Clothes with clasps
Author: Pavel Protasov. Published in Computerra magazine #7, February 24, 2005.
Privacy and anonymity on the web are not only for hooligans and spammers; law-abiding citizens can need them too. Today we will talk about one of the most interesting and effective programs that provide such anonymity.
First there was the “onion”…
The Onion Routing project, the precursor of Tor (it could be argued that Tor is in fact Onion Routing as it was originally conceived), aimed to create a distributed network of routers able to carry encrypted user data. Initially, however, it was limited to a prototype network running on one of the computers at the U.S. Navy’s research laboratory in Washington, which anyone was free to test. Tor was later developed with the support of the Electronic Frontier Foundation, and some improvements were made along the way: a different way of forming the secure communication channel, protection of the transmitted data against tampering, and so on.
Tor is distributed freely and works in both client and server mode: anyone who downloads the software can run their own onion router. Of course, such an approach to building the network carries the risk of attracting all sorts of attackers and plain hooligans who intend to steal other people’s data as it passes through their server; after all, to set up a server one only has to edit the configuration file and e-mail one’s intention to join the network in order to be added to the list of servers. But, as we will see below, this problem is dealt with.
The main idea of Onion Routing is to pass data from the client computer to the server through a secure communication channel in which each link knows only its neighbours in the chain, the ones it exchanges information with directly. Asymmetric cryptography is used in the transmission, and each packet is encrypted with the public key of every server it passes through.
Hence the name “Onion Routing”: every data packet, like the “clothes” on an onion, is wrapped in “encryption layers” made with the servers’ keys. Even if one could believe that a single “layer” of this onion can be decrypted in real time, doing the same with several of them in any foreseeable time is definitely out of the question.
Strip technology
Tor can be used to establish secure communication channels between any programs that talk to each other over TCP; UDP is not supported. By default it works with ports 80 (HTTP) and 443 (HTTPS), but any other port can be set in the configuration file. In the Windows version the configuration file is located in the directory C:\Documents and Settings\<user name>\Application Data\Tor. Accordingly, any TCP application, from an ordinary web browser to an ICQ or IRC client, can have its traffic routed through the program.
A network of onion routers consists of regular servers that transmit data and a certification server that stores a “snapshot” of the servers’ public keys. On first startup the client application connects to the certification server, where the data about the routers and their key fingerprints is kept. Having read and stored this data, the client starts forming a communication channel; by default the channel consists of three nodes. Encrypted user data is transmitted over it.
The first router in the chain (the so-called “entry”) is the one the client application talks to, sending data to it and receiving data from it directly. The last (the “exit”) communicates with the server whose data the user needs, and that communication is unencrypted (with the “default” settings, an ordinary HTTP server).
To form a channel, the client software must first obtain from each node its public “identity key”, which is used to verify the server’s identity. By comparing the key with the snapshot downloaded during the first run, the client makes sure that the server is indeed who it claims to be (or is not). It then decides to use the server as one of the channel nodes (or rejects it and looks for another). Once enough nodes have been gathered, each of them generates its own key pair to be used exclusively within the given communication session; the client program does the same. After public keys have been exchanged with all the servers, the channel can be considered formed.
Tor then receives from a client program (a browser, for example) the data to be sent to the network and forms special packets of 512 bytes each, so that the volume of outgoing data makes it impossible to tell which application is running. Users of ICQ and lovers of chat rooms have reason to be unhappy with this approach, since their traffic will grow considerably. But anonymity demands sacrifice.
The data packet is then encrypted with the public keys of all the servers making up the chain, in order from the furthest in the chain to the closest, so that the last key applied is that of the “entry”. The packet is sent to the entry, decrypted there, and passed on towards the “exit”, each router in turn decrypting its own layer.
The routers communicate with each other over TLS (Transport Layer Security), and any of them can talk to any other. Once a data packet reaches the “exit”, it is decrypted, turned from an “onion” into a normal packet suitable for ordinary applications, and passed to the web server. The reverse process, from the server to the browser, is a little simpler: the “exit” receives a portion of data and encrypts it with a single key for the client application. This, by the way, is a reasonable measure: the stream of data going from server to client is much larger than the one from client to server, so it is logical to spend less time encrypting it by wrapping it in just one layer. The encrypted packet then travels back up the chain.
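As an added illustration of the layered wrapping described above (this is example code written for this article, not code from the article or from Tor itself), the following simulates a three-node chain in which the client wraps a cell from the exit inward and each router peels exactly one layer, learning only the next hop. A toy XOR keystream built from SHA-256 stands in for the real per-session ciphers, and padding to 512 bytes is omitted.

```python
import hashlib
import json

# Toy symmetric cipher (constructed for illustration, NOT cryptographically
# secure): keystream = SHA-256(key || counter), XORed with the data.
def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def build_onion(route, payload: bytes) -> bytes:
    """route: list of (node_name, session_key) from entry to exit.
    The client wraps from the exit inward, so the outermost layer is the
    entry's and the last key applied is the entry key."""
    cell = json.dumps({"next": "destination", "data": payload.hex()}).encode()
    cell = _xor(route[-1][1], cell)                      # exit layer
    for i in range(len(route) - 2, -1, -1):              # middle, then entry
        inner = {"next": route[i + 1][0], "data": cell.hex()}
        cell = _xor(route[i][1], json.dumps(inner).encode())
    return cell

def peel_layer(session_key: bytes, cell: bytes):
    """One router strips one layer: it learns only the next hop and an
    opaque blob for that hop. A wrong key yields garbage (ValueError)."""
    layer = json.loads(_xor(session_key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def relay(route, payload: bytes):
    """Carry a cell entry -> ... -> exit. Returns each hop's view, i.e. the
    (router, next hop) pairs, and the plaintext that emerges at the exit."""
    cell = build_onion(route, payload)
    views = []
    for name, key in route:
        next_hop, cell = peel_layer(key, cell)
        views.append((name, next_hop))
    return views, cell
```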
That is pretty much the whole process. However, a careful reader may notice a weak spot in the reasoning: the communication channel from the server to the client application is protected by only one level of encryption.
So, when using Tor, the client program periodically forms a new channel from other routers. In addition, several data streams can share one channel at once, unlike the original Onion Routing, where there could be only one stream per channel.
The “onion” network also has “servers” with the domain suffix .onion, which are used to establish two-way anonymous connections. In such a connection the two applications, client and server, each build their own secure channel, and these channels are then joined so that the two sides “meet”.
To become reachable, the server application sets up several “introduction points”, establishing a channel to each of them. The client, also through an encrypted channel, simply enters one of these points and passes a connection request from which the server cannot determine the client’s identity. In response, the server establishes or refuses the connection. In the program’s terminology, the point at which the connection is established is called the rendezvous point, that is, the meeting point.
With this method of communication, the users of both the client and the server applications can hide their identity. As an example of such a site I will cite the Hidden Wiki (6sxoyfb3h2nvok2d.onion). Since the .onion suffix is non-standard, it is supported only within the router network, and if you stop Tor you will lose access to these sites.
For more detailed instructions, go to https://www.wiki.noreply.org/wiki/TnRouter/TorFAQ and www.tor.eff.org/documentation.html.
Important note: Tor ensures the anonymity of the connection itself, not of the data being transmitted. In other words, the server at the far end of the secure channel will not know where you came from, but any data your browser sends (other than your IP address) that could identify you is carried by Tor intact, neatly encrypted, to wherever you send it. So you will need another program to cut such data out of the outgoing stream. That is, filtering is also required at the application level; for web surfing it can be provided by a local proxy server, but for other applications (say, the Windows updater…) there may be no software that filters personal data at all.
In principle, any local proxy server can be set up for the good cause of anonymous surfing, but you would have to configure it yourself. We will look for the easy way instead, follow the advice of the Tor developers and use Privoxy (www.privoxy.org). This is exactly such a local proxy server (fig. 1), but one specialised in cutting off all kinds of private information. Besides, it knows how to block cookies, pop-ups and banners, and that with the default settings. There is a config.txt file in the program’s directory where you can spend a lot of time fine-tuning the settings, but in general it will work the way we need it to without any extra tricks. Distributions are available for a bunch of platforms: Windows, various Linux distributions, OS/2, NetBSD, FreeBSD and others.
Do – once!
The simplest way to make Tor work is to do the following:
1. Install Tor and Privoxy.
2. Add the line “forward-socks4a / localhost:9050 .” (with the period!) to the Privoxy config mentioned above. This is necessary to prevent data leakage and to ensure the anonymity of all requests sent to the network, including requests to DNS servers.
3. Add “localhost”, port 8118, to your browser’s list of proxy servers: encrypted traffic will go through this local server. If you want to encrypt all traffic, you can set the proxy “hard” in the settings of a particular network connection, but this is not recommended, since the volume of transmitted data will grow and the speed will drop accordingly. Most browsers let you switch proxies quickly while working, with add-ons for both Internet Explorer and Firefox.
4. Run Privoxy and Tor.
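Why the line must say socks4a rather than socks4, and why the trailing period matters, is shown by this added example (written for this article; not code from the article, Privoxy or Tor). It builds the CONNECT request each SOCKS variant sends to port 9050, shows what the proxy sees on the other side, and checks a Privoxy config text for exactly the forwarding line above; the hostname example.com is a constructed sample.

```python
import re
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 4, 1

def socks4a_connect(host: str, port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4a CONNECT request, as Privoxy sends it to Tor on localhost:9050.
    The IP field is the marker 0.0.0.1 and the hostname trails the user id,
    so the proxy (Tor) resolves the name: nothing reaches the local DNS."""
    return (struct.pack(">BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + b"\x00\x00\x00\x01" + user_id + b"\x00"
            + host.encode("ascii") + b"\x00")

def socks4_connect(ip: str, port: int, user_id: bytes = b"") -> bytes:
    """Plain SOCKS4 carries an already-resolved IPv4 address, which means the
    client asked its own DNS server for the name outside the tunnel."""
    return (struct.pack(">BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + socket.inet_aton(ip) + user_id + b"\x00")

def server_view(req: bytes):
    """What the SOCKS server sees: (port, ip, hostname or None)."""
    ver, cmd, port = struct.unpack(">BBH", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    ip = req[4:8]
    fields = req[8:].split(b"\x00")          # [user_id, hostname?, b""]
    host = None
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0 and len(fields) > 2:
        host = fields[1].decode("ascii")
    return port, socket.inet_ntoa(ip), host

def resolved_locally(req: bytes) -> bool:
    """True when the request carries a real IP, i.e. the DNS lookup leaked."""
    return server_view(req)[2] is None

# The exact directive the article asks for: pattern "/", Tor's SOCKS port,
# and the lone "." meaning "no further parent HTTP proxy".
FORWARD_RE = re.compile(
    r"^\s*forward-socks4a\s+/\s+(localhost|127\.0\.0\.1):9050\s+\.\s*$")

def privoxy_forwards_to_tor(config_text: str) -> bool:
    """Check a Privoxy config text (the config.txt contents) for that line."""
    return any(FORWARD_RE.match(line) for line in config_text.splitlines())
```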
Tor itself is not very talkative: on startup it displays a command-line window telling you that it is alive and well and, after a while, that a connection has been established (it does not always report that a channel has been built, but it works fine nevertheless). To check whether the whole bundle works, you can go to one of the dedicated pages (peertech.org/privacy-knoppix) and see how the server reacts. It “knows” most of the “onion” routers, and if your IP address matches one of them it will tell you at once (fig. 2) that the server you come from is one of the Tor “exits” it knows. Sometimes, however, it fails: it may show an obviously foreign IP yet say that the server is not an “onion” one at all. Most likely there is simply no data about that server in its database, because when I refreshed the page after a while and connected through a new channel, I got the message that everything works again.
And it does seem to be working.