The Tor Project has begun replacing its legacy relay encryption system, known as tor1, with a modern design called Counter Galois Onion (CGO).
This upgrade targets key weaknesses in Tor’s circuit traffic protection, enhancing anonymity for users worldwide.
Tor routes user data through multiple relays, each peeling off one layer of encryption like an onion.
The old tor1 method used the AES-128-CTR stream cipher alongside a short 4-byte SHA-1 digest to check data integrity across the circuit.
While effective in the early days, tor1 lacks proper hop-by-hop authentication, making encryption malleable.
Vulnerabilities In Tor’s Old Encryption
Attackers exploit tor1’s malleability through tagging attacks, where they alter ciphertext on a controlled relay.
Since counter mode computes ciphertext as C = S ⊕ P with keystream S and plaintext P, flipping bits with a pattern M yields C′ = S ⊕ (P ⊕ M), passing as valid modified data downstream.
An attacker who controls relays at both ends of the circuit detects the tag, confirms control, and traces users before real traffic flows.
This creates internal covert channels, far stronger than passive correlation, though high circuit failures might alert clients.
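The following added example (not code from the Tor Project or from this article) models the malleability described above: a mask XORed into a layered stream-cipher cell survives every later layer removal unchanged, while a hop that verifies an authenticator rejects the modified cell. The SHAKE-256 keystream is a stand-in for AES-128-CTR, the truncated HMAC is a generic per-hop check rather than CGO's UIV+ construction, and all keys, names, and cell contents are constructed.

```python
import hashlib
import hmac

CELL_LEN = 32  # constructed short cell; real Tor cells are larger
HOP_KEYS = [b"guard-key", b"middle-key", b"exit-key"]  # constructed keys
PLAINTEXT = b"constructed relay cell payload".ljust(CELL_LEN, b"\0")
MASK = bytes([0x80]) + bytes(CELL_LEN - 1)  # pattern M: flip one bit

def keystream(key: bytes, n: int) -> bytes:
    # Assumption: stand-in for AES-128-CTR; any XOR keystream behaves the same.
    return hashlib.shake_256(b"ks" + key).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def layer(key: bytes, cell: bytes) -> bytes:
    """Add or remove one hop's layer (XOR is its own inverse)."""
    return xor(cell, keystream(key, len(cell)))

def onion_wrap(hop_keys, plaintext: bytes) -> bytes:
    """Client side: one layer per hop, exit layer innermost."""
    cell = plaintext
    for key in reversed(hop_keys):
        cell = layer(key, cell)
    return cell

def relay_path(hop_keys, cell: bytes, mask_at=None, mask: bytes = b"") -> bytes:
    """Peel layers hop by hop; XOR `mask` into the cell at hop `mask_at`."""
    for i, key in enumerate(hop_keys):
        if i == mask_at:
            cell = xor(cell, mask)
        cell = layer(key, cell)
    return cell

def hop_tag(mac_key: bytes, cell: bytes) -> bytes:
    """Generic 16-byte per-hop authenticator (truncated HMAC-SHA256)."""
    return hmac.new(mac_key, cell, hashlib.sha256).digest()[:16]

def hop_accepts(mac_key: bytes, cell: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hop_tag(mac_key, cell), tag)

def demo():
    sent = onion_wrap(HOP_KEYS, PLAINTEXT)
    clean = relay_path(HOP_KEYS, sent)                          # equals P
    tagged = relay_path(HOP_KEYS, sent, mask_at=0, mask=MASK)   # equals P xor M
    tag = hop_tag(b"guard-mac-key", sent)
    return clean, tagged, hop_accepts(b"guard-mac-key", sent, tag), hop_accepts(b"guard-mac-key", xor(sent, MASK), tag)

if __name__ == "__main__":
    print(demo())
```

The mask comes out the far end as exactly P ⊕ M because each layer is a plain XOR; the authenticated hop accepts the untouched cell and rejects the masked one.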
Tor1 also lacks forward secrecy, reusing keys across entire circuits that last days, allowing past traffic to be decrypted if keys leak.
Its tiny digest offers a 1-in-4-billion chance of forgery, relying on path-based defenses rather than robust tags.
According to Tor, CGO deploys a Rugged Pseudorandom Permutation (RPRP) named UIV+, crafted by cryptographers Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, and Martijn Stam.
It splits cells into a short left part for tweakable block-cipher (LRW2-AES) processing and a longer right part, XORed with a pseudorandom stream.
Tags are chained across cells: each encrypted tag T seeds the next tweak T′, and the originating cells update keys and nonce via an irreversible transform.
Any tampering garbles the whole cell and chains forward, blocking tags. Keys ratchet per cell for immediate secrecy, and 16-byte authenticators replace SHA-1, slashing forgery odds.
Efficiency stays high versus wide-block rivals, avoiding per-layer overheads that bloated bandwidth.
Developers integrated CGO into the Rust-based Arti client and C Tor relays, refactoring cell handling for flexibility.
It remains experimental, pending default enablement, onion service support, and CPU tweaks. Users gain benefits automatically post-deployment, bolstering Tor against active threats.
