Tor Upgrades Onion Relay Encryption with New Algorithm
▼ Summary
– Tor has replaced its old tor1 relay encryption with a new Counter Galois Onion (CGO) system to improve security and resilience against modern traffic-interception attacks.
– The Tor network uses onion routing through three relays to encrypt data, enabling private communication, anonymity, censorship bypass, and evasion of ISP tracking for its users.
– Tor1’s vulnerabilities included malleable encryption allowing tagging attacks, partial forward secrecy enabling decryption if keys were stolen, and weak 4-byte SHA-1 authentication.
– CGO addresses these issues with wide-block encryption, key updates after every cell for full forward secrecy, and a 16-byte authenticator to prevent tampering and forgery.
– The CGO upgrade is being integrated into Tor’s software and will automatically benefit users once fully deployed, though no timeline has been provided for its default implementation.
The Tor network has taken a major step forward in user security by introducing a new encryption algorithm designed to protect against sophisticated modern threats. This upgrade replaces the older tor1 relay encryption with a system called Counter Galois Onion (CGO), strengthening the entire network against potential attacks that could compromise anonymity and data integrity. By addressing specific vulnerabilities in the previous design, Tor ensures that individuals relying on its service for private communication can browse with greater confidence.
Tor operates through a worldwide collection of relays that direct data packets through a circuit consisting of three hops: an entry relay, a middle relay, and an exit relay. Each relay adds a layer of encryption, a technique known as onion routing, which helps obscure the origin and destination of internet traffic. People who use the Tor Browser, a specially configured version of Firefox, depend on this system to communicate privately, access information without being tracked, avoid censorship, and protect their identities. The network serves a wide range of users, including journalists, activists, researchers, and others who prioritize privacy, though it is also sometimes exploited for illegal activities.
According to the project’s announcement, the tor1 encryption method was developed during an era when cryptographic standards were less advanced. It suffered from several security shortcomings that the new CGO system now resolves. One significant issue was the use of AES-CTR encryption without hop-by-hop authentication, which made relay encryption malleable. This weakness allowed an adversary controlling certain relays to alter traffic and observe predictable changes, a type of tagging attack. Another problem was that tor1 only provided partial forward secrecy, reusing the same AES keys for the entire lifetime of a circuit. If those keys were ever stolen, past communications could be decrypted. A third concern was the reliance on a 4-byte SHA-1 digest for cell authentication, which gave attackers a one in four billion chance to forge a cell without detection.
CGO effectively tackles each of these vulnerabilities. It is built on a Rugged Pseudorandom Permutation construction known as UIV+, which was designed by a team of cryptography researchers. The Tor project confirms that this new system has undergone verification to ensure it meets critical security requirements. These include resistance to tagging, immediate forward secrecy, longer authentication tags, limited bandwidth overhead, efficient operation, and the use of modern cryptographic techniques.
Key improvements offered by CGO include robust tagging protection through wide-block encryption and tag chaining. Any attempt to modify a cell renders not only that cell but all subsequent cells unrecoverable, effectively neutralizing tagging attacks. The system also achieves immediate forward secrecy by updating encryption keys after every single cell. This means that even if an attacker obtains the current keys, they cannot decrypt any previously transmitted data. Additionally, CGO eliminates the outdated SHA-1 algorithm entirely from relay encryption, replacing it with a much stronger 16-byte authenticator. The Tor team notes that this is the type of authentication “sensible people use.” Finally, circuit integrity is strengthened because CGO chains encrypted tags and initial nonces across cells, so each cell’s validity depends on all previous cells, making tampering easily detectable.
Overall, CGO represents a modern, research-backed encryption and authentication framework that fixes tor1’s weaknesses without introducing significant performance costs. Developers are currently integrating CGO into the C Tor implementation and the Rust-based Arti client, marking the feature as experimental for now. Remaining tasks include adding support for onion service negotiation and carrying out performance optimizations. Once fully deployed, the upgrade will happen automatically in the background. Tor Browser users will not need to take any action to benefit from the improved security, though the project has not yet announced a specific timeline for when CGO will become the default.
(Source: Bleeping Computer)