 When Carol responds with a
\emph{created
} cell, Bob wraps the payload
684 into a
\emph{relay extended
} cell and passes it back to Alice. Now
685 the circuit is extended to Carol, and Alice and Carol share a common key
688 To extend the circuit to a third node or beyond, Alice
689 proceeds as above, always telling the last node in the circuit to
690 extend one hop further.
692 This circuit-level handshake protocol achieves unilateral entity
693 authentication (Alice knows she's handshaking with the OR, but
694 the OR doesn't care who is opening the circuit---Alice uses no public key
695 and is trying to remain anonymous) and unilateral key authentication
696 (Alice and the OR agree on a key, and Alice knows only the OR learns
697 it). It also achieves forward
698 secrecy and key freshness. More formally, the protocol is as follows
699 (where $E_
{PK_
{Bob
}}(
\cdot)$ is encryption with Bob's public key,
700 $H$ is a secure hash function, and $|$ is concatenation):
703 \mathrm{Alice
} \rightarrow \mathrm{Bob
}&: E_
{PK_
{Bob
}}(g^x) \\
704 \mathrm{Bob
} \rightarrow \mathrm{Alice
}&: g^y, H(K |
\mathrm{``handshake"
}) \\
708 \noindent In the second step, Bob proves that it was he who received $g^x$,
709 and who chose $y$. We use PK encryption in the first step
710 (rather than, say, using the first two steps of STS, which has a
711 signature in the second step) because a single cell is too small to
712 hold both a public key and a signature. Preliminary analysis with the
713 NRL protocol analyzer~
\cite{meadows96
} shows this protocol to be
714 secure (including perfect forward secrecy) under the
715 traditional Dolev-Yao model.\\
717 \noindent{\large\bf Relay cells
}\\
718 %\subsubsection{Relay cells}
720 Once Alice has established the circuit (so she shares keys with each
721 OR on the circuit), she can send relay cells. Recall that every relay
722 cell has a streamID that indicates to which
723 stream the cell belongs.
%This streamID allows a relay cell to be
724 %addressed to any OR on the circuit.
725 Upon receiving a relay
726 cell, an OR looks up the corresponding circuit, and decrypts the relay
727 header and payload with the session key for that circuit.
728 If the cell is headed away from Alice the OR then checks
729 whether the decrypted streamID is recognized---either because it
730 corresponds to an open stream at this OR for the given circuit, or because
731 it is the control streamID (zero). If the OR recognizes the
732 streamID, it accepts the relay cell and processes it as described
734 the OR looks up the circID and OR for the
735 next step in the circuit, replaces the circID as appropriate, and
736 sends the decrypted relay cell to the next OR. (If the OR at the end
737 of the circuit receives an unrecognized relay cell, an error has
738 occurred, and the cell is discarded.)
740 OPs treat incoming relay cells similarly: they iteratively unwrap the
741 relay header and payload with the session keys shared with each
742 OR on the circuit, from the closest to farthest.
% (Because we use a
743 %stream cipher, encryption operations may be inverted in any order.)
744 If at any stage the OP recognizes the streamID, the cell must have
745 originated at the OR whose encryption has just been removed.
747 To construct a relay cell addressed to a given OR, Alice iteratively
748 encrypts the cell payload (that is, the relay header and payload) with
749 the symmetric key of each hop up to that OR. Because the streamID is
750 encrypted to a different value at each step, only at the targeted OR
751 will it have a meaningful value.
\footnote{
752 % Should we just say that 2^56 is itself negligible?
753 % Assuming 4-hop circuits with 10 streams per hop, there are 33
754 % possible bad streamIDs before the last circuit. This still
755 % gives an error only once every 2 million terabytes (approx).
756 With
48 bits of streamID per cell, the probability of an accidental
757 collision is far lower than the chance of hardware failure.
}
758 This
\emph{leaky pipe
} circuit topology
759 allows Alice's streams to exit at different ORs on a single circuit.
760 Alice may choose different exit points because of their exit policies,
761 or to keep the ORs from knowing that two streams
762 originate from the same person.
764 When an OR later replies to Alice with a relay cell, it
765 encrypts the cell's relay header and payload with the single key it
766 shares with Alice, and sends the cell back toward Alice along the
767 circuit. Subsequent ORs add further layers of encryption as they
768 relay the cell back to Alice.
770 To tear down a circuit, Alice sends a
\emph{destroy
} control
771 cell. Each OR in the circuit receives the
\emph{destroy
} cell, closes
772 all streams on that circuit, and passes a new
\emph{destroy
} cell
773 forward. But just as circuits are built incrementally, they can also
774 be torn down incrementally: Alice can send a
\emph{relay
775 truncate
} cell to a single OR on a circuit. That OR then sends a
776 \emph{destroy
} cell forward, and acknowledges with a
777 \emph{relay truncated
} cell. Alice can then extend the circuit to
778 different nodes, without signaling to the intermediate nodes (or
779 a limited observer) that she has changed her circuit.
780 Similarly, if a node on the circuit goes down, the adjacent
781 node can send a
\emph{relay truncated
} cell back to Alice. Thus the
782 ``break a node and see which circuits go down''
783 attack~
\cite{freedom21-security
} is weakened.
785 \SubSection{Opening and closing streams
}
788 When Alice's application wants a TCP connection to a given
789 address and port, it asks the OP (via SOCKS) to make the
790 connection. The OP chooses the newest open circuit (or creates one if
791 none is available), and chooses a suitable OR on that circuit to be the
792 exit node (usually the last node, but maybe others due to exit policy
793 conflicts; see Section~
\ref{subsec:exitpolicies
}.) The OP then opens
794 the stream by sending a
\emph{relay begin
} cell to the exit node,
795 using a streamID of zero (so the OR will recognize it), containing as
796 its relay payload a new random streamID, the destination
797 address, and the destination port. Once the
798 exit node connects to the remote host, it responds
799 with a
\emph{relay connected
} cell. Upon receipt, the OP sends a
800 SOCKS reply to notify the application of its success. The OP
801 now accepts data from the application's TCP stream, packaging it into
802 \emph{relay data
} cells and sending those cells along the circuit to
805 There's a catch to using SOCKS, however---some applications pass the
806 alphanumeric hostname to the Tor client, while others resolve it into
807 an IP address first and then pass the IP address to the Tor client. If
808 the application does DNS resolution first, Alice thereby reveals her
809 destination to the remote DNS server, rather than sending the hostname
810 through the Tor network to be resolved at the far end. Common applications
811 like Mozilla and SSH have this flaw.
813 With Mozilla, the flaw is easy to address: the filtering HTTP
814 proxy called Privoxy gives a hostname to the Tor client, so Alice's
815 computer never does DNS resolution.
816 But a portable general solution, such as is needed for
818 an open problem. Modifying or replacing the local nameserver
819 can be invasive, brittle, and unportable. Forcing the resolver
820 library to do resolution via TCP rather than UDP is
821 hard, and also has portability problems. We could also provide a
822 tool similar to
\emph{dig
} to perform a private lookup through the
823 Tor network. Currently, we encourage the use of
824 privacy-aware proxies like Privoxy wherever possible.
826 Closing a Tor stream is analogous to closing a TCP stream: it uses a
827 two-step handshake for normal operation, or a one-step handshake for
828 errors. If the stream closes abnormally, the adjacent node simply sends a
829 \emph{relay teardown
} cell. If the stream closes normally, the node sends
830 a
\emph{relay end
} cell down the circuit. When the other side has sent
831 back its own
\emph{relay end
} cell, the stream can be torn down. Because
832 all relay cells use layered encryption, only the destination OR knows
833 that a given relay cell is a request to close a stream. This two-step
834 handshake allows Tor to support TCP-based applications that use half-closed
836 % such as broken HTTP clients that close their side of the
837 %stream after writing but are still willing to read.
