The Tor Project has announced that it is replacing its original relay encryption method, called tor1, with a new design that it calls Counter Galois Onion (CGO) in a bid to improve security against active online attackers. The Tor Project said that the new cryptography method has been implemented in Arti (the Rust Tor implementation) and in the C Tor implementation for relays.
Three problems identified with the old tor1 encryption are tagging attacks, a lack of immediate forward secrecy, and weak authentication. Among these, tagging attacks are the biggest issue. Tor1 uses AES-CTR without hop-by-hop authentication, making it malleable. This means an attacker can de-anonymize users, potentially.
The lack of immediate forward secrecy present in tor1 means the same AES keys are used for the entire life of the circuit (the route you take to connect to a website). If a key gets stolen, all previous traffic on a long-lived circuit can be decrypted.
Finally, tor1 has weak authentication. It uses a small 4-byte digest based on SHA-1, creating a 1-in-4 billion chance of undetected cell forgery. With the new CGO encryption, the 4-byte digest is replaced with a stronger 16-byte authenticator.
Addressing the forward secrecy, CGO has an “Update” construction that transforms the encryption keys irrecoverably every time a new cell is originated or received. This eliminates the ability to decrypt earlier cells. It also prevents tagging attacks by using a wide-block construction. If the input is tampered with, it renders the entire output unrecoverable.
If you use the Tor Browser or Tails operating system, you will eventually benefit from this change, but it will be a silent change in the background that you don’t have to think about.
If you’re not familiar with Tor, it is a network to assist you in anonymizing your browsing activities. The main way people use it is via the Tor Browser, but other tools such as Tails OS and Orbot leverage it to.
To reiterate what was said at the start, the new cryptography method has been implemented in Arti (the Rust Tor implementation) and in the C Tor implementation for relays. The Tor Project did not specify if, or which Tor Browser version will get this update.
