Onion Routing Averts Prying EyesBy Ann Harrison
Story location: http://www.wired.com/news/privacy/0,1848,64464,00.html
02:00 AM Aug. 05, 2004 PT
Computer programmers are modifying a communications system, originally developed by the U.S. Naval Research Lab, to help Internet users surf the Web anonymously and shield their online activities from corporate or government eyes.
The system is based on a concept called onion routing. It works like this: Messages, or packets of information, are sent through a distributed network of randomly selected servers, or nodes, each of which knows only its predecessor and successor. Messages flowing through this network are unwrapped by a symmetric encryption key at each server that peels off one layer and reveals instructions for the next downstream node.
In contrast, messages traveling across the Internet are generally not encrypted, and the path of a message can be seen easily, linking users to activities like website visits.
The Navy is financing the development of a second-generation onion-routing system called Tor, which addresses many of the flaws in the original design and makes it easier to use. The Tor client behaves like a SOCKS proxy (a common protocol for developing secure communication services), allowing applications like Mozilla, SSH and FTP clients to talk directly to Tor and route data streams through a network of onion routers, without long delays.
Onion routing does not guarantee perfect anonymity. But it helps protect users from eavesdroppers who aren't watching both the initiator and recipient of the message at the time of the transaction. Developers say Tor can be used to prevent websites from tracking their users; block governments from collecting lists of website visitors; protect whistleblowers; and circumvent local censorship by employers, ISPs or schools that restrict access to certain online services.
The Navy is financing Tor because it wants to hide the identity of government employees who have long used anonymous communications systems for intelligence gathering and politically sensitive negotiations.
"The point of the Tor system is to spread the traffic over multiple points of control so that no one person or company has the ability to link people," said programmer Roger Dingledine. Dingledine and Nick Mathewson, both based in Boston, are building Tor as a research platform with a worldwide community of open-source software developers.
Their goal is to blend together a wide range of users and avoid the weakness of many anonymizing services that are located on a handful of machines and vulnerable to a single point of failure.
Companies could also use Tor for discreet competitive research, said Dingledine, or to route their employees' Web browsing so employment sites like Monster can't determine which of them are trolling for a job. "Plenty of people don't want their source IP listed in Web logs, especially .mil or .gov visitors," said Dingledine.
The security of the Tor service is proportional to the number of nodes in the system. Tor is slowly scaling and looking for tens of thousands of participants who can provide enough nodes to prevent the service from being compromised by what the project website describes as "curious telcos and brute-force attacks."
"The current Tor version very effectively builds on 20 years of development in anonymous designs," said cryptographer David Chaum, whose 1981 paper on untraceable e-mail, return addresses and digital pseudonyms set the groundwork for the Tor service.
Tor is distributed as free software under the commonly used 3-clause BSD license. About 1,000 users (it's an anonymous network, so developers aren't exactly sure) are running the service in client or server mode.
The Tor network currently includes 35 servers that forward each data stream at least three times. Each server averages 10 Kbps of bandwidth. Those with reliable Internet connections, who can support at least 1 Mbps in both directions, are being recruited as potential servers in the network.
Users are permitted to operate an unrestricted number of nodes. But Dingledine pointed out that a well-funded adversary could sign up for a large number of servers and potentially take over the network.
Those who want to operate Tor routers must therefore convince the Tor directory server operators that they are trustworthy and reliable. Dingledine said developers are trying to find ways to scale the system without having to have a human check the integrity of every new server that becomes part of the network.
Dingeldine said the developers of another online anonymity project, called JAP, were forced by the German government to insert a backdoor into the program and were barred from revealing it. If anyone insisted on similar measures for Tor, Dingledine said the community of open-source developers who analyze source-code changes for each Tor revision would expose it -- as they did with JAP.
"The reason Tor works is that it's free and available software," said Dingledine. "If it was a closed source or a proprietary system, there is no way to know."