839 \SubSection{Integrity checking on streams
}
840 \label{subsec:integrity-checking
}
842 Because the old Onion Routing design used a stream cipher without integrity
843 checking, traffic was
844 vulnerable to a malleability attack: though the attacker could not
845 decrypt cells, any changes to encrypted data
846 would create corresponding changes to the data leaving the network.
847 This weakness allowed an adversary to change a padding cell to a destroy
848 cell; change the destination address in a
\emph{relay begin
} cell to the
849 adversary's webserver; or change an FTP command from
850 {\tt dir
} to
{\tt rm~*
}. Any adversary who could guess the encrypted
851 content could introduce such corruption in a stream. (Even an external
852 adversary could do this, because the link encryption similarly used a
855 Tor uses TLS on its links---its integrity checking
856 protects data from modification by external adversaries.
857 Addressing the insider malleability attack, however, is
860 We could do integrity checking of the relay cells at each hop, either
861 by including hashes or by using an authenticating cipher mode like
862 EAX~
\cite{eax
}, but there are some problems. First, these approaches
863 impose a message-expansion overhead at each hop, and so we would have to
864 either leak the path length or waste bytes by padding to a maximum
865 path length. Second, these solutions can only verify traffic coming
866 from Alice: ORs would not be able to produce suitable hashes for
867 the intermediate hops, since the ORs on a circuit do not know the
868 other ORs' session keys. Third, we have already accepted that our design
869 is vulnerable to end-to-end timing attacks; tagging attacks performed
870 within the circuit provide no additional information to the attacker.
872 Thus, we check integrity only at the edges of each stream. When Alice
873 negotiates a key with a new hop, they each initialize a SHA-
1
874 digest with a derivative of that key,
875 thus beginning with randomness that only the two of them know. From
876 then on they each incrementally add to the SHA-
1 digest the contents of
877 all relay cells they create, and include with each relay cell the
878 first four bytes of the current digest. Each also keeps a SHA-
1
879 digest of data received, to verify that the received hashes are correct.
881 To be sure of removing or modifying a cell, the attacker must be able
882 to deduce the current digest state (which depends on all
883 traffic between Alice and Bob, starting with their negotiated key).
884 Attacks on SHA-
1 where the adversary can incrementally add to a hash
885 to produce a new valid hash don't work, because all hashes are
886 end-to-end encrypted across the circuit. The computational overhead
887 of computing the digests is minimal compared to doing the AES
888 encryption performed at each hop of the circuit. We use only four
889 bytes per cell to minimize overhead; the chance that an adversary will
890 correctly guess a valid hash
891 %, plus the payload the current cell,
893 acceptably low, given that Alice or Bob tear down the circuit if they
896 \SubSection{Rate limiting and fairness
}
897 \label{subsec:rate-limit
}
899 Volunteers are more willing to run services that can limit
900 their bandwidth usage. To accommodate them, Tor servers use a
901 token bucket approach~
\cite{tannenbaum96
} to
902 enforce a long-term average rate of incoming bytes, while still
903 permitting short-term bursts above the allowed bandwidth.
904 % Current bucket sizes are set to ten seconds' worth of traffic.
906 %Further, we want to avoid starving any Tor streams. Entire circuits
907 %could starve if we read greedily from connections and one connection
908 %uses all the remaining bandwidth. We solve this by dividing the number
909 %of tokens in the bucket by the number of connections that want to read,
910 %and reading at most that number of bytes from each connection. We iterate
911 %this procedure until the number of tokens in the bucket is under some
912 %threshold (currently 10KB), at which point we greedily read from connections.
914 Because the Tor protocol generates roughly the same number of outgoing
915 bytes as incoming bytes, it is sufficient in practice to limit only
917 With TCP streams, however, the correspondence is not one-to-one:
918 relaying a single incoming byte can require an entire
512-byte cell.
919 (We can't just wait for more bytes, because the local application may
920 be waiting for a reply.) Therefore, we treat this case as if the entire
921 cell size had been read, regardless of the fullness of the cell.
923 Further, inspired by Rennhard et al's design in~
\cite{anonnet
}, a
924 circuit's edges can heuristically distinguish interactive streams from bulk
925 streams by comparing the frequency with which they supply cells. We can
926 provide good latency for interactive streams by giving them preferential
927 service, while still giving good overall throughput to the bulk
928 streams. Such preferential treatment presents a possible end-to-end
929 attack, but an adversary observing both
930 ends of the stream can already learn this information through timing
933 \SubSection{Congestion control
}
934 \label{subsec:congestion
}
936 Even with bandwidth rate limiting, we still need to worry about
937 congestion, either accidental or intentional. If enough users choose the
938 same OR-to-OR connection for their circuits, that connection can become
939 saturated. For example, an attacker could send a large file
940 through the Tor network to a webserver he runs, and then
941 refuse to read any of the bytes at the webserver end of the
942 circuit. Without some congestion control mechanism, these bottlenecks
943 can propagate back through the entire network. We don't need to
944 reimplement full TCP windows (with sequence numbers,
945 the ability to drop cells when we're full and retransmit later, and so
947 because TCP already guarantees in-order delivery of each
949 %But we need to investigate further the effects of the current
950 %parameters on throughput and latency, while also keeping privacy in mind;
951 %see Section~\ref{sec:maintaining-anonymity} for more discussion.
952 We describe our response below.
954 \textbf{Circuit-level throttling:
}
955 To control a circuit's bandwidth usage, each OR keeps track of two
956 windows. The
\emph{packaging window
} tracks how many relay data cells the OR is
957 allowed to package (from incoming TCP streams) for transmission back to the OP,
958 and the
\emph{delivery window
} tracks how many relay data cells it is willing
959 to deliver to TCP streams outside the network. Each window is initialized
960 (say, to
1000 data cells). When a data cell is packaged or delivered,
961 the appropriate window is decremented. When an OR has received enough
962 data cells (currently
100), it sends a
\emph{relay sendme
} cell towards the OP,
963 with streamID zero. When an OR receives a
\emph{relay sendme
} cell with
964 streamID zero, it increments its packaging window. Either of these cells
965 increments the corresponding window by
100. If the packaging window
966 reaches
0, the OR stops reading from TCP connections for all streams
967 on the corresponding circuit, and sends no more relay data cells until
968 receiving a
\emph{relay sendme
} cell.
970 The OP behaves identically, except that it must track a packaging window
971 and a delivery window for every OR in the circuit. If a packaging window
972 reaches
0, it stops reading from streams destined for that OR.
974 \textbf{Stream-level throttling
}:
975 The stream-level congestion control mechanism is similar to the
976 circuit-level mechanism. ORs and OPs use
\emph{relay sendme
} cells
977 to implement end-to-end flow control for individual streams across
978 circuits. Each stream begins with a packaging window (currently
500 cells),
979 and increments the window by a fixed value (
50) upon receiving a
\emph{relay
980 sendme
} cell. Rather than always returning a
\emph{relay sendme
} cell as soon
981 as enough cells have arrived, the stream-level congestion control also
982 has to check whether data has been successfully flushed onto the TCP
983 stream; it sends the
\emph{relay sendme
} cell only when the number of bytes pending
984 to be flushed is under some threshold (currently
10 cells' worth).
986 %% Maybe omit this next paragraph. -NM
987 %Currently, non-data relay cells do not affect the windows. Thus we
988 %avoid potential deadlock issues, for example, arising because a stream
989 %can't send a \emph{relay sendme} cell when its packaging window is empty.
991 These arbitrarily chosen parameters seem to give tolerable throughput
992 and delay; see Section~
\ref{sec:in-the-wild
}.
994 \SubSection{Rendezvous Points and hidden services
}
995 \label{subsec:rendezvous
}
997 Rendezvous points are a building block for
\emph{location-hidden
998 services
} (also known as
\emph{responder anonymity
}) in the Tor
999 network. Location-hidden services allow Bob to offer a TCP
1000 service, such as a webserver, without revealing his IP address.
1001 This type of anonymity protects against distributed DoS attacks:
1002 attackers are forced to attack the onion routing network
1003 because they do not know Bob's IP address.
