0000: 23 20 4f 6e 69 6f 6e 20 52 6f 75 74 69 6e 67 20 # Onion Routing
0010: 23 0a 0a 41 6e 6f 6e 79 6d 69 74 79 20 69 73 20 #..Anonymity is
0020: 73 6f 6d 65 77 68 61 74 20 6f 72 74 68 6f 67 6f somewhat orthogo
0030: 6e 61 6c 20 74 6f 20 65 6e 63 72 79 70 74 69 6f nal to encryptio
0040: 6e 3a 20 54 68 65 20 72 6f 75 74 69 6e 67 20 69 n: The routing i
0050: 6e 66 6f 72 6d 61 74 69 6f 6e 20 69 6e 0a 79 6f nformation in.yo
0060: 75 72 20 6d 65 73 73 61 67 65 20 72 65 76 65 61 ur message revea
0070: 6c 73 20 77 68 6f 27 73 20 74 61 6c 6b 69 6e 67 ls who's talking
0080: 20 74 6f 20 77 68 6f 6d 2e 20 20 54 68 65 20 54 to whom. The T
0090: 4f 52 20 70 72 6f 6a 65 63 74 20 73 75 67 67 65 OR project sugge
00a0: 73 74 73 20 74 68 61 74 0a 61 6e 6f 6e 79 6d 69 sts that.anonymi
00b0: 74 79 20 63 61 6e 20 62 65 20 61 63 68 69 65 76 ty can be achiev
00c0: 65 64 20 62 79 20 75 73 69 6e 67 20 73 65 76 65 ed by using seve
00d0: 72 61 6c 20 68 6f 70 73 2c 20 61 6e 64 20 64 65 ral hops, and de
00e0: 63 72 79 70 74 69 6e 67 20 74 68 65 20 6d 65 73 crypting the mes
00f0: 73 61 67 65 0a 62 6c 6f 63 6b 73 20 6f 6e 20 65 sage.blocks on e
0100: 61 63 68 20 68 6f 70 2c 20 72 6f 75 74 69 6e 67 ach hop, routing
0110: 20 74 68 65 6d 20 66 6f 72 77 61 72 64 20 74 6f them forward to
0120: 20 61 6e 6f 74 68 65 72 20 68 6f 70 2e 0a 0a 54 another hop...T
0130: 68 65 20 72 65 71 75 69 72 65 6d 65 6e 74 73 20 he requirements
0140: 66 6f 72 20 6f 6e 69 6f 6e 20 72 6f 75 74 69 6e for onion routin
0150: 67 20 63 72 79 70 74 6f 67 72 61 70 68 79 20 61 g cryptography a
0160: 72 65 20 64 69 66 66 65 72 65 6e 74 20 66 72 6f re different fro
0170: 6d 20 74 68 65 20 72 65 73 74 0a 6f 66 20 6e 65 m the rest.of ne
0180: 74 32 6f 20 63 72 79 70 74 6f 67 72 61 70 68 79 t2o cryptography
0190: 2e 20 54 68 65 20 69 6e 74 65 72 6d 65 64 69 61 . The intermedia
01a0: 74 65 20 68 6f 70 73 20 64 6f 6e 27 74 20 6e 65 te hops don't ne
01b0: 65 64 20 74 6f 20 61 75 74 68 65 6e 74 69 63 61 ed to authentica
01c0: 74 65 20 74 68 65 0a 62 6c 6f 63 6b 73 3b 20 69 te the.blocks; i
01d0: 6e 20 66 61 63 74 2c 20 69 74 20 69 73 20 62 65 n fact, it is be
01e0: 74 74 65 72 20 77 68 65 6e 20 74 68 65 79 20 64 tter when they d
01f0: 6f 6e 27 74 20 65 76 65 6e 20 6b 6e 6f 77 20 77 on't even know w
0200: 68 6f 27 73 20 73 65 6e 64 69 6e 67 20 74 68 65 ho's sending the
0210: 6d 2e 0a 0a 23 23 20 54 4f 52 20 64 65 73 69 67 m...## TOR desig
0220: 6e 20 70 72 6f 62 6c 65 6d 73 20 23 23 0a 0a 54 n problems ##..T
0230: 4f 52 20 68 61 73 20 73 6f 6d 65 20 64 65 73 69 OR has some desi
0240: 67 6e 20 70 72 6f 62 6c 65 6d 73 2c 20 6f 6e 65 gn problems, one
0250: 20 69 73 20 74 68 65 20 6d 6f 73 74 6c 79 20 63 is the mostly c
0260: 65 6e 74 72 61 6c 69 7a 65 64 0a 64 69 63 74 69 entralized.dicti
0270: 6f 6e 61 72 79 2e 20 20 45 76 65 72 79 62 6f 64 onary. Everybod
0280: 79 20 61 73 6b 69 6e 67 20 74 68 65 20 64 69 72 y asking the dir
0290: 65 63 74 6f 72 79 20 73 65 72 76 65 72 20 69 73 ectory server is
02a0: 20 65 78 70 6f 73 65 64 20 61 73 0a 6f 62 76 69 exposed as.obvi
02b0: 6f 75 73 20 54 4f 52 20 75 73 65 72 2e 20 20 54 ous TOR user. T
02c0: 68 69 73 20 63 61 6e 20 62 65 20 65 61 73 69 6c his can be easil
02d0: 79 20 6d 69 74 69 67 61 74 65 64 20 62 79 20 75 y mitigated by u
02e0: 73 69 6e 67 20 61 20 44 48 54 2e 0a 41 6e 6f 74 sing a DHT..Anot
