nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 20:33:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revise section 1, remove very throughout.

Browse Source 
svn:r679
This commit is contained in:
Nick Mathewson 2003-10-26 22:59:18 +00:00
parent 5432fb02cc
commit 57474d772a
1 changed files with 72 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
doc/tor-design.tex
View File

@ -72,7 +72,8 @@ as or better than other systems with similar design parameters.
Onion Routing is a distributed overlay network designed to anonymize Onion Routing is a distributed overlay network designed to anonymize
low-latency TCP-based applications such as web browsing, secure shell, low-latency TCP-based applications such as web browsing, secure shell,
and instant messaging. Clients choose a path through the network and and instant messaging. Clients choose a path through the network and
build a \emph{virtual circuit}, in which each node in the path knows its build a \emph{virtual circuit}, in which each node (or ``onion router'')
in the path knows its
predecessor and successor, but no others. Traffic flowing down the circuit predecessor and successor, but no others. Traffic flowing down the circuit
is sent in fixed-size \emph{cells}, which are unwrapped by a symmetric key is sent in fixed-size \emph{cells}, which are unwrapped by a symmetric key
at each node (like the layers of an onion) and relayed downstream. The at each node (like the layers of an onion) and relayed downstream. The
@ -83,7 +84,7 @@ a wide area Onion Routing network,
% how long is briefly? a day, a month? -RD % how long is briefly? a day, a month? -RD
the only long-running and publicly accessible the only long-running and publicly accessible
implementation was a fragile proof-of-concept that ran on a single implementation was a fragile proof-of-concept that ran on a single
machine. Many critical design and deployment issues were never implemented, machine. Many critical design and deployment issues were never resolved,
and the design has not been updated in several years. and the design has not been updated in several years.
Here we describe Tor, a protocol for asynchronous, loosely Here we describe Tor, a protocol for asynchronous, loosely
federated onion routers that provides the following improvements over federated onion routers that provides the following improvements over
@ -92,13 +93,15 @@ the old Onion Routing design, and over other low-latency anonymity systems:
\begin{tightlist} \begin{tightlist}
\item \textbf{Perfect forward secrecy:} The original Onion Routing \item \textbf{Perfect forward secrecy:} The original Onion Routing
design is vulnerable to a single hostile node recording traffic and later design was vulnerable to a single hostile node recording traffic and later
compromising successive nodes in the circuit and forcing them to compromising successive nodes in the circuit and forcing them to
decrypt it. decrypt it.
Rather than using Rather than using a single onion to lay each circuit,
onions to lay the circuits, Tor uses an incremental or \emph{telescoping} Tor now uses an incremental or \emph{telescoping}
path-building design, where the initiator negotiates session keys with path-building design, where the initiator negotiates session keys with
each successive hop in the circuit. Onion replay detection is no longer each successive hop in the circuit. Once these keys are deleted,
subsequent compromised nodes cannot decrypt old traffic.
As a side benefit, onion replay detection is no longer
necessary, and the process of building circuits is more reliable, since necessary, and the process of building circuits is more reliable, since
the initiator knows when a hop fails and can then try extending to a new node. the initiator knows when a hop fails and can then try extending to a new node.
@ -107,33 +110,40 @@ the initiator knows when a hop fails and can then try extending to a new node.
\item \textbf{Separation of protocol cleaning from anonymity:} \item \textbf{Separation of protocol cleaning from anonymity:}
The original Onion Routing design required a separate ``application The original Onion Routing design required a separate ``application
proxy'' for each proxy'' for each
supported application protocol, resulting in a lot of extra code --- most supported application protocol --- most
of which was never written, so most applications were not supported. of which were never written, so many applications were never supported.
Tor uses the unified and standard Socks Tor uses the standard and near-ubiquitous SOCKS
\cite{socks4,socks5} proxy interface, allowing us to support most TCP-based \cite{socks4,socks5} proxy interface, allowing us to support most TCP-based
programs without modification. This design change allows Tor to programs without modification. This design change allows Tor to
use the protocol-normalization features of privacy-enhancing use the filtering features of privacy-enhancing
application-level proxies such as Privoxy without having to application-level proxies such as Privoxy without having to
incorporate those features itself. incorporate those features itself.
