Anonymous Routing: Onion Routing

Abstract: Security and privacy are the major concerns while routing
data through a wired or wireless network. Although encryption is used
to protect data from being read by unintended recipients it still does not
ensure complete safeness. The reason being that information can be
gathered by an eavesdropper by indirect inferences like traffic analysis
etc. In my literature survey project I have focused on the topic of
anonymous routing – onion routing in wired networks and extended it to
wireless networks. In onion routing the data is wrapped in layers of
encryption in a data structure called as an onion, which is transmitted
over the network. The onion is constructed in such a way that it prevents
any eavesdropper from gaining information about the parties involved
in the communication or the nature of their data exchange. Anonymous
routing in wired networks cannot be directly mapped to wireless
networks. This is because wireless networks are more vulnerable to
privacy issues as compared to wired networks due to the mobility of
nodes, limited battery power, and nature of message transmission.
Hence it is more challenging to create anonymous routing protocols for
a wireless scenario.
1 Introduction:

The World Wide Web (WWW) is the most popular and widespread discovery of
the millennium. Although it has been a few years since its inception, security is
still a major concern over the web. Data that is transmitted over the network is
subject to various threats ranging from privacy, confidentiality, integrity etc by an
active or a passive attacker. An active attacker not only snoops over the
communication but also corrupts communication by injecting malicious data. To
minimize the vulnerability of data during transmission encryption is used. A
passive attacker on the other hand simply eavesdrops and gathers information by
observing the ongoing traffic. At times the mere fact that communication is being
carried over a particular link or between two parties could be more valuable than
the actual data that is being transmitted between them. Hence meta data can
sometimes be more sensitive than the actual transmission data content. Meta data
includes the sender and receiver identities, their location, length and time of the
message etc. Hence by analyzing such traffic data, indirect inferences can be made
about the people communicating over a public network like their identities, their
relationships etc. This is in line with evidence gathered by MIT reality mining
project.

2 Traffic Analysis:

2.1 Overview:

Traffic analysis is the process of intercepting and examining messages in order to

deduce information from the patterns in communication. It can be performed even
when the messages are encrypted and cannot be decrypted. Thus an intruder can
simply sniff packets and capture them. And analyzing the header content which has
the source and destination address the intruder can gather valuable information
about the ongoing communication. For example: an attacker can gain important
information by monitoring, the frequency and timing of network packets.

2.2 Mechanism of traffic analysis:

Internet data packets have two parts: a data payload and a header used for routing.

 The data payload is the information being sent; e.g.: an email message, a
web page etc.
  The header consists of the source address, destination address, timing
information, sizing information etc.

Although the data payload is encrypted, traffic analysis still reveals a great deal
about what a communicator is doing and, possibly, what they’re saying. This is
because it focuses on the header, which discloses the source, destination, size,
timing, and other critical information. Thus encryption does not help against these
attackers, since it only hides the content of internet traffic and not the headers. And
it is not possible to encrypt the headers since the destination will not be able to
identify the packet meant for it. Thus by analyzing the data headers and observing
the packet movement trend an attacker can indirectly gather sensitive information
about the communicating parties. A very simple form of traffic analysis might
involve sitting somewhere between sender and recipient on the network, looking at
headers.

2.3 Importance of Traffic analysis:

 Although traffic analysis provides lower quality information, it is preferred

over cryptanalysis because it is easier than breaking complex encrypted
messages.
 It is also cheaper because traffic data can be automatically collected and
processed to provide a high degree of intelligence.
 It is used for military purposes and by various organizations to track
unpleasant events over the internet.

2.4 Resisting traffic analysis and need for anonymous routing:

As it can be seen traffic analysis can be used to extract a lot of sensitive

information and it can strip a person of all his communication privacy over the
internet. Hence it becomes important to take precautions against it and to increase
the level of anonymity on the web. This is the main motivation for anonymous
routing. Thus Onion routing, Chaums Mixes, Tor are a few methods that provide
resilience towards traffic analysis.
3 Onion Routing:

3.1 Overview:

Onion routing was conceived in 1996 by David. M. Goldschlag, Michael. G. Reed

and Paul. F. Syverson for the Naval Research Laboratory’s research group in high
assurance system. It lives just beneath the application layer and is designed to
interface with a wide variety of unmodified internet services by means of proxies.
Onion routing is the mechanism in which the sender (initiator) and the receiver
(responder) nodes communicate with each other anonymously by means of some
anonymous intermediate nodes called as onion routers. It protects against traffic
analysis and makes it very hard for an eavesdropper to determine who is talking to
whom over the network. It concentrates on encrypting the packet header in such a
way that only the intended destination understands that the packet is meant for
him.