02f0: 68 65 72 20 70 72 6f 62 6c 65 6d 20 69 73 20 6e her problem is n
0300: 6f 74 20 72 65 6c 61 74 65 64 20 74 6f 20 54 4f ot related to TO
0310: 52 20 69 74 73 65 6c 66 2c 20 62 75 74 20 74 6f R itself, but to
0320: 20 74 68 65 20 63 75 72 72 65 6e 74 0a 69 6e 74 the current.int
0330: 65 72 6e 65 74 3a 20 54 68 65 20 74 72 61 66 66 ernet: The traff
0340: 69 63 20 66 72 6f 6d 20 54 4f 52 20 65 78 69 74 ic from TOR exit
0350: 20 6e 6f 64 65 73 20 61 6e 64 20 62 65 79 6f 6e nodes and beyon
0360: 64 20 69 73 20 6f 66 74 65 6e 0a 75 6e 65 6e 63 d is often.unenc
0370: 72 79 70 74 65 64 3b 20 61 73 20 54 4f 52 20 65 rypted; as TOR e
0380: 78 69 74 20 6e 6f 64 65 73 20 61 72 65 20 65 61 xit nodes are ea
0390: 73 79 20 74 6f 20 73 70 6f 74 20 28 74 68 65 79 sy to spot (they
03a0: 20 61 72 65 20 6c 69 73 74 65 64 20 69 6e 0a 74 are listed in.t
03b0: 68 65 20 64 69 72 65 63 74 6f 72 79 20 73 65 72 he directory ser
03c0: 76 65 72 29 2c 20 74 68 65 79 20 61 72 65 20 76 ver), they are v
03d0: 65 72 79 20 6c 69 6b 65 6c 79 20 74 6f 20 67 65 ery likely to ge
03e0: 74 20 73 70 65 63 69 61 6c 20 74 72 65 61 74 6d t special treatm
03f0: 65 6e 74 2c 0a 61 6e 64 20 61 6c 6c 20 74 72 61 ent,.and all tra
0400: 66 66 69 63 20 69 73 20 6d 6f 6e 69 74 6f 72 65 ffic is monitore
0410: 64 2e 20 20 53 63 61 72 69 6e 67 20 54 4f 52 20 d. Scaring TOR
0420: 65 78 69 74 20 6e 6f 64 65 20 6f 70 65 72 61 74 exit node operat
0430: 6f 72 73 20 69 6e 74 6f 0a 73 68 75 74 74 69 6e ors into.shuttin
0440: 67 20 64 6f 77 6e 20 74 68 65 69 72 20 73 65 72 g down their ser
0450: 76 69 63 65 73 20 72 65 64 75 63 65 73 20 62 61 vices reduces ba
0460: 6e 64 77 69 64 74 68 2c 20 61 6e 64 20 6d 61 6b ndwidth, and mak
0470: 65 73 20 54 4f 52 0a 64 69 66 66 69 63 75 6c 74 es TOR.difficult
0480: 20 74 6f 20 75 73 65 2e 0a 0a 54 68 65 72 65 66 to use...Theref
0490: 6f 72 65 2c 20 61 6e 6f 6e 79 6d 6f 75 73 20 72 ore, anonymous r
04a0: 65 6c 61 79 73 20 6f 6e 6c 79 20 77 6f 72 6b 20 elays only work
04b0: 77 65 6c 6c 20 77 68 65 6e 20 6d 61 6e 79 20 70 well when many p
04c0: 61 72 74 69 63 69 70 61 6e 74 73 20 64 69 73 74 articipants dist
04d0: 72 69 62 75 74 65 0a 74 68 65 20 6c 6f 61 64 2c ribute.the load,
04e0: 20 61 6e 64 20 63 61 6e 27 74 20 65 61 73 69 6c and can't easil
04f0: 79 20 62 65 20 73 63 61 72 65 64 20 74 6f 20 74 y be scared to t
0500: 75 72 6e 20 69 74 20 6f 66 66 2e 0a 0a 23 23 20 urn it off...##
0510: 6e 65 74 32 6f 20 6f 6e 69 6f 6e 20 72 6f 75 74 net2o onion rout
0520: 69 6e 67 20 23 23 0a 0a 2a 54 68 69 73 20 69 73 ing ##..*This is
0530: 20 6e 6f 74 20 79 65 74 20 69 6d 70 6c 65 6d 65 not yet impleme
0540: 6e 74 65 64 2a 0a 0a 41 73 20 6f 6e 69 6f 6e 20 nted*..As onion
0550: 72 6f 75 74 69 6e 67 20 75 73 65 73 20 63 72 79 routing uses cry
0560: 70 74 6f 67 72 61 70 68 79 20 6f 6e 20 61 6c 72 ptography on alr
0570: 65 61 64 79 20 65 6e 63 72 79 70 74 65 64 20 61 eady encrypted a
0580: 6e 64 0a 61 75 74 68 65 6e 74 69 63 61 74 65 64 nd.authenticated
0590: 20 70 61 63 6b 65 74 73 2c 20 61 6e 64 20 73 68 packets, and sh
05a0: 6f 75 6c 64 20 6e 6f 74 20 69 6e 63 72 65 61 73 ould not increas
05b0: 65 20 74 68 65 20 73 69 7a 65 20 6f 66 20 74 68 e the size of th
05c0: 65 0a 70 61 63 6b 65 74 73 2c 20 49 20 77 69 6c e.packets, I wil