\item \textbf{Many TCP streams can share one circuit:} The original \item \textbf{Many TCP streams can share one circuit:} The original
Onion Routing design built one circuit for each application-level Onion Routing design built a separate circuit for each application-level
request. request.
Aside from the performance issues of doing multiple public key This hurt perfomance by requiring multiple public key operations for
operations for every request, building a circuit for each request can every request, and also presented
endanger anonymity. a threat to anonymity (see Section~\ref{maintaining-anonymity}).
The very first Onion Routing design \cite{or-ih96} protected against \footnote{The first Onion Routing design \cite{or-ih96} protected against
this to some extent by hiding network access behind an onion this threat to some
extent by encouraging users to hide network access behind an onion
router/firewall that was also forwarding traffic from other nodes. router/firewall that was also forwarding traffic from other nodes.
However, even if this meant complete protection, many users can However, it is desirable for users to
benefit from Onion Routing for which neither running one's own node benefit from Onion Routing even when they can't run their own
nor such firewall configurations are adequately convenient to be onion routers.
feasible. Those users, especially if they engage in certain unusual %Such users, especially if they engage in certain unusual
communication behaviors, may be identifiable \cite{wright03}. To %communication behaviors, may be identifiable \cite{wright03}.
complicate the possibility of such attacks Tor multiplexes many %To
stream down each circuit, but still rotates the circuit %complicate the possibility of such attacks Tor multiplexes many
periodically to avoid too much linkability from requests on a single %stream down each circuit, but still rotates the circuit
circuit. %periodically to avoid too much linkability from requests on a single
%circuit.
%
% [This digression probably belongs in maintaining-anonymity. -NM
}
The current Tor design multiplexes multiple TCP streams along each virtual
circuit, in order to improve efficiency and anonymity.
\item \textbf{No mixing, padding, or traffic shaping:} \item \textbf{No mixing, padding, or traffic shaping:}
The original Onion Routing The original Onion Routing
@ -146,14 +156,14 @@ experience \cite{freedom21-security} suggest that this level of resource
use is not practical or economical; and even full link padding is still use is not practical or economical; and even full link padding is still
vulnerable to active attacks \cite{defensive-dropping}. vulnerable to active attacks \cite{defensive-dropping}.
%[An upcoming FC04 paper. I'll add a cite when it's out. -RD] %[An upcoming FC04 paper. I'll add a cite when it's out. -RD]
Thus, absent a proven design for traffic shaping, Tor currently generates
%Say that: although some less resource-heavy traffic shaping approaches may no dummy traffic.
%help resist certain attacks, we aren't getting on the bandwagon yet? -NM. % We don't mention mixing in the above, but we mention it in the title. -NM
\item \textbf{Leaky-pipe circuit topology:} Through in-band \item \textbf{Leaky-pipe circuit topology:} Through in-band
signalling within the signalling within the
circuit, Tor initiators can direct traffic to nodes partway down the circuit, Tor initiators can direct traffic to nodes partway down the
circuit. This allows for long-range padding to frustrate traffic circuit. This not only allows for long-range padding to frustrate traffic
shape and volume attacks at the initiator \cite{defensive-dropping}, shape and volume attacks at the initiator \cite{defensive-dropping},
but because circuits are used by more than one application, it also but because circuits are used by more than one application, it also
allows traffic to exit the circuit from the middle -- thus allows traffic to exit the circuit from the middle -- thus
@ -165,14 +175,16 @@ vulnerable to active attacks \cite{defensive-dropping}.
\item \textbf{Congestion control:} Earlier anonymity designs do not \item \textbf{Congestion control:} Earlier anonymity designs do not
address traffic bottlenecks. Unfortunately, typical approaches to load address traffic bottlenecks. Unfortunately, typical approaches to load
balancing and flow control in overlay networks involve inter-node control balancing and flow control in overlay networks involve inter-node control
communication and global views of traffic. Our decentralized ack-based communication and global views of traffic. Tor's decentralized ack-based
congestion control maintains reasonable anonymity while allowing nodes congestion control maintains reasonable anonymity while allowing nodes
at the edges of the network to detect congestion or flooding attacks at the edges of the network to detect congestion or flooding attacks
and send less data until the congestion subsides. and send less data until the congestion subsides.