1005 Our design for location-hidden servers has the following goals.
1006 \textbf{Access-controlled:
} Bob needs a way to filter incoming requests,
1007 so an attacker cannot flood Bob simply by making many connections to him.
1008 \textbf{Robust:
} Bob should be able to maintain a long-term pseudonymous
1009 identity even in the presence of router failure. Bob's service must
1010 not be tied to a single OR, and Bob must be able to tie his service
1011 to new ORs.
\textbf{Smear-resistant:
}
1012 A social attacker who offers an illegal or disreputable location-hidden
1013 service should not be able to ``frame'' a rendezvous router by
1014 making observers believe the router created that service.
1015 \textbf{Application-transparent:
} Although we require users
1016 to run special software to access location-hidden servers, we must not
1017 require them to modify their applications.
1019 We provide location-hiding for Bob by allowing him to advertise
1020 several onion routers (his
\emph{introduction points
}) as contact
1021 points. He may do this on any robust efficient
1022 key-value lookup system with authenticated updates, such as a
1023 distributed hash table (DHT) like CFS~
\cite{cfs:sosp01
}\footnote{
1024 Rather than rely on an external infrastructure, the Onion Routing network
1025 can run the DHT itself. At first, we can run a simple lookup
1027 directory servers.
} Alice, the client, chooses an OR as her
1028 \emph{rendezvous point
}. She connects to one of Bob's introduction
1029 points, informs him of her rendezvous point, and then waits for him
1030 to connect to the rendezvous point. This extra level of indirection
1031 helps Bob's introduction points avoid problems associated with serving
1032 unpopular files directly (for example, if Bob serves
1033 material that the introduction point's community finds objectionable,
1034 or if Bob's service tends to get attacked by network vandals).
1035 The extra level of indirection also allows Bob to respond to some requests
1038 In Appendix~
\ref{sec:rendezvous-specifics
} we provide a more detailed
1039 description of the rendezvous protocol, integration issues, attacks,
1040 and related rendezvous work.
1042 \Section{Other design decisions
}
1043 \label{sec:other-design
}
1045 \SubSection{Resource management and denial-of-service
}
1048 Providing Tor as a public service creates many opportunities for
1049 denial-of-service attacks against the network. While
1050 flow control and rate limiting (discussed in
1051 Section~
\ref{subsec:congestion
}) prevent users from consuming more
1052 bandwidth than routers are willing to provide, opportunities remain for
1054 consume more network resources than their fair share, or to render the
1055 network unusable for others.
1057 First of all, there are several CPU-consuming denial-of-service
1058 attacks wherein an attacker can force an OR to perform expensive
1059 cryptographic operations. For example, an attacker who sends a
1060 \emph{create
} cell full of junk bytes can force an OR to perform an RSA
1061 decrypt. Similarly, an attacker can
1062 fake the start of a TLS handshake, forcing the OR to carry out its
1063 (comparatively expensive) half of the handshake at no real computational
1064 cost to the attacker.
1066 We have not yet implemented any defenses for these attacks, but several
1067 approaches are possible. First, ORs can
1068 require clients to solve a puzzle~
\cite{puzzles-tls
} while beginning new
1069 TLS handshakes or accepting
\emph{create
} cells. So long as these
1070 tokens are easy to verify and computationally expensive to produce, this
1071 approach limits the attack multiplier. Additionally, ORs can limit
1072 the rate at which they accept
\emph{create
} cells and TLS connections,
1074 the computational work of processing them does not drown out the
1075 symmetric cryptography operations that keep cells
1076 flowing. This rate limiting could, however, allow an attacker
1077 to slow down other users when they build new circuits.
1079 % What about link-to-link rate limiting?
1081 Adversaries can also attack the Tor network's hosts and network
1082 links. Disrupting a single circuit or link breaks all streams passing
1083 along that part of the circuit. Users similarly lose service
1084 when a router crashes or its operator restarts it. The current
1085 Tor design treats such attacks as intermittent network failures, and
1086 depends on users and applications to respond or recover as appropriate. A
1087 future design could use an end-to-end TCP-like acknowledgment protocol,
1088 so that no streams are lost unless the entry or exit point itself is
1089 disrupted. This solution would require more buffering at the network
1090 edges, however, and the performance and anonymity implications from this
1091 extra complexity still require investigation.
1093 \SubSection{Exit policies and abuse
}
1094 \label{subsec:exitpolicies
}
1096 % originally, we planned to put the "users only know the hostname,
1097 % not the IP, but exit policies are by IP" problem here too. Not
1098 % worth putting in the submission, but worth thinking about putting
1099 % in sometime somehow. -RD
1101 Exit abuse is a serious barrier to wide-scale Tor deployment. Anonymity
1102 presents would-be vandals and abusers with an opportunity to hide
1103 the origins of their activities. Attackers can harm the Tor network by
1104 implicating exit servers for their abuse. Also, applications that commonly
1105 use IP-based authentication (such as institutional mail or webservers)
1106 can be fooled by the fact that anonymous connections appear to originate
1109 We stress that Tor does not enable any new class of abuse. Spammers
1110 and other attackers already have access to thousands of misconfigured
1111 systems worldwide, and the Tor network is far from the easiest way
1113 %Indeed, because of its limited
1114 %anonymity, Tor is probably not a good way to commit crimes.
1116 onion routers can be mistaken for the originators of the abuse,
1117 and the volunteers who run them may not want to deal with the hassle of
1118 explaining anonymity networks to irate administrators, we must block or limit
1119 the abuse that travels through the Tor network.
1121 To mitigate abuse issues, in Tor, each onion router's
\emph{exit policy
}
1122 describes to which external addresses and ports the router will
1123 connect. On one end of the spectrum are
\emph{open exit
}
1124 nodes that will connect anywhere. On the other end are
\emph{middleman
}
1125 nodes that only relay traffic to other Tor nodes, and
\emph{private exit
}
1126 nodes that only connect to a local host or network. Using a private
1127 exit (if one exists) is a more secure way for a client to connect to a
1128 given host or network---an external adversary cannot eavesdrop traffic
1129 between the private exit and the final destination, and so is less sure of
1130 Alice's destination and activities. Most onion routers in the current
1132 \emph{restricted exits
} that permit connections to the world at large,
1133 but prevent access to certain abuse-prone addresses and services such
1135 Additionally, in some cases the OR can authenticate clients to
1136 prevent exit abuse without harming anonymity~
\cite{or-discex00
}.
1138 %The abuse issues on closed (e.g. military) networks are different
1139 %from the abuse on open networks like the Internet. While these IP-based
1140 %access controls are still commonplace on the Internet, on closed networks,
1141 %nearly all participants will be honest, and end-to-end authentication
1142 %can be assumed for important traffic.
1144 Many administrators use port restrictions to support only a
1145 limited set of services, such as HTTP, SSH, or AIM.
1146 This is not a complete solution, of course, since abuse opportunities for these
1147 protocols are still well known.
1149 We have not yet encountered any abuse in the deployed network, but if
1150 we do we should consider using proxies to clean traffic for certain
1151 protocols as it leaves the network. For example, much abusive HTTP
1152 behavior (such as exploiting buffer overflows or well-known script
1153 vulnerabilities) can be detected in a straightforward manner.
1154 Similarly, one could run automatic spam filtering software (such as
1155 SpamAssassin) on email exiting the OR network.
1157 ORs may also rewrite exiting traffic to append
1158 headers or other information indicating that the traffic has passed
1159 through an anonymity service. This approach is commonly used
1160 by email-only anonymity systems. ORs can also
1161 run on servers with hostnames like
{\tt anonymous
} to further
1162 alert abuse targets to the nature of the anonymous traffic.
