An article I had to write. I had a limit on word count and therefore could not go into the nitty gritty details as I would have liked to. Anyway, this is my first contribution to "Hack This Site".

Abstract
This article describes how the Tor (Onion Router) works. First through the Directory Authority and connection with its relays and how it determines the relays by time known, weighted fractional uptime and bandwidth. It then discusses some of the security measures in Tor including signing of certificates and keys, algorithms used and hashes. Further it explains how the client extends the hops between onion router or relays by creating cells and replay cells. The last part shows some insecurities in the Tor network where traffic analysis has been used to de-anonymize the client user and also man-in-the-middle attacks wich can be performed on the exit node.

1. Introduction
Tor is an acronym for The Onion Router. Its main purpose is to try to help improve both privacy and security when using the internet. It is a cross-platform software program, written in the C programming language and with approximately 146,000 lines of code. It can be used by different web browsers and also for remote login to a server. Today, one can also implement Tor on some smartphones. This includes smartphones which use the mobile operating system Android. This is not possible on Apple’s iPhone under normal circumstances.

Onion routing was originally developed by the United States Naval Research Laboratory in the 1990’s with continued development by DARPA, the Defense Advanced Research Projects Agency in 1997. Its main purpose at this time was to protect United States intelligence as communication through the internet became common. The first version of Tor, the Tor project was released in 2002 and two years later, in 2004, it was released to the public and known as the Second Generation Onion Router. The code was at this time released by the United States Naval Research Laboratory under a free license. Since its release and until today, some of the sponsors include large corporations including Google, different US Departments and also its former developers, organizations in other countries, and companies and individuals which want to stay anonymous.

Its users are just as diverse as its sponsors. Journalists use Tor to communicate and likewise citizen journalists which report from different places in the world where there are censorships and activists, and whistleblowers use Tor so that they can avoid repercussions. The government and different federal agencies use Tor, not only for inside communication, but also to be able to view websites on the internet that might not be legal, and being able to view these websites without leaving a trace like an IP address is a good start. One should not forget ordinary individuals, which use Tor for their own reasons. In the western hemisphere we know that the first communication outside of our own router is the Internet Service Provider (ISP) and until Edward Snowden came with his revelations about information gathering, this was not an issue of concern. But in certain countries of the world, even having the ISP know that one connected to the Tor website and the download process in bits and byte is worrisome. And websites we consider normal to view, within politics, religion, abortion and more are not legal activities to perform. This brings us to how does Tor work, what security measures are involved and is it really secure?

2. How does Tor (The Onion Router) work?
There are many ways to install Tor, but the most common of these is installing the Tor Browser Bundle. Even though Tor works on both Chrome and Firefox, the Tor Browser Bundle is a modified version of Firefox ESR, which is an Extended Support Release. This is a release that does not get functionality updates, but only security updates. The Firefox proxy settings is set to use Tor directly as a SOCKS proxy.

2.1 Step 1, The Directory Server
The first phase of a connection between our client using the Tor Browser Bundle and, for example, a webpage one wants to view on a server, is to obtain a list of Tor nodes from a directory server. These are specialized servers which are also called a Directory Authority. The exact number of DA’s are uncertain but the Tor project gives a rough estimate between 5 and 10 such servers [1]. The Tor Browser Bundle has a default list of them, and makes contact for the purpose of finding out which relays / nodes are available.

2.2 Relays in the Tor Network
The Directory Authority has a list of the relays that can be used. But before we can explain what happens when we traverse the relays from our client to our server destination, we need to know what a relay is and its purpose. Relays are in layman terms Tor volunteers which donate bandwidth and have their computer be a connection point. Everyone using the Tor Browser Bundle is not a relay. This is one way the Tor project asks for donations, having volunteers run relays. Between August 23, 2016 and November 21, 2016, which covers a three-month span, there were approximately 6,500 relays and 2,000 bridges in average. Statistics show that among the top ten countries which clients connect include the United States, Russia, Germany, Brazil and Japan [2]. The countries are located in different parts of the world and one would presume that the relays are not centered in any one place.