05d0: 6c 20 75 73 65 20 61 20 62 6c 6f 63 6b 20 63 69 l use a block ci
05e0: 70 68 65 72 2c 20 77 69 74 68 20 61 6e 20 41 45 pher, with an AE
05f0: 53 2d 58 45 58 20 76 61 72 69 61 6e 74 20 6f 72 S-XEX variant or
0600: 0a 54 68 72 65 65 66 69 73 68 20 77 68 65 6e 20 .Threefish when
0610: 74 68 65 20 63 6f 73 74 20 6f 66 20 41 45 53 20 the cost of AES
0620: 69 73 20 74 6f 6f 20 68 69 67 68 2e 20 20 54 68 is too high. Th
0630: 65 20 64 65 73 74 69 6e 61 74 69 6f 6e 20 6d 65 e destination me
0640: 6d 6f 72 79 0a 61 64 64 72 65 73 73 20 61 6e 64 mory.address and
0650: 20 74 68 65 20 73 65 63 6f 6e 64 20 66 6c 61 67 the second flag
0660: 20 62 79 74 65 20 77 69 6c 6c 20 61 6c 73 6f 20 byte will also
0670: 62 65 20 65 6e 63 72 79 70 74 65 64 2c 20 75 73 be encrypted, us
0680: 69 6e 67 20 45 43 42 0a 28 74 61 6b 69 6e 67 20 ing ECB.(taking
0690: 74 68 65 20 66 69 72 73 74 20 70 61 72 74 20 6f the first part o
06a0: 66 20 74 68 65 20 6d 65 73 73 61 67 65 20 74 6f f the message to
06b0: 20 66 69 6c 6c 20 74 68 65 20 31 36 20 62 79 74 fill the 16 byt
06c0: 65 73 29 2c 20 74 68 65 0a 64 65 63 72 79 70 74 es), the.decrypt
06d0: 65 64 20 6d 65 6d 6f 72 79 20 61 64 64 72 65 73 ed memory addres
06e0: 73 20 69 73 20 74 68 65 20 73 65 63 74 6f 72 20 s is the sector
06f0: 69 6e 64 65 78 20 66 6f 72 20 41 45 53 2d 58 45 index for AES-XE
0700: 58 20 6f 72 20 74 68 65 20 74 77 65 61 6b 0a 66 X or the tweak.f
0710: 6f 72 20 54 68 72 65 65 66 69 73 68 2e 20 54 68 or Threefish. Th
0720: 69 73 20 65 6e 63 72 79 70 74 69 6f 6e 20 69 73 is encryption is
0730: 20 6e 6f 74 20 74 61 6d 70 65 72 2d 70 72 6f 6f not tamper-proo
0740: 66 2c 20 62 75 74 20 74 61 6d 70 65 72 65 64 0a f, but tampered.
0750: 70 61 63 6b 65 74 73 20 77 69 6c 6c 20 62 65 20 packets will be
0760: 66 69 6c 74 65 72 65 64 20 6f 75 74 20 61 74 20 filtered out at
0770: 74 68 65 20 6c 65 67 69 74 69 6d 61 74 65 20 64 the legitimate d
0780: 65 73 74 69 6e 61 74 69 6f 6e 2e 20 20 54 68 65 estination. The
0790: 0a 72 65 71 75 69 72 65 6d 65 6e 74 20 68 65 72 .requirement her
07a0: 65 20 69 73 20 74 68 61 74 20 69 74 20 69 73 20 e is that it is
07b0: 68 61 72 64 65 72 20 74 6f 20 63 6f 72 72 65 6c harder to correl
07c0: 61 74 65 20 69 6e 70 75 74 20 61 6e 64 20 6f 75 ate input and ou
07d0: 74 70 75 74 20 6f 66 0a 61 20 72 65 6c 61 79 20 tput of.a relay
07e0: 74 68 72 6f 75 67 68 20 64 65 63 72 79 70 74 69 through decrypti
07f0: 6f 6e 20 74 68 61 6e 20 74 68 72 6f 75 67 68 20 on than through
0800: 6f 74 68 65 72 20 6d 65 61 6e 73 2e 0a 0a 54 68 other means...Th
0810: 65 20 6d 6f 73 74 20 69 6e 74 65 72 65 73 74 69 e most interesti
0820: 6e 67 20 70 72 6f 62 6c 65 6d 20 68 6f 77 65 76 ng problem howev
0830: 65 72 20 68 65 72 65 20 69 73 20 68 6f 77 20 74 er here is how t
0840: 6f 20 6e 6f 74 20 65 78 70 6f 73 65 20 74 68 65 o not expose the
0850: 0a 72 6f 75 74 69 6e 67 20 66 69 65 6c 64 2c 20 .routing field,
0860: 62 65 63 61 75 73 65 20 69 74 20 63 6f 6e 74 61 because it conta
0870: 69 6e 73 20 74 68 65 20 70 61 74 68 20 74 68 72 ins the path thr
0880: 6f 75 67 68 20 74 68 65 20 6f 6e 69 6f 6e 20 72 ough the onion r
0890: 6f 75 74 69 6e 67 0a 6e 65 74 77 6f 72 6b 2c 20 outing.network,
08a0: 61 6e 64 20 61 6c 73 6f 20 73 65 6c 65 63 74 73 and also selects
08b0: 20 74 68 65 20 70 72 6f 70 65 72 20 6b 65 79 2e the proper key.