1164 A mixture of open and restricted exit nodes allows the most
1165 flexibility for volunteers running servers. But while having many
1166 middleman nodes provides a large and robust network,
1167 having only a few exit nodes reduces the number of points
1168 an adversary needs to monitor for traffic analysis, and places a
1169 greater burden on the exit nodes. This tension can be seen in the
1171 cascade model, wherein only one node in each cascade needs to handle
1172 abuse complaints---but an adversary only needs to observe the entry
1173 and exit of a cascade to perform traffic analysis on all that
1174 cascade's users. The hydra model (many entries, few exits) presents a
1175 different compromise: only a few exit nodes are needed, but an
1176 adversary needs to work harder to watch all the clients; see
1177 Section~
\ref{sec:conclusion
}.
1179 Finally, we note that exit abuse must not be dismissed as a peripheral
1180 issue: when a system's public image suffers, it can reduce the number
1181 and diversity of that system's users, and thereby reduce the anonymity
1182 of the system itself. Like usability, public perception is a
1183 security parameter. Sadly, preventing abuse of open exit nodes is an
1184 unsolved problem, and will probably remain an arms race for the
1185 foreseeable future. The abuse problems faced by Princeton's CoDeeN
1186 project~
\cite{darkside
} give us a glimpse of likely issues.
1188 \SubSection{Directory Servers
}
1189 \label{subsec:dirservers
}
1191 First-generation Onion Routing designs~
\cite{freedom2-arch,or-jsac98
} used
1192 in-band network status updates: each router flooded a signed statement
1193 to its neighbors, which propagated it onward. But anonymizing networks
1194 have different security goals than typical link-state routing protocols.
1195 For example, delays (accidental or intentional)
1196 that can cause different parts of the network to have different views
1197 of link-state and topology are not only inconvenient: they give
1198 attackers an opportunity to exploit differences in client knowledge.
1199 We also worry about attacks to deceive a
1200 client about the router membership list, topology, or current network
1201 state. Such
\emph{partitioning attacks
} on client knowledge help an
1202 adversary to efficiently deploy resources
1203 against a target~
\cite{minion-design
}.
1205 Tor uses a small group of redundant, well-known onion routers to
1206 track changes in network topology and node state, including keys and
1207 exit policies. Each such
\emph{directory server
} acts as an HTTP
1208 server, so clients can fetch current network state
1209 and router lists, and so other ORs can upload
1210 state information. Onion routers periodically publish signed
1211 statements of their state to each directory server. The directory servers
1212 combine this information with their own views of network liveness,
1213 and generate a signed description (a
\emph{directory
}) of the entire
1214 network state. Client software is
1215 pre-loaded with a list of the directory servers and their keys,
1216 to bootstrap each client's view of the network.
1217 % XXX this means that clients will be forced to upgrade as the
1218 % XXX dirservers change or get compromised. argue that this is ok.
1220 When a directory server receives a signed statement for an OR, it
1221 checks whether the OR's identity key is recognized. Directory
1222 servers do not automatically advertise unrecognized ORs. (If they did,
1223 an adversary could take over the network by creating many
1224 servers~
\cite{sybil
}.) Instead, new nodes must be approved by the
1226 server administrator before they are included. Mechanisms for automated
1227 node approval are an area of active research, and are discussed more
1228 in Section~
\ref{sec:maintaining-anonymity
}.
1230 Of course, a variety of attacks remain. An adversary who controls
1231 a directory server can track clients by providing them different
1232 information---perhaps by listing only nodes under its control, or by
1233 informing only certain clients about a given node. Even an external
1234 adversary can exploit differences in client knowledge: clients who use
1235 a node listed on one directory server but not the others are vulnerable.
1237 Thus these directory servers must be synchronized and redundant, so
1238 that they can agree on a common directory. Clients should only trust
1239 this directory if it is signed by a threshold of the directory
1242 The directory servers in Tor are modeled after those in
1243 Mixminion~
\cite{minion-design
}, but our situation is easier. First,
1245 simplifying assumption that all participants agree on the set of
1246 directory servers. Second, while Mixminion needs to predict node
1247 behavior, Tor only needs a threshold consensus of the current
1248 state of the network.
1250 Tor directory servers build a consensus directory through a simple
1251 four-round broadcast protocol. In round one, each server dates and
1252 signs its current opinion, and broadcasts it to the other directory
1253 servers; then in round two, each server rebroadcasts all the signed
1254 opinions it has received. At this point all directory servers check
1255 to see whether any server has signed multiple opinions in the same
1256 period. Such a server is either broken or cheating, so the protocol
1257 stops and notifies the administrators, who either remove the cheater
1258 or wait for the broken server to be fixed. If there are no
1259 discrepancies, each directory server then locally computes an algorithm
1261 on the set of opinions, resulting in a uniform shared directory. In
1262 round three servers sign this directory and broadcast it; and finally
1263 in round four the servers rebroadcast the directory and all the
1264 signatures. If any directory server drops out of the network, its
1265 signature is not included on the final directory.
1267 The rebroadcast steps ensure that a directory server is heard by
1268 either all of the other servers or none of them, even when some links
1269 are down (assuming that any two directory servers can talk directly or
1270 via a third). Broadcasts are feasible because there are relatively few
1271 directory servers (currently
3, but we expect as many as
9 as the network
1272 scales). Computing the shared directory locally is a straightforward
1273 threshold voting process: we include an OR if a majority of directory
1274 servers believe it to be good.
1276 To avoid attacks where a router connects to all the directory servers
1277 but refuses to relay traffic from other routers, the directory servers
1278 must build circuits and use them to anonymously test router
1279 reliability~
\cite{mix-acc
}. Unfortunately, this defense is not yet
1283 Using directory servers is simpler and more flexible than flooding.
1284 Flooding is expensive, and complicates the analysis when we
1285 start experimenting with non-clique network topologies. Signed
1286 directories can be cached by other
1288 so directory servers are not a performance
1289 bottleneck when we have many users, and do not aid traffic analysis by
1290 forcing clients to periodically announce their existence to any
1294 \Section{Attacks and Defenses
}
1297 Below we summarize a variety of attacks, and discuss how well our
1298 design withstands them.\\
1300 \noindent{\large\bf Passive attacks
}\\
1301 \emph{Observing user traffic patterns.
} Observing a user's connection
1302 will not reveal her destination or data, but it will
1303 reveal traffic patterns (both sent and received). Profiling via user
1304 connection patterns requires further processing, because multiple
1305 application streams may be operating simultaneously or in series over
1308 \emph{Observing user content.
} While content at the user end is encrypted,
1309 connections to responders may not be (indeed, the responding website
1310 itself may be hostile). While filtering content is not a primary goal
1311 of Onion Routing, Tor can directly use Privoxy and related
1312 filtering services to anonymize application data streams.
1314 \emph{Option distinguishability.
} We allow clients to choose
1315 configuration options. For example, clients concerned about request
1316 linkability should rotate circuits more often than those concerned
1317 about traceability. Allowing choice may attract users with different
1318 %There is economic incentive to attract users by
1319 %allowing this choice;
1320 needs; but clients who are
1321 in the minority may lose more anonymity by appearing distinct than they
1322 gain by optimizing their behavior~
\cite{econymics
}.
1324 \emph{End-to-end timing correlation.
} Tor only minimally hides
1325 such correlations. An attacker watching patterns of
1326 traffic at the initiator and the responder will be
1327 able to confirm the correspondence with high probability. The
1328 greatest protection currently available against such confirmation is to hide
1329 the connection between the onion proxy and the first Tor node,
1330 by running the OP on the Tor node or behind a firewall. This approach
1331 requires an observer to separate traffic originating at the onion
1332 router from traffic passing through it: a global observer can do this,
1333 but it might be beyond a limited observer's capabilities.
1335 \emph{End-to-end size correlation.
} Simple packet counting
1336 will also be effective in confirming
1337 endpoints of a stream. However, even without padding, we have some
1338 limited protection: the leaky pipe topology means different numbers
1339 of packets may enter one end of a circuit than exit at the other.
1341 \emph{Website fingerprinting.
} All the effective passive
1342 attacks above are traffic confirmation attacks,
1343 which puts them outside our design goals. There is also
1344 a passive traffic analysis attack that is potentially effective.