Instead of making a socket connection directly with the destination machine, the
sender makes a connection to an onion proxy on a remote machine. This onion
proxy then randomly selects a set of onion routers up to the destination and builds
an anonymous connection to the destination via them. It then constructs a special
data structure called as an onion and routes it through this established connection.
Onion routing relies on public key cryptography. This enables the creation of an
onion which is nothing but the transmission data wrapped in multiple layers of
encryption with the route information in each layer of encryption. It is done in such
a way that when the data moves from one onion router to the next, each onion
router strips a layer of the onion using its private key to find its next hop, and
routes the packet accordingly. This goes on till the packet reaches the receiver.
Thus every onion router knows only its previous and next hop. Padding may be
applied at each onion router to maintain the size of the onion. So data passed along
this anonymous connection appears different to each onion router. Also since an
onion is decrypted at each router there is no correspondence between an incoming
and outgoing onion for a particular router. Hence data cannot be tracked en route
and even a compromised onion router cannot be of much help. Even if an onion
router is compromised only the previous and next hop would be visible but the
actual sender and receiver would still be hidden. This provides added resistance to
an attacker.

3.2 Infrastructure for Onion Routing:

Onion routing hardware can be subdivided into two parts:

 Network Infrastructure:

As shown in the figure the network infrastructure consists of onion routers

that carry traffic between the initiator and the responder (via the intermediate
onion routers). Each onion router has a single connection to each of its
neighbouring onion routers. The job of a onion router is to decrypt an
incoming packet using its private key and pass it to the next onion router
mentioned in the onion packet. It may also apply padding to maintain the
size of the onion thus making traffic analysis more difficult.

 Proxy interfaces:

The proxy links the initiator to the anonymous connection (node W) on the
initiator end and at the responder end it links the anonymous connection to
 the responder (node Z). e g: When the initiator sends a request for say a
particular URL; instead of directly connecting to the server where the URL
content is stored, it connects to an onion proxy W. This proxy then randomly
chooses a set of onion routers say X-Y-Z. It then encrypts the packet with
Y’s, X’s and Z’s public key and their addresses and sends it to the first onion
router on the desired root. The data then moves along the route and is
transmitted by Z to the responder. Z also acts as a proxy because it passes
data from the responder to the anonymous connection.
Each onion proxy maintains a list of onion routers on the network and their
IP addresses. There are also directory servers where active routers register
with. So onion proxies can query directory servers from time to time in order
to get an up-to-date list of servers on the network.

3.3 Detailed Mechanism for Onion Routing:

Onion routing consists of the following steps:

 Defining a route.
 Constructing an anonymous connection.
 Moving data through an anonymous connection.
 Destroying the anonymous connection.

The following steps give a brief description of the above steps.

When an onion proxy receives a message it first randomly selects a set of onion
routers up to the destination by checking in its existing list of onion routers. It then
uses public key cryptography to construct the onions in such a way that only the
intended onion routers can peel off the outer layer. The following example
illustrates the process.

Consider the case where there are n onion routers numbered from 1 to n. The
public and the private key of a particular router say i is denoted by Ipu and Ipr
respectively. The onion proxy knows the public keys of all the onion routers in its
list. The private keys are known only to that particular router. An encryption and
decryption function is used to encrypt and decrypt the data. The encryption
function is Ekey(data) and the decryption function is Dkey(data). Data encrypted
by a public key can be decrypted by a private key and vice versa. Hence we have
DI_public_key ( EI_private_key (data)) = data.

