Anonymity service Tor: Better encryption "Counter Galois Onion"

The Tor Project is working on a new encryption for Tor circuit traffic. It will be named "Counter Galois Onion" (CGO) and is intended to prevent some attacks.

The changes affect the encryption of Tor relays. This relies on TLS for communication encryption between relays and between clients and relays. However, a special algorithm is needed to encrypt user data while it travels through multiple relays in a circuit. Tor refers to this as relay encryption. "The client shares a symmetric key with each relay in its circuit and encrypts an outgoing message or 'relay cell' with each of these keys. Each relay can remove a single layer of encryption until the client's cell reaches the exit relay," write the developers.

On its way through the circuit, Tor must ensure that the data is not altered on its way from the client. In the old design for verification, there are some flaws that enable attacks, such as so-called "tagging attacks." Malicious actors can thus track traffic in the onion network. They can also ensure that they control both ends of a circuit and selectively route and deanonymize traffic. While higher error rates generated by these attacks can be detected by clients, DDoS attacks on Tor, for example, lead to false alarms. Tor developers consider this attack particularly important and want to prevent it with the new CGO.

Less important problems that CGO solves

With CGO, the programmers also want to solve less serious problems. On the one hand, it's about forward secrecy, i.e., preventing past sessions from being decrypted in the future. The old Tor design uses the same AES key for the entire lifetime of a circuit. If the key is lost during the lifetime of a circuit, the entire session can be decrypted with it. "If the lifetime of a circuit is only a few minutes, that's not a big deal, but sometimes circuits last for days," explains the Tor Project. Long-lived circuits are therefore actually better for anonymity, which is why it's a good idea to use them more. Another problem is a 4-byte digest for authenticating a cell. In addition, SHA-1 is used here as well – "which at least shows its age," according to the authors.

All of this is now to be solved by the Counter Galois Onion algorithm (Specification). The Tor developers summarize concisely that CGO ensures that the complete message and all future messages become unrecoverable if any parts of the encrypted data are altered. The Tor maintainers present the GCO crypto algorithm in a paper. Interested parties can find more detailed information in the associated Blog post on the Tor Project page.

The implementation is well underway, assure the Tor programmers. They have already written CGO for Arti, a Tor implementation in Rust. An implementation also exists in C, and the Arti project is still "work in progress" and unfinished. As next steps, they want to enable CGO by default in Arti and implement CGO negotiation for onion services – due to the complexity, the feature might remain exclusive to Arti. They also want to optimize performance for modern processors.

(dmk)