1345 Rather than searching exit connections for timing and volume
1346 correlations, the adversary may build up a database of
1347 ``fingerprints'' containing file sizes and access patterns for
1348 targeted websites. He can later confirm a user's connection to a given
1349 site simply by consulting the database. This attack has
1350 been shown to be effective against SafeWeb~
\cite{hintz-pet02
}.
1351 It may be less effective against Tor, since
1352 streams are multiplexed within the same circuit, and
1353 fingerprinting will be limited to
1354 the granularity of cells (currently
512 bytes). Additional
1355 defenses could include
1356 larger cell sizes, padding schemes to group websites
1357 into large sets, and link
1358 padding or long-range dummies.
\footnote{Note that this fingerprinting
1359 attack should not be confused with the much more complicated latency
1360 attacks of~
\cite{back01
}, which require a fingerprint of the latencies
1361 of all circuits through the network, combined with those from the
1362 network edges to the target user and the responder website.
}\\
1364 \noindent{\large\bf Active attacks
}\\
1365 \emph{Compromise keys.
} An attacker who learns the TLS session key can
1366 see control cells and encrypted relay cells on every circuit on that
1367 connection; learning a circuit
1368 session key lets him unwrap one layer of the encryption. An attacker
1369 who learns an OR's TLS private key can impersonate that OR for the TLS
1370 key's lifetime, but he must
1371 also learn the onion key to decrypt
\emph{create
} cells (and because of
1372 perfect forward secrecy, he cannot hijack already established circuits
1373 without also compromising their session keys). Periodic key rotation
1374 limits the window of opportunity for these attacks. On the other hand,
1375 an attacker who learns a node's identity key can replace that node
1376 indefinitely by sending new forged descriptors to the directory servers.
1378 \emph{Iterated compromise.
} A roving adversary who can
1379 compromise ORs (by system intrusion, legal coercion, or extralegal
1380 coercion) could march down the circuit compromising the
1381 nodes until he reaches the end. Unless the adversary can complete
1382 this attack within the lifetime of the circuit, however, the ORs
1383 will have discarded the necessary information before the attack can
1384 be completed. (Thanks to the perfect forward secrecy of session
1385 keys, the attacker cannot force nodes to decrypt recorded
1386 traffic once the circuits have been closed.) Additionally, building
1387 circuits that cross jurisdictions can make legal coercion
1388 harder---this phenomenon is commonly called ``jurisdictional
1389 arbitrage.'' The Java Anon Proxy project recently experienced the
1390 need for this approach, when
1391 a German court forced them to add a backdoor to
1392 all of their nodes~
\cite{jap-backdoor
}.
1394 \emph{Run a recipient.
} An adversary running a webserver
1395 trivially learns the timing patterns of users connecting to it, and
1396 can introduce arbitrary patterns in its responses.
1397 End-to-end attacks become easier: if the adversary can induce
1398 users to connect to his webserver (perhaps by advertising
1399 content targeted to those users), she now holds one end of their
1400 connection. There is also a danger that application
1401 protocols and associated programs can be induced to reveal information
1402 about the initiator. Tor depends on Privoxy and similar protocol cleaners
1403 to solve this latter problem.
1405 \emph{Run an onion proxy.
} It is expected that end users will
1406 nearly always run their own local onion proxy. However, in some
1407 settings, it may be necessary for the proxy to run
1408 remotely---typically, in institutions that want
1409 to monitor the activity of those connecting to the proxy.
1410 Compromising an onion proxy compromises all future connections
1413 \emph{DoS non-observed nodes.
} An observer who can only watch some
1414 of the Tor network can increase the value of this traffic
1415 by attacking non-observed nodes to shut them down, reduce
1416 their reliability, or persuade users that they are not trustworthy.
1417 The best defense here is robustness.
1419 \emph{Run a hostile OR.
} In addition to being a local observer,
1420 an isolated hostile node can create circuits through itself, or alter
1421 traffic patterns to affect traffic at other nodes. Nonetheless, a hostile
1422 node must be immediately adjacent to both endpoints to compromise the
1423 anonymity of a circuit. If an adversary can
1424 run multiple ORs, and can persuade the directory servers
1425 that those ORs are trustworthy and independent, then occasionally
1426 some user will choose one of those ORs for the start and another
1427 as the end of a circuit. If an adversary
1428 controls $m>
1$ out of $N$ nodes, he can to correlate at most
1429 $
\left(
\frac{m
}{N
}\right)^
2$ of the traffic in this way---although an
1431 could possibly attract a disproportionately large amount of traffic
1432 by running an OR with a permissive exit policy, or by
1433 degrading the reliability of other routers.
1435 \emph{Introduce timing into messages.
} This is simply a stronger
1436 version of passive timing attacks already discussed earlier.
1438 \emph{Tagging attacks.
} A hostile node could ``tag'' a
1439 cell by altering it. If the
1440 stream were, for example, an unencrypted request to a Web site,
1441 the garbled content coming out at the appropriate time would confirm
1442 the association. However, integrity checks on cells prevent
1445 \emph{Replace contents of unauthenticated protocols.
} When
1446 relaying an unauthenticated protocol like HTTP, a hostile exit node
1447 can impersonate the target server. Clients
1448 should prefer protocols with end-to-end authentication.
1450 \emph{Replay attacks.
} Some anonymity protocols are vulnerable
1451 to replay attacks. Tor is not; replaying one side of a handshake
1452 will result in a different negotiated session key, and so the rest
1453 of the recorded session can't be used.
1455 \emph{Smear attacks.
} An attacker could use the Tor network for
1456 socially disapproved acts, to bring the
1457 network into disrepute and get its operators to shut it down.
1458 Exit policies reduce the possibilities for abuse, but
1459 ultimately the network requires volunteers who can tolerate
1460 some political heat.
1462 \emph{Distribute hostile code.
} An attacker could trick users
1463 into running subverted Tor software that did not, in fact, anonymize
1464 their connections---or worse, could trick ORs into running weakened
1465 software that provided users with less anonymity. We address this
1466 problem (but do not solve it completely) by signing all Tor releases
1467 with an official public key, and including an entry in the directory
1468 that lists which versions are currently believed to be secure. To
1469 prevent an attacker from subverting the official release itself
1470 (through threats, bribery, or insider attacks), we provide all
1471 releases in source code form, encourage source audits, and
1472 frequently warn our users never to trust any software (even from
1473 us) that comes without source.\\
1475 \noindent{\large\bf Directory attacks
}\\
1476 \emph{Destroy directory servers.
} If a few directory
1477 servers disappear, the others still decide on a valid
1478 directory. So long as any directory servers remain in operation,
1479 they will still broadcast their views of the network and generate a
1480 consensus directory. (If more than half are destroyed, this
1481 directory will not, however, have enough signatures for clients to
1482 use it automatically; human intervention will be necessary for
1483 clients to decide whether to trust the resulting directory.)
1485 \emph{Subvert a directory server.
} By taking over a directory server,
1486 an attacker can partially influence the final directory. Since ORs
1487 are included or excluded by majority vote, the corrupt directory can
1488 at worst cast a tie-breaking vote to decide whether to include
1489 marginal ORs. It remains to be seen how often such marginal cases
1492 \emph{Subvert a majority of directory servers.
} An adversary who controls
1493 more than half the directory servers can include as many compromised
1494 ORs in the final directory as he wishes. We must ensure that directory
1495 server operators are independent and attack-resistant.
1497 \emph{Encourage directory server dissent.
} The directory
1498 agreement protocol assumes that directory server operators agree on
1499 the set of directory servers. An adversary who can persuade some
1500 of the directory server operators to distrust one another could
1501 split the quorum into mutually hostile camps, thus partitioning
1502 users based on which directory they use. Tor does not address
1505 \emph{Trick the directory servers into listing a hostile OR.
}
1506 Our threat model explicitly assumes directory server operators will
1507 be able to filter out most hostile ORs.
1508 % If this is not true, an
1509 % attacker can flood the directory with compromised servers.
1511 \emph{Convince the directories that a malfunctioning OR is
1512 working.
