tor-design.tex 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271
  1. \documentclass[times,10pt,twocolumn]{article}
  2. %\usepackage{/home/syverson/papers/latex8}
  3. %\usepackage{/home/syverson/papers/times}
  4. \usepackage{latex8}
  5. \usepackage{times}
  6. \usepackage{url}
  7. \usepackage{graphics}
  8. \usepackage{amsmath}
  9. \pagestyle{empty}
  10. \renewcommand\url{\begingroup \def\UrlLeft{<}\def\UrlRight{>}\urlstyle{tt}\Url}
  11. \newcommand\emailaddr{\begingroup \def\UrlLeft{<}\def\UrlRight{>}\urlstyle{tt}\Url}
  12. % If an URL ends up with '%'s in it, that's because the line *in the .bib/.tex
  13. % file* is too long, so break it there (it doesn't matter if the next line is
  14. % indented with spaces). -DH
  15. %\newif\ifpdf
  16. %\ifx\pdfoutput\undefined
  17. % \pdffalse
  18. %\else
  19. % \pdfoutput=1
  20. % \pdftrue
  21. %\fi
  22. \begin{document}
  23. %% Use dvipdfm instead. --DH
  24. %\ifpdf
  25. % \pdfcompresslevel=9
  26. % \pdfpagewidth=\the\paperwidth
  27. % \pdfpageheight=\the\paperheight
  28. %\fi
  29. \title{Tor: Design of a Next-Generation Onion Router}
  30. \author{Anonymous}
  31. %\author{Roger Dingledine \\ The Free Haven Project \\ arma@freehaven.net \and
  32. %Nick Mathewson \\ The Free Haven Project \\ nickm@freehaven.net \and
  33. %Paul Syverson \\ Naval Research Lab \\ syverson@itd.nrl.navy.mil}
  34. \maketitle
  35. \thispagestyle{empty}
  36. \begin{abstract}
  37. We present Tor, a connection-based low-latency anonymous communication
  38. system which addresses many limitations in the original onion routing design.
  39. Tor works in a real-world Internet environment,
  40. requires little synchronization or coordination between nodes, and
  41. protects against known anonymity-breaking attacks as well
  42. as or better than other systems with similar design parameters.
  43. \end{abstract}
  44. %\begin{center}
  45. %\textbf{Keywords:} anonymity, peer-to-peer, remailer, nymserver, reply block
  46. %\end{center}
  47. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  48. \Section{Overview}
  49. \label{sec:intro}
  50. Onion routing is a distributed overlay network designed to anonymize
  51. low-latency TCP-based applications such as web browsing, secure shell,
  52. and instant messaging. Users choose a path through the network and
  53. build a \emph{virtual circuit}, in which each node in the path knows its
  54. predecessor and successor, but no others. Traffic flowing down the circuit
  55. is sent in fixed-size \emph{cells}, which are unwrapped by a symmetric key
  56. at each node, revealing the downstream node. The original onion routing
  57. project published several design and analysis papers
  58. \cite{or-journal,or-discex,or-ih,or-pet}. While there was briefly
  59. a network of about a dozen nodes at three widely distributed sites,
  60. the only long-running and publicly accessible
  61. implementation was a fragile proof-of-concept that ran on a single
  62. machine. Many critical design and deployment issues were never implemented,
  63. and the design has not been updated in several years.
  64. Here we describe Tor, a protocol for asynchronous, loosely
  65. federated onion routers that provides the following improvements over
  66. the old onion routing design:
  67. \begin{itemize}
  68. \item \textbf{Perfect forward secrecy:} The original onion routing
  69. design is vulnerable to a single hostile node recording traffic and later
  70. forcing successive nodes in the circuit to decrypt it. Rather than using
  71. onions to lay the circuits, Tor uses an incremental or \emph{telescoping}
  72. path-building design, where the initiator negotiates session keys with
  73. each successive hop in the circuit. Onion replay detection is no longer
  74. necessary, and the network as a whole is more reliable to boot, since
  75. the initiator knows which hop failed and can try extending to a new node.
  76. \item \textbf{Applications talk to the onion proxy via Socks:}
  77. The original onion routing design required a separate proxy for each
  78. supported application protocol, resulting in a lot of extra code (most
  79. of which was never written) and also meaning that a lot of TCP-based
  80. applications were not supported. Tor uses the unified and standard Socks
  81. \cite{socks4,socks5} interface, allowing us to support any TCP-based
  82. program without modification.
  83. \item \textbf{Many applications can share one circuit:} The original
  84. onion routing design built one circuit for each request. Aside from the
  85. performance issues of doing public key operations for every request, it
  86. also turns out that regular communications patterns mean building lots
  87. of circuits can endanger anonymity \cite{wright03}. Tor multiplexes many
  88. connections down each circuit, but still rotates the circuit periodically
  89. to avoid too much linkability.
  90. \item \textbf{No mixing or traffic shaping:} The original onion routing
  91. design called for full link padding both between onion routers and between
  92. onion proxies (that is, users) and onion routers \cite{or-journal}. The
  93. later analysis paper \cite{or-pet} suggested \emph{traffic shaping}
  94. to provide similar protection but use less bandwidth, but did not go
  95. into detail. However, recent research \cite{econymics} and deployment
  96. experience \cite{freedom2-arch} indicate that this level of resource
  97. use is not practical or economical; and even full link padding is still
  98. vulnerable to active attacks \cite{defensive-dropping}.
