HidingRoutingInformationvidMGoldschlagMichaelGReedandPaulFSyvalResearchLaboratoryCenterForHighAssuranceComputerSystemsashingtonDC203755337USAphone12024042389fax12024047942lastna ID: 290172
Download Pdf The PPT/PDF document "vidM.Goldschlag,MichaelG.Reed,andPaulF.S..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. HidingRoutingInformationvidM.Goldschlag,MichaelG.Reed,andPaulF.SyvalResearchLaboratory,CenterForHighAssuranceComputerSystems,ashington,D.C.20375-5337,USA,phone:+1202.404.2389,fax:+1202.404.7942,lastnameThispaperdescribesanarcOnionR,thatlimitsanetork'svulnerabilitytotracanalysis.Thearchitecturepro-videsanonymoussocetconnectionsbymeansofproxyservers.Itpro-videsreal-time,bi-directional,anonymouscommunicationforanyproto-colthatcanbeadaptedtouseaproxyservice.Specically,thearctureprovidesforbi-directionalcommunicationeventhoughno-onebuttheinitiator'sproxyserverknowsanythingbutpreviousandnexthopsinthecommunicationchain.Thisimpliesthatneithertherespondennorhisproxyservernoranyexternalobserverneedknowtheidenoftheinitiatororhisproxyserver.AprototypeofOnionRbeenimplemented.ThisprototypeworkswithHTTP(WorldWideWxies.Inaddition,ananalogousproxyforTELNEThasbeenimple-ted.ProxiesforFTPandSMTPareunderdevtroductionThispaperpresentsanarchitecturethatlimitsanetork'svulnerabilitytotraf-canalysis.WecallthisapproacOnionR,becauseitreliesuponalaeredobjecttodirecttheconstructionofananonymous,bi-directional,real-timevirtualcircuitbeteentocommunicatingparties,anBecauseindividualoutingnoineachcircuitonlyknowtheidentitiesofadja-tnodes(asin[1]),andbecausethenodesfurtherencryptmultiplexedvirtualcircuits,studyingtracpatternsdoesnotyieldmhinformationaboutthepathsofmessages.Thismakesitdiculttousetracanalysistodeterminewhoiscommunicatingwithwhom.OnionRoutingprovidesananonymoussocetconnectionthroughaproer.Sinceproxiesareawelldenedinterfaceattheapplicationlaer[12,11],andmanyprotocolshaebeenadaptedtoworkwithproxyserversinordertoaccommodaterewalls,OnionRoutingcanbeeasilyusedbymanyapplications.OurprototypeworkswithHTTP(WorldWideWeb)proxies.Inaddition,axyforTELNEThasbeenimplemenracanalysiscanbeusedtohelpdeducewhoiscommunicatingwithwhomyanalyzingtracpatternsinsteadofthedatathatissent.Forexample,inmostnetorks,itisrelativelyeasytodeterminewhichpairsofmachinesarengbhingtheroutinginformationthatispartofeachpacenifdataisencrypted,routinginformationisstillsentintheclearbecauseroutersneedtoknowpacets'destinations,inordertoroutethemintherigh vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. direction.Tracanalysiscanalsobedonebhingparticulardatamothroughanetork,bymatchingamountsofdata,orbyexaminingcoincidences,hasconnectionsopeningandclosingataboutthesametime.OnionRoutinghidesroutinginformationbymakingadatastreamfollopaththroughseveralnodesenroutetoitsdestination.Thepathisdenedbtherstnode,whichisalsoaproxyfortheservicebeingrequested(e.g.,HTTPrequests).Therefore,thisProxy/RoutingNodeisthemostsensitiveone,sositesthatareconcernedabouttracanalysisshouldalsomanageaProNode.WewillseelaterthatitisimportantthatthisProxy/RoutingNodealsobeusedasanintermediateroutingnodeinothervirtualcircuits.Althoughthecompromiseofallroutingnodescompromisesthehiding,oneuncompromisedroutingnodeissucienttocomplicatetracanalysis.Figure1illustratesthetopologyofanOnionRoutingnetorkwithvenodes,oneofwhic)isthexy/Routingnodefortheinitiator'ssite. XUYZ Fig.1.RoutingTopologyThegoalofOnionRoutingisnottoprovideanonymouscommartiesarefreeto(andusuallyshould)identifythemselveswithinamessage.Buttheuseofapublicnetorkshouldnotautomaticallygivytheidentitiesandlocationsofthecommcatingparties.Forexample,imaginearesearcherwhousestheWorldWideWebtocollectdatafromavyofsources.Althougheac vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. pieceofinformationthatheretrievesispubliclyknown,itmaybepossibleforanoutsideobservertodeterminehissensitiveinterestsbystudyingthepatternsinhisrequests.OnionRoutingmakesitverydiculttomatchhisHTTPrequeststohissite.ymousre-mailers[5]attempttolimitthefeasibilityoftracanalysisyprovidingananonymousstoreandforwardarchitecture.Toprevtreplaks,re-mailerskeepalogofsentmessages.Thesetharacteristicsmaktheanonymousre-mailerapproachunsuitableforHTTPapplications,asHTTPrequestswouldbothgenerateanenormouslogandrequirebi-directionalcommnication.AnonymousISDN[8]hasevenmoreseverereal-timeandbi-directionaltsthanHTTP,but,thearchitectureofanISDNnetorkisconsider-ablydierentfromthearchitectureoftheInternet[4OnionRoutingprovidesbi-directionalcommn,withoutrequiringthattheresponderknowtheinitiator'sidenyorlocation.Individualmessagesarenotlogged.Inaddition,OnionRoutingiseasilyadaptedtoelectronicmail.MessagescanincludeeplyOnionsthatpermitalaterreplytothesenderwithoutknowinghisaddressandwithoutkeepingtheoriginalvirtualcircuitopen.Therestofthepaperisorganizedinthefollowingwy:Section2presenkgroundinformation.Section3describesthe,theobjectthatdirectstheconstructionofthevirtualcircuit.Section4describestheconstructionanduseofthesevirtualcircuits.Section5describesthevulnerabilitiesintheOnionRoutingarchitecture.Section6presentssomeconcludingremarks.Chaum[1]denesalaeredobjectthatroutesdatathroughintermediatenodes,.Theseintermediatenodesmayreorder,dela,andpadtractocomplicatetracanalysis.SomeworkhasbeendoneusingmixesinATMnet-orks[3ymousRemailerslike[5,6]usemixestoprovideanonymouse-mailservicesandalsotointanaddressthroughwhichmailcanbeforwardedbactotheoriginalsender.Remailersworkinastoreandforwardmanneratthemailapplicationlaer,bystrippingoheadersateachmix,andforwardingthemailmessagetothenextmix.TheseremailersprovideconrmationofdelivIn[8],mixesareusedtoprovideuntraceablecommunicationinanISDNork.Inaphonesystem,eachtelephonelineisassignedtoaparticularlocalh(i.e.,localexchange),andswitchesareinterconnectedbya(longdistance)ork.AnonymouscallsinISDNrelyuponananonymousconnectionwithinhswitchbeteenthecallerandthelongdistancenetork,whichisobtainedyroutingcallsthroughapredenedseriesofmixes.Thelongdistanceendpoinoftheconnectionarethenmatedtocompletethecall.(Noticethatobserverscantellwhichlocalswitchesareconnected.)ThisapproachreliesupontouniquefeaturesofISDNswitches.Sinceeachphonelinehasasubsetoftheswitctotalcapacitypre-allocatedtoit,thereisno(real)costassociatedwithk vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. aphonelineactiveallthetime,eitherbymakingcallstoitself,tootherphonelinesonthesameswitch,ortothelongdistancenetork.Keepingphonelinesecomplicatestracanalysisbecauseanobservercannottrackcoincidences.Also,sinceeachphonelinehasacontrolcircuitconnectiontotheswitctheswitchcanbroadcastmessagestoeachlineusingthesecontrolcircuits.So,withinaswitchatrulyanonymousconnectioncanbeestablished:Aphonelineesananonymousconnectiontosomemix.Thatmixbroadcastsatoktifyingitselfandtheconnection.Arecipientofthattokencanmakeanotherymousconnectiontothespeciedmix,whichmatesthetoconnectionstocompletethecall.OurgoalofanonymoussocetconnectionsoertheInternetdiersfromymousremailersandanonymousISDN.Thedataisdierent,withreal-timetsmoreseverethanmail,butsomewhatlooserthanvoice.BothHTTPandISDNconnectionsarebidirectional,but,unlikeISDN,HTTPconnectionsarelikelytobesmallrequestsfolloedbyshortburstsofreturneddata.Inalocalswitchcapacityispre-allocatedtoeachphoneline,andbroadcastingist.ButbroadcastingoertheInternetisnotfree,anddeningbroadcastsdomainsisnottrivial.Mostimportan,thenetorktopologyoftheInismoreakintothenetorktopologyofthelongdistancenetorkbethes,wherecapacityisasharedresource.InanonymousISDN,themixeshidecommnwithinthelocalswitch,butconnectionsbeteenswitcarenothidden.Thisimpliesthatallcallsbeteentobusinesses,eachlargeenoughtouseanentireswitch,revealwhichbusinessesarecomm.InOnionRouting,mixingisdispersedthroughouttheInternet,whichimproobeginasessionbeteenaninitiatorandaresponder,theinitiator'sprotiesaseriesofroutingnodesformingaroutethroughthenetorkandconstructsanhencapsulatesthatroute.Figure2illustratesanonionconstructedbytheinitiator'sProxy/RoutingNodeforananonymousroutetotheresponder'sProxy/RoutingNodethroughintermediateroutingnodes.Theinitiator'sproxythensendstheonionalongthatroutetoestablishavirtualcircuitbeteenhimselfandtheresponder'sproTheoniondatastructureiscomposedoflaeruponlaerofencryptionwrappedaroundapayload.Leavingasidetheshapeofthepayloadatthevter,thebasicstructureoftheonionisbasedontheroutetotheresponderthatischosenbytheinitiator'spro.Basedonthisroute,theinitiator'sproencryptsrstfortheresponder'spro,thenfortheprecedingnodeontheroute,andsoonbacktotherstroutingnodetowhomhewillsendtheonion.Whentheonionisreceived,eachnodeknowswhosenthimtheonionandtowhomheshouldpasstheonion.But,heknowsnothingabouttheothernodes,noraboutwmanythereareinthechainorhisplaceinit(unlessheislast).Whata vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. Fig.2.ardOnion.nodeeslookslikethis time;next isapublicencryptionkeyforroutingnode,whoisassumedtohaethecorrespondingdecryptionkThedecryptedmessagecontainsanexpirationtimefortheonion,thenextroutingnodetowhichthepayloadistobesent,thepayload,andtofunction/keypairsspecifyingthecryptographicoperationsandkeystobeappliedtodatathatwillbesentalongthevirtualcircuit.Theforwardpair()isappliedtodatamovingintheforwdirection(alongtheroutethattheonionistraeling)thebacardpair(isappliedtodatamovingintheoppositedirection(alongtheonion'srev(Ifthereceivingnodeistheresponder'spro,thenthe null.)Foranyintermediateroutingnodethepayloadwillbeanotheronion.Theexpirationtimeisusedtodetectreplays,whichpairsofcompromisednodescouldusetotrytocorrelatemessages.Eachnodeholdsacopyoftheonion .Ifhereceivesanothercopyofthesameonionwithinthattimehesimplyignoresit.And,ifhereceivesanonionthathasexpired,heignoresthataswNoticethatateachhoptheonionshrinksasalaerispeeledo.Tcompromisednodesinferringrouteinformationfromthismonotonicallydimin-ishingsize,arandombitstringthesizeofthepeeledolaerisappendedtotheendofthebeforeforwarding.Noproxyexceptthelastwillknowhohofthehereceivesissuchpaddingbecausehewon'tknowwhere Dependingoncertainassumptionsabouttheeldsineachonionlaer,anaiveRSAtationofthesimplepublickeyencryptionimpliedbyournotationcouldbevulnerabletoanattackasdescribedin[7].Inourimplementation,thispotenvulnerabilityisillusorysincethepublickeyisonlyusedtoencryptasecretk,andthatsecretkeyisusedtoencrypttheremainderofthemessageusinganeciensymmetricalgorithm.Thisalsomakesforamoreecientimplementationthanthesimple,straighardimplementationusingonlypublickSpecifyingtopairsoffunctionsuniesthevirtualcircuitsthatareconstructedbardandreplyonions.Seesection3.3. vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. heisinthechain.Hesimply`decrypts'thepaddingalongwiththerestoftheonion.Evenaconstantsizeonionmightbetracedunlessallonionsarethesamesize,sowexthesizeoftheonion.Tomaintainthisconstantsizetohidethelengthofthechainfromtheresponder'spro,theinitiator'sproxywillpadtheaccordingtothesizeoftheonion,i.e.,thenberofhops.So,whenanyonionarrivesattheresponder'sproxyitwillalwyshaethesametofpadding,eitheraddedinitiallyorenroute.CreatingthecircuitThegoalinsendingtheonionistoproducevirtualcircuitswithinlinkencryptedconnectionsalreadyrunningbeteenroutingnodes.Moredetailswillbegivinsection4.Anonionoccursasthedataeldinoneofthepresentlydescribed`messages'.Suchmessagescontainacircuitidentier,acommand(,and),anddata.Anyothercommandisconsideredanerror,andthenodewhoreceivessuchamessageignoresthatmessageexcepttoreturnacommandbackthroughthatvirtualcircuit.Thecommandaccompaniesanonion.Whenanodereceivesacreatecommandalongwithanonion,hehoosesavirtualcircuitidentierandsendsanothermessageconthisidentiertothenextnodeandtheonion(paddedwithhislaerpeeledo).Healsostoresthevirtualcircuitidentierhereceivedandvirtualcircuittierhesentasapair.Untilthecircuitisdestroed,wheneverhereceivdataontheoneconnectionhesendsitoontheother.Heappliestheforwcryptographicfunctionandkey(obtainedfromtheonion)todatamovinginthearddirection(alongtheroutetheoniontraeled)andthebacardcryp-tographicfunctionandkeytodatamovingintheoppositedirection(alongtheonion'sreverseroute).Thevirtualcircuitestablishedbytheonioningure2isillustratedingure3:Datasenytheinitiatoroeravirtualcircuitis\pre-crypted"repeatedlyyhisproxybyapplyingtheinerseofalltheforwardcryptographicoperationsspeciedintheonion,innermostrst.Therefore,theselaersofcryptographwillbepeeledoasthedatatraelsforwardthroughthevirtualcircuit.Dataytheresponderis\crypted"oncebyhisproxyandagainbyeachpreviousnodeinthevirtualcircuitusingthebacardcryptographicoperationspeciedatthecorrespondinglaeroftheonion.Theinitiator'sproxyappliestheinofthebacardcryptographicoperationsspeciedintheonion,outermostrst,tothisstream,toobtaintheplainLooseRoutingItisnotnecessarythattheentireroutebeprespeciedbytheinitiator'sproHecaninstructvariousnodesalongtheroutetochoosetheirownroutetothe Onionscouldbeusedtocarrydataalso,butsinceonionshaetobetracedtotrepla,thiswouldintroducealargecost.edenethevtomeantheapplicationofacryptographicoperation,beitencryptionordecryption,wherethetoarelogicallyin vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. Data Flow (with Function/Key Pairs if crypted)F XUYZ FFFFF Fig.3.AVirtualCircuit.nextprespeciednode.Thiscanbeusefulforsecurit,addingmorehopstothehain.Itcouldalsobeusediftheinitiatingproxydoesnotknowacomplete,connectedroutetotheresponderbutbelievesthatthenodewhereanybreakoccurscanconstructaroutetothenextnode.Or,looseroutingcanbeusedtohandleconnectionchangesthatoccurofwhichtheinitiatorwasunaare.Also,sinceonionsareallofxedsize,thereisaxedmaximumlengthtotheroutefromtheinitiator'sproxytotheresponder'spro.Looseroutingallowsustoincreasethesizeofthatmaximumforthesamexedonionsize.WhythisissoshouldbecomeclearpresenItisalsopossibletoiteratethelooseroutingprocess,allowingnodesontheaddedroutetothemselvesaddtothechain.Obeneedamechanismtotthechainfromlengtheningindenitely.Thiscanbeincorporatedintheonionstructure.Anonionforasystemthatallowsforlooseroutingisas time;next hop;max Ifthenodereceivingthisoniondecidestoloose-routetheonion,hepreparesanewonionwithupto ers.Thepayloadofthisonionis vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. simplytheonionhereceivedwithhangedforthelast(innermost)nodeheaddedtothechain.Inotherwords,hebehaesasaninitiator'sproxyexceptthathispayloadisitselfalreadyanonion.(Thisnodebehaeslikeaninitiator'sxywithrespecttodataalso,sincehemustrepeatedlypre-andpost-cryptdatathatmoesalongthedivertedroute.)Teeptheonionaconstantlengthhemusttruncatethepayloadbyanamountcommensuratewiththelaershehasaddedtotheonion.Theinitiatingproxymustanticipatetheamountofpadding(bothpresentinitiallyandanyaddedand/ortruncatedenroute)thatwillbeonthecentralpayloadatthetimelooseroutingoccurstoallowforthistruncation.Failuretopre-padcorrectlyorignoringanonion'sxedsizewillresultinamalformedonionlaterintheroute.Thetotalofthe aluesoccurringintheaddedlaersplusthenberofaddedlaersmustbelessthanorequaltothe