} In the current Tor implementation, directory servers
1513 assume that an OR is running correctly if they can start a TLS
1514 connection to it. A hostile OR could easily subvert this test by
1515 accepting TLS connections from ORs but ignoring all cells. Directory
1516 servers must actively test ORs by building circuits and streams as
1517 appropriate. The tradeoffs of a similar approach are discussed
1518 in~
\cite{mix-acc
}.\\
1520 \Section{Early experiences: Tor in the Wild
}
1521 \label{sec:in-the-wild
}
1523 As of mid-January
2004, the Tor network consists of
17 nodes
1524 (
15 in the US,
2 in Europe), and more are joining each week as the code
1525 matures.
\footnote{For comparison, the current remailer network
1526 has about
30 reliable nodes. We haven't asked PlanetLab to provide
1527 Tor nodes, since their AUP wouldn't allow exit nodes (see
1528 also~
\cite{darkside
}) and because we aim to build a long-term community of
1529 node operators and developers.
} Each node has at least a
768Kb/
768Kb
1531 many have
10Mb. The number of users varies (and of course, it's hard to
1532 tell for sure), but we sometimes have several hundred users---administrators at
1533 several companies have begun sending their entire departments' web
1534 traffic through Tor, to block other divisions of
1535 their company from reading their traffic. Tor users have reported using
1536 the network for web browsing, FTP, IRC, AIM, Kazaa, and SSH.
1538 Each Tor node currently processes roughly
800,
000 relay
1539 cells (a bit under half a gigabyte) per week. On average, about
80\%
1540 of each
500-byte payload is full for cells going back to the client,
1541 whereas about
40\% is full for cells coming from the client. (The difference
1542 arises because most of the network's traffic is web browsing.) Interactive
1543 traffic like SSH brings down the average a lot---once we have more
1544 experience, and assuming we can resolve the anonymity issues, we may
1545 partition traffic into two relay cell sizes: one to handle
1546 bulk traffic and one for interactive traffic.
1548 Based in part on our restrictive default exit policy (we
1549 reject SMTP requests) and our low profile, we have had no abuse
1550 issues since the network was deployed in October
1551 2003. Our slow growth rate gives us time to add features,
1552 resolve bugs, and get a feel for what users actually want from an
1553 anonymity system. Even though having more users would bolster our
1554 anonymity sets, we are not eager to attract the Kazaa or warez
1555 communities---we feel that we must build a reputation for privacy, human
1556 rights, research, and other socially laudable activities.
1558 As for performance, profiling shows that Tor spends almost
1559 all its CPU time in AES, which is fast. Current latency is attributable
1560 to two factors. First, network latency is critical: we are
1561 intentionally bouncing traffic around the world several times. Second,
1562 our end-to-end congestion control algorithm focuses on protecting
1563 volunteer servers from accidental DoS rather than on optimizing
1564 performance.
% Right now the first $500 \times 500\mbox{B}=250\mbox{KB}$
1565 %of the stream arrives
1566 %quickly, and after that throughput depends on the rate that \emph{relay
1567 %sendme} acknowledgments arrive.
1568 To quantify these effects, we did some informal tests using a network of
4
1569 nodes on the same machine (a heavily loaded
1GHz Athlon). We downloaded a
60
1570 megabyte file from
{\tt debian.org
} every
30 minutes for
54 hours (
108 sample
1571 points). It arrived in about
300 seconds on average, compared to
210s for a
1572 direct download. We ran a similar test on the production Tor network,
1573 fetching the front page of
{\tt cnn.com
} (
55 kilobytes): while a direct
1574 download consistently took about
0.5s, the performance through Tor was highly
1575 variable. Some downloads were as fast as
0.6s, with a median at
2.7s, and
1576 80\% finishing within
5.7s. It seems that as the network expands, the chance
1577 of building a slow circuit (one that includes a slow or heavily loaded node
1578 or link) is increasing. On the other hand, as our users remain satisfied
1579 with this increased latency, we can address our performance incrementally as we
1580 proceed with development.
\footnote{For example, we have just begun pushing
1581 a pipelining patch to the production network that seems to
1582 decrease latency for medium-to-large files; we will present revised
1583 benchmarks as they become available.
}
1585 %With the current network's topology and load, users can typically get 1-2
1586 %megabits sustained transfer rate, which is good enough for now.
1588 design aims foremost to provide a security research platform; performance
1589 only needs to be sufficient to retain users~
\cite{econymics,back01
}.
1590 We can tweak the congestion control
1591 parameters to provide faster throughput at the cost of
1592 larger buffers at each node; adding the heuristics mentioned in
1593 Section~
\ref{subsec:rate-limit
} to favor low-volume
1594 streams may also help. More research remains to find the
1596 % We should say _HOW MUCH_ latency there is in these cases. -NM
1598 %performs badly on lossy networks. may need airhook or something else as
1599 %transport alternative?
1601 Although Tor's clique topology and full-visibility directories present
1602 scaling problems, we still expect the network to support a few hundred
1603 nodes and maybe
10,
000 users before we're forced to become
1604 more distributed. With luck, the experience we gain running the current
1605 topology will help us choose among alternatives when the time comes.
1607 \Section{Open Questions in Low-latency Anonymity
}
1608 \label{sec:maintaining-anonymity
}
1610 In addition to the non-goals in
1611 Section~
\ref{subsec:non-goals
}, many other questions must be solved
1612 before we can be confident of Tor's security.
1614 Many of these open issues are questions of balance. For example,
1615 how often should users rotate to fresh circuits? Frequent rotation
1616 is inefficient, expensive, and may lead to intersection attacks and
1617 predecessor attacks~
\cite{wright03
}, but infrequent rotation makes the
1618 user's traffic linkable. Besides opening fresh circuits, clients can
1619 also exit from the middle of the circuit,
1620 or truncate and re-extend the circuit. More analysis is
1621 needed to determine the proper tradeoff.
1623 %% Duplicated by 'Better directory distribution' in section 9.
1625 %A similar question surrounds timing of directory operations: how often
1626 %should directories be updated? Clients that update infrequently receive
1627 %an inaccurate picture of the network, but frequent updates can overload
1628 %the directory servers. More generally, we must find more
1629 %decentralized yet practical ways to distribute up-to-date snapshots of
1630 %network status without introducing new attacks.
1632 How should we choose path lengths? If Alice only ever uses two hops,
1633 then both ORs can be certain that by colluding they will learn about
1634 Alice and Bob. In our current approach, Alice always chooses at least
1635 three nodes unrelated to herself and her destination.
1636 %% This point is subtle, but not IMO necessary. Anybody who thinks
1637 %% about it will see that it's implied by the above sentence; anybody
1638 %% who doesn't think about it is safe in his ignorance.
1640 %Thus normally she chooses
1641 %three nodes, but if she is running an OR and her destination is on an OR,
1643 Should Alice choose a random path length (say,
1644 increasing it from a geometric distribution) to foil an attacker who
1645 uses timing to learn that he is the fifth hop and thus concludes that
1646 both Alice and the responder are on ORs?
1648 Throughout this paper, we have assumed that end-to-end traffic
1649 confirmation will immediately and automatically defeat a low-latency
1650 anonymity system. Even high-latency anonymity systems can be
1651 vulnerable to end-to-end traffic confirmation, if the traffic volumes
1652 are high enough, and if users' habits are sufficiently
1653 distinct~
\cite{statistical-disclosure,limits-open
}. Can anything be
1655 make low-latency systems resist these attacks as well as high-latency
1656 systems? Tor already makes some effort to conceal the starts and ends of
1657 streams by wrapping long-range control commands in identical-looking
1658 relay cells. Link padding could frustrate passive observers who count
1659 packets; long-range padding could work against observers who own the
1660 first hop in a circuit. But more research remains to find an efficient
1661 and practical approach. Volunteers prefer not to run constant-bandwidth
1662 padding; but no convincing traffic shaping approach has been
1663 specified. Recent work on long-range padding~
\cite{defensive-dropping
}
1664 shows promise. One could also try to reduce correlation in packet timing
1665 by batching and re-ordering packets, but it is unclear whether this could
1666 improve anonymity without introducing so much latency as to render the
1669 A cascade topology may better defend against traffic confirmation by
1670 aggregating users, and making padding and
1671 mixing more affordable. Does the hydra topology (many input nodes,
1672 few output nodes) work better against some adversaries? Are we going
1673 to get a hydra anyway because most nodes will be middleman nodes?
