| In this work, we examine why a popular anonymity network, Tor, is vulnerable to timing side-channel attacks. We explore removing this vulnerability from Tor without sacrificing its low-latency which is important for usability.;We find that Tor is vulnerable because inter-packet delays propagate along the network path from the source to the destination. This provides an easily detected signature. We explore techniques for making the timing signature either expensive or impossible to detect.;If each packet took a unique, disjoint path from source to destination the inter-packet delay signature would be undetectable. Jitter and latency would change packet arrival orders. This is impractical since the overhead for constructing these circuits would be prohibitive. We scaled this idea back to reflect how the BitTorrent protocol creates a large number of possible paths from a small number of nodes.;We form a fully connected network with the source, destination, and a small number of nodes. The number of paths through this network from source to destination grows quickly with the addition of each node. Paths do not have to include every node, so the delay of each path is different. By transmitting consecutive packets on different paths, the network delays will mask the inter-packet delay signature. |