08c0: 20 20 53 6f 20 74 68 65 20 72 6f 75 74 69 6e 67 So the routing
08d0: 20 66 69 65 6c 64 20 6e 65 65 64 73 0a 74 6f 20 field needs.to
08e0: 62 65 20 65 6e 63 72 79 70 74 65 64 20 61 6e 64 be encrypted and
08f0: 20 69 74 20 69 73 20 75 73 65 64 20 74 6f 20 69 it is used to i
0900: 64 65 6e 74 69 66 79 20 74 68 65 20 63 6f 6e 6e dentify the conn
0910: 65 63 74 69 6f 6e 20 77 68 69 6c 65 0a 65 6e 63 ection while.enc
0920: 72 79 70 74 65 64 2e 20 20 54 68 65 20 72 6f 75 rypted. The rou
0930: 74 69 6e 67 20 66 69 65 6c 64 20 69 73 20 73 74 ting field is st
0940: 69 6c 6c 20 75 73 65 64 20 74 6f 20 66 6f 72 77 ill used to forw
0950: 61 72 64 20 70 61 63 6b 65 74 73 2c 20 74 68 6f ard packets, tho
0960: 75 67 68 0a 74 68 65 20 72 6f 75 74 69 6e 67 20 ugh.the routing
0970: 77 69 74 68 69 6e 20 74 68 65 20 6f 6e 69 6f 6e within the onion
0980: 20 6e 65 74 77 6f 72 6b 20 69 73 20 73 65 74 20 network is set
0990: 75 70 20 62 65 66 6f 72 65 2c 20 73 6f 20 69 74 up before, so it
09a0: 27 73 20 6d 6f 73 74 6c 79 0a 61 20 73 77 69 74 's mostly.a swit
09b0: 63 68 65 64 20 63 69 72 63 75 69 74 20 6e 65 74 ched circuit net
09c0: 77 6f 72 6b 2e 20 20 48 61 6e 64 6f 76 65 72 73 work. Handovers
09d0: 20 73 68 6f 75 6c 64 20 62 65 20 6e 65 67 6f 74 should be negot
09e0: 69 61 74 65 64 20 73 65 70 61 72 61 74 65 6c 79 iated separately
09f0: 2e 0a 0a 54 68 65 20 67 6f 6f 64 20 6e 65 77 73 ...The good news
0a00: 20 69 73 20 74 68 61 74 20 69 74 20 64 6f 65 73 is that it does
0a10: 6e 27 74 20 6e 65 65 64 20 74 6f 20 62 65 20 75 n't need to be u
0a20: 6c 74 72 61 20 72 65 6c 69 61 62 6c 65 2e 20 20 ltra reliable.
0a30: 49 66 20 77 65 0a 66 69 6e 64 20 74 68 61 74 20 If we.find that
0a40: 74 77 6f 20 6b 65 79 73 20 70 6f 73 73 69 62 6c two keys possibl
0a50: 79 20 6d 61 74 63 68 2c 20 77 65 20 63 61 6e 20 y match, we can
0a60: 6a 75 73 74 20 64 65 63 72 79 70 74 20 61 6e 64 just decrypt and
0a70: 20 66 6f 72 77 61 72 64 20 74 68 65 0a 70 61 63 forward the.pac
0a80: 6b 65 74 20 77 69 74 68 20 74 77 6f 20 6b 65 79 ket with two key
0a90: 73 20 74 6f 20 74 77 6f 20 64 69 66 66 65 72 65 s to two differe
0aa0: 6e 74 20 64 65 73 74 69 6e 61 74 69 6f 6e 73 2e nt destinations.
0ab0: 20 20 49 74 20 77 69 6c 6c 20 62 65 20 74 68 72 It will be thr
0ac0: 6f 77 6e 0a 61 77 61 79 20 69 66 20 69 74 20 64 own.away if it d
0ad0: 6f 65 73 6e 27 74 20 6d 61 74 63 68 20 66 75 72 oesn't match fur
0ae0: 74 68 65 72 2c 20 61 74 20 6c 65 61 73 74 20 61 ther, at least a
0af0: 74 20 74 68 65 20 65 6e 64 70 6f 69 6e 74 73 2e t the endpoints.
0b00: 20 20 49 27 6d 20 6e 6f 74 0a 63 6f 6e 76 69 6e I'm not.convin
0b10: 63 65 64 20 74 68 61 74 20 74 68 65 20 6e 6f 72 ced that the nor
0b20: 6d 61 6c 20 31 36 20 62 79 74 65 20 70 61 74 68 mal 16 byte path
0b30: 20 69 73 20 73 75 66 66 69 63 69 65 6e 74 20 66 is sufficient f
0b40: 6f 72 20 6f 6e 69 6f 6e 0a 72 6f 75 74 69 6e 67 or onion.routing
0b50: 2c 20 65 73 70 65 63 69 61 6c 6c 79 2c 20 61 73 , especially, as
0b60: 20 74 68 65 20 6e 6f 72 6d 61 6c 20 70 61 74 68 the normal path
0b70: 20 69 73 20 6e 65 65 64 65 64 20 74 6f 20 67 65 is needed to ge
0b80: 74 20 66 72 6f 6d 20 6f 6e 65 0a 6f 6e 69 6f 6e t from one.onion
0b90: 20 72 6f 75 74 65 72 20 68 6f 70 20 74 6f 20 74 router hop to t
0ba0: 68 65 20 6e 65 78 74 2c 20 74 6f 6f 2e 20 20 53 he next, too. S
0bb0: 6f 20 6f 6e 69 6f 6e 20 72 6f 75 74 69 6e 67 20 o onion routing
0bc0: 6e 65 65 64 73 20 61 6e 0a 61 64 64 69 74 69 6f needs an.additio
0bd0: 6e 61 6c 2c 20 6c 6f 6e 67 65 72 2c 20 63 6f 6e nal, longer, con
0be0: 73 74 61 6e 74 2d 73 69 7a 65 20 70 61 74 68 20 stant-size path
0bf0: 77 69 74 68 69 6e 20 74 68 65 20 6f 6e 69 6f 6e within the onion
0c00: 20 6e 65 74 77 6f 72 6b 2e 20 20 4c 69 6b 65 0a network. Like.
