In-depth analysis of Tor changes: CGO, or how 2025 cryptography crushes 2002 standards
In my last post, I hinted at a revolution coming to the Tor network. But for those of you who like to know "how it works under the hood," I’ve prepared a deeper analysis. The change in the relay encryption algorithm from the veteran "tor1" to Counter Galois Onion (CGO) is a fascinating piece of engineering.
Here is exactly what is changing and why you should be excited (or at least feel safer).
Why "tor1" had to die: Anatomy of an attack
The old protocol, which the creators have only now named "tor1" (just to have something to put in the documentation for its deprecation), was created around 2002. It was based on the AES-128-CTR stream cipher.
The main problem was the so-called malleability of the stream cipher. In counter mode (CTR), the ciphertext ($C$) is created by XORing the keystream ($S$) with the plaintext ($P$), i.e., $C = S \oplus P$. This is elementary school math that served as the nail in the coffin for anonymity:
- If an attacker (let's call him Mr. Nosy) intercepts an encrypted packet and XORs it with his own pattern ($M$), the plaintext—once decrypted by the victim—will also contain that pattern.
- The attacker can therefore "tag" traffic at the entry to the network and listen for where this corrupted pattern emerges at the exit.
- The result? Total deanonymization of the circuit before we even send any data.
Worse still, users often confused the effects of these attacks (dropped connections) with DDoS attacks, causing false alarms in Tor client logs.
CGO: Cryptographic "All or Nothing"
The new standard, Counter Galois Onion (CGO), is based on the UIV+ construction and the concept of Rugged Pseudorandom Permutation (RPRP). Instead of a simple stream, we are dealing with a wide-block cipher design that is resistant to malleability.
How does it work in practice?
- Domino Effect: Every cell is encrypted in such a way that it depends on the previous ones. CGO uses a 16-byte tag $T$, which is passed ("chained") to the next cell as $T'$.
- Destruction instead of modification: If an attacker changes even a single bit in the transmitted packet, the decryption algorithm will "explode." The entire message, and all subsequent ones in that circuit, will become unreadable garbage. The attacker can no longer "draw a dot" on the traffic—they can only burn the packet, which is easy to detect and does not reveal the sender's identity.
- Forward Secrecy: In "tor1", AES keys lived for the entire duration of the circuit. In CGO, with every cell sent or received, the keys are updated via an
Updatefunction. If someone steals the key at minute 5 of the connection, they cannot decrypt what happened in minute 4.
Performance: Where do we gain, and where do we lose?
This is perhaps the biggest surprise. Usually, "safer" means "slower." Here, we have an interesting anomaly. The old protocol used SHA-1 for integrity verification. SHA-1 is slow. CGO eliminates this overhead.
Benchmarks (conducted on Intel Cascade Lake processors) show the following results:
- Endpoints (Client/Proxy and Exit Node): Here, CGO is 3 times faster than the old Tor! This is a huge relief for overloaded exit nodes.
- Intermediate Nodes (Relays): Here we see a slowdown of 20-50%. This stems from the fact that the old Tor only performed very fast AES-CTR on middle nodes, whereas now they must perform the slightly more complex CGO math.
However, the creators reassure us—the gain at the edges of the network is more important, and modern processors with AES-NI and PCLMUL instructions (used to optimize CGO) will handle the overhead on intermediate nodes.
What next?
The implementation of CGO is already ready in Arti (the Tor client written in Rust) as well as in the classic C implementation. The next steps include enabling CGO by default in Arti and deploying CGO negotiation for onion services.
It is a fascinating moment where we see how academic cryptography (research by Degabriele, Melloni, Münch, Stam) is realistically fixing the internet.
Aleksander
Sources:
- Tor Project Blog: Counter Galois Onion
- Paper: Counter Galois Onion: Fast Non-Malleable Onion Encryption for Tor
- Tagging Attack Details (based on the "Problem 1: Tagging attacks" section)
- Implementation specs in Arti
About the Author
Dyrektor ds. Technologii w SecurHub.pl
Doktorant z zakresu neuronauki poznawczej. Psycholog i ekspert IT specjalizujący się w cyberbezpieczeństwie.
Powiązane artykuły
RODO i Cyberbezpieczeństwo: Praktyczny Przewodnik - Strategie, Technologia i Operacjonalizacja Zgodności
Współczesny ekosystem cyfrowy funkcjonuje w warunkach bezprecedensowej konwergencji wymogów prawnych i wyzwań technologicznych. Rozporządzenie o Ochronie Danych Osobowych (RODO), które weszło w życie w maju 2018 roku, trwale zmieniło sposób, w jaki organizacje muszą postrzegać bezpieczeństwo informacji.
Cloud Security 2025: Najlepsze Praktyki dla AWS, Azure i GCP - Zero Trust, IAM, CSPM i Shared Responsibility Model
Błędna konfiguracja IAM to główna przyczyna incydentów w chmurze. Odkryj różnice między AWS, Azure i GCP w modelu Shared Responsibility, jak wdrożyć Zero Trust, unikać "toxic combinations" uprawnień, zabezpieczyć klucze CMK i zautomatyzować CSPM dla compliance NIS2.
Incident Response Plan 2025: Jak Przygotować Firmę na Cyberatak? - Wymogi NIS2, Reguła 24/72h i Tabletop Exercises
W 2025 pytanie brzmi "kiedy", nie "czy" nastąpi atak. Zarząd ponosi osobistą odpowiedzialność do 600% wynagrodzenia, NIS2 wymaga raportowania w 24/72h, a "wyciągnięcie wtyczki" może zniszczyć dowody. Praktyczny przewodnik budowy IRP - od CSIRT po Tabletop Exercises.
Komentarze
Ładowanie komentarzy...