2.3 Step 2, Traversing the Relays
The communication from the client to the server has to pass through three relays in the Tor network. That is a security measure. The point being that anyone trying to eavesdrop on the communication cannot see both ends of the communication line. The client now chooses a path through these three relays, which could be any of numerous relays which the Tor network has to its disposal. It then builds a circuit, which one could describe as the communication line itself. What is interesting to note, and which makes Tor special, is that the relays only know about its predecessor and successor in the circuit. With the client, the three relays and the destination server included in the path, there is now no way for all to know about each other.

The first relay is called an entry guard. It is not completely picked by random. The Directory Authorities look for three characteristics that a relay must have. The relay must have been operational at least 8 days, known as time known, it must be operational as up and running known as weighted fractional uptime, and they need to have bandwidth. If a relay has all these, then it will receive a guard flag from the Directory Authority [3]. In this way the client will know how to look for the first relay, the entry guard among all the relays that exist. The entry guard is configured in such a way that it will rotate at certain weekly intervals, meaning it will not maintain its guard flag indefinitely.

After the client has connected with the first relay, the entry guard, it will pass on information to the entry guard, asking it to make one more hop to extend the circuit. This is a negotiation done through encryption keys. The first relay will then find a suitable second relay. What is interesting to note, is that it is the client, even though it does not know who the second relay is, which negotiates for the next hop. This is done through separate encryption keys, unknown to the first relay.

The last relay is called the exit node. From the exit node to the destination server, traffic is not encrypted. This is also true for the communication from the destination server and back to the exit node on the return trip to the client. That does not necessarily mean that all information is unencrypted. It also has to do with the destination server and the ability to use https. In Firefox one has the ability to use the HTTPS Everywhere extension.

3. Security Measures in Tor
The Tor Browser Bundle itself comes with some security measures. HTTPS Everywhere was created by the Tor Project and Electronic Frontier Foundation. What this does is forces the website that is viewed to use https instead of http, where that website has both protocols as an option. The Tor Browser Bundle will also block Flash, which can be manipulated into revealing the clients IP address [4]. But here we will mainly discuss encryption and how the circuit is developed.

3.1 The Directory Authority and Protocol
The onion routers need to know who else is an onion router so one can communicate and make a circuit. This is done through contacting the Directory Authority servers. They in return publish a signed network status document. Included in this document is a hash of the onion routers identity key, a hash of the most recent descriptor and other information [1], such as which onion routers are entry guard relays and exit node relays. Information that the onion router receives does not come only from one Directory Authority. It comes from more. The reason for this is to prevent an infiltrated Directory Authority from giving false information. The identity keys for the Directory Authority are unencrypted and used to sign network status documents to the onion routers. These keys are now stored offline. This is a Directory Authority signing key and it lasts for a duration of 3 to 12 months. But the Directory Authority also has an Authority Identity Key, which is long term and the two keys mentioned are not the same [1].

The way the Directory Authority knows the status of the onion routers in the Tor network, is because the routers at special times give signed router descriptors of their status. This information is its capabilities as described in part 2.3, but it also gives a status of its keys. The directory Authority will then check to see if the onion router giving a descriptor is not already assigned to another onion router with a different public key. This it can do because it keeps a record of identity keys from earlier. The identity par is referred to as Ed25519/RSA1024.

3.2 Different Types of Security
It is the RSA identity key that together with the Ed25519 master identity key that identify that the router is unique. The Ed2559 key is the master identity key which never changes. This is the key that signs and is trusted for the medium term signing key which signs duration for the 3 to 12 months. The medium signing key is also an Ed25519 key. The RSA1024 keys, apart from being used to identify the unique router is also used to decrypt the encrypted layers one layer at a time as the payload goes through the different onion routers towards its destination server. There is also a short term connection key that uses the RSA1024. This key is used for negotiating TLS connections between the involved parties in the circuit [5]. There is one more key that is essential. When the client has established communication with a relay, and wants to extend the circuit with one more hop, it uses a medium term ntor onion key. This key is used for handshakes. For the hash functions mentioned in 3.1, SHA-1 is used. The SHA-1 produces a 160-bit (20-byte) hash value known as the message digest. It is considered broken, and the Tor project website does state that this is something they should consider changing.