0c10: 74 68 65 20 72 65 73 74 20 6f 66 20 74 68 65 20 the rest of the
0c20: 6d 65 73 73 61 67 65 2c 20 74 68 65 20 6f 6e 69 message, the oni
0c30: 6f 6e 20 70 61 74 68 20 69 73 20 65 6e 63 72 79 on path is encry
0c40: 70 74 65 64 2f 64 65 63 72 79 70 74 65 64 20 6f pted/decrypted o
0c50: 6e 20 65 61 63 68 0a 68 6f 70 2c 20 61 6e 64 20 n each.hop, and
0c60: 74 68 65 20 65 6e 64 20 6e 6f 64 65 20 6a 75 73 the end node jus
0c70: 74 20 66 6c 69 70 73 20 74 68 65 20 70 61 74 68 t flips the path
0c80: 20 73 6f 20 74 68 61 74 20 74 68 65 20 69 6e 73 so that the ins
0c90: 65 72 74 65 64 0a 70 61 74 68 6c 65 74 73 20 63 erted.pathlets c
0ca0: 61 6e 20 62 65 20 75 73 65 64 20 61 73 20 72 65 an be used as re
0cb0: 74 75 72 6e 20 70 61 74 68 2e 0a 0a 45 61 63 68 turn path...Each
0cc0: 20 65 6c 65 6d 65 6e 74 20 6f 66 20 74 68 65 20 element of the
0cd0: 70 61 74 68 20 69 73 20 70 65 72 2d 68 6f 70 20 path is per-hop
0ce0: 65 6e 63 72 79 70 74 65 64 2f 64 65 63 72 79 70 encrypted/decryp
0cf0: 74 65 64 20 69 6e 20 45 43 42 20 6d 6f 64 65 2c ted in ECB mode,
0d00: 0a 73 6f 20 65 6e 63 72 79 70 74 69 6f 6e 20 61 .so encryption a
0d10: 6e 64 20 64 65 63 72 79 70 74 69 6f 6e 20 61 72 nd decryption ar
0d20: 65 20 69 6e 74 65 72 63 68 61 6e 67 65 61 62 6c e interchangeabl
0d30: 65 20 6f 70 65 72 61 74 69 6f 6e 73 20 28 34 20 e operations (4
0d40: 74 69 6d 65 73 0a 64 65 63 72 79 70 74 65 64 20 times.decrypted
0d50: 77 69 74 68 20 6b 65 79 31 20 74 6f 20 6b 65 79 with key1 to key
0d60: 34 20 61 6e 64 20 74 68 65 6e 20 65 6e 63 72 79 4 and then encry
0d70: 70 74 65 64 20 77 69 74 68 20 6b 65 79 34 20 74 pted with key4 t
0d80: 6f 20 6b 65 79 31 20 67 69 76 65 73 0a 75 73 20 o key1 gives.us
0d90: 74 68 65 20 70 6c 61 69 6e 74 65 78 74 20 61 67 the plaintext ag
0da0: 61 69 6e 29 2e 20 20 54 6f 20 66 69 6e 64 20 74 ain). To find t
0db0: 68 65 20 63 6f 72 72 65 63 74 20 6b 65 79 2c 20 he correct key,
0dc0: 74 68 65 20 72 6f 75 74 65 72 20 74 72 69 65 73 the router tries
0dd0: 0a 61 6c 6c 20 61 76 61 69 6c 61 62 6c 65 20 6b .all available k
0de0: 65 79 73 20 66 72 6f 6d 20 61 20 73 69 6e 67 6c eys from a singl
0df0: 65 20 73 6f 75 72 63 65 2c 20 61 6e 64 20 73 74 e source, and st
0e00: 6f 70 73 20 69 66 20 74 68 65 20 64 65 63 72 79 ops if the decry
0e10: 70 74 65 64 0a 64 65 73 74 69 6e 61 74 69 6f 6e pted.destination
0e20: 20 6c 6f 6f 6b 73 20 6c 65 67 69 74 3b 20 73 69 looks legit; si
0e30: 6e 63 65 20 74 68 65 72 65 20 69 73 20 6e 6f 20 nce there is no
0e40: 72 65 71 75 69 72 65 6d 65 6e 74 20 66 6f 72 0a requirement for.
0e50: 75 6c 74 72 61 2d 72 65 6c 69 61 62 69 6c 69 74 ultra-reliabilit
0e60: 79 2c 20 61 20 73 68 6f 72 74 20 49 56 20 61 6e y, a short IV an
0e70: 64 20 61 20 73 69 6d 70 6c 65 20 63 68 65 63 6b d a simple check
0e80: 73 75 6d 20 69 73 20 73 75 66 66 69 63 69 65 6e sum is sufficien
0e90: 74 0a 28 65 2e 67 2e 20 33 32 20 62 69 74 20 65 t.(e.g. 32 bit e
0ea0: 61 63 68 29 2e 20 20 4f 6e 65 20 62 69 74 20 69 ach). One bit i
0eb0: 6e 20 74 68 65 20 61 64 64 72 65 73 73 20 69 73 n the address is
0ec0: 20 75 73 65 64 20 74 6f 20 64 65 74 65 72 6d 69 used to determi
0ed0: 6e 65 0a 77 68 65 74 68 65 72 20 74 68 61 74 27 ne.whether that'
0ee0: 73 20 74 68 65 20 65 6e 64 70 6f 69 6e 74 20 6f s the endpoint o
0ef0: 66 20 74 68 65 20 6f 6e 69 6f 6e 20 72 6f 75 74 f the onion rout
0f00: 69 6e 67 20 6f 72 20 6e 6f 74 2e 20 20 49 66 20 ing or not. If
0f10: 79 6f 75 20 61 72 65 0a 65 6e 64 70 6f 69 6e 74 you are.endpoint
0f20: 2c 20 79 6f 75 20 6b 65 65 70 20 74 68 65 20 72 , you keep the r
0f30: 65 74 75 72 6e 20 70 61 74 68 20 61 6e 64 20 63 eturn path and c
0f40: 72 65 61 74 65 20 61 20 6e 6f 72 6d 61 6c 20 6e reate a normal n
0f50: 65 74 32 6f 20 70 61 63 6b 65 74 3b 0a 74 68 65 et2o packet;.the
0f60: 20 69 6e 73 65 72 74 65 64 20 72 65 74 75 72 6e inserted return
0f70: 20 70 61 74 68 20 61 6c 6c 6f 77 73 20 74 6f 20 path allows to
0f80: 69 64 65 6e 74 69 66 79 20 74 68 65 20 6f 6e 69 identify the oni
0f90: 6f 6e 20 72 6f 75 74 69 6e 67 20 70 61 74 68 2e on routing path.