  99. \item \textbf{Leaky pipes:} Through in-band signalling within the circuit,
  100. Tor initiators can direct traffic to nodes partway down the circuit. This
  101. allows for long-range padding to frustrate timing attacks at the initiator
  102. \cite{defensive-dropping}, but because circuits are used by more than
  103. one application, it also allows traffic to exit the circuit from the
  104. middle -- thus frustrating timing attacks based on observing exit points.
  105. %Or something like that. hm.
  106. \item \textbf{Congestion control:} Earlier anonymity designs do not
  107. address traffic bottlenecks. Unfortunately, typical approaches to load
  108. balancing and flow control in overlay networks involve inter-node control
  109. communication and global views of traffic. Our decentralized ack-based
  110. congestion control maintains reasonable anonymity while allowing nodes
  111. at the edges of the network to detect congestion or flooding attacks
  112. and send less data until the congestion subsides.
  113. \item \textbf{Directory servers:} Rather than attempting to flood
  114. link-state information through the network, which can be unreliable and
  115. open to partitioning attacks or outright deception, Tor takes a simplified
  116. view towards distributing link-state information. Certain more trusted
  117. onion routers also serve as directory servers; they provide signed
  118. \emph{directories} describing all routers they know about, and which
  119. are currently up. Users periodically download these directories via HTTP.
  120. \item \textbf{End-to-end integrity checking:} Without integrity checking
  121. on traffic going through the network, an onion router can change the
  122. contents of cells as they pass by, e.g. by redirecting a connection on
  123. the fly so it connects to a different webserver, or by tagging encrypted
  124. traffic and looking for traffic at the network edges that has been
  125. tagged \cite{minion-design}.
  126. \item \textbf{Robustness to node failure:} router twins
  127. \item \textbf{Exit policies:}
  128. Tor provides a consistent mechanism for each node to specify and
  129. advertise an exit policy.
  130. \item \textbf{Rendezvous points:}
  131. location-protected servers
  132. \end{itemize}
  133. We review previous work in Section \ref{sec:background}, describe
  134. our goals and assumptions in Section \ref{sec:assumptions},
  135. and then address the above list of improvements in Sections
  136. \ref{sec:design}-\ref{sec:maintaining-anonymity}. We then summarize
  137. how our design stands up to known attacks, and conclude with a list of
  138. open problems.
  139. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  140. \Section{Threat model and background}
  141. \label{sec:background}
  142. anonymizer
  143. pipenet
  144. freedom
  145. onion routing
  146. isdn-mixes
  147. crowds
  148. real-time mixes, web mixes
  149. anonnet (marc rennhard's stuff)
  150. morphmix
  151. P5
  152. gnunet
  153. rewebbers
  154. tarzan
  155. herbivore
  156. \SubSection{Known attacks against low-latency anonymity systems}
  157. We discuss each of these attacks in more detail below, along with the
  158. aspects of the Tor design that provide defense. We provide a summary
  159. of the attacks and our defenses against them in Section \ref{sec:attacks}.
  160. \Section{Design goals and assumptions}
  161. \label{sec:assumptions}
  162. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  163. \Section{The Tor Design}
  164. \label{sec:design}
  165. \Section{Other design decisions}
  166. \SubSection{Exit policies and abuse}
  167. \label{subsec:exitpolicies}
  168. \SubSection{Directory Servers}
  169. \label{subsec:dir-servers}
  170. \Section{Rendezvous points: pseudonyms with responder anonymity}
  171. \label{sec:rendezvous}
  172. \Section{Maintaining anonymity sets}
  173. \label{sec:maintaining-anonymity}
  174. \SubSection{Using a circuit many times}
  175. \label{subsec:many-messages}
  176. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  177. \Section{Attacks and Defenses}
  178. \label{sec:attacks}
  179. Below we summarize a variety of attacks and how well our design withstands
  180. them.
  181. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  182. \Section{Future Directions and Open Problems}
  183. \label{sec:conclusion}
  184. Tor brings together many innovations from many different projects into
  185. a unified deployable system. But there are still several attacks that
  186. work quite well, as well as a number of sustainability and run-time
  187. issues remaining to be ironed out. In particular:
  188. \begin{itemize}
  189. \item foo
  190. \end{itemize}
  191. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  192. \Section{Acknowledgments}
  193. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  194. \bibliographystyle{latex8}
  195. \bibliography{minion-design}
  196. \end{document}
  197. % Style guide:
  198. % U.S. spelling
  199. % avoid contractions (it's, can't, etc.)
  200. % 'mix', 'mixes' (as noun)
  201. % 'mix-net'
  202. % 'mix', 'mixing' (as verb)
  203. % 'Mixminion Project'
  204. % 'Mixminion' (meaning the protocol suite or the network)
  205. % 'Mixmaster' (meaning the protocol suite or the network)
  206. % 'middleman' [Not with a hyphen; the hyphen has been optional
  207. % since Middle English.]
  208. % 'nymserver'
  209. % 'Cypherpunk', 'Cypherpunks', 'Cypherpunk remailer'
  210. %
  211. % 'Whenever you are tempted to write 'Very', write 'Damn' instead, so
  212. % your editor will take it out for you.' -- Misquoted from Mark Twain