aluethattheaddingnodereceivReplyOnionsThereareapplicationsinwhichitwouldbeusefulforarespondertosendbacareplyaftertheoriginalcircuitisbroken.Thiswouldallowanswers(likee-mailreplies)tobesenttoqueriesthatwerenotaailableatthetimeoftheoriginalconnection.Asweshallseepresen,thisalsoallowstheresponderaswellastheinitiatortoremainhidden.Theweallowforthesedelaedrepliesisbsendingareplyoniontoaccompanythereply.Liketheforwardonion,itrevtoeachnodeenrouteonlythenextsteptobetaken.Ithasthesamestructureastheforwardonionandistreatedthesamewynodesenroute.Innodesprocessinganonioncannotdierentiatebeteenforwardandreplyonions.urthermore,thebehavioroftheoriginalinitiatorandresponderproxiesarethesame,oncethecircuitisformed.Theprimarydierencebeteenaforwardandareplyonionistheinnermostyload.Thepayloadoftheforwardonioncanbeeectivelyempty(cononlypadding).Thereplyonionpayloadcontainsenoughinformationtoenabletheinitiator'sproxytoreachtheinitiatorandallthecryptographicfunctionandeypairsthataretocryptdataalongthevirtualcircuit.Theinitiator'sproesthekeysfromtheonion.Figure4illustratesareplyonionconstructedytheinitiator'sProxy/RoutingNodeforananonymousroutebacktohimstartingattheresponder'sProxy/RoutingNodethroughintermediateroutingnodesThereisnodierencebeteenvirtualcircuitsestablishedbyreplyonionsandforwardonions,exceptthatincircuitsestablishedbyreplyonionsindiateroutingnodesappeartothinkthatforwardpointstoardtheinitiator's.Butsincethebehaviorofintermediateroutingnodesissymmetric,thisdierenceisirrelevt.TheterminalProxy/Routingnodes,hoer,haethesamebehaviorincircuitsestablishedbyforwardandreplyonions.Therefore,agureofthevirtualcircuitformedbythereplyonionillustratedingure4wbeidenticaltothevirtualcircuitillustratedingure3eventhoughthecircuitasformedbythereplyonionmovingfromtheresponder'sproxynodetothe vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. z,y,x,ZYX Fig.4.AReplyOnion.initiator'sproxynode.Internallytotheintermediatenodes,theforwardcrypto-graphicfunctionsareappliedtodatamovinginthedirectionthatthecircuitwestablished,andthebacardcryptographicfunctionsareappliedtodatamoingintheoppositedirection.ThelocationoftheterminalProxy/RoutingNodesareinthissensereversed,withtheinitiator'sproxyattheendofthecircuitandtheresponder'sproxyatthebeginningofthecircuit.Hoer,thebehavioroftheinitiatorandresponderproxiesisidenticaltotheirbehaviorinthevirtualcircuitformedbyaforwardonion.Thisisthereasonforhavingforwardandardfunction/keypairsateachlaeroftheonion.eaforwardonion,areplyonioncanonlybeusedonce.Whenanodeesanonionitiskeptuntilitexpires,andanyonionreceivediscomparedtodetectrepla.Ifareplayisdetected,itistreatedasanerrorandignored.Sincereplyonionscanonlybeusedonce,ifmultiplerepliesaredesired,mreplyonionsmustbesent.Ofcourse,theyneednotallfollowthesamereturnroute;althoughtheyma.Ifrepliesareonlylikelytobeforthcomingiftheyareymous,oneormorereplyonionscanbebroadcast.Anonecanthenreplywithanunusedonion.Ifhecanmaintainanonyfromorincooperationwiththeresponder'sproxyforthatreplyonion,thenhecandosoanonTheeasiestwytobuildoursystemwithoutrequiringthecompleteredesignandtofnewclientandserversoftareistomakeuseofexistingprohnologies.Historically,proxytechnologieshaebeenusedtocreatetunnelsthrougharewall.Theuseofproxytechnologiesrequiresthattheclientapplica-tionsbe`proxyaare'.ThewidespreaddeplotofrewallsontheInhascreatedthedemandforsuchproxyaareapplications,whichsoftareman-ufacturersarerushingtomeet. vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. Intherewallsetting,asystemadministratorwillsetupaproxyserverontherewallmachinewhichwillberesponsibleforforwardingrequestsfromtheprotecteddomainoutontotheopenInternet,andmaintainareturnpathfortheresponsetotherequest.Aproxyservercanbedividedintotoparts:thetendthatreceivesandparsestherequest,andthebackendthatprocessestherequestandreturnstheresultsbacktotherequester.Classically,thefronandbackendsarethesameprocessrunningononemacUnderoursystemwewilluseatraditionalproxyfrontendandbackend,but,theywillbeseparateprocessesonseparatemachineswithatunnelconnectingthem.Inthismanner,ourProxy/RoutingNodeswilllooknodierenttothetandserversoftarethananyotherproxyserver.Acoupleofassumptionswillholdfortheremainderofthispaper:1)Proxy/RoutingNodesandindiateroutingnodesknowabouteachotherinadvanceoftheiroperation,and2)publickeycerticatesforeachnodehaebeensecurelydistributedtoallotherspriortooperation.Allnodesareconnectedbylinkencryptedconnectionswhicultiplexmanvirtualcircuitsbeteeninitiatorandresponderproxynodes.Theseconnectionsarelinkencryptedinanoddwy(foreciency).Allmessagesmovingthroughtheseconnectionsareofxedsizeandhaocomponents,headerandpaelds.Headereldscontainthevirtualcircuitidentierandthecommandandarelinkencryptedusingastreamcipher[10].Sinceallpayloadeldswillbeencryptedviaothermechanisms(publickeysoronionkeys),theyneednotbelinkencrypted.Therearethreecommandsthatnodesunderstand.Therstistovirtualcircuit.Ateachnode,avirtualcircuithastoconnections.Dataarriv-ingononeispassedalongontheother.Thecircuitisdenedbythelabelsforthesetoconnections.Creatingavirtualcircuitistheprocessofdeningtheselabelsforeachnodealongtheroute.FortherstProxy/RoutingNode,oneconnectionisalinktotheinitiator,andtheotherisalinktothenextroutingnode.TheProxy/RoutingNodecreatesanoniondeningthesequenceofintermediateroutingnodestotheresponder'sProxy/RoutingNode.Itbreakstheonionupintopayloadsizedcunksandtransmitsthesecunksinordertothenextnodewithacontroleldcontainingboththelabeloftheconnectionandacommand.Eachsubsequentnodereassemblestheonionandpeelsoalaerfromtheonionwhichrevealsthenextnodeintherouteandtocryp-tographicfunction/keypairs.Beforeactingonthecommand,thenodekswhethertheonionhasexpiredorisareplakforrepla,thenodeconsultsatableofunexpiredonions.Iftheonionisvalid,itisinsertedintothetable,andthenodethenlabelsanewconnectiontothenextnodeandpassesthepeeledandpaddedonioninasimilarsequenceofmessagestothenextnode.Italsoupdatesatablecontainingthelabelsandcryptographicfunction/keypairsassociatedwiththenewvirtualcircuit.Theappropriate(forwardorbaceypairshouldbeusedtocryptdatamovingalongthatcircuit.Theresponder'sProxy/RoutingNode,recognizingthattheonionisempt,willpar-tiallyupdateitstables.Aswithstandardproxiesthenextmessagealong vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. thiscircuitwillidentifytheresponder.Thesecondcommandis.Thesecondroleoftheinitiator'sProingNodeistopassastreamofdatafromtheinitiatoralongthevirtualcircuittogetherwithothercontrolinformationfortheresponder'sProxy/RoutingNode.odothis,hebreakstheincomingstreaminto(atmost)payloadsizedcandrepeatedlypre-cryptseacunkusingtheinerseofthecryptographicoperationsspeciedintheonion,innermostrst.Thefunction/keypairsthatareapplied,andthevirtualcircuitidentieroftheconnectiontothenextnodeareobtainedfromatable.Theheadereldforeachpayloadisthelabeloftheconnectionandacommand.Eachsubsequentnodelooksatitstable,obtainingthecryptographicfunction/keypairassociatedwiththecircuit(fortheappropriatedirection)andthevirtualcircuitidentieroftheconnectiontothenextnode.Itthenpeelsoalaerofcryptographyandforwardsthepeeledyloadtothenextnode.Oncethedatareachestheresponder'spro,itsnalcryptionwillproducetheplaintextthatistobeprocessedorforwardedtotheresponder.commandcanalsobeusedtomoedatafromtheresponder'sxy/RoutingNodetotheinitiator'sProxy/RoutingNode.Theresponder'sxy/RoutingNodeobtainsthecryptographicfunction/keypairandthevir-tualcircuitidentierforthenextnodefromitstables,andcryptsthestream.Itbreaksthecryptedstreamintopayloadsizedcunksandforwardsthemtothenextnodewiththeappropriatecontroleld.Eachsubsequentnodefurtherstreamcryptseachpayloadusingtheappropriatefunction/keyassociatedwiththatvirtualcircuit.Onceamessagesarrivesattheinitiator'sProNodehelooksathistableandappliestheinerseofthebacardcryptographicoperationsspeciedintheonion,outermostrst,tothisstreamtoobtainthetext.Theplaintextisforwardedtotheinitiator.Thethirdcommandishisusedtoteardownavirtualcircuitwhenitisnolongerneededorinresponsetocertainerrorconditions.Noticemessagescanbeinitiatedbyanynodealongavirtualcircuit,anditisanode'sobligationtoforwardthemessagesintheappropriatedirec-tions.(Anodeinitiatingamessageinanactivevirtualcircuitforwitinbothdirections.Anodethatreceivesamessagepassesitalonginthesamedirection.)Thepayloadofacommandisemptypadding.Nonetheless,thispayloadisstillcryptedwiththeappropriatefunction/keypair.Inadditiontothecommand,thecontroleldcontainsthevirtualcir-cuitidentieroftherecipientofthecommand.Uponreceiptofacommandanodedeletesthetableentriesassociatedwiththatvirtualcircuit.OnionRoutingisnotinvulnerabletotracanalysisattacks.Withenoughdata,itisstillpossibletoanalyzeusagepatternsandmakeeducatedguessesabouttheroutingofmessages.Also,sinceourapplicationrequiresrealtimecommnication,itmaybepossibletodetectthenearsimultaneousopeningofsoc vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. connectionsontherstandlastproxyserversrevealingwhoisrequestingwhatinformation.Hoer,thesesortsofattacksrequirethecollectionandanalysisofhugeamountsofdatabyexternalobservOtherattacksdependuponcompromisedProxyServersandRoutingNodes.Iftheinitiator'sproxyiscompromisedthenallinformationisrevealed.Ingeneralitissucientforasingleroutingnodetobeuncompromisedtocomplicatetracanalysis.Hoer,asinglecompromisedroutingnodecandestroyconnectionsorstopforwardingmessages,resultingindenialofserviceattacOnionRoutingusesexpirationtimestoprevtreplayattacks.Itiscuriousthat,unliketimestamps,thevulnerabilityduetopoorlysynchronizedclockshereisadenialofserviceattack,insteadofareplayattack.Ifanode'sclockistoofast,otherwisetimelyonionswillappeartohaealreadyexpired.Also,sinceexpirationtimesdenethewindowduringwhichnodesmuststoreusedonions,anodewithaslowclockwillendupstoringmoreinformation.Iftheresponder'sproxyiscompromised,andcandeterminewhentheunen-crypteddatastreamhasbeencorrupted,itispossibleforcompromisednodesearlierinthevirtualcircuittocorruptthestreamandaskwhichresponder'sxyreceiveduncorrupteddata.Byworkingwithcompromisednodesaroundasuspectedinitiator'spro,onecanidentifythebeginningofthevirtualcircuit.Thedicultywiththisattackisthatoncethedatastreamhasbeencorrupted,itwillremaincorrupted(becauseweuseastreamcipher),limitingfurtheranalysis.InorderforOnionRoutingtobeeective,theremustbesignicantuseofallthenodes,andProxyNodesmustalsobeintermediateroutingnodes.Choosingtheappropriatebalancebeteenecientuseofnetorkcapacityandsecurityisahardproblembothfromatheoreticalandpracticalstandpoint.Theoreticallyitisdiculttocalculatethevalueofthetradeo.Formoresecurit,nettracmustberelativelyconstant.Thisrequiressendingdummytracoeraconnectionwhentracislightandbueringdatawhentracishea.Iftracisveryburstyandresponsetimeisimportant,smoothingoutnetorktracrequireswastingcapacit.Ifhoer,tracisrelativelyconstant,additionalsmoothingmaynotbenecessaryromapracticalpointofview,theInynotprovidethecontrolnecessarytosmoothouttrac:unlikTM,usersdonotowncapacityonsharedconnections.Theimportantobservation,hoisthatOnionRoutingformsanarchitecturewithinwhichthesetradeoscanbemadeandexplored.OnionRoutingisanarchitecturethathidesroutinginformationwhileproreal-time,bi-directionalcommunication.Sinceitprovidesavirtualcircuitthatcanreplaceasocetconnection,OnionRoutingcanbeusedinanyprotocolthatcanbeadaptedtouseaproxyservice.AlthoughourrstuseisinHTTPandTELNET,itiseasytoimagineotherapplications.Ine-mail,forexample,OnionRoutingwouldcreateananonymoussocetconnectionbeteentosendmaildaemons.ThiscontrastswithAnonymousRemailers,whereeachremailerpro- vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. videsasinglehopinachainofmailforwarding.Inthissense,inOnionRouting,thereroutingofmessagesisindependentofthetypeofmessage.Otherextensionsarealsopossibleandintegratenicelywiththeproxyap-htoanonorexample,tocreateacompletelyanonymousconsationbeteentoparties,eachpartouldmakeananonymousconnectiontosomeanonyserver,whichmatesconnectionssharingsometoken.Thish,similartoIRCservers,canalsobeusediftheresponderdoesnottrusttheinitiator,especiallywith(broadcast)replyonions.Theresponderbuildshiswn(trusted)connectiontosomeanonyserver,andasksthatanonertobuildanotherconnectiontotheinitiatorusingareplyonionandtomatethetoconnections.EachpartyisthereforeprotectedbyaroutethatheInOnionRoutingtheencryptionburdenonconnectedintermediatenodesislessthantheburdenoflinkencryptiononrouters.Inlinkencryption,eachpacisencryptedbythesenderanddecryptedbytherecipient.InOnionRoutingtheheaderandpayloadofeachmessagearecryptedseparately:theheaderisencryptedanddecryptedusingtheconnection'sk,andthepayloadiscrypted(onlybytherecipient)usingtheappropriatefunction/keypairassociatedwiththevirtualcircuit.Ourgoalhereisnottoprovideanonymouscommunication,but,toplaceiden-ticationwhereitbelongs.Theuseofapublicnetorkshouldnotautomaticallyealtheidentitiesofcommunicatingparties.Ifanonymouscommunicationisundesirable,itiseasytoimagineltersontheendpointmachinesthatrestrictontosignedmessages.OnionRoutingwillonlybeeectiveincomplicatingtracanalysisifitsxyandRoutingNodesbecomewidespreadandwidelyused.Thereisanob-vioustensionbeteenanonyandlawenforcement.Ifthistensionisresolvinfaoroflawenforcement,itwouldbestraighardtointegrateakeyescrosystemwithintheonion,whicouldmakeroutinginformationaailabletothewfulauthorities.Discussionswithmanypeoplehelpeddeveloptheideasinthispaper.WetothankRanAtkinson,MarkusJakobbsen,JohnMcLean,CathyMeadoAndyMoore,MoniNaor,HolgerPeterson,BirgitPtzmann,MichaelSteiner,andtheanonymousrefereesfortheirhelpfulsuggestions.1.D.unicationsoftheACM,v.24,n.2,Feb.1981,pages84-88.2.D.Chaum,TheDiningCryptoaphersProblem:UncalSenderandRientUntrJournalofCryptology,1/1,1988,pages65-75. vidM.Goldschlag,MichaelG.Reed,andPaulF.Syverson.\HidingRoutingInformation,"orkshoponInformationHiding,Cambridge,UK,Ma,1996. 3.S.ChcurityManagementofATMNetworks,Ph.D.thesis,inprogress,bridgeUniv4.D.E.Comer.InternetworkingwithTCP/IP,Volume1:Principles,Prols,andtice{Hall,EngelwoodClis,NewJersey,1995.5.L.Cottrell.MixmasterandRemailerAloki/remailer/remailer-essa6.C.GulcuandG.Tsudik.MixingEmailwithBabel1996SymposiumonNetandDistributedSystemSecurit,SanDiego,February1996.7.A.PtzmannandB.Ptzmann.HowtoBraktheDirctRSA-implementationofancesinCryptology{EURYPT'89Proceedings,Springer-VBerlin,1990,pages373-381.8.A.Ptzmann,B.Ptzmann,andM.WISDN-Mixes:UntrableCommu-ationwithVerySmallBandwidthOverheGI/ITGConference:CommtioninDistributedSystems,MannheimFeb,1991,Informatik-Fbericte267,erlag,Heildelberg1991,pages451-463.9.A.PtzmannandM.WNetworksWithoutUserObservability,&Securit,6/21987,pages158-166.10.B.ScdCryptoaphy:Prols,AlgorithmsandSoureCodeinC,JohnWileyandSons,1994.11.W.R.StevTCP/IPIllustrd,Volume3:TCPforTansactions,HTTP,NNTP,andtheUNIXDomainPresley,Reading,Mass.,1996.12.L.D.Stein.HowtoSetupandMaintainaWorldWideWebSite:TheGuideforInformationPresley,Reading,Mass.,1995.ThisarticlewasprocessedusingtheLXmacropacagewithLLNCSst