Diffie-Hellman is used is used for exchanging the keys. In this way the relays need not have prior knowledge of each other to establish a shared secret. Information can now be encrypted with a symmetric key cipher. The stream cipher used by Tor is 128-bit AES in counter mode [5].

3.3 Circuit Creation and Security
An entry guard relay doesn’t only receive a TCP stream from one client at a time. There can be numerous clients using the same relay. In Tor the client creates the circuits incrementally, one relay at a time. Here, the client negotiates with the relay about the symmetric key to use. This is done by the client sending the first relay a create cell. The payload of the create cell is the first half part of the Diffie Hellman handshake which is encrypted with the onion key. The onion key is the key used to decrypt the “skins of the onion”. The first relay responds with a created cell which includes the Diffie Hellman and a hash negotiated. When the client and the first relay has established a connection they can start sending encrypted relay cells.

Now the client needs to make one more hop to the next relay, which we will call relay-2. To do this the client sends a relay extend cell to the first relay, giving it the address of relay-2 and an encryption to use. The first relay uses the half-handshake and puts it into a create cell and passes this to relay-2. This is done in such a way that the client and relay-2 do not know the circuit path and have no knowledge of each other. When relay-2 responds, it does not respond to the client, but the first relay. It responds with a created cell, which the first relay wraps the payload into a relay extended cell which is then passed to the client. Even though the client and the relays further away do not know each other, the messages the client is sending is to those relays, but through the relays closer to itself [6].

After the create and created cells are used to establish the connection, the communication can continue with relay cells. Because of this anonymity between all the elements in the circuit and because a relay should only know its adjacent connections, one can say that for each relay the payload, information, is moving away from the client, a layer of encryption is pealed away. The exit node sees the original message which is sent to the destination server. The core reason it is called The Onion Router. The opposite is true on the way back from the destination server towards the client. And because of the session keys, the payload from the destination server knows which path it has to take towards the client. The cells themselves are fixed sized containing 512 bytes, consisting of a header and the payload.

4. Is Tor Secure?
Tor is secure, all depending on how one interprets the question. Tor is not completely anonymous. It does not implement any code to try to make using Tor anonymous. An Internet Service Provider (ISP) will know that one has downloaded the Tor Browser Bundle and it can detect the use of Tor. The way one likes to present it, is that the ISP doesn’t know what website the client is connected to.

4.1 Traffic Analysis
Traffic analysis could be looked upon as an attack technique that looks at communication patterns between different parts of a network. Here one can intercept and examine messages in order to find information from patterns in the communication. It does not matter if the messages are encrypted or not, the point being to try to find out who is communicating with who, when and for how long. The size of the packets could also be valuable, but in Tor there is a fixed size cell. By using traffic analysis, it could also be possible to fingerprint networks.

Making the anonymous host visible with traffic analysis could possibly be achieved in two steps. First, one has to find the relays are that are most likely to transport the communication between the client and the destination server. Then one has to correlate this traffic to find patterns. This is where the relay bandwidth comes into play, because traffic congestion can be spotted [7]. The one relay, of the entry guard, middle relay and the exit relay that is most likely to present congestion is the entry guard [8]. Still, finding the client through traffic analysis seems very difficult if not impossible without other means. That means that one either has to control or infiltrate the destination server to further be able to track the client.

One way one could manipulate the network and Tor relays is to have many volunteer relays with high bandwidth. As described earlier, Directory Authorities view bandwidth as an advantage for different purposes through the circuit.

4.2 Man-in-the-Middle Attack
A man-in-the-middle attack is an unauthorized interception in a network. The packets that are sent can either be viewed or altered by a third party and the sender is not aware of this happening. In the Tor network that would be the exit node. This is where the encryption ends from the client. From the exit node to the destination server the message is unencrypted and viewed as normal traffic.
Identity-harvesting tools exist for man-in-the-middle attacks and can be made to work through a Tor exit node [9]. The problem in such a situation is that the website, for example, requests a username and password to give access. The third party at the exit node can see this. It will also see the username and password sent to the website. The problem is that even though the third party is sniffing information, the client and website, because of infiltration of the exit node, do not truly know if they are communicating with each other, because information can be altered.