1675 Common wisdom suggests that Alice should run her own OR for best
1676 anonymity, because traffic coming from her node could plausibly have
1677 come from elsewhere. How much mixing does this approach need? Is it
1678 immediately beneficial because of real-world adversaries that can't
1679 observe Alice's router, but can run routers of their own?
1681 To scale to many users, and to prevent an attacker from observing the
1682 whole network, it may be necessary
1683 to support far more servers than Tor currently anticipates.
1684 This introduces several issues. First, if approval by a central set
1685 of directory servers is no longer feasible, what mechanism should be used
1686 to prevent adversaries from signing up many colluding servers? Second,
1687 if clients can no longer have a complete picture of the network,
1688 how can they perform discovery while preventing attackers from
1689 manipulating or exploiting gaps in their knowledge? Third, if there
1690 are too many servers for every server to constantly communicate with
1691 every other, which non-clique topology should the network use?
1692 (Restricted-route topologies promise comparable anonymity with better
1693 scalability~
\cite{danezis-pets03
}, but whatever topology we choose, we
1694 need some way to keep attackers from manipulating their position within
1695 it~
\cite{casc-rep
}.) Fourth, if no central authority is tracking
1696 server reliability, how do we stop unreliable servers from making
1697 the network unusable? Fifth, do clients receive so much anonymity
1698 from running their own ORs that we should expect them all to do
1699 so~
\cite{econymics
}, or do we need another incentive structure to
1700 motivate them? Tarzan and MorphMix present possible solutions.
1704 When a Tor node goes down, all its circuits (and thus streams) must break.
1705 Will users abandon the system because of this brittleness? How well
1706 does the method in Section~
\ref{subsec:dos
} allow streams to survive
1707 node failure? If affected users rebuild circuits immediately, how much
1708 anonymity is lost? It seems the problem is even worse in a peer-to-peer
1709 environment---such systems don't yet provide an incentive for peers to
1710 stay connected when they're done retrieving content, so we would expect
1711 a higher churn rate.
1713 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1715 \Section{Future Directions
}
1716 \label{sec:conclusion
}
1718 Tor brings together many innovations into a unified deployable system. The
1719 next immediate steps include:
1721 \emph{Scalability:
} Tor's emphasis on deployability and design simplicity
1722 has led us to adopt a clique topology, semi-centralized
1723 directories, and a full-network-visibility model for client
1724 knowledge. These properties will not scale past a few hundred servers.
1725 Section~
\ref{sec:maintaining-anonymity
} describes some promising
1726 approaches, but more deployment experience will be helpful in learning
1727 the relative importance of these bottlenecks.
1729 \emph{Bandwidth classes:
} This paper assumes that all ORs have
1730 good bandwidth and latency. We should instead adopt the MorphMix model,
1731 where nodes advertise their bandwidth level (DSL,
T1, T3), and
1732 Alice avoids bottlenecks by choosing nodes that match or
1733 exceed her bandwidth. In this way DSL users can usefully join the Tor
1736 \emph{Incentives:
} Volunteers who run nodes are rewarded with publicity
1737 and possibly better anonymity~
\cite{econymics
}. More nodes means increased
1738 scalability, and more users can mean more anonymity. We need to continue
1739 examining the incentive structures for participating in Tor. Further,
1740 we need to explore more approaches to limiting abuse, and understand
1741 why most people don't bother using privacy systems.
1743 \emph{Cover traffic:
} Currently Tor omits cover traffic---its costs
1744 in performance and bandwidth are clear but its security benefits are
1745 not well understood. We must pursue more research on link-level cover
1746 traffic and long-range cover traffic to determine whether some simple padding
1747 method offers provable protection against our chosen adversary.
1749 %%\emph{Offer two relay cell sizes:} Traffic on the Internet tends to be
1750 %%large for bulk transfers and small for interactive traffic. One cell
1751 %%size cannot be optimal for both types of traffic.
1752 % This should go in the spec and todo, but not the paper yet. -RD
1754 \emph{Caching at exit nodes:
} Perhaps each exit node should run a
1755 caching web proxy~
\cite{shsm03
}, to improve anonymity for cached pages
1756 (Alice's request never
1757 leaves the Tor network), to improve speed, and to reduce bandwidth cost.
1758 On the other hand, forward security is weakened because caches
1759 constitute a record of retrieved files. We must find the right
1760 balance between usability and security.
1762 \emph{Better directory distribution:
}
1763 Clients currently download a description of
1764 the entire network every
15 minutes. As the state grows larger
1765 and clients more numerous, we may need a solution in which
1766 clients receive incremental updates to directory state.
1767 More generally, we must find more
1768 scalable yet practical ways to distribute up-to-date snapshots of
1769 network status without introducing new attacks.
1771 \emph{Implement location-hidden services:
} The design in
1772 Appendix~
\ref{sec:rendezvous-specifics
} has not yet been implemented.
1774 so we are likely to encounter additional issues that must be resolved,
1775 both in terms of usability and anonymity.
1777 \emph{Further specification review:
} Our public
1778 byte-level specification~
\cite{tor-spec
} needs
1779 external review. We hope that as Tor
1780 is deployed, more people will examine its
1783 \emph{Multisystem interoperability:
} We are currently working with the
1784 designer of MorphMix to unify the specification and implementation of
1785 the common elements of our two systems. So far, this seems
1786 to be relatively straightforward. Interoperability will allow testing
1787 and direct comparison of the two designs for trust and scalability.
1789 \emph{Wider-scale deployment:
} The original goal of Tor was to
1790 gain experience in deploying an anonymizing overlay network, and
1791 learn from having actual users. We are now at a point in design
1792 and development where we can start deploying a wider network. Once
1793 we have many actual users, we will doubtlessly be better
1794 able to evaluate some of our design decisions, including our
1795 robustness/latency tradeoffs, our performance tradeoffs (including
1796 cell size), our abuse-prevention mechanisms, and
1797 our overall usability.
1799 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1801 %% commented out for anonymous submission
1802 \section*
{Acknowledgments
}
1803 We thank Peter Palfrader, Geoff Goodell, Adam Shostack, Joseph Sokol-Margolis,
1804 John Bashinski, and Zack Brown
1805 for editing and comments;
1806 Matej Pfajfar, Andrei Serjantov, Marc Rennhard for design discussions;
1807 Bram Cohen for congestion control discussions;
1808 Adam Back for suggesting telescoping circuits; and
1809 Cathy Meadows for formal analysis of the
\emph{extend
} protocol.
1810 This work has been supported by ONR and DARPA.
1812 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1814 \bibliographystyle{latex8
}
1815 \bibliography{tor-design
}
1820 \Section{Rendezvous points and hidden services
}
1821 \label{sec:rendezvous-specifics
}
1823 In this appendix we provide specifics about the rendezvous points
1824 of Section~
\ref{subsec:rendezvous
}.
% We also describe integration
1825 %issues and related work.
1826 %, and how well the rendezvous point design
1827 %withstands various attacks.
1828 % (Not any more; it's currently commented out. -NM)
1830 %\SubSection{Rendezvous protocol overview}
1832 The following steps are
1833 %We give an overview of the steps of a rendezvous. These are
1834 performed on behalf of Alice and Bob by their local OPs;
1835 application integration is described more fully below.
1838 \item Bob chooses some introduction points, and advertises them on
1839 the DHT. He can add more later.
1840 \item Bob builds a circuit to each of his introduction points,
1841 and waits for requests.