DI_private_key ( EI_public_key (data)) = data

On receiving a packet the onion proxy selects a random sequence of routers from
its list say 4, 3 and 5. So it constructs the onion in the following manner. It first
encrypts the data packet with public key of 5 followed by public key of 3 and
finally 4. So the encrypted data now looks like E4pu (3’s IP address, E3pu ((5’s IP
address, (E5pu (recipient’s IP address, data))))). This is then sent to onion router 4.
Onion router 4 uses its private key to peel the outermost encryption layer. It finds
the IP address of the next hop i.e. router 3. So it passes to router 3 the onion which
now looks like E3pu ((5’s IP address, (E5pu (recipient’s IP address, data)))). Again
router 5 uses its private key to peel the outermost encryption layer. It finds the data
and the recipient’s IP address and concludes that it is the final anonymous hop to
the destination. It simply forwards the packet to the destination.

Thus sending an onion over a chosen path creates a virtual circuit. This circuit is
bidirectional i.e. the destination can also send a message to the source along the
same path. In the given example it simply encrypts the data with its private key and
forwards it to onion router 5. Erecipient_private(IP address, data). Onion router 5
then encrypts it with its private key and forwards it to 3 as E5pr
(Erecipient_private(IP address, data)). Similarly router 3 and 4 also encrypt it step
by step with their private key and outer 4 sends it to the onion proxy that initiated
connection with it. The data that is received by the onion proxy looks like E4pr
(E3pr (E5pr (Erecipient_private(IP address, data)))). The onion proxy now uses the
public keys of these routers and decrypts each layer of the onion, using the
outermost layers key first. It retrieves the data and simply routes it to the sender.

Since the size of the onion reduces as it nears the destination an attacker can infer
details about the destination. To avoid this onions are padded at each onion router
to maintain the size of the onion. Padding is simply adding redundancy. This is a
really big advantage because it complicates traffic analysis, as an attacker cannot
infer location or other details of the destination by getting hold of an onion. Every
onion router has details of only its previous and next hop. So even if an onion
router has been compromised the attacker can only get the encrypted onion with
the next hop. He will not be able to decrypt the onion without the private keys and
hence will not infer any valuable information from it.

Each layer of onion also contains an expiration time. An onion router is to ignore
expired and replayed onions. Further if the connection breaks during the routing
process then all the onion routers are informed via a destroy message. Ensuring
that all onion are of the same size, timing information of the circuit is obfuscated
and adding noise makes traffic analysis very difficult.

3.4 Vulnerabilities of Onion Routing:

It is susceptible to denial of service attacks. This can be done by forcing onion
routers to do a large number of cryptographic operations by many sending packets
to it. Eventually the router simply ends up doing cryptographic operations and is
not able to forward packets.

This can be mitigated using client puzzles. Here the onion proxy (i.e. the server)
forces a requesting client to complete a puzzle before it allocates resources. This
forces an attacker to find additional resources. But puzzle solving has an impact on
the latency although it reduces DOS vulnerability.

An attacker can record data going on between routers and can compromise a router
at a later stage, to acquire private key and decrypt data. This can be avoided by
using a session key between communicating parties. The session key is used to
encrypt data and is valid only for the duration of the communication.

3.5 Advantages of Onion Routing:

 It supports multiple applications like email, web browsing etc.

 A tunable configuration allows various degree of protection to individual
users.
 Data is unreadable throughout the route except at the end points.

4 Onion Routing in Wireless Networks:

As it can be seen, the problems in wireless networks pertaining to security are

manifold. Some modifications have to be made to the protocols in the wired
network so that it can fit the wireless scenario. Currently there is a lot of research
that is on to come up with an optimal protocol for defeating traffic analysis in the
wireless environment. All the protocols have onion routing and traffic mixing at
their core. There are many protocols for the same but I shall briefly review only
three of them in this paper.

