Tor Project Announces Relay Encryption Scheme Improvements

Today, the Tor Project announced they are sunsetting one of the oldest and most important encryption algorithms in Tor, the relay encryption algorithm, and replacing it with a research-backed new design called "Counter Galois Onion" (CGO), which will be supported in upcoming Tor and Arti releases.

According to the project, CGO adds forward secrecy to Tor connections, prevents attackers from tampering with encrypted traffic, and "brings Tor's encryption up to modern standards." Their blog post states:

This overhaul will defend users against a broader class of online attackers [...] and form the basis for more encryption work in the future.

Tor already uses the standard TLS protocol for encryption between relays in a circuit, and encryption between clients and relays. However, for end-to-end protection of the content itself, Tor additionally requires the use of a "specialized algorithm" designed for encrypting user data as it traverses multiple relays.

The design of this specialized algorithm isn't exactly what you would design today with modern cryptography knowledge. Tor was designed when AES was brand new, and authenticated encryption was only beginning to emerge as a field of study. It's a lack of proper authentication that poses a threat to Tor.

The biggest problem Tor is addressing with this change is "tagging attacks," which they describe as the ability for an active attacker to trace traffic by modifying it at one place in the network and then observing behavior elsewhere in the network. Attackers are not able to modify the content you eventually see, but this attack can be used by an attacker to ensure they control both ends of your Tor circuit.

Here's why: When an attacker modifies a circuit with a specific pattern, honest relay nodes will fail (not deanonymizing you), but Tor clients will keep retrying that connection. Eventually, your client could try using a relay which is controlled by the same attacker, at which point they could undo the pattern of data they've modified, and return the proper data to your client. Additionally, the specific pattern they use could be used to encode the client's IP address or another unique identifier and transmit it between the attacker's nodes.
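The malleability behind tagging, shown as an added example that is not code from Privacy Guides or the Tor Project: in a three-hop onion built from an XOR keystream, a pattern introduced at the first hop reaches the last hop intact, while a layer in which every output byte depends on every input byte destroys it. The SHA-256 keystream, the 4-byte check, the toy Feistel layer, and all keys and payloads are constructed stand-ins, not Tor's current cipher or CGO.

```python
import hashlib

def keystream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: stand-in for a counter-mode keystream (assumption).
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_layer(key: bytes, cell: bytes, decrypt: bool = False) -> bytes:
    # Malleable layer: adding and stripping a layer are the same XOR.
    return xor(cell, keystream(key, len(cell)))

def wide_layer(key: bytes, cell: bytes, decrypt: bool = False) -> bytes:
    # Toy 4-round Feistel over the whole cell (even length required):
    # every output byte depends on every input byte, so edits do not stay local.
    h = len(cell) // 2
    a, b = cell[:h], cell[h:]
    for r in (range(3, -1, -1) if decrypt else range(4)):
        f = lambda half: keystream(key + bytes([r]) + half, h)
        a, b = (xor(b, f(a)), a) if decrypt else (b, xor(a, f(b)))
    return a + b

def run(layer) -> tuple:
    keys = [b"guard", b"middle", b"exit"]                   # constructed hop keys
    payload = b"constructed data"                           # constructed 16-byte payload
    cell = payload + hashlib.sha256(payload).digest()[:4]   # check only the last hop verifies
    for k in reversed(keys):                                # client adds one layer per hop
        cell = layer(k, cell)
    tag = b"\xa5" + bytes(len(cell) - 1)                    # pattern XORed into the cell
    c = xor(layer(keys[0], cell, True), tag)                # first hop strips its layer, alters cell
    c = layer(keys[2], layer(keys[1], c, True), True)       # honest middle, then last hop
    ok = lambda x: hashlib.sha256(x[:-4]).digest()[:4] == x[-4:]
    # (honest last hop accepts?, cell valid again once the same pattern is removed?)
    return ok(c), ok(xor(c, tag))

if __name__ == "__main__":
    print("stream layers:", run(stream_layer))
    print("wide layers:  ", run(wide_layer))
```

In both cases the honest last hop rejects the cell, which is the circuit failure the client can observe. Only with the XOR layers does the cell become valid again when the same pattern is removed.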

According to Tor:

The downside for the attacker is that the resulting failure rate of circuits can be detected by the client. Currently, Tor clients emit log notices and warnings when circuit failure rates are excessively high. Unfortunately, as vigilant users have noticed, when the DDoS attacks on Tor become severe, these detectors give false alarms.

Tor Project is officially updating its threat model to specifically cover threats like this.

The other attacks addressed by CGO are minor in comparison, but still worth resolving. The current lack of forward secrecy for messages on a circuit is an issue, but since circuits typically don't last very long in the first place, the window of opportunity for attackers is small. Tor believes longer-lived circuits may be better for anonymity, however, so adding in forward secrecy will allow them to do that in the future if they decide it makes sense.

Their blog post has many more technical details if you are interested in learning more about the current and future state of relay encryption:

Counter Galois Onion: Improved encryption for Tor circuit traffic | Tor Project
Tor is upgrading its relay encryption algorithm for improved security. In upcoming releases, Arti and Tor will both support a new encryption algorithm called Counter Galois Onion (CGO). CGO prevents attackers from tampering with encrypted traffic, adds forward secrecy, and brings Tor’s encryption up to modern standards.

The Tor Project says implementation of CGO is currently underway.