0fa0: 0a 0a 54 68 65 20 72 65 6c 61 79 20 75 73 65 73 ..The relay uses
0fb0: 20 74 68 65 20 73 61 6d 65 20 6b 65 79 20 66 6f the same key fo
0fc0: 72 20 62 6f 74 68 20 64 69 72 65 63 74 69 6f 6e r both direction
0fd0: 73 2c 20 6f 6e 65 20 64 69 72 65 63 74 69 6f 6e s, one direction
0fe0: 20 75 73 65 73 0a 65 6e 63 72 79 70 74 69 6f 6e uses.encryption
0ff0: 2c 20 74 68 65 20 6f 74 68 65 72 20 64 65 63 72 , the other decr
1000: 79 70 74 69 6f 6e 2e 20 20 54 68 65 20 6f 72 69 yption. The ori
1010: 67 69 6e 61 74 6f 72 20 6e 65 65 64 73 20 74 6f ginator needs to
1020: 20 6b 6e 6f 77 20 61 6c 6c 0a 6b 65 79 73 2c 20 know all.keys,
1030: 61 6e 64 20 65 6e 63 72 79 70 74 20 77 69 74 68 and encrypt with
1040: 20 61 6c 6c 20 6f 66 20 74 68 65 6d 20 6f 6e 20 all of them on
1050: 73 65 6e 64 69 6e 67 2c 20 61 6e 64 20 64 65 63 sending, and dec
1060: 72 79 70 74 20 77 69 74 68 20 61 6c 6c 20 6f 66 rypt with all of
1070: 0a 74 68 65 6d 20 6f 6e 20 72 65 63 65 69 76 69 .them on receivi
1080: 6e 67 20 2d 20 73 6f 20 74 68 65 20 6f 72 69 67 ng - so the orig
1090: 69 6e 61 74 6f 72 20 61 63 74 75 61 6c 6c 79 20 inator actually
10a0: 63 6f 6d 70 75 74 65 73 20 74 68 6f 73 65 20 6b computes those k
10b0: 65 79 73 2e 0a 54 68 65 72 65 66 6f 72 65 2c 20 eys..Therefore,
10c0: 61 20 66 61 73 74 2c 20 68 61 72 64 77 61 72 65 a fast, hardware
10d0: 2d 61 63 63 65 6c 65 72 61 74 65 64 20 61 6c 67 -accelerated alg
10e0: 6f 72 69 74 68 6d 20 69 73 20 69 6d 70 6f 72 74 orithm is import
10f0: 61 6e 74 20 68 65 72 65 3b 0a 73 65 63 75 72 69 ant here;.securi
1100: 74 79 20 63 6f 6e 63 65 72 6e 73 20 61 62 6f 75 ty concerns abou
1110: 74 20 41 45 53 20 77 65 61 6b 6e 65 73 73 65 73 t AES weaknesses
1120: 20 61 6e 64 20 6d 6f 64 65 20 70 72 6f 62 6c 65 and mode proble
1130: 6d 73 20 61 72 65 0a 73 65 63 6f 6e 64 61 72 79 ms are.secondary
1140: 2e 20 20 54 68 69 73 20 69 73 20 6f 6e 6c 79 20 . This is only
1150: 6d 61 6b 69 6e 67 20 69 74 20 6d 6f 72 65 20 64 making it more d
1160: 69 66 66 69 63 75 6c 74 20 74 6f 20 63 6f 6d 70 ifficult to comp
1170: 75 74 65 20 61 0a 63 6f 72 72 65 6c 61 74 69 6f ute a.correlatio
1180: 6e 2c 20 62 72 65 61 6b 69 6e 67 20 74 68 65 20 n, breaking the
1190: 65 6e 63 72 79 70 74 69 6f 6e 20 74 68 65 72 65 encryption there
11a0: 66 6f 72 65 20 73 68 6f 75 6c 64 20 6f 6e 6c 79 fore should only
11b0: 20 62 65 20 68 61 72 64 65 72 0a 74 68 61 6e 20 be harder.than
11c0: 61 6e 79 20 6f 74 68 65 72 20 6d 65 61 6e 20 74 any other mean t
11d0: 6f 20 63 6f 72 72 65 6c 61 74 65 20 70 61 63 6b o correlate pack
11e0: 65 74 73 20 28 65 2e 67 2e 20 75 73 69 6e 67 20 ets (e.g. using
11f0: 74 69 6d 69 6e 67 20 61 74 74 61 63 6b 73 29 2e timing attacks).