\item \textbf{Directory servers:} Rather than attempting to flood \item \textbf{Directory servers:} Rather take the original Onion
link-state information through the network, which can be unreliable and Routing's approach and attempting to flood
open to partitioning attacks or outright deception, Tor takes a simplified link-state information through the network --- an approach which can be
unreliable and
open to partitioning attacks or outright deception --- Tor takes a simplified
view towards distributing link-state information. Certain more trusted view towards distributing link-state information. Certain more trusted
onion routers also serve as directory servers; they provide signed onion routers also serve as directory servers; they provide signed
\emph{directories} describing all routers they know about, and which \emph{directories} describing all routers they know about, and which
@ -180,17 +192,18 @@ are currently up. Users periodically download these directories via HTTP.
\item \textbf{End-to-end integrity checking:} Without integrity checking \item \textbf{End-to-end integrity checking:} Without integrity checking
on traffic going through the network, any onion router on the path on traffic going through the network, any onion router on the path
can change the contents of cells as they pass by, e.g. to redirect a can change the contents of cells as they pass by --- for example, to redirect a
connection on the fly so it connects to a different webserver, or to connection on the fly so it connects to a different webserver, or to
tag encrypted traffic and look for the tagged traffic at the network tag encrypted traffic and look for the tagged traffic at the network
edges \cite{minion-design}. edges \cite{minion-design}. Tor hampers these attacks by checking data
integrity before it leaves the network.
\item \textbf{Robustness to failed nodes:} A failed node in a traditional \item \textbf{Robustness to failed nodes:} A failed node in a traditional
mix network means lost messages, but thanks to Tor's step-by-step mix network means lost messages, but thanks to Tor's step-by-step
circuit building, users can notice failed circuit building, users can notice failed
nodes while building circuits and route around them. Additionally, nodes while building circuits and route around them. Additionally,
liveness information from directories allows users to avoid liveness information from directories allows users to avoid
unreliable node in the first place. unreliable nodes in the first place.
%We further provide a %We further provide a
%simple mechanism that allows connections to be established despite recent %simple mechanism that allows connections to be established despite recent
%node failure or slightly dated information from a directory server. Tor %node failure or slightly dated information from a directory server. Tor
@ -208,20 +221,28 @@ unreliable node in the first place.
%is offline, so there shouldn't even be a latency hit. -NM] %is offline, so there shouldn't even be a latency hit. -NM]
\item \textbf{Variable exit policies:} Tor provides a consistent \item \textbf{Variable exit policies:} Tor provides a consistent
mechanism for mechanism for
each node to specify and advertise a policy describing the hosts and each node to specify and advertise a policy describing the hosts and
ports to which it will connect. These exit policies ports to which it will connect. These exit policies
are critical in a volunteer-based distributed infrastructure, because are critical in a volunteer-based distributed infrastructure, because
each operator is comfortable with allowing different types of traffic each operator is comfortable with allowing different types of traffic
to exit the Tor network from his node. to exit the Tor network from his node.
\item \textbf{Implementable in user-space}. \item \textbf{Implementable in user-space:} Because it only attempts to
anonymize TCP streams, Tor differs from some other anonymity
systems\cite{freedom} in that it does not require patches to an operating
system's network stack in order to operate. Although this approach is less
flexible, it has proven valuable to Tor's portability and deployabilitiy.
\item \textbf{Rendezvous points and location-protected servers:} Tor \item \textbf{Rendezvous points and location-protected servers:} Tor
provides an integrated mechanism for responder-anonymity provides an integrated mechanism for responder-anonymity
location-protected servers. [XXX say more.] location-protected servers. Previous Onion Routing designs included
[XXX Mention that reply onions are out because they're brittle don't give PFS.] long-lived ``reply onions'' which could be used to build virtual
circuits towards a hidden server, but this design is vulnerable to
flooding attacks, and is incompatible with forward security. In Tor's
current design, clients use {\it introduction points} to negotiate {\it
rendezvous points} to connect with hidden servers, and reply onions
are no longer required.
