- 855
- 236
Tor Project developers announced the implementation of a new traffic encryption algorithm, Counter Galois Onion (CGO), which will replace the outdated Tor1. The main goal of the upgrade is to increase the network's resilience to modern data interception attacks and strengthen user anonymity.
As the project team explains, Tor1 was created during an era when cryptography was less advanced, and since then, standards have advanced, exposing the vulnerabilities of the old algorithm.
Tor1's main problem is its use of AES-CTR encryption without authentication between nodes. This makes traffic vulnerable to tagging attacks, where an attacker controlling multiple nodes can modify data and track predictable changes.
Another vulnerability is the use of only partial forward secrecy. Tor1 uses the same AES keys throughout the entire chain, allowing all traffic to be decrypted if the key is stolen. Additionally, a 4-byte SHA-1 digest is used for block authentication, giving an attacker a one-in-four-billion chance of forging a block.
The new CGO algorithm is built on a Rugged Pseudorandom Permutation (RPRP) cryptographic construct called UIV+ and has been tested for compliance with modern security requirements. It improves several aspects and offers:
Work is already underway to integrate CGO into the C implementation of Tor and the Rust client Arti, but the feature is currently experimental. The developers still need to configure the negotiation for onion services and optimize performance. The transition to the new algorithm will occur automatically after full deployment, but the exact timeframe for when CGO will become the default has not yet been announced.
As the project team explains, Tor1 was created during an era when cryptography was less advanced, and since then, standards have advanced, exposing the vulnerabilities of the old algorithm.
Tor1's main problem is its use of AES-CTR encryption without authentication between nodes. This makes traffic vulnerable to tagging attacks, where an attacker controlling multiple nodes can modify data and track predictable changes.
Another vulnerability is the use of only partial forward secrecy. Tor1 uses the same AES keys throughout the entire chain, allowing all traffic to be decrypted if the key is stolen. Additionally, a 4-byte SHA-1 digest is used for block authentication, giving an attacker a one-in-four-billion chance of forging a block.
The new CGO algorithm is built on a Rugged Pseudorandom Permutation (RPRP) cryptographic construct called UIV+ and has been tested for compliance with modern security requirements. It improves several aspects and offers:
- Tagging protection. CGO uses wide-block encryption and tag chaining, and any attempt to modify it renders the current and all subsequent blocks unrecoverable, completely blocking attacks.
- Immediate forward secrecy. Keys are updated after each block, so even if the current keys are compromised, past traffic remains encrypted.
- Strong authentication. SHA-1 is completely eliminated from relay encryption; instead, CGO uses a 16-byte authenticator—a standard that, according to the developers, "reasonable people rely on."
- CGO links encrypted tags (T') and initial nonces (N) between data blocks—each block depends on all previous ones, making undetectable counterfeiting impossible.
Work is already underway to integrate CGO into the C implementation of Tor and the Rust client Arti, but the feature is currently experimental. The developers still need to configure the negotiation for onion services and optimize performance. The transition to the new algorithm will occur automatically after full deployment, but the exact timeframe for when CGO will become the default has not yet been announced.