1200: 0a 54 68 65 20 63 6f 6e 74 65 6e 74 20 65 6e 63 .The content enc
1210: 72 79 70 74 69 6f 6e 20 69 73 20 62 65 6c 6f 77 ryption is below
1220: 20 74 68 61 74 20 6c 61 79 65 72 3b 20 75 73 69 that layer; usi
1230: 6e 67 20 61 6e 20 65 6e 74 69 72 65 6c 79 0a 64 ng an entirely.d
1240: 69 66 66 65 72 65 6e 74 20 61 6c 67 6f 72 69 74 ifferent algorit
1250: 68 6d 20 70 72 6f 76 69 64 65 73 20 61 64 64 69 hm provides addi
1260: 74 69 6f 6e 61 6c 20 73 65 63 75 72 69 74 79 3a tional security:
1270: 20 41 74 74 61 63 6b 65 72 73 20 6f 66 20 72 65 Attackers of re
1280: 6c 61 79 65 64 0a 74 72 61 66 66 69 63 20 6e 65 layed.traffic ne
1290: 65 64 20 74 6f 20 62 72 65 61 6b 20 74 77 6f 20 ed to break two
12a0: 65 6e 63 72 79 70 74 69 6f 6e 20 73 63 68 65 6d encryption schem
12b0: 65 73 2e 20 20 59 6f 75 20 63 61 6e 20 73 65 74 es. You can set
12c0: 75 70 20 61 20 72 65 6c 61 79 0a 74 6f 20 69 74 up a relay.to it
12d0: 73 65 6c 66 20 6f 6e 20 79 6f 75 72 20 64 65 73 self on your des
12e0: 74 69 6e 61 74 69 6f 6e 20 74 6f 20 61 64 64 20 tination to add
12f0: 61 6e 20 41 45 53 20 65 6e 63 72 79 70 74 69 6f an AES encryptio
1300: 6e 20 6f 6e 20 74 6f 70 20 6f 66 0a 4b 65 63 63 n on top of.Kecc
1310: 61 6b 20 65 6e 63 72 79 70 74 69 6f 6e 2c 20 74 ak encryption, t
1320: 68 65 20 64 65 73 74 69 6e 61 74 69 6f 6e 20 74 he destination t
1330: 68 65 6e 20 6f 6e 6c 79 20 72 65 63 65 69 76 65 hen only receive
1340: 73 20 70 61 63 6b 65 74 73 20 77 68 69 63 68 0a s packets which.
1350: 6c 6f 6f 6b 20 6c 69 6b 65 20 72 65 6c 61 79 65 look like relaye
1360: 64 20 70 61 63 6b 65 74 73 2e 0a 0a 54 68 65 20 d packets...The
1370: 72 65 6c 61 79 20 6d 61 79 20 73 6c 6f 77 20 64 relay may slow d
1380: 6f 77 6e 20 70 61 63 6b 65 74 20 72 61 74 65 73 own packet rates
1390: 20 74 6f 20 6d 61 6b 65 20 63 6f 72 72 65 6c 61 to make correla
13a0: 74 69 6f 6e 20 68 61 72 64 65 72 2c 20 62 75 74 tion harder, but
13b0: 20 69 73 20 6e 6f 74 0a 61 6c 6c 6f 77 65 64 20 is not.allowed
13c0: 74 6f 20 73 70 65 65 64 20 75 70 20 62 75 72 73 to speed up burs
13d0: 74 73 2c 20 62 65 63 61 75 73 65 20 74 68 61 74 ts, because that
13e0: 20 77 6f 75 6c 64 20 62 72 65 61 6b 20 6e 65 74 would break net
13f0: 32 6f 27 73 20 66 6c 6f 77 20 63 6f 6e 74 72 6f 2o's flow contro
1400: 6c 0a 28 70 61 72 74 69 61 6c 20 73 70 65 65 64 l.(partial speed
1410: 20 75 70 20 69 6e 73 69 64 65 20 61 20 62 75 72 up inside a bur
1420: 73 74 20 69 73 20 61 6c 6c 6f 77 65 64 2c 20 74 st is allowed, t
1430: 68 6f 75 67 68 29 2e 20 20 52 65 6c 61 79 73 20 hough). Relays
1440: 73 68 61 6c 6c 20 64 6f 0a 66 61 69 72 20 71 75 shall do.fair qu
1450: 65 75 69 6e 67 20 74 6f 20 68 65 6c 70 20 74 68 euing to help th
1460: 65 20 66 6c 6f 77 20 63 6f 6e 74 72 6f 6c 2e 0a e flow control..
1470: 0a 52 65 6c 61 79 20 67 65 6e 65 72 61 74 69 6f .Relay generatio
1480: 6e 20 69 73 20 6a 75 73 74 20 6f 6e 65 20 73 69 n is just one si
1490: 6e 67 6c 65 20 63 6f 6d 6d 61 6e 64 3a 0a 0a 20 ngle command:..
14a0: 20 20 20 63 72 65 61 74 65 2d 72 65 6c 61 79 20 create-relay
14b0: 28 20 24 6b 65 79 20 61 6c 67 6f 20 2d 2d 20 29 ( $key algo -- )
14c0: 0a 0a 52 65 6c 61 79 73 20 61 75 74 6f 6d 61 74 ..Relays automat
14d0: 69 63 61 6c 6c 79 20 61 72 65 20 73 68 75 74 20 ically are shut
14e0: 64 6f 77 6e 20 61 66 74 65 72 20 31 20 6d 69 6e down after 1 min
14f0: 75 74 65 20 6f 66 20 69 6e 61 63 74 69 76 69 74 ute of inactivit
1500: 79 3b 0a 72 65 6c 61 79 73 20 61 72 65 20 63 72 y;.relays are cr
1510: 65 61 74 65 64 20 77 69 74 68 20 6f 6e 6c 79 20 eated with only
1520: 6f 6e 65 2d 74 69 6d 65 20 6b 65 79 73 2c 20 62 one-time keys, b
1530: 65 63 61 75 73 65 20 79 6f 75 20 64 6f 6e 27 74 ecause you don't
1540: 20 77 61 6e 74 20 74 68 65 0a 72 65 6c 61 79 20 want the.relay
1550: 74 6f 20 6b 6e 6f 77 20 77 68 6f 20 79 6f 75 20 to know who you
1560: 61 72 65 2c 20 62 75 74 20 79 6f 75 20 77 61 6e are, but you wan
1570: 74 20 74 6f 20 6b 6e 6f 77 20 74 68 61 74 20 74 t to know that t
1580: 68 65 20 72 65 6c 61 79 20 69 73 20 74 68 65 0a he relay is the.
