Pentagon Hides Behind Onion Wraps

The dot-mil in its e-mail addresses does little to preserve the CIA's anonymity. That's why the Pentagon has a new technology that bounces Internet communications around like pinballs. Declan McCullagh reports from the Usenix security conference in Washington.

Onions may be the secret ingredient in protecting the Pentagon's classified information.

During an afternoon presentation at the Usenix Security conference on Thursday, a researcher at the U.S. Naval Research Laboratory described a technology known as "Onion Routing," which preserves anonymity by wrapping the identity of users in onion-like layers.

"Public networks are vulnerable to traffic analysis. Packet headers identify recipients, and packet routes can be tracked," said Paul Syverson, who works at the NRL's Center for High Assurance Computer Systems. "Even encrypted data exposes the identity of the communicating parties."

Even if you bother to scramble the contents of your message, someone snooping your e-mail or Web-browsing habits can still see your Internet address and the address of the person or website with whom you're communicating. In other words, if you're a CIA or military intelligence agent, you don't want to visit the website of an underground group and risk revealing you're coming from a dot-mil network.

The Onion Routing solution, which follows much the same recipe as Zero-Knowledge Systems' Freedom software and the cypherpunk-developed Mixmaster remailers, is to forward communications through a chain of relays that bounces Internet packets around like pinballs and hides the origin and destination from all but the most determined eavesdroppers.

Syverson said that the U.S. government was awarded patent number 6,266,704 for Onion Routing on July 24.

That announcement prompted an angry reaction from Usenix attendees, many of whom are programmers, security consultants and system administrators, who aren't big fans of software patents -- especially in the area of anonymous communications, where there's been so much prior work before the Navy ever got involved.

Cryptographer David Chaum, for instance, wrote an article titled "Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms" for Communications of the ACM as far back as 1981. Lance Cottrell, who now runs anonymizer.com, wrote part of the Mixmaster system in the early 1990s, and similar techniques were discussed on the cypherpunks mailing list even earlier.

Syverson, who is listed on the patent with co-inventors Michael Reed and David Goldschlag, defended the government's move. "It is a necessary step for those of us working for the government to bring technology to the public," Syverson said.

The patent describes Onion Routing, which has been the subject of analysis at previous security conferences, as providing "an electronic communication path between an initiator and a responder on a packet-switching network comprising an onion routing network that safeguards against traffic analysis and eavesdropping by other users of the packet switching network" such as the Internet.

Onion Routing works through a chain of several routers. The sender wraps the data in successive layers of public key encryption, one layer for each router on the path. Each router can strip only its own layer, which tells it the next hop and nothing more, so no single router, and no eavesdropper watching a single link, sees both the original sender and the final destination.

"The originating proxy server knows the routing topography and picks the route the packet will take at random," Syverson said.
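The layering described above, as an added illustration that is not the Navy's code: a sender builds a three-layer onion for a constructed route R1, R2, R3 and a constructed destination, and each router peels exactly one layer. Where the NRL design uses public key encryption to build each layer, this toy substitutes a per-hop symmetric key with an HMAC-SHA256 keystream and authentication tag, an assumption made to keep the example dependency-free; the point it shows is the same, that an intermediate router learns only its successor.

```python
"""Toy onion routing: each relay learns only the next hop (added example, not NRL code)."""
import base64
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for a real stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """One onion layer: nonce || ciphertext || tag over (nonce, ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; a router holding the wrong key gets an error, not plaintext."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("layer failed authentication")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_onion(route, destination: str, payload: bytes) -> bytes:
    """route: list of (router_name, key) in forwarding order.

    The innermost layer (for the last router) names the destination and carries the
    payload; every outer layer names only the next router and wraps the inner blob.
    """
    names = [name for name, _ in route]
    keys = [key for _, key in route]
    inner = {"next": destination, "payload": payload.decode()}
    blob = seal(keys[-1], json.dumps(inner).encode())
    for i in range(len(route) - 2, -1, -1):
        layer = {"next": names[i + 1], "inner": base64.b64encode(blob).decode()}
        blob = seal(keys[i], json.dumps(layer).encode())
    return blob


def peel(key: bytes, blob: bytes):
    """What one router does: remove its layer, return (next_hop, what to forward)."""
    layer = json.loads(unseal(key, blob))
    if "inner" in layer:
        return layer["next"], base64.b64decode(layer["inner"])
    return layer["next"], layer["payload"].encode()


def forward(onion: bytes, route):
    """Walk the onion through every router, recording what each one learned."""
    observations = []
    blob = onion
    for name, key in route:
        next_hop, blob = peel(key, blob)
        observations.append((name, next_hop))
    return observations, blob


# Constructed route, destination and payload for the demonstration.
ROUTE = [("R1", secrets.token_bytes(32)), ("R2", secrets.token_bytes(32)), ("R3", secrets.token_bytes(32))]
DESTINATION = "underground.example:80"
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
ONION = build_onion(ROUTE, DESTINATION, PAYLOAD)

if __name__ == "__main__":
    seen, delivered = forward(ONION, ROUTE)
    for router, hop in seen:
        print(f"{router} learned only: next hop = {hop}")
    print("delivered:", delivered)
```

Note that R2 never sees the destination string or the payload, only the encrypted blob for R3, and that a router trying to open a layer that is not its own gets an authentication failure rather than a peek inside.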

This year's Usenix Security confab -- the next one is in San Francisco -- was most notable for a packed presentation Wednesday, where Princeton University professor Ed Felten and his co-authors presented a paper describing how they broke a digital watermarking scheme.

Music industry groups, including the Recording Industry Association of America, had warned at one point of a possible lawsuit under the Digital Millennium Copyright Act if Felten described the paper at a previous conference in April. They now say that they never threatened the research team.

Another paper presented was titled "Inferring Internet Denial-of-Service Activity," which describes a novel technique to learn the frequency of denial-of-service attacks.

Denial-of-service attacks typically forge the return Internet protocol (IP) address on each packet, so the victim's replies go to random addresses rather than back to the attacker. By monitoring a large block of otherwise unused IP addresses for these unsolicited replies during a three-week test period, the researchers reported observing more than 12,000 attacks against more than 5,000 targets.

The technique, called "backscatter analysis," was developed by authors David Moore, of the San Diego Supercomputer Center, and Geoffrey Voelker and Stefan Savage at the University of California at San Diego.
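The inference step in backscatter analysis, as an added example written for this page rather than the UCSD authors' code: packets arriving at a monitored, otherwise unused address block are grouped by source address (the victim), split into separate attacks at idle gaps, filtered by size and duration thresholds, and scaled up by 2^prefix_len, because a /prefix block receives only that fraction of replies to uniformly forged sources. The trace, the thresholds and the response categories here are constructed; the scaling rests on the assumption that forged source addresses are uniform over the whole address space, which an attacker who spoofs within a narrow range would defeat.

```python
"""Backscatter analysis over a constructed trace (added example, not the UCSD code)."""
from collections import defaultdict
import random

# Replies a victim sends to forged addresses; unsolicited arrivals of these at an
# unused block are backscatter. A bare SYN is a scan or probe, not a reply.
BACKSCATTER_TYPES = {"SYN-ACK", "RST", "ICMP-unreach", "ICMP-echo-reply"}


def _finish_flow(victim, times, scale, min_packets, min_duration):
    """Turn one contiguous run of replies into an attack record if it is big enough."""
    duration = times[-1] - times[0]
    if len(times) < min_packets or duration < min_duration:
        return []
    observed = len(times)
    return [{
        "victim": victim,
        "start": times[0],
        "duration": duration,
        "observed_packets": observed,
        # The block sees 1/scale of uniformly spoofed replies, so scale observed counts.
        "estimated_packets": observed * scale,
        "estimated_pps": observed * scale / duration,
    }]


def infer_attacks(packets, telescope_prefix_len=8, min_packets=100,
                  min_duration=60.0, idle_gap=300.0):
    """packets: iterable of (timestamp_seconds, src_ip, response_type).

    src_ip is the victim, since the victim is the one answering forged addresses.
    """
    by_victim = defaultdict(list)
    for ts, src, rtype in packets:
        if rtype in BACKSCATTER_TYPES:
            by_victim[src].append(ts)

    scale = 2 ** telescope_prefix_len  # a /8 sees 2**24 of 2**32 addresses, i.e. 1/256
    attacks = []
    for victim, times in by_victim.items():
        times.sort()
        flow = [times[0]]
        for t in times[1:]:
            if t - flow[-1] > idle_gap:  # a long silence separates two attacks
                attacks.extend(_finish_flow(victim, flow, scale, min_packets, min_duration))
                flow = []
            flow.append(t)
        attacks.extend(_finish_flow(victim, flow, scale, min_packets, min_duration))
    return sorted(attacks, key=lambda a: a["start"])


def constructed_trace():
    """Synthetic capture from a monitored /8 (constructed, not real data)."""
    pkts = []
    # Victim 198.51.100.7: 300 SYN-ACKs over ~120 s, a SYN flood's reflection.
    for i in range(300):
        pkts.append((1000.0 + i * 0.4, "198.51.100.7", "SYN-ACK"))
    # Victim 203.0.113.9: two bursts of RSTs separated by more than an hour.
    for i in range(150):
        pkts.append((2000.0 + i * 0.5, "203.0.113.9", "RST"))
    for i in range(120):
        pkts.append((6000.0 + i * 1.0, "203.0.113.9", "RST"))
    # 192.0.2.44: five stray ICMP replies, below the size threshold.
    for i in range(5):
        pkts.append((3000.0 + i * 10.0, "192.0.2.44", "ICMP-unreach"))
    # 192.0.2.200: a port scan hitting the block; SYNs are not backscatter.
    for i in range(500):
        pkts.append((4000.0 + i * 0.1, "192.0.2.200", "SYN"))
    random.Random(1).shuffle(pkts)  # arrival order in a real capture is interleaved
    return pkts


if __name__ == "__main__":
    for attack in infer_attacks(constructed_trace()):
        print(f"{attack['victim']}: {attack['observed_packets']} seen, "
              f"~{attack['estimated_packets']} sent, ~{attack['estimated_pps']:.0f} pps")
```

Two caveats a practitioner should carry over from the paper: the thresholds (minimum packet count, minimum duration, idle gap) decide how many small or intermittent attacks are counted, and the 1/256 scaling only holds for uniformly random spoofing, so the estimates are a floor for attacks that spoof narrowly and are simply invisible for attacks that do not spoof at all.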

Andrew Osterman contributed to this report.