4.3 Leaking Information Unknowingly
It does not seem that the Tor Browser Bundle leaks information through the client and the relays. But human nature sometimes gets the best of us. That meaning, that sometimes the information one wants from a website might not be retrievable without plugins needing for example Flash or other plugins, scripts or no-scripts. Carelessness from the client user could very well be mentioned as a “is it secure” question. Here, one can leak both IP addresses and DNS lookups which are done outside the Tor network. It might actually not be the client leaking, but another client trying to reach the same website. With information from the leaked client, that could eventually lead back to the second client, depending on a larger investigation.

5. Conclusion
There is quite a difference between anonymity, privacy and authentication when using the Tor network. The Tor network does not hold the anonymity from the client to the destination server. It makes this communication much more robust that without it, but man-in-the-middle attacks on the exit node and an infiltration or even owning the destination server can compromise the anonymity and even reveal the client. One cannot rely simply on the Tor Browser Bundle.

There have been many interesting cases these last years about law enforcement shutting down websites on the Dark Web. Here, one is mainly referring to hidden services using Tor to hide and users using Tor to connect. Not much technological information has reached the public on how this was done. But infiltrating a destination server or making oneself out to be part of the community cannot be ruled out.

What is important is a case that came out as late as February 25, 2016, that the renowned Carnegie Mellon University’s Software Engineering Institute was contracted by the Department of Defense to study how to break Tor anonymity. They compromised the network in 2014 and at the same time found IP address information related to an individual related to the Silk Road Case. In November 2015 Roger Dingledine, one of Tors directors, accused Carnegie Mellon University for accepting $1 million dollars from the FBI. In July 2015, the Tor Project did release information stating that they had earlier had many months of unknown activity on the network, but this had been patched [10].

I have only detailed three ways out of more, where one can question if Tor is secure. One can maybe draw the conclusion that if Tor is used as instructed, it can definitely keep you safer. But attacks exist that could reveal the client, even though the client is following instructions. I have not been able to verify the case between Carnegie Mellon University and the FBI from more than one source, but if ones takes this as a possible fact, it would show that it takes manpower, skill and money to de-anonymize the client.

6. References
[1] Tor Project Website; Tor Directory Protocol version 3; https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt

[2] Tor Project Website; Tor Metrics; Top-10 countries by directly connecting users; https://metrics.torproject.org/userstats-relay-table.html

[3] Tor Project Website; The lifecycle of a new relay;
https://blog.torproject.org/blog/lifecycle-of-a-new-relay

[4] Tor Project Website; Want Tor to really work?; https://www.torproject.org/download/download.html.en#Warning

[5] Dingledine, R.; Mathewson, N.; Tor Protocol Specification. On Tor Website https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt

[6] Dingledine, R.; Mathewson, N.; Syverson, P.; Tor: The Second-Generation Onion Router. In: 13th UNENIX Security Symposium Conference. Published 2004.

[7] Sambuddho C.; Traffic Analysis Attacks and Defenses in Low Latency Anonymous Communication. In: Doctoral Thesis at Columbia University 2014. https://www.cs.columbia.edu/~angelos/Papers/theses/sambuddho_thesis.pdf

[8] Mittal, P.; Khursid, A.; Juen, J.; Caeser, M.; Borisov, N.; Stealthy Traffic Analysis of Low-Latency Anonymous Communication Using Throughput Fingerprinting. In: University of Illinois at Urbana-Champaign. https://www.princeton.edu/~pmittal/publications/throughput-fingerprinting-ccs11.pdf

[9] Sassaman, L.; How Tor puts certain users at greater risk. In: Katholieke Universiteit Leuven. https://securewww.esat.kuleuven.be/cosic/publications/article-896.pdf

[10] Mimoso, M.; Judge Confirms DoD Funded Research to Decloak Tor Users. In. Website Threat Post. https://threatpost.com/judge-confirms-dod-funded-research-to-decloak-tor-users/116464/