Onion Routing

From Computing and Software Wiki

Revision as of 16:23, 3 April 2009 by Stallaj (Talk)

(diff) ← Older revision | Current revision (diff) | Newer revision → (diff)

Onion Routing provides a way for two computers to communicate on a network anonymously. Onion routing focuses on hiding the source and destination addresses of a packet, rather than the contents of the packet 1. In order for this to work, a message is encrypted and placed inside an 'onion'. The intermediate nodes along the path, called onion routers, decrypt (peel off a layer) of the onion to reveal the next router along the path to receive the onion. Onion routing runs on top of TCP 1.

Onions

Onions are created by the sender of a message, who first determines the network path it wishes to send a message. Onions rely on Public Key Technology, where each router on the path has its own public key. The sender encrypts the message multiple times with the public keys of each of the intermediate routers. Starting with the public key of the last router on the path, and continually encrypting the message with the previous router's public key. The final message to be sent is encrypted with the public key of the first router in the path.

The concept of the onion data structure is based on the idea of 'peeling off' layers of the onion at each intermediate node to reveal information for that specific node. The first router on the path decrypts the onion with its private key, which reveals the address of the second router on the path, and then sends the message to that address. The newly 'peeled off' onion can now be decrypted by the router two with its private key. This process is continued until the final onion router receives the encrypted message, decrypts it with its private key to reveal the intended message encrypted by the sender. This message is finally sent to the recipient.

Anonymous Communication

Once decrypted, each layer of the onion contains only the address of the next router. This way each router along the path knows only the previous hop and next hop addresses. Further, no router along the path, except the final router, knows the destination address of the packet.

Traffic Analysis

In order to make it difficult for an observer to trace an onion's path, each onion router can perform timing alterations for outgoing onions. This strategy has each intermediate router wait a pseudo-random amount of time before sending out an onion. This way it makes it difficult for an observer tell which onion coming into a router corresponds to which onion going out. Another measure for protecting against traffic analysis is to pad each onion with random data to make each onion have the same size. This makes distinguishing between different onions difficult.

Onion routers can protect against traffic analysis.

Eavesdropping

>>>"Plus, as the entire onion is decrypted at each router, there is no correspondence on the data layer between an onion entering a router and an onion leaving the router. This means that an outside observer who sees the onion for a specific message enter a node does not know which of the onions leaving that node corresponds to that same message" <<< 1.