Onion Routing

Executive Summary

The use of a switched communications network should not require revealing who is talking to whom. Onion Routing is a flexible communications infrastructure that is resistant to both eavesdropping and traffic analysis. Onion routing accomplishes this goal by separating identification from routing. Connections are always anonymous, although communication need not be. Communication may be made anonymous by removing identifying information from the data stream. Onion routing can be used by a variety of unmodified Internet applications by means of proxies (non-invasive procedure) or by modifying the network protocol stack on a machine to be connected to the network (moderate or highly-invasive procedure).

Traffic analysis can be used to infer who is talking to whom over a public network. For example, in a packet switched network, packets have a header used for routing, and a payload that carries the data. The header, which must be visible to the network (and to observers of the network), reveals the source and destination of the packet. Even if the header were obscured in some way, the packet could still be tracked as it moves through the network. Encrypting the payload is similarly ineffective, because the goal of traffic analysis is to identify who is talking to whom and not (to identify directly) the content of that conversation.

The efficiencies of the public Internet are strong motivation for companies to use it instead of private intranets. However, these companies may want to protect their interests. For example, a researcher using the World Wide Web (Web) may expect his particular focus to remain private, and the existence of inter-company collaboration may be confidential. Individuals may wish to protect their privacy too. The identities of the participants in an e-mail conversation should be known only to the communicating parties. A person shopping on the Web may not want his visits tracked. Certainly, someone spending anonymous e-cash expects that the source of the e-cash be untraceable.

Onion routing was originally prototyped on Sun Solaris 2.5.1/2.6. The prototype included proxies for private Web browsing, remote login, and also anonymizing versions of those proxies that remove identifying information from the data stream. These pages describes the Onion Routing system at several levels of abstraction, including a detailed specification for reimplementors.

Our motivation here is not specifically to provide anonymous communication, but, to separate identification from routing. Applications and users may identify themselves to each other, but the use of a public network should not automatically reveal to others the identities of communicating parties.

The Traffic Analysis Problem

Letters sent through the Post Office are usually in an envelope marked with the sender's and recipient's addresses. We trust that the Post Office does not peek inside the envelope, because we consider the contents private. We also trust that the Post Office does not monitor who sends mail to whom, because that information is also considered private.

These two types of sensitive information, the contents of an envelope and its address, apply equally well to electronic communication over the Internet. Just like mail, electronic messages travel in electronic envelopes, and protecting the privacy of these messages requires both safeguarding the contents of those envelopes and hiding the addresses on the envelopes. Although communicating parties usually identify themselves to one another, there is no reason that the use of a public network like the Internet ought to reveal to others who is talking to whom and what they are talking about. The first concern is traffic analysis, the latter is eavesdropping.

By making both eavesdropping and traffic analysis hard, the privacy of communication is protected. But what about anonymity? Can two parties communicate, if one or both do not want to be identified to the other? If the electronic envelope keeps its contents private, and the address on the envelope is also hidden, then any identifying information can only be inside the envelope! So for anonymous communication, we remove identifying information from the contents of an envelope. This may be called anonymizing a private envelope.

These goals may appear to be insolvable: Can the contents of an envelope really be kept private? How can a letter reach its destination if its address is hidden? Can two parties communicate without revealing their identities to one another? Can all this be done without trusting third parties (the Post Office, for example) not to remember addresses or to open envelopes?

Onion Routing uses well known networking and cryptographic techniques to protect both the privacy and anonymity of Internet communication against both eavesdropping and traffic analysis. Onion Routing is easily used in a wide variety of Internet applications (web browsing and chat, for example) to communicate both privately and anonymously.

The Onion Routing Solution

If we protect a communications channel against both eavesdropping and traffic analysis, and remove identifying information from the data stream, then we have anonymous and private communication.

Onion Routing provides socket connections that are strongly resistant to both eavesdropping and traffic analysis. The privacy of these socket connections is moved beneath the application layer and made application independent. Unmodified Internet applications may use these anonymous socket connections by means of proxies. If the proxies anonymize the data stream, anonymity may be layered on top of anonymous socket connections. Onion Routing was originally implemented on Sun Solaris 2.4 including proxies for HTTP (WWW), RLOGIN, e-mail (SMTP), and FTP. Generation 2 Onion Routing implementation, Tor, runs on most common operating systems.

Onion Routing works in the following way: An application, instead of making a (socket) connection directly to a destination machine, makes a socket connection to an Onion Routing Proxy. That Onion Routing Proxy builds an anonymous connection through several other Onion Routers to the destination. Each Onion Router can only identify adjacent Onion Routers along the route. Before sending data over an anonymous connection, the first Onion Router adds a layer of encryption for each Onion Router in the route. As data moves through the anonymous connection, each Onion Router removes one layer of encryption, so it finally arrives as plaintext. This layering occurs in the reverse order for data moving back to the initiator. Data passed along the anonymous connection appears different at each Onion Router, so data cannot be tracked en route and compromised Onion Routers cannot cooperate. When the connection is broken, all information about the connection is cleared at each Onion Router.

Users can use Onion Routing in another, slightly more invasive way. A "bump" is inserted into the TCP/IP network protocol stack so that all TCP traffic is redirected over Onion Routing. This is not implemented for Tor, because it runs contrary to both simple usability (no need to be root to install and use Tor) and platform independence. In generation 1 OR, this was, however, feasible by using the NRaD redirector (for Windows 95/NT). This piece of code transparently routed raw TCP/IP connections through the Onion Routing network. Research into similar techniques compatible with usability, interoperability, and deployability goals of Onion Routing is ongoing.

Onion Routing differs from other anonymity services in three ways: Communication is real-time and bidirectional; the anonymous connections are application independent; and there is no centralized trusted component. Applications may choose whether to identify their users over an anonymous connection. However, the use of a switched public network should not automatically reveal who is talking to whom. This is the traffic analysis that Onion Routing complicates.

Historical page reflecting onion-router.net as of 2005, not regularly maintained. Address questions to Paul Syverson.