Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to layers of an onion.
There is a large set of precautionary measures and best practices to make web browsing safer and more secure for users. Suppose you send an HTTPS request to a server and someone intercepts it: that person cannot read the message because it is encrypted. But you may not be satisfied with this level of security and want to take it further, i.e. you don't want anyone sniffing your network to know which server you are contacting, or even whether you are making any requests at all. This is where onion routing comes in.
The Onion Routing program consists of studies that investigate, design, construct and analyze anonymous communication networks. The focus is on realistic solutions for low-latency Internet-based connections that can withstand traffic analysis, eavesdropping, and other attacks from both outsiders (such as Internet routers) and insiders (such as hackers or the Onion Routing servers themselves). Onion Routing hides who is communicating with whom from the transport medium; the network only knows that communication is taking place. Furthermore, until the transmission leaves the OR network, the content of the conversation remains hidden from eavesdroppers.
Refer to this image for details.
How does onion routing work?
If you are browsing the internet with a normal web browser such as Chrome or Firefox, you request webpages by making simple GET requests to servers without any intermediary. It is a single connection between a client and a server, and someone sniffing your network can tell which server your computer is contacting.
- Onion routing does this differently. In onion routing, the connection is maintained between different nodes, i.e. the connection hops from one server to another until the last server on the circuit passes the request to the server we wanted to contact. That server processes our request and serves the desired webpage, which is sent back to us through the same network of nodes.
- Why is it called the onion router? Because the messages we send and the responses we receive are encrypted with different keys, with a unique encryption key for every hop or server visit.
- The client has access to all the keys, but each server only has access to the key used for encryption/decryption at that server.
- This process wraps your message in layers of encryption that have to be peeled off one at a time at each hop, just like an onion, which is why it is called an onion router.
Understanding the onion routing concept with an example
Now suppose you are browsing the internet using Tor (The Onion Router), which is a special browser that lets you use the onion routers. You want to access YouTube, but you live in China, and since YouTube is banned in China you don't want your government to know that you are visiting it, so you decide to use Tor. Your computer needs to contact a particular server to get the YouTube homepage, but it doesn't contact that server directly. It goes through 3 nodes/servers/routers (these servers are maintained all over the world by volunteers) before reaching that server, so that no one can trace your conversation with it. To keep this example simple I am using 3 nodes, but a real Tor network can have hundreds of nodes in between.
Onion Routing Circuit (made using Lucidchart)
- The client, which has access to all the encryption keys (Key 1, Key 2 and Key 3), encrypts the message (a GET request) three times, wrapping it in 3 layers like an onion, which have to be peeled one at a time.
- This triple-encrypted message is then sent to the first server, i.e. Node 1 (input node).
- Node 1 only has the address of Node 2 and Key 1. It decrypts the message using Key 1, finds that the result doesn't make any sense because it still has 2 layers of encryption, and passes it on to Node 2.
- Node 2 has Key 2 and the addresses of the input and exit nodes. It decrypts the message using Key 2, finds that it is still encrypted, and passes it on to the exit node.
- Node 3 (exit node) peels off the last layer of encryption, finds a GET request for youtube.com, and passes it on to the destination server.
- The server processes the request and serves up the desired webpage as a response.
- The response passes through the same nodes in the reverse direction, and each node adds a layer of encryption using its own key.
- It finally reaches the client as a triple-encrypted response, which the client can decrypt because it has access to all the keys.
How does it provide anonymity?
Imagine there is a sniffer listening in on the first connection (client to input node). All it can learn is the address of the input node and a thrice-encrypted message that doesn't make sense. So all the attacker/sniffer knows is that you are using Tor.
Similarly, if sniffing starts at the exit node, all the sniffer sees is a server contacting another server; it can't track the client or the source of the request.
But now you may think that if someone is listening in at Node 2, they will know the addresses of the input and exit nodes and can trace the client and the destination server. It's not that simple: each of these nodes has hundreds of concurrent connections going on, and working out which one leads to the right source and destination is not easy. In our circuit, Node 2 is a middle node, but it can be part of another circuit on a different connection where it acts as the input node receiving requests or as an exit node serving up webpages from various servers.
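The three-hop walkthrough and the "what each node sees" argument above, as an added example that is not part of the original article and is not Tor's real cell format or cryptography. The node names, the JSON routing header and the helper functions are assumptions, and a SHAKE-256 keystream with an HMAC tag stands in for a real cipher so the code runs with the standard library only.

```python
import hashlib, hmac, json, os

def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key, nonce, data):  # SHAKE-256 keystream, stand-in for a real cipher
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Add one layer: nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Remove one layer; raises ValueError on a wrong key or modified data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer check failed")
    return _xor_stream(enc_key, nonce, ct)

def wrap(request, hops):
    """Client side: hops = [(key, next_hop), ...] in path order, sealed innermost first."""
    onion = request
    for key, next_hop in reversed(hops):
        onion = seal(key, json.dumps({"next": next_hop}).encode() + b"\n" + onion)
    return onion

def peel(key, onion):
    """Relay side: recover only the next hop and an opaque inner blob."""
    header, inner = unseal(key, onion).split(b"\n", 1)
    return json.loads(header)["next"], inner

def demo():
    # Constructed sample: random per-hop keys, hypothetical node names, the page's request.
    k1, k2, k3 = (os.urandom(32) for _ in range(3))
    request = b"GET / HTTP/1.1\r\nHost: youtube.com\r\n\r\n"
    onion = wrap(request, [(k1, "node2"), (k2, "node3"), (k3, "youtube.com")])
    views = []
    for name, key in (("node1", k1), ("node2", k2), ("node3", k3)):
        next_hop, onion = peel(key, onion)
        views.append((name, next_hop, b"youtube" in onion))  # can this node read the target?
    return views, onion

if __name__ == "__main__":
    print(demo()[0])
```

Each tuple in `views` is (node, the only next hop it learns, whether the destination is readable in what it forwards); only the exit node's entry is true for the last field, which is also why the exit-to-destination leg depends on the request's own encryption.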
Vulnerability in Onion Routing
The only security flaw in onion routing is this: if someone is listening at the destination server and on the client's side of the network at the same time, they can match a request seen at the destination to a request made by a client a fraction of a second earlier. They do this by analyzing the length and the frequency of the characters found in the intercepted request or response (time-stamps on requests and responses can also be helpful in deducing that). Having matched the two, they can track the client down and learn their online activity, shattering the idea of anonymity. This is pretty hard to do but not impossible, and removing this flaw from Tor is virtually impossible.
Features of onion routing:
Encryption: Onion routing encrypts each layer of data, making it difficult for an attacker to intercept and decode the data.
Anonymity: Onion routing provides anonymity by masking the IP address of the sender and the receiver, making it difficult for an attacker to identify them.
Relays: Onion routing uses a series of relays to route data through the network, with each relay only aware of the previous and next relays in the chain, adding another layer of anonymity.
Decentralized: Onion routing is decentralized, with no central authority or control over the network.
Resistance to traffic analysis: Onion routing makes it difficult for an attacker to analyze the traffic patterns and identify the source and destination of the communication.
Hidden Services: Onion routing can also be used to provide hidden services, which allow websites and other services to be hosted on the network without revealing their location or IP address.
Onion routing provides a powerful technique for enhancing the security and privacy of internet communications, particularly in situations where anonymity and resistance to traffic analysis are important. It is commonly used by activists, journalists, and others who require a high level of security and privacy in their online communications.
Advantages of Onion Routing:
Enhanced Security: Onion routing provides enhanced security by encrypting data multiple times and routing it through several servers, making it difficult for attackers to intercept or tamper with the communication.
Anonymity: Onion routing provides anonymity by masking the IP address of the sender and the receiver, making it difficult for anyone to identify them.
Resistance to Traffic Analysis: Onion routing makes it difficult for attackers to analyze the traffic patterns and identify the source and destination of the communication, thereby enhancing privacy and security.
Decentralized: Onion routing is decentralized, with no central authority or control over the network, making it more resilient to attacks.
Evades Censorship: Onion routing can help users bypass censorship and access content that may be restricted or blocked by governments or internet service providers.
Protects Whistleblowers: Onion routing can provide a safe and anonymous means for whistleblowers to communicate sensitive information without fear of reprisal or retaliation.
Enhances Privacy: Onion routing can help protect user privacy by preventing internet service providers, advertisers, and other third parties from tracking or monitoring their online activity.
Increased Accessibility: Onion routing can allow users to access content or services that may be geographically restricted or blocked, such as streaming services or websites.
Improved Network Performance: Onion routing can improve network performance by distributing traffic across multiple servers, reducing the load on any one server and potentially reducing latency.
Flexible Routing: Onion routing allows for flexible routing of data, as it is not limited to a specific route or set of nodes. This can allow for more efficient and customized routing based on network conditions or user preferences.
Secure Communications for Sensitive Data: Onion routing can provide secure communication channels for sensitive data, such as financial transactions, personal information, or confidential business communications.
Protection Against Network Surveillance: Onion routing can protect against network surveillance by government agencies or other malicious actors who may be monitoring internet traffic for surveillance purposes.
Cross-Platform Compatibility: Onion routing is compatible with multiple operating systems and devices, making it accessible to a wide range of users.
Disadvantages of Onion Routing:
Slow Performance: Onion routing can result in slow performance due to the multiple layers of encryption and the need to route data through several servers.
Limited Accessibility: Onion routing is not widely accessible, and users may need specialized software to use it.
Malicious Use: Onion routing can be used for malicious purposes, such as to facilitate illegal activities, making it a target for law enforcement agencies.
Vulnerability to Endpoints: While onion routing provides enhanced security and anonymity during transmission, the endpoints of the communication may still be vulnerable to attacks, making it important to secure the endpoints as well.
Resource Intensive: Onion routing can be resource-intensive, requiring a large number of servers to route data, which can result in high bandwidth usage and increased costs.
Vulnerable to Exit Nodes: The exit nodes of the onion routing network can be vulnerable to attacks, making it important to use reputable and trusted exit nodes.
Limited Quality of Service: Onion routing can result in limited quality of service, with slower connection speeds and reduced network capacity, which may not be suitable for certain applications such as streaming or online gaming.
Difficult to Debug: Debugging problems in onion routing networks can be difficult due to the multiple layers of encryption and the decentralized nature of the network.
This article is contributed by Palash Nigam.