4.1 Wireless Anonymous Routing (WAR):

It is based on onion routing and traffic mixing. Here the keys are distributed using
a RadioGram. RadioGram object is like an onion which has layers of encryption
around the data content. RadioGrams are broadcast into the network and the
intended nodes along the route to the destination decrypt a layer at a time.
4.1.1 Description:

The structure of a radiogram is as follows: [tid] {[sk] [MIC] [^]}{[sk] [MIC] [^]….
{[sk] [MIC] [^]} [content] [padding]

1. The information contained within the curly braces {} represent each layer of
the onion.
2. Transmitter ID i.e. tid: It uniquely defines a radiogram. It is a RSA public
key. It is used to encrypt the session key. And the session key is then used to
encrypt the rest of the fields.
3. Session key i.e. sk: It is a symmetric key encrypted by the public key of the
transmitter.
4. MIC or Checksum: It is the pre-computed hash value of everything the
onion skin wraps except the padding.
5. Control Signals i.e. ^: It tells the receiver what has to be done with the
received message. It also tells about the type of message and the padding.
6. Content: This is the actual data that is being transmitted and can be
interpreted only by the final destination.
7. Padding: This is used just to maintain the size of the onion. Without padding
the onion can grow smaller as it nears the destination and can be analyzed
easily by an attacker.

4.1.2 Example:

Node A wishes to send data to C via B. B is in the wireless range of A and C is

within B’s wireless range. A -> B ->C. So A performs the following steps to
construct the RadioGram and broadcasts it.

[A.id] [B.sk] [B.MIC] [B.^] [C.sk] [C.MIC] [C.^] [content] [padding]

1. A generates the content [content].

2. It then generates a random session key (16 byte) C.sk .
3. It sets the control signal C.^ appropriately i.e. type= MESSAGE and
padding = k bits .
4. It prepends [C.^] to [ content]
5. It computes a 16 byte MIC over [C.sk] [C.^] [content] and calls it C.MIC.
6. It encrypts [C.MIC] [C.^] [content] under C.sk .
7. It encrypts C.sk using C’s public key and calls it C.sk’ .
8. It prepends [C.sk’] to [C.MIC] [C.^] [content] .
9. Append any padding if required.
 10.It renames [C.sk’] [C.MIC] [C.^] [content] to [content]
11.It repeats the above steps for (all other intermediate nodes) B.

When the nodes within the transmission range of A receive the Radiogram they
perform the following steps:

1. They strip A.id and save it

2. They strip B.MIC and save it.
3. They strip the encrypted B.sk’.
4. They try to decrypt B.sk’ to B.sk using their private key. (If it succeeds then
they are the intended recipient else they simply drop the packet. Only B is
able to decrypt B.sk’ as it was encrypted with his public key.)
5. B assumes that the message is for him and now uses B.sk to decrypt the
remainder of the message i.e. [B.MIC] [B.^] [content]
6. B checks B.^]to determine where the padding begins and the other rules it is
supposed to follow.
7. B computes B.MIC’ over [B.sk] [B.^] [content].
8. It compares B.MIC’ to B.MIC. If they are equal B checks B.^ for further
information. If they are unequal it implies that the packet has been altered
and B drops it or logs it as required.
9. It then prepends his transmitter id and puts the packet which looks like
[B.id] [C.sk] [C.MIC] [C.^] [content] [padding] on the outgoing queue and
broadcasts it.
10.Again all the nodes in B’s range perform the above steps. But only C is able
to decrypt the message and read it.

4.1.3 Drawbacks of the WAR protocol:

 Key distribution is a problem.

 Time taken for a packet to be delivered to a destination is long because of
RSA encryption and decryption. This algorithm relies on public key
cryptography.
 The sender needs to know the topology of the entire network as there is no
route discovery.
 It does not ensure packet delivery because if an intermediate node on the
destination path fails then the packet will never reach the destination.
 A node has to perform a certain number of decryptions just so that it can
determine if it is the intended node on the route to the destination.
  It is susceptible to DDOS attacks because an attacker can send keep
broadcasting packets and force the legitimate nodes on a root to do a large
number of decryptions. Thus a valid packet may not be transmitted.

4.2 Secure Distributed Anonymous Routing Protocol (SDAR):

This protocol is also based on onion routing and encrypting the packet header thus
abstaining from using unreliable intermediate node. It does not require the source
node to know the entire network topology unlike the previous WAR protocol. Here
the source node broadcasts a path discovery packet with certain trust requirement.
All intermediate nodes satisfying these requirements add their IDs and a session
key into the path discovery packet and forward it. This goes on till the packet
reaches the destination. On receiving the path discovery packet, the destination
encapsulates the information of all the intermediate nodes in a multilayered
message and sends it on the reverse path to the source node. Each node on the
reverse path decrypt one layer and keep forwarding the message till it reaches the
source node. When the packet reaches the source node it has information about all
the trusted intermediate nodes and their session keys. It uses these keys to encrypt
the data and forwards it along the discovered route.

4.2.1 Detailed description:

SDAR is divided into three parts; path discovery, path reverse and data transfer.

Path discovery: This allows the source node S to establish a path up to the
destination using intermediate nodes. But the beauty of this phase is that none of
the intermediate nodes can discover the identity of any of the participating nodes
except its neighbors. The source S creates a path discovery packet and broadcasts
it.

Path reverse: When the receiver receives the path discovery message it puts in the
ids and session keys of all the intermediate nodes into one message. It encrypts this
message again and again with the session keys of the intermediate nodes beginning
from the last node. It then broadcasts the packet. Every node along the reverse path
removes a layer of encryption and broadcasts the packet. So when the source
receives the message it has the ids and keys of all the nodes on the path to the
destination. It uses these keys to encrypt the data and broadcasts it.
Data Transfer: The source encrypts the data using the keys of the intermediate
nodes and broadcasts it. Each node on the way decrypts a layer and forwards it. So
when the message reaches the destination all the encryption layers have been
peeled off and the receiver is able to read the message.

4.2.3 Drawbacks of the SDAR protocol:

 There is no control over the route length since the path to the destination is a
discovery process. Hence it may take a really long time for the actual data
transfer to begin.
 If malicious nodes keep forwarding path discovery packet amongst each
other then it may never reach the intended receiver.

4.2.4 Advantages of the SDAR protocol:

 The source need not know the topology of the entire network since path
discovery is a dynamic process.
 Hence traffic analysis becomes more difficult.
 Symmetric keys of intermediate nodes are collected using a global trapdoor
managed by the source and destination nodes, thus providing anonymity and
end to end data privacy.
6 Conclusion:

Security is an important aspect of communication over the web. Mere encryption

of messages doesn’t keep it from malicious attackers. An attacker can gain a lot of
information by indirect traffic analysis as can be seen from the study above. Hence
it becomes very essential to mitigate traffic analysis. Onion routing is by far the
best solution for maintaining anonymity over the web. In onion routing (for wired
networks) data is wrapped under multiple layers of encryption and forwarded
towards the destination and each node on the route decrypts a layer and forwards it.
But certain modifications need to be made while applying onion routing on the
wireless network. Wireless networks are more vulnerable to attacks due to lack of
central management, dynamic nature of the network, broadcast nature of packet
forwarding etc. Thus onion routing is modified appropriately to suit the wireless
environment. WAR, SDAR, ARM provide anonymity to a great deal although they
have drawbacks. Research is currently on in this field to develop more and more
better suited protocols that can be more resilient towards traffic analysis.
 References:

I] http://en.wikipedia.org/wiki/Traffic_analysis

II]http://www.more.net/technical/netserv/troubleshooting/trafficanalysis.html

III] http://tor.eff.org/overview.html.en

IV] http://en.wikipedia.org/wiki/Onion_routing

1] Mary Elisabeth Gaup Moe. “Security Models for Anonymous Routing”.

Norwegian University of Science and Technology.

2] George Danezis. “Introducing traffic Analysis- Attacks, Defenses and public

Policy Issues”. Invited Talk.

3] Yih Chun Hu, Adrian Perrig. “A Survey of Secure Wireless Ad Hoc Routing”.
University of California- Berkeley, Carnegie Mellon University.

4] Adam Back, Ulf Moller, Anton Stiglic. “Traffic Analysis Attacks and Trade-
Offs in Anonymity Providing Systems”. Zero-knowledge Systems Inc.

5] Marc O’ Morain, Vladislav Titov, Wendy Verbuggen. “Onion Routing for

Anonymous Communication”.

6] Michael G. Reed, Paul F. Syverson, David M. Goldschlag. “Proxies for

anonymous Routing”. Naval Research Laboratory, Washington DC.

7] Nicholas A. Fraser, Richard A. Raines, Rusty O. Baldwin. “Tor: An

Anonymous Routing Network for Covert On-line Operations.” Air Force Institute
of Technology, Wright Patterson AFB.