This is a paper proposing improvements to onion routing, which anonymises data traffic and communications on the internet. The proposal is to put the routing protocol at network level, providing higher speed transmission and adding encryption features.
In this paper, we address the question of “what minimal mechanism can we use to frustrate pervasive surveillance?” and study the design of a high-speed anonymity system supported by the network architecture. We propose HORNET, a scalable and high-speed onion routing scheme for future Internet architectures. HORNET nodes can process anonymous traffic at over 93 Gb/s and require no per-flow state, paving the path for Internet-scale anonymity. Our experiments show that small trade-offs in packet header size greatly benefit security, while retaining high performance.
Recent revelations about global-scale pervasive surveillance programs have demonstrated that the privacy of Internet users worldwide is at risk. These revelations suggest that massive amounts of private data, including web browsing activities, location information, and personal communications, are being harvested in bulk by domestic and foreign intelligence agencies. The surveillance-prone design of the Internet, accompanied by the decreasing cost of data storage, has enabled mass surveillance through indiscriminate data collection and storage.
To protect against these and other surveillance threats, several anonymity protocols, tools, and architectures have been proposed. Among the most secure schemes for anonymous communications are mix networks, which are useful for cases where high-latency asynchronous messaging can be tolerated. Onion routing networks (most notably Tor) offer a balance between security and performance, enabling low-latency anonymous communication suitable for typical Internet activities (e.g., web browsing, instant messaging, etc.). Tor is the system of choice for over 2 million daily users, but its design as an overlay network suffers from performance and scalability issues: as more clients use Tor, more relays must be added to the network. Additionally, Tor’s design requires per-connection state to be maintained by intermediate nodes, limiting the total number of anonymous connections that can take place concurrently.
The scalability and performance limitations of anonymous networks have been partially addressed by building protocols into the network layer rather than implementing them as overlays. Among these high-performing schemes are LAP and Dovetail, which offer network-level low-latency anonymous communication on next-generation network architectures. The high performance of both schemes, however, comes at the cost of significantly degraded security guarantees: endpoints can be de-anonymized if the adversary has global data collection abilities, and payload protection relies on upper-layer protocols, which increases complexity.
In this paper, we present HORNET (High-speed Onion Routing at the NETwork layer), a highly-scalable anonymity system that leverages next-generation Internet architecture design. HORNET offers payload protection by default, and can defend against some global observation attacks. HORNET is designed to be highly efficient: instead of keeping state at each relay, connection state (including, e.g., onion layer decryption keys) is carried within packet headers, allowing intermediate nodes to quickly forward traffic for large numbers of clients.
While this paper proposes and evaluates a concrete anonymity system, a secondary goal herein is to broadly re-think the design of low-latency anonymity systems by envisioning networks where anonymous communication is offered as an in-network service to all users.
For example, what performance trade-offs exist between keeping anonymous connection state at relays and carrying state in packets? If routers perform anonymity-specific tasks, how can we ensure that these operations do not impact the processing of regular network traffic, including in adversarial circumstances? And if the network architecture should provide some support for anonymous communication, what should that support be? Throughout the paper we consider these issues in the design of our own system, and provide intuition for the requirements of other network-level anonymity systems.
Specifically, our contributions are the following:
• We design and implement HORNET, an anonymity system that uses source-selected paths and shared keys between endpoints and routers to support onion routing. Unlike other onion routing implementations, HORNET routers do not keep per-flow state or perform computationally expensive operations for data forwarding, allowing the system to scale as new clients are added.
• We analyze the security of our system, showing that it can defend against passive attacks, and certain types of active attacks. Our system provides stronger security guarantees than existing network-level anonymity systems.
• We evaluate the performance of our system, showing that anonymous data processing speed is comparable to that of LAP and Dovetail (up to 93.5 Gb/s on a 120 Gb/s software router). Each HORNET node can process traffic for a practically unlimited number of sources.
Here is a direct link to the pdf of the paper…