Tor, the world's largest and most well-known "onion router" network, offers a degree of anonymity that has made it a popular tool of journalists, dissidents, and everyday Internet users who are trying to avoid government or corporate censorship (as well as Internet drug lords and child pornographers). But one thing that it doesn't offer is speed—its complex encrypted "circuits" bring Web browsing and other tasks to a crawl. That means that users seeking to move larger amounts of data have had to rely on virtual private networks—which while they are anonymous, are much less protected than Tor (since VPN providers—and anyone who has access to their logs—can see who users are).

A group of researchers—Chen Chen, Daniele Enrico Asoni, David Barrera, and Adrian Perrig of the Swiss Federal Institute of Technology (ETH) in Zürich and George Danezis of University College London—may have found a new balance between privacy and performance. In a paper published this week, the group described an anonymizing network called HORNET (High-speed Onion Routing at the NETwork layer), an onion-routing network that could become the next generation of Tor. According to the researchers, HORNET moves anonymized Internet traffic at speeds of up to 93 gigabits per second. And because it sheds parts of Tor's network routing management, it can be scaled to support large numbers of users with minimal overhead, they claim.

Like Tor, HORNET encrypts encapsulated network requests in "onions"—with each layer being decrypted by each node passing the traffic along to retrieve instructions on where to next send the data. But HORNET uses two different onion protocols for protecting anonymity of requests to the open internet and a modified version of Tor's "rendezvous point" negotiation for communication with a site concealed within the HORNET network.

When sending a request to a site that isn't protected by HORNET, a more Tor-like "Sphinx" onion protocol is first used to set up the channel. "Each Sphinx packet allows a source node to establish a set of symmetric keys, one for each node on the path through which packets are routed," the researchers explained. Those keys, created via a Diffie-Helman exchange, are used to encrypt the "Forwarding Segment"—the chain of session state information for the stream of data packets that follow. "The [Forwarding Segment] allows its creating node to dynamically retrieve the embedded information (i.e., next hop, shared key, session expiration time), while hiding this information from unauthorized third parties," Chen et al wrote.

For the actual data packets, the sending system collects all of the forwarding segments from each node on the channel to the destination and combines them into what the researchers call an anonymous header (AHDR). "An AHDR grants each node on the path access to the [forwarding segment] it created, without divulging any information about the path except for a node’s previous and next nodes," they explained. The data itself is "onioned", encrypted with the keys for each of the nodes in the channel, until it reaches its destination. The upside of this approach, Chen et al said, is that it drastically reduces the cryptography work required for each packet, as well as the amount of session flow information the network has to manage.

For communications between two nodes that are both anonymized by HORNET—a scenario like Tor's method of connecting users' requests to "hidden services"—the researchers propose an approach that lets any node on the network act as a rendezvous point for communication to keep both the source and destination of traffic hidden from each other. Hidden services select a rendezvous point and set up a session using the Sphinx protocol, then publish an AHDR to a directory that has the encrypted information about how to get from the rendezvous point to the service. When a client goes to connect to a service, it finds the rendezvous point in the directory, along with the AHDR for the trip to the service, and then builds its own connection to the rendezvous point—adding the AHDR provided to get to the service to its own and a header with information for the return trip back.

The upsides of this scheme—in addition to the fact that any node can act as a rendezvous point without having to maintain state information about the connection—are that a service can advertise multiple rendezvous points in a directory, and a client can pick one that is closest in terms of network time. The two ends can also re-negotiate the route traffic takes through a better rendezvous point to improve performance as channels are expired. On the downside, the size of the headers used to communicate between the two is doubled in size,

As implemented in its testing, HORNET's routing nodes can actually be embedded in network routers. The researchers build HORNET infrastructure code into Intel software routers using the Data Plane Development Kit (DPDK). HORNET client code, which included hidden services, was built in Python. "To our knowledge, no other anonymity protocols have been implemented in a router SDK," the researchers wrote.

HORNET, like Tor, is not immune to targeted attacks on anonymity. If an attacker, such as a government agency or law enforcement organization, could control more than one of the nodes along a path selected for a HORNET channel, they would be able to perform "confirmation attacks"—the sort of timing analysis, flow analysis, and packet tagging that other security researchers have demonstrated could be used against Tor. "HORNET cannot prevent such confirmation attacks targeting individual users," the researchers concluded. "However, HORNET raises the bar of deploying such attacks for secretive mass surveillance: the adversary must be capable of controlling a significant percentage of ISPs often residing in multiple geopolitical boundaries, not to mention keeping such massive activity confidential."