1842 \item Alice learns about Bob's service out of band (perhaps Bob told her,
1843 or she found it on a website). She retrieves the details of Bob's
1844 service from the DHT.
1845 \item Alice chooses an OR as the rendezvous point (RP) for this
1846 transaction. She builds a circuit to the RP, and gives it a
1847 rendezvous cookie to recognize Bob.
1848 \item Alice opens an anonymous stream to one of Bob's introduction
1849 points, and gives it a message (encrypted to Bob's public key)
1850 telling it about herself,
1851 her RP and rendezvous cookie, and the
1853 handshake. The introduction point sends the message to Bob.
1854 \item If Bob wants to talk to Alice, he builds a circuit to Alice's
1855 RP and sends the rendezvous cookie, the second half of the DH
1856 handshake, and a hash of the session
1857 key they now share. By the same argument as in
1858 Section~
\ref{subsubsec:constructing-a-circuit
}, Alice knows she
1859 shares the key only with Bob.
1860 \item The RP connects Alice's circuit to Bob's. Note that RP can't
1861 recognize Alice, Bob, or the data they transmit.
1862 \item Alice sends a
\emph{relay begin
} cell along the circuit. It
1863 arrives at Bob's OP, which connects to Bob's
1865 \item An anonymous stream has been established, and Alice and Bob
1866 communicate as normal.
1869 When establishing an introduction point, Bob provides the onion router
1870 with a public ``introduction'' key. The hash of this public key
1871 identifies a unique service, and (since Bob signs his
1872 messages) prevents anybody else from usurping Bob's introduction point
1873 in the future. Bob uses the same public key to establish the other
1874 introduction points for his service, and periodically refreshes his
1877 The message that Alice gives
1878 the introduction point includes a hash of Bob's public key
% to identify
1879 %the service, along with
1880 and an optional initial authorization token (the
1881 introduction point can do prescreening, for example to block replays). Her
1882 message to Bob may include an end-to-end authorization token so Bob
1883 can choose whether to respond.
1884 The authorization tokens can be used to provide selective access:
1885 important users can get uninterrupted access.
1886 %important users get tokens to ensure uninterrupted access. %to the
1888 During normal situations, Bob's service might simply be offered
1889 directly from mirrors, while Bob gives out tokens to high-priority users. If
1890 the mirrors are knocked down,
1891 %by distributed DoS attacks or even
1893 those users can switch to accessing Bob's service via
1894 the Tor rendezvous system.
1896 Bob's introduction points are themselves subject to DoS---he must
1897 open many introduction points or risk such an attack.
1898 He can provide selected users with a current list or future schedule of
1899 unadvertised introduction points;
1900 this is most practical
1901 if there is a stable and large group of introduction points
1902 available. Bob could also give secret public keys
1903 for consulting the DHT\@. All of these approaches
1904 limit exposure even when
1905 some selected users collude in the DoS\@.
1907 \SubSection{Integration with user applications
}
1909 Bob configures his onion proxy to know the local IP address and port of his
1910 service, a strategy for authorizing clients, and a public key. Bob
1911 publishes the public key, an expiration time, and
1912 the current introduction points for his service into the DHT, indexed
1913 by the hash of the public key. Bob's webserver is unmodified,
1914 and doesn't even know that it's hidden behind the Tor network.
1916 Alice's applications also work unchanged---her client interface
1917 remains a SOCKS proxy. We encode all of the necessary information
1918 into the fully qualified domain name Alice uses when establishing her
1919 connection. Location-hidden services use a virtual top level domain
1920 called
{\tt .onion
}: thus hostnames take the form
{\tt x.y.onion
} where
1921 {\tt x
} is the authorization cookie and
{\tt y
} encodes the hash of
1922 the public key. Alice's onion proxy
1923 examines addresses; if they're destined for a hidden server, it decodes
1924 the key and starts the rendezvous as described above.
1926 \subsection{Previous rendezvous work
}
1928 Rendezvous points in low-latency anonymity systems were first
1929 described for use in ISDN telephony~
\cite{jerichow-jsac98,isdn-mixes
}.
1930 Later low-latency designs used rendezvous points for hiding location
1931 of mobile phones and low-power location
1932 trackers~
\cite{federrath-ih96,reed-protocols97
}. Rendezvous for
1934 Internet connections was suggested in early Onion Routing
1935 work~
\cite{or-ih96
}, but the first published design was by Ian
1936 Goldberg~
\cite{ian-thesis
}. His design differs from
1937 ours in three ways. First, Goldberg suggests that Alice should manually
1938 hunt down a current location of the service via Gnutella; our approach
1939 makes lookup transparent to the user, as well as faster and more robust.
1940 Second, in Tor the client and server negotiate session keys
1941 via Diffie-Hellman, so plaintext is not exposed even at the rendezvous point. Third,
1942 our design minimizes the exposure from running the
1943 service, to encourage volunteers to offer introduction and rendezvous
1944 services. Tor's introduction points do not output any bytes to the
1945 clients; the rendezvous points don't know the client or the server,
1946 and can't read the data being transmitted. The indirection scheme is
1947 also designed to include authentication/authorization---if Alice doesn't
1948 include the right cookie with her request for service, Bob need not even
1949 acknowledge his existence.
1951 %\SubSection{Attacks against rendezvous points}
1953 %We describe here attacks against rendezvous points and how well
1954 %the system protects against them.
1956 %\emph{Make many introduction requests.} An attacker could
1957 %try to deny Bob service by flooding his introduction points with
1958 %requests. Because the introduction points can block requests that
1959 %lack authorization tokens, however, Bob can restrict the volume of
1960 %requests he receives, or require a certain amount of computation for
1961 %every request he receives.
1963 %\emph{Attack an introduction point.} An attacker could
1964 %disrupt a location-hidden service by disabling its introduction
1965 %points. But because a service's identity is attached to its public
1966 %key, the service can simply re-advertise
1967 %itself at a different introduction point. Advertisements can also be
1968 %done secretly so that only high-priority clients know the address of
1969 %Bob's introduction points or so that different clients know of different
1970 %introduction points. This forces the attacker to disable all possible
1971 %introduction points.
1973 %\emph{Compromise an introduction point.} An attacker who controls
1974 %Bob's introduction point can flood Bob with
1975 %introduction requests, or prevent valid introduction requests from
1976 %reaching him. Bob can notice a flood, and close the circuit. To notice
1977 %blocking of valid requests, however, he should periodically test the
1978 %introduction point by sending rendezvous requests and making
1979 %sure he receives them.
1981 %\emph{Compromise a rendezvous point.} A rendezvous
1982 %point is no more sensitive than any other OR on
1983 %a circuit, since all data passing through the rendezvous is encrypted
1984 %with a session key shared by Alice and Bob.
1990 % avoid contractions (it's, can't, etc.)
1991 % prefer ``for example'' or ``such as'' to e.g.
1992 % prefer ``that is'' to i.e.
1993 % 'mix', 'mixes' (as noun)
1995 % 'mix', 'mixing' (as verb)
1996 % 'middleman' [Not with a hyphen; the hyphen has been optional
1997 % since Middle English.]
1999 % 'Cypherpunk', 'Cypherpunks', 'Cypherpunk remailer'
2000 % 'Onion Routing design', 'onion router' [note capitalization]
2002 % Try not to use \cite as a noun.
2003 % 'Authorizating' sounds great, but it isn't a word.
2004 % 'First, second, third', not 'Firstly, secondly, thirdly'.
2005 % 'circuit', not 'channel'
2006 % Typography: no space on either side of an em dash---ever.
2007 % Hyphens are for multi-part words; en dashs imply movement or
2008 % opposition (The Alice--Bob connection); and em dashes are
2009 % for punctuation---like that.
2010 % A relay cell; a control cell; a \emph{create} cell; a
2011 % \emph{relay truncated} cell. Never ``a \emph{relay truncated}.''
2013 % 'Substitute ``Damn'' every time you're inclined to write ``very;'' your
2014 % editor will delete it and the writing will be just as it should be.'