Analyzing the Difficulties in Backtracing Onion Router Traffic

Author

  • Dario V. Forte
Abstract

The objective of Onion Routing is to make it completely impossible for third parties to perform traffic analysis. This goal is achieved by applying cryptographic techniques to networking. The packets transiting the chain of onion routers thus appear anonymous. Yes, we are talking about a chain. Practically speaking, there is a group of onion routers distributed around the public network, each of which has the task of encrypting the socket connections and acting in turn as a proxy. Experiments with Onion Routing have already been carried out on Sun Solaris 2.4 using proxies for HTTP (WWW) and RLOGIN. At the moment, proxy operations are planned for e-mail (SMTP), FTP and a slew of other protocols.

Let's imagine we have to make an HTTP transaction. This is how it works:

1) The application does not connect directly to the destination Web server, but rather opens a socket connection to an Onion Routing proxy.

2) The Onion Routing proxy establishes a direct anonymous connection with its nearest sister. To guarantee the impossibility of interceptions, the first Onion Routing proxy makes another connection with others of its ilk to complete the chain. To avoid hijacking and man-in-the-middle phenomena, the communication between onion routers is forced. Practically speaking, each onion router is only able to identify and communicate with its adjacent kin included in the route. Each packet can currently make a maximum of 11 hops, then it has to reach its destination.

3) Each time an onion router handles a transaction, it strips away a layer of encryption with respect to the preceding hop. This means that at the end of the route the packet arrives in cleartext. This is one of the first problems an investigator may encounter. Practically speaking, both because of the encryption and because at each hop the link to the preceding routing point is literally stripped away, traceback becomes impossible. The only way to carry out an effective investigation is to implement a logging function at the proxy level, as we will describe in greater detail below.

4) In addition, the encryption and transmission of data through the links of the chain is carried out randomly in such a way as to render impossible any sort of "sequence prediction". Furthermore, whenever the connection is interrupted, for any reason, all information relating to a given transaction is deleted from the rest of the chain. It is basically a sort of "no cache" system.
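The following is an added illustration, not code from the paper: a small Python model of steps 1 to 3 that shows why a backtrace depends on logs from every hop. The router names, keys, destination, the per-router log format and the toy XOR cipher (a stand-in for the real encryption, not secure) are all assumptions made for the example.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream: a stand-in for real crypto, NOT secure.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(route, keys, dest, payload):
    # Wrap innermost-first so each router can read only its own next hop.
    onion = payload
    for router, nxt in reversed(list(zip(route, route[1:] + [dest]))):
        layer = json.dumps({"next": nxt, "data": onion.hex()}).encode()
        onion = xor_layer(keys[router], layer)
    return onion

def relay(entry, keys, onion, sender, logging_routers):
    # Each router peels one layer; only routers in logging_routers record (prev, next).
    logs, prev, node = {}, sender, entry
    while node in keys:
        layer = json.loads(xor_layer(keys[node], onion))
        if node in logging_routers:
            logs[node] = {"prev": prev, "next": layer["next"]}
        onion = bytes.fromhex(layer["data"])
        prev, node = node, layer["next"]
    return node, onion, prev, logs  # destination, cleartext, exit router, logs

def backtrace(logs, exit_router):
    # Investigator's walk backward from the exit router the destination saw.
    path, node = [], exit_router
    while node in logs:
        path.append(node)
        node = logs[node]["prev"]
    return node, path  # node is where the trail ends

# Constructed sample data: router names, keys, destination and request are made up.
ROUTE = ["R1", "R2", "R3"]
KEYS = {r: hashlib.sha256(r.encode()).digest() for r in ROUTE}
REQUEST = b"GET / HTTP/1.0\r\n\r\n"

def run(logging_routers):
    onion = build_onion(ROUTE, KEYS, "web.example", REQUEST)
    dest, clear, exit_router, logs = relay("R1", KEYS, onion, "client", logging_routers)
    return dest, clear, backtrace(logs, exit_router)

if __name__ == "__main__":
    print(run({"R1", "R2", "R3"}))  # trail reaches the client
    print(run({"R1", "R3"}))        # trail stalls at R2
```

With logs from all three routers the walk ends at the client; with one hop not logging, the trail stops at that hop even though the request still arrives in cleartext.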


Similar resources

On PAR for Attack

In The Onion Router (TOR) system, anonymity is provided by router services run by TOR users who volunteer their computational resources. Scalability concerns stem from the TOR design because volunteers lack an incentive to participate. A payment scheme has been previously introduced which aims at providing economic incentives for volunteers in hopes of increasing both reliability of and partici...


Novel Approach To Cell-Counting-Based Attack Against Tor

Different low-latency unidentified communication systems such as Tor and Anonymizer have been deliberate to make available anonymity service for users. In order to hide from view the communication of users, most of the secrecy systems pack the application data into equal-sized cells. Through extensive experiments on Tor, we originate that the size of IP packets in the Tor network can be very ac...


Provable Unlinkability Against Traffic Analysis Already After O(log(n)) Steps!

We consider unlinkability of communication problem: given n users, each sending a message to some destination, encode and route the messages so that an adversary analyzing the traffic in the communication network cannot link the senders with the recipients. A solution should have a small communication overhead, that is, the number of additional messages should be kept low. David Chaum introduce...


Design of a Low-Latency Router Based on Virtual Output Queuing and Bypass Channels for Wireless Network-on-Chip

Wireless network-on-chip (WiNoC) is considered as a novel approach for designing future multi-core systems. In WiNoCs, wireless routers (WRs) utilize high-bandwidth wireless links to reduce the transmission delay between the long distance nodes. When the network traffic loads increase, a large number of packets will be sent into the wired and wireless links and can...


A Class of New Protocol-Level Attacks against Tor

Tor is a real-world, circuit-based low-latency anonymous communication network, supporting TCP applications over the Internet. In this paper, we present a new class of attacks, protocol-level attacks, against Tor. Different from existing attacks, these attacks can confirm anonymous communication relationships quickly and accurately by manipulating one single cell and pose a serious threat again...


Journal title:
  • IJDE

Volume 1, Issue

Pages -

Publication date 2002