The history of the darknet: Tor (onion routing) and its underlying principles and techniques

Onion routing gave birth to the dark web

In 1995, scientists at the US Naval Research Laboratory began developing an anonymity system to prevent people from being traced on the Internet. Because data in this system is protected by successive layers of encryption, the technique was named "onion routing".

The technology was originally funded by the US Office of Naval Research and the Defense Advanced Research Projects Agency (DARPA). Early development was led by Paul Syverson, Michael Reed and David Goldschlag, all three of them mathematicians and computer systems researchers working for the US military.

The original purpose of onion routing was not to protect privacy, or at least not the "privacy" most people have in mind; its purpose was to keep intelligence personnel's online activities from being monitored by hostile countries. As a 1997 paper from the US Naval Research Laboratory put it: "As military-grade communications equipment increasingly relies on public communications networks, it becomes very important to avoid traffic analysis when using public communications infrastructure. In addition, the anonymity of communications is also very necessary."

Initial progress on the project was slow. By 2002, Paul Syverson of the Naval Research Laboratory remained on the project, and two MIT graduates, Roger Dingledine and Nick Mathewson, joined it. Neither of them was a regular employee of the Naval Research Laboratory; they were brought in as contractors under the DARPA and Naval Research Laboratory high-reliability computing program. Over the following years, these three developed a new version of the onion router, which later became Tor (The Onion Router).

There are two accounts of how Tor moved from the military to civilian use. The first is that the researchers realized that if only the US government used the system, using it would be tantamount to announcing one's identity; true hiding requires that others use the system as well. Tor therefore released a version for the general public and let everyone run Tor nodes, so that the traffic of government intelligence personnel could be mixed with the traffic of volunteers. The second is that the US Naval Research Laboratory, short of funds, ended its financial support for Tor and opened it up. Later, an organization called the Electronic Frontier Foundation (EFF) took over Tor's subsequent research, development and support.

Whatever the reason, the Tor-based dark web has existed since then and keeps growing. Because of Tor's anonymity, it quickly gained popularity among dissidents, journalists, students, company employees and others, who could express their opinions on the dark web without fear of retaliation. The same anonymity also quickly made the dark web a hotbed of drugs, guns and illegal sex trade. Numerous trading sites emerged on the dark web, such as Agora, Silk Road and Evolution, selling guns, drugs, prohibited substances, stolen identities and pornographic material, offering hackers and even killers for hire, and trading in human trafficking, live-streamed killings and many other illegal transactions. Some trading sites use Bitcoin, which keeps them outside traditional financial channels, and, like the trading platforms we commonly use, buyers and sellers can rate each other and even offer after-sales service. Today Tor relay nodes are spread all over the world and nearly 50 million people download Tor every year, so that even the inventor of Tor has admitted that he cannot destroy it.

How does Tor achieve anonymity?

Tor's official website briefly explains how Tor works: Tor is a three-hop proxy. The Tor client first contacts a directory server to obtain information about all active relay nodes, then randomly selects three of them to form a circuit. User traffic passes through these three nodes (hops) and finally reaches the target website.

There are two kinds of entities in the Tor network: users and relay nodes. When a user needs to access the network anonymously, the client first contacts a directory server to obtain information about Tor relay nodes around the world, including IP addresses, public keys, exit policies, bandwidth and uptime. It then randomly selects three nodes to form a circuit: the entry node, the middle node and the exit node. While building the circuit, the user negotiates a shared session key with each relay node, and then sends layer-by-layer encrypted information into the circuit. Each node decrypts one layer and forwards the result to the next node. In this way, only the entry node among the relays knows the identity of the initiator of the communication. The middle node knows the identities of the entry and exit nodes in the circuit, but not those of the initiator or the recipient of the anonymous communication. The exit node acts as the gateway for application-layer connections between the Tor network and the external Internet, relaying between encrypted Tor traffic and unencrypted Internet traffic, and so it knows the identity of the recipient. Under this design, no single node in the circuit knows the complete picture, which is what achieves anonymous communication.

How Tor works

Specifically, when the user starts Tor, the Tor client runs an Onion Proxy (OP) on the local machine, which contacts a directory server to obtain the global relay node information. The OP then randomly selects three nodes to form a circuit and negotiates a session key with each one separately. Each layer of the message is encrypted once with one of these keys, so the message leaves the client triple-encrypted and only the exit node can see the plaintext. Once the circuit is confirmed established, the client starts sending the real user traffic.

In addition, to strengthen security, Tor re-selects three nodes every ten minutes to resist traffic analysis and honeypot nodes.
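The layered encryption described above, as an added example that is not Tor's own code or cell format: a toy three-hop onion in which a SHA-256 counter-mode keystream stands in for the AES-CTR Tor really uses. Session keys are constructed rather than negotiated, and the demo records which hop each relay learns.

```python
"""Toy three-hop onion (added example, not Tor's real cell format or cipher).
The point is to show which relay can read which layer, not the cryptography."""
import hashlib
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demo-only stream cipher: SHA-256 in counter mode (never use in production).
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(8)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

def decrypt_layer(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:8], ciphertext[8:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))

def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    # circuit: [(name, session_key)] for (guard, middle, exit). The client wraps the
    # payload innermost-first; each layer carries only the name of the next hop.
    cell = payload
    for i in reversed(range(len(circuit))):
        next_hop = circuit[i + 1][0] if i + 1 < len(circuit) else destination
        cell = encrypt_layer(circuit[i][1], next_hop.encode() + b"|" + cell)
    return cell

def relay(session_key: bytes, cell: bytes):
    # A relay peels exactly one layer: it learns the next hop and nothing inside it.
    next_hop, inner = decrypt_layer(session_key, cell).split(b"|", 1)
    return next_hop.decode(), inner

def run_circuit(circuit, destination: str, payload: bytes):
    # Returns what each relay learned (previous hop, next hop) and what the exit forwards.
    cell, learned, prev = build_onion(circuit, destination, payload), {}, "client"
    for name, key in circuit:
        next_hop, cell = relay(key, cell)
        learned[name] = (prev, next_hop)
        prev = name
    return learned, cell

def demo():
    # Session keys are negotiated per hop during circuit setup; here they are constructed.
    circuit = [(n, secrets.token_bytes(16)) for n in ("guard", "middle", "exit")]
    return run_circuit(circuit, "example.com:80", b"GET / HTTP/1.0")
```

Only the exit's entry in the returned dictionary names the destination, and only the guard's names the client; the middle relay sees neither.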

A careful look at this process reveals a problem. Since the exit node can see the plaintext, the process only guarantees that an attacker cannot learn both who the user is and what they access, that is, it guarantees the user's anonymity only when accessing the surface web. For dark web sites that want to hide their own IP address, this method does not work, because the exit node knows both the user's request and the server's IP address. So how can a user visit a dark web site anonymously while the site's IP remains hidden?

Unlike the surface web, where the target website's IP address is obtained from its URL through domain name resolution, the server IP address of a dark web site must not be exposed. The dark web instead has a distributed hash table with a DNS-like function that stores information about sites. To build a site on the dark web, the server first randomly selects a few introduction points and establishes a circuit with each of them, in essentially the way described above, so the introduction points do not learn the server's real IP. The server then assembles a descriptor containing its public key and a summary of each introduction point, signs it with its private key, and uploads the descriptor to the distributed hash table; the site is now established. The site's domain name is a 16-character string derived from the public key, under the top-level domain .onion.

When someone wants to visit a dark web site, they enter the URL in the Tor browser, and the OP connects to the distributed hash table through a circuit and queries the descriptor for the target URL. It then randomly selects a node as the rendezvous point and generates a random one-time cookie. The OP encrypts the cookie and the rendezvous point's IP with the site's public key and sends the ciphertext to an introduction point, which relays it back to the server through the server's Tor circuit. The server decrypts the message with its private key, obtains the rendezvous point IP and the cookie, connects to the rendezvous point through its own Tor circuit and presents the cookie. When the user receives the matching cookie, they know a connection to the site has been established and begin the actual visit. In the end there are six relay nodes between the user and the darknet server: the user's entry node, middle node, the rendezvous point, and the server's exit node, middle node and entry node. In this way, the user's anonymous access and the hiding of the server's IP are guaranteed at the same time.
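The publication and rendezvous steps described above, simulated as an added example (not Tor's code): a v2-style .onion name derived from the public key, a self-certifying descriptor check, and a rendezvous point that splices two circuits only on a matching one-time cookie. The introduce message, which is really encrypted to the service's public key and relayed through an introduction point, is handed over directly here as a labelled stand-in, and the key bytes are constructed.

```python
"""Simulated hidden-service publication and rendezvous (added example, not Tor's code).
The introduce message is handed over directly instead of being encrypted and relayed."""
import base64
import hashlib
import secrets

def onion_address(public_key: bytes) -> str:
    # v2-style name: first 80 bits of SHA-1(public key), base32 -> 16 characters.
    digest = hashlib.sha1(public_key).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"

def verify_descriptor(address: str, descriptor: dict) -> bool:
    # Self-certifying: a descriptor whose key does not derive the typed address is
    # rejected, so a directory node cannot substitute its own key for the service's.
    return onion_address(descriptor["public_key"]) == address

class RendezvousPoint:
    """Splices a client circuit to a service circuit only on a matching one-time cookie."""
    def __init__(self):
        self.waiting = {}                      # cookie -> client circuit id

    def establish(self, cookie: bytes, client_circuit: str) -> None:
        self.waiting[cookie] = client_circuit

    def rendezvous(self, cookie: bytes, service_circuit: str):
        client_circuit = self.waiting.pop(cookie, None)   # each cookie is usable once
        return None if client_circuit is None else (client_circuit, service_circuit)

def demo() -> dict:
    directory = {}                             # stand-in for the distributed hash table
    service_key = secrets.token_bytes(32)      # constructed stand-in for a public key
    address = onion_address(service_key)
    directory[address] = {"public_key": service_key, "introduction_points": ["intro-A", "intro-B"]}

    # Client: fetch and check the descriptor, then pick a rendezvous point and a cookie.
    descriptor = directory[address]
    verified = verify_descriptor(address, descriptor)
    rp, cookie = RendezvousPoint(), secrets.token_bytes(20)
    rp.establish(cookie, "client-circuit-1")
    introduce = {"rendezvous_point": rp, "cookie": cookie, "via": descriptor["introduction_points"][0]}

    # Service: receive the introduce message and connect to the named rendezvous point.
    spliced = introduce["rendezvous_point"].rendezvous(introduce["cookie"], "service-circuit-7")
    replayed = introduce["rendezvous_point"].rendezvous(introduce["cookie"], "service-circuit-8")
    forged = verify_descriptor(address, {"public_key": secrets.token_bytes(32)})
    return {"address": address, "verified": verified, "spliced": spliced,
            "replayed": replayed, "forged_accepted": forged}
```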

Is Tor really safe?

Tor's researchers realized early on that more users would bring better anonymity, so usability and deployability were important goals from the start of Tor's design. They held that Tor should not require users to modify any applications, perform complex system configuration, or modify their operating systems. In the end, Tor did become multi-platform, simply configured software, so using it is not complicated. The Tor network is accessed with the Tor software provided by The Tor Project: Tor itself is the core, and Vidalia is a graphical front end used with Tor to make it easier to use.

But is Tor really absolutely safe? This is probably a concern for every Tor user. First of all, Tor is open source. Anyone can check whether Tor contains a backdoor, and no backdoor has been reported so far, but this only shows that Tor is not "intentionally unsafe."

At the USENIX Security Symposium in 2015, researchers from the Massachusetts Institute of Technology and the Qatar Computing Research Institute reported that by analyzing encrypted traffic passing through a computer they operated as a volunteer Tor relay, an attacker could infer the location of a hidden server or identify a specific Tor user from the traffic source. While a circuit is being established, the computers in the Tor network exchange data back and forth in large quantities, and the researchers found that a guard node can easily observe the flow of packets in both directions. Using machine learning algorithms, they could distinguish with 99% accuracy whether a circuit was an ordinary web-browsing circuit, an introduction-point circuit or a rendezvous-point circuit. In addition, by using their own Tor computer to connect to a series of different hidden services and applying the same traffic analysis, they could identify those services with 88% accuracy. This means that when a lucky attacker becomes the guard of a hidden service, it can be 88% sure which host is that hidden service. If an ordinary browser is used instead of the Tor browser, this accuracy can even rise above 99%.

The results of the study also confirmed the view of the EFF (Electronic Frontier Foundation): at the cryptographic level Tor cannot be broken, and the most likely attack methods are exploiting browser vulnerabilities, side-channel attacks, user misconfiguration and traffic correlation attacks. At the same time, the EFF admits that if someone can observe traffic on both ends of a connection at the same time, statistical methods can confirm that it is your traffic. Moreover, Tor's threat model was designed around a single untrustworthy node; when one organization controls enough nodes, Tor's anonymity is greatly reduced. Thus in 2011, in a discussion about Tor's security, Tor developer Mike Perry admitted that Tor was not very effective against powerful, organized attackers (that is, governments) able to monitor large amounts of Internet traffic.

Even in theory, Tor only protects the user's anonymity, not the security of the user's data. The exit node is a major hazard: the user's packets have to reach the Internet through the exit node, and in the Tor network the user does not control the exit node, so user traffic can easily be snooped there without the user's knowledge. Swedish security researcher Chloe tested Tor exit nodes with a honeypot website and confirmed that information was indeed being stolen at exit nodes.

Therefore, it is impossible to hide one's identity absolutely on the dark web. The recent capture of the founder of the infamous "Silk Road" is a good example.

Besides, while technical problems have cast doubt on Tor's security, Tor's origin as a military project has also led some people to believe that Tor's anonymity is an illusion.

According to foreign media reports, after the Tor project was handed over by the US military, it continued to receive official support through funding from various related agencies and government contracts. Among them, the Pentagon's description of the project it funded reads: "This is a basic and applied research project in naval command, control, communications, computers, intelligence and surveillance."

In 2013, The Washington Post reported that the NSA had mastered several methods of breaking the anonymity of the Tor network. The report said that "according to a research paper called 'Tor', since 2006 the NSA has been studying different ways to break anonymous traffic. For example, one of them uses changes in the network speed of Tor users to analyze and identify them. From the NSA files leaked by Snowden, the NSA appears to have mastered several methods and is 'more confident'."

In fact, US law enforcement agencies have caught many cybercriminals who used the Tor network. One of the most typical examples is Harvard student Eldo Kim, arrested at the end of 2013 for sending bomb threats over the Tor network. Perhaps under Snowden's influence, Kim overestimated Tor's "stealth" ability and sent a false bomb threat through Tor in an attempt to postpone a final exam, but FBI agents quickly found him. Also in 2013, US law enforcement took down the child pornography host Freedom Hosting, which ran on the Tor network, and the online black market Silk Road, and in 2014 took down Silk Road 2.0. These incidents also show that Tor is not absolutely safe. In general, there is no absolutely safe system in this world!

Tor safety precautions

1. Make sure Tor is configured correctly.

Correct configuration of Tor is the basis for safe use of the dark web.

2. Update regularly.

Like any other software, Tor has bugs, so it needs to be updated regularly to fix them.

3. Use HTTPS.

Add end-to-end encryption on top of Tor; the most useful protocol for this is generally HTTPS. The Tor browser supports HTTPS by default. Check that the HTTPS indicator is green before sending any sensitive information.

4. Use anonymous services.

You can also improve your safety by using websites and services that do not log activity. For example, a service like DuckDuckGo retains no information about you. For private conversations, you can also use the encrypted chat function of Cryptocat.

5. Avoid transmitting personal information.

The safest way to avoid leaking personal information is not to send it while using Tor.

6. Avoid logging in.

For the same reason as the previous point, try to avoid websites that require you to log in.

Issues that need attention

1. Do not use Tor for P2P applications such as BitTorrent downloads. Legality aside, Tor's relay nodes are run by volunteers on their own servers and network bandwidth, and pushing huge amounts of data through Tor degrades the service for everyone.

2. Don't use Tor to send spam.

Tor's encryption can be used to send anonymous email. Please do not use it to send spam, which causes trouble for others.

3. Don't use Tor to conduct malicious attacks.

Because of its encryption and layer-by-layer forwarding, attacks launched through Tor are hard to trace. So that Tor can keep providing its service, please do not use it for such illegal activities. Of course, Tor's design also takes these issues into account: traffic with the above characteristics is likely to be filtered out inside the Tor network, for example by relays' exit policies, and never sent to the external network.

4. Stay away from the dark web.

References: "Focus on the Internet", Dark Web Development: The Story of Tor (Onion Routing)

From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author; please do not reproduce without permission.