\end{tightlist} \end{tightlist}
[XXX carefully mention implementation, emphasizing that experience [XXX carefully mention implementation, emphasizing that experience
@ -318,7 +339,7 @@ data stream. Crowds is also designed only for HTTP traffic.
Hordes \cite{hordes-jcs} is based on Crowds but also uses multicast Hordes \cite{hordes-jcs} is based on Crowds but also uses multicast
responses to hide the initiator. Herbivore \cite{herbivore} and responses to hide the initiator. Herbivore \cite{herbivore} and
P5 \cite{p5} go even further requiring broadcast. P5 \cite{p5} go even further requiring broadcast.
They each use broadcast in very different ways, and tradeoffs are made to They each use broadcast in different ways, and tradeoffs are made to
make broadcast more practical. Both Herbivore and P5 are designed primarily make broadcast more practical. Both Herbivore and P5 are designed primarily
for communication between communicating peers, although Herbivore for communication between communicating peers, although Herbivore
permits external connections by requesting a peer to serve as a proxy. permits external connections by requesting a peer to serve as a proxy.
@ -847,7 +868,7 @@ mail locally. Further, most organizations have specific hosts that will
deliver mail on behalf of certain IP ranges; Tor operators must be aware deliver mail on behalf of certain IP ranges; Tor operators must be aware
of these hosts and consider putting them in the Tor exit policy. of these hosts and consider putting them in the Tor exit policy.
The abuse issues on closed (e.g. military) networks are very different The abuse issues on closed (e.g. military) networks are different
from the abuse on open networks like the Internet. While these IP-based from the abuse on open networks like the Internet. While these IP-based
access controls are still commonplace on the Internet, on closed networks, access controls are still commonplace on the Internet, on closed networks,
nearly all participants will be honest, and end-to-end authentication nearly all participants will be honest, and end-to-end authentication
@ -855,7 +876,7 @@ can be assumed for anything important.
Tor is harder than minion because tcp doesn't include an abuse Tor is harder than minion because tcp doesn't include an abuse
address. you could reach inside the http stream and change the agent address. you could reach inside the http stream and change the agent
or something, but that's a very specific case and probably won't help or something, but that's a specific case and probably won't help
much anyway. much anyway.
And volunteer nodes don't resolve to anonymizer.mit.edu so it never And volunteer nodes don't resolve to anonymizer.mit.edu so it never
even occurs to people that it wasn't you. even occurs to people that it wasn't you.
@ -872,7 +893,7 @@ without just making the whole network wide open.
even limiting most nodes to allow http, ssh, and aim to exit and reject even limiting most nodes to allow http, ssh, and aim to exit and reject
all other stuff is sketchy, because plenty of abuse can happen over all other stuff is sketchy, because plenty of abuse can happen over
port 80. but it's a very good start, because it blocks most things, port 80. but it's a good start, because it blocks most things,
and because people are more used to the concept of port 80 abuse not and because people are more used to the concept of port 80 abuse not
coming from the machine's owner. coming from the machine's owner.
@ -1312,14 +1333,14 @@ deploying a wider network. We will see what happens!
% 'mix', 'mixes' (as noun) % 'mix', 'mixes' (as noun)
% 'mix-net' % 'mix-net'
% 'mix', 'mixing' (as verb) % 'mix', 'mixing' (as verb)
% 'Mixminion Project'
% 'Mixminion' (meaning the protocol suite or the network)
% 'Mixmaster' (meaning the protocol suite or the network)
% 'middleman' [Not with a hyphen; the hyphen has been optional % 'middleman' [Not with a hyphen; the hyphen has been optional
% since Middle English.] % since Middle English.]
% 'nymserver' % 'nymserver'
% 'Cypherpunk', 'Cypherpunks', 'Cypherpunk remailer' % 'Cypherpunk', 'Cypherpunks', 'Cypherpunk remailer'
% 'Onion Routing design', 'onion router' [note capitalization] % 'Onion Routing design', 'onion router' [note capitalization]
% 'SOCKS'
% %
% 'Whenever you are tempted to write 'Very', write 'Damn' instead, so %
% your editor will take it out for you.' -- Misquoted from Mark Twain % 'Substitute ``Damn'' every time you're inclined to write ``very;'' your
% editor will delete it and the writing will be just as it should be.'
% -- Mark Twain