1590: 6f 6e 65 20 79 6f 75 20 61 73 6b 65 64 2c 20 73 one you asked, s
15a0: 6f 20 79 6f 75 20 77 61 6e 74 20 69 74 73 20 70 o you want its p
15b0: 75 62 6b 65 79 2c 20 61 6e 64 20 75 73 65 20 61 ubkey, and use a
15c0: 6e 6f 74 68 65 72 20 6f 6e 65 2d 74 69 6d 65 20 nother one-time
15d0: 6b 65 79 20 74 6f 0a 67 65 6e 65 72 61 74 65 20 key to.generate
15e0: 74 68 65 20 73 68 61 72 65 64 20 73 65 63 72 65 the shared secre
15f0: 74 2e 20 20 54 68 65 72 65 27 73 20 6e 6f 20 66 t. There's no f
1600: 75 6c 6c 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 73 ull connection s
1610: 65 74 75 70 20 77 69 74 68 20 61 0a 72 65 6c 61 etup with a.rela
1620: 79 2c 20 73 65 74 74 69 6e 67 20 75 70 20 61 20 y, setting up a
1630: 72 65 6c 61 79 20 73 68 6f 75 6c 64 20 74 61 6b relay should tak
1640: 65 20 74 68 72 65 65 20 6d 65 73 73 61 67 65 73 e three messages
1650: 20 6f 6e 6c 79 2e 0a 0a 59 6f 75 20 63 61 6e 20 only...You can
1660: 63 72 65 61 74 65 20 72 65 6c 61 79 20 74 72 65 create relay tre
1670: 65 73 20 28 77 69 74 68 20 74 68 65 20 72 6f 6f es (with the roo
1680: 74 20 69 6e 20 74 68 65 20 74 61 72 67 65 74 0a t in the target.
1690: 79 6f 75 20 74 61 6c 6b 20 74 6f 29 2c 20 61 6e you talk to), an
16a0: 64 20 73 77 69 74 63 68 20 62 65 74 77 65 65 6e d switch between
16b0: 20 6c 65 61 76 65 73 20 72 61 6e 64 6f 6d 6c 79 leaves randomly
16c0: 2c 20 61 73 20 6e 65 74 32 6f 20 70 72 6f 76 69 , as net2o provi
16d0: 64 65 73 20 70 65 72 66 65 63 74 0a 68 61 6e 64 des perfect.hand
16e0: 6f 76 65 72 20 73 75 70 70 6f 72 74 2e 20 44 69 over support. Di
16f0: 66 66 65 72 65 6e 74 20 70 61 74 68 73 20 73 68 fferent paths sh
1700: 61 6c 6c 20 68 61 76 65 20 64 69 66 66 65 72 65 all have differe
1710: 6e 74 20 73 65 74 73 20 6f 66 20 6b 65 79 73 2c nt sets of keys,
1720: 20 79 6f 75 20 77 69 6c 6c 0a 6b 6e 6f 77 20 77 you will.know w
1730: 68 69 63 68 20 70 61 74 68 20 68 61 73 20 62 65 hich path has be
1740: 65 6e 20 75 73 65 64 2e 0a 0a 23 23 20 44 6f 77 en used...## Dow
1750: 6e 73 69 64 65 73 20 6f 66 20 4f 6e 69 6f 6e 20 nsides of Onion
1760: 52 6f 75 74 69 6e 67 20 23 23 0a 0a 4f 6e 69 6f Routing ##..Onio
1770: 6e 20 72 6f 75 74 69 6e 67 20 69 6e 63 72 65 61 n routing increa
1780: 73 65 73 20 6c 61 74 65 6e 63 79 20 61 6e 64 20 ses latency and
1790: 74 72 61 66 66 69 63 2e 20 49 66 20 79 6f 75 20 traffic. If you
17a0: 77 61 6e 74 20 74 6f 20 6d 69 6e 69 6d 69 7a 65 want to minimize
17b0: 0a 6f 6e 20 74 68 61 74 2c 20 75 73 65 20 72 65 .on that, use re
17c0: 6c 61 79 73 20 63 6c 6f 73 65 20 74 6f 20 79 6f lays close to yo
17d0: 75 20 28 69 6e 20 74 65 72 6d 73 20 6f 66 20 6e u (in terms of n
17e0: 65 74 77 6f 72 6b 20 64 69 73 74 61 6e 63 65 29 etwork distance)
17f0: 2e 20 41 73 0a 62 69 67 20 69 6e 74 65 72 6e 65 . As.big interne
1800: 74 20 65 78 63 68 61 6e 67 65 73 20 61 72 65 20 t exchanges are
1810: 6d 75 63 68 20 6d 6f 72 65 20 6c 69 6b 65 6c 79 much more likely
1820: 20 74 6f 20 62 65 20 6d 6f 6e 69 74 6f 72 65 64 to be monitored
1830: 2c 20 6c 6f 63 61 6c 0a 72 65 6c 61 79 73 20 61 , local.relays a
1840: 6c 73 6f 20 70 72 6f 76 69 64 65 20 6c 65 73 73 lso provide less
1850: 20 6d 65 61 6e 73 20 74 6f 20 63 6f 6c 6c 65 63 means to collec
1860: 74 20 63 6f 72 72 65 6c 61 74 69 6f 6e 73 2e 0a t correlations..