nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 21:23:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
c42d928b30
tor/doc/tor-design.tex
Roger Dingledine e826873ac6 another todo item, a half-written tor-design intro 
svn:r543
2003-10-07 15:59:30 +00:00

224 lines
6.9 KiB
TeX
Raw Blame History

\documentclass[times,10pt,twocolumn]{article}
\usepackage{latex8}
\usepackage{times}
\usepackage{url}
\usepackage{graphics}
\usepackage{amsmath}
\pagestyle{empty}
\renewcommand\url{\begingroup \def\UrlLeft{<}\def\UrlRight{>}\urlstyle{tt}\Url}
\newcommand\emailaddr{\begingroup \def\UrlLeft{<}\def\UrlRight{>}\urlstyle{tt}\Url}
% If an URL ends up with '%'s in it, that's because the line *in the .bib/.tex
% file* is too long, so break it there (it doesn't matter if the next line is
% indented with spaces). -DH
%\newif\ifpdf
%\ifx\pdfoutput\undefined
% \pdffalse
%\else
% \pdfoutput=1
% \pdftrue
%\fi
\begin{document}
%% Use dvipdfm instead. --DH
%\ifpdf
% \pdfcompresslevel=9
% \pdfpagewidth=\the\paperwidth
% \pdfpageheight=\the\paperheight
%\fi
\title{Tor: Design of a Next-generation Onion Router}
\author{Roger Dingledine \\ The Free Haven Project \\ arma@freehaven.net \and
Nick Mathewson \\ The Free Haven Project \\ nickm@freehaven.net \and
Paul Syverson \\ Naval Research Lab \\ syverson@itd.nrl.navy.mil}
\maketitle
\thispagestyle{empty}
\begin{abstract}
We present Tor, a connection-based low-latency anonymous communication
system which addresses many flaws in the original onion routing design.
Tor works in a real-world Internet environment,
requires little synchronization or coordination between nodes, and
protects against known anonymity-breaking attacks as well
as or better than other systems with similar design parameters.
\end{abstract}
%\begin{center}
%\textbf{Keywords:} anonymity, peer-to-peer, remailer, nymserver, reply block
%\end{center}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\Section{Overview}
\label{sec:intro}
Onion routing is a distributed overlay network designed to anonymize
low-latency TCP-based applications such as web browsing, secure
shell, and instant messaging. Users choose a path through the
network and build a \emph{virtual circuit}, in which each node in
the path knows its predecessor and successor, but no others. Traffic
flowing down the circuit is unwrapped by a symmetric key at each
node which reveals the downstream node. The original onion routing
project published several design and analysis papers several years
ago \cite{or-journal,or-discex,or-ih,or-pet}, but because the only
implementation was a fragile proof-of-concept that ran on a single
machine, many critical design and deployment issues were not considered
or addressed. Here we describe Tor, a protocol for asynchronous, loosely
federated onion routers that provides the following improvements over
the old onion routing design:
\begin{itemize}
\item \textbf{Applications talk to the onion proxy via Socks:}
The original onion routing design required a separate proxy for each
supported application protocol, resulting in a lot of extra code (most
of which was never written) and also meaning that a lot of TCP-based
applications were not supported. Tor uses the unified and standard Socks
\cite{socks4,socks5} interface, allowing us to support any TCP-based
program without modification.
\item \textbf{No mixing or traffic shaping:} The original onion routing
design called for full link padding both between onion routers and between
onion proxies (that is, users) and onion routers \cite{or-journal}. The
later analysis paper \cite{or-pet} suggested \emph{traffic shaping}
schemes that would provide similar protection but use less bandwidth,
but did not go into detail. However, recent research \cite{econymics}
and deployment experience \cite{freedom2-arch} indicate that this level
of resource use is not practical or economical, especially if.
\item \textbf{Directory servers:} Traditional link state
\item \textbf{Congestion control:} Traditional flow control solutions
Our decentralized ack-based congestion control
allows nodes at the edges of the network to detect incidental congestion
or flooding attacks and send less data until the congestion subsides.
\item \textbf{Forward security:}
\item \textbf{Many applications can share one circuit:}
leaky pipes
\item \textbf{End-to-end integrity checking:}
\item \textbf{Robustness to node failure:} router twins
\item \textbf{Exit policies:}
Tor provides a consistent mechanism for each node to specify and
advertise an exit policy.
\item \textbf{Rendezvous points:}
location-protected servers
\end{itemize}
We review mixes and mix-nets in Section \ref{sec:background},
describe our goals and assumptions in Section \ref{sec:assumptions},
and then address the above list of improvements in Sections
\ref{sec:design}-\ref{sec:nymservers}. We then summarize how our design
stands up to known attacks, and conclude with a list of open problems.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\Section{Threat model and background}
\label{sec:background}
anonymizer
pipenet
freedom
onion routing
isdn-mixes
crowds
real-time mixes, web mixes
anonnet (marc rennhard's stuff)
morphmix
P5
gnunet
rewebbers
tarzan
herbivore
\SubSection{Known attacks against low-latency anonymity systems}
We discuss each of these attacks in more detail below, along with the
aspects of the Tor design that provide defense. We provide a summary
of the attacks and our defenses against them in Section \ref{sec:attacks}.
\Section{Design goals and assumptions}
\label{sec:assumptions}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\Section{The Tor Design}
\label{sec:design}
\Section{Other design decisions}
\SubSection{Exit policies and abuse}
\label{subsec:exitpolicies}
\SubSection{Directory Servers}
\label{subsec:dir-servers}
\Section{Rendezvous points: pseudonyms with responder anonymity}
\label{sec:rendezvous}
\Section{Maintaining anonymity sets}
\label{sec:maintaining-anonymity}
\SubSection{Using a circuit many times}
\label{subsec:many-messages}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\Section{Attacks and Defenses}
\label{sec:attacks}
Below we summarize a variety of attacks and how well our design withstands
them.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\Section{Future Directions and Open Problems}
\label{sec:conclusion}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\Section{Acknowledgments}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\bibliographystyle{latex8}
\bibliography{minion-design}
\end{document}
% Style guide:
% U.S. spelling
% avoid contractions (it's, can't, etc.)
% 'mix', 'mixes' (as noun)
% 'mix-net'
% 'mix', 'mixing' (as verb)
% 'Mixminion Project'
% 'Mixminion' (meaning the protocol suite or the network)
% 'Mixmaster' (meaning the protocol suite or the network)
% 'middleman' [Not with a hyphen; the hyphen has been optional
% since Middle English.]
% 'nymserver'
% 'Cypherpunk', 'Cypherpunks', 'Cypherpunk remailer'
%
% 'Whenever you are tempted to write 'Very', write 'Damn' instead, so
% your editor will take it out for you.' -- Misquoted from Mark Twain
Reference in New Issue View Git Blame Copy Permalink