The Tor Project has announced a significant cryptographic overhaul, retiring its legacy relay encryption algorithm after decades of service and replacing it with Counter Galois Onion (CGO). <\/p>\n
This research-backed encryption design defends against a broader class of sophisticated online attackers.<\/p>\n
Tor\u2019s relay encryption serves a specialized function distinct from the standard TLS protocol<\/a> used between relays and clients. <\/p>\n This algorithm encrypts user data as it traverses multiple relays in a circuit, with clients sharing symmetric keys with each relay and progressively removing encryption layers. <\/p>\n The current system, now designated \u201ctor1,\u201d dates back to Tor\u2019s early years when modern cryptographic practices were still emerging. <\/p>\n While functional, tor1\u2019s design exhibits several vulnerabilities that researchers have successfully exploited in controlled settings.<\/p>\n The most severe threat is tagging attacks, in which active adversaries modify encrypted traffic<\/a> at a single network point and observe predictable changes elsewhere. <\/p>\n Tor1\u2019s reliance on AES-128-CTR encryption without hop-by-hop authentication creates a malleable ciphertext. <\/p>\n Attackers can XOR patterns into encrypted cells, knowing that modifications will persist through decryption layers. <\/p>\n By controlling both circuit endpoints, adversaries can inject identifiers such as IP addresses that traverse the entire path undetected. <\/p>\n This represents an \u201cInternal Covert Channel\u201d attack, enabling definite deanonymization before any application traffic flows.<\/p>\n Beyond tagging vulnerabilities, tor1 suffers from limited forward secrecy. Keys persist throughout a circuit\u2019s lifetime, meaning stolen keys compromise all historical traffic. <\/p>\n The algorithm also employs only a 4-byte authentication digest roughly a 1-in-4-billion forgery probability relying on path-bias detection rather than cryptographic strength. <\/p>\n Additionally, tor1 uses SHA-1, an increasingly compromised hashing function<\/a>.<\/p>\n Developed by cryptographers Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre M\u00fcnch, and Martijn Stam, CGO implements a Rugged Pseudorandom Permutation (RPRP) construction explicitly designed for Tor\u2019s asymmetric encryption model. <\/p>\n Unlike full Strong Pseudorandom Permutations, which require two passes over the data, the UIV+ foundation enables one-directional tagging resistance at reduced computational cost.<\/p>\n CGO addresses all identified vulnerabilities. Wide-block construction ensures that any tampering renders the entire message unrecoverable. <\/p>\n Chaining authentication tags across cells means that single-cell modifications garble all subsequent messages. <\/p>\n Immediate forward secrecy is provided by the Update algorithm, which irreversibly transforms keys after each cell, preventing decryption of historical traffic. Authentication now uses a robust 16-byte authenticator, replacing the deprecated digest.<\/p>\n The Tor Project <\/a>has implemented CGO in Arti (Rust) and in C for relay compatibility. Development required extensive refactoring to eliminate assumptions about relay cell structure. <\/p>\n Next steps include enabling CGO by default in Arti, implementing onion service negotiation protocols, and optimizing performance for modern CPUs.<\/p>\n While CGO represents a relatively new cryptographic design still undergoing academic scrutiny, researchers emphasize that identified weaknesses are unlikely to exceed tor1\u2019s vulnerabilities. <\/p>\n Adoption means a methodical progression toward stronger anonymity protections for millions of Tor users worldwide.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Tor Adopts Galois Onion Encryption to Strengthen Defense Against Online Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCritical Vulnerabilities Addressed<\/strong><\/h2>\n
![\"Originating](\"https:\/\/blog.torproject.org\/introducing-cgo\/cgo-originate.svg\")