An Enhancing Security Research of Tor Anonymous Communication to Against DDos Attacks

Tor (The Second Onion Router) is derived from the first-generation onion router and is known as the most prevalent anonymous communication system. Owing to its low latency, high confidentiality of transmitted content, high security of communication channels and so on, Tor is widely used for anonymous Web browsing, instant messaging and similar applications. However, the vulnerabilities and flaws of Tor affect system security. An identity- and signcryption-based concurrent signature scheme is used to prevent attackers from inserting controlled nodes and conspiring to launch DDoS attacks. Our scheme enhances the overall security of the Tor system. In addition, we have proved the scheme.


Introduction
Anonymous communication can hide the communication relationship in traffic flows without changing the existing network protocols, and protects private information such as the user's identity. Consequently, an eavesdropper cannot directly or indirectly infer the communication relationship or the identities of the communicating parties [1]. Owing to its simple configuration and excellent performance, the third system of the Tor anonymous communication system has developed quickly. Tor can resist eavesdropping and traffic-analysis attacks, and is currently one of the most widely used anonymous communication systems on the Internet [2]. Tor can therefore better guarantee the anonymity and security of communication. Moreover, Tor can work with many existing applications, so it has good flexibility and extensibility [3]. As a large-scale anonymous communication application, Tor was designed with performance, user demand and other factors in mind. In implementing specific functions, some unsafe strategies were adopted, which exposed vulnerabilities. To achieve low delay, Tor does not provide complete anonymity, and it lacks user access authentication, which provides favorable conditions for attackers to launch DDoS attacks [4].
To improve the security of the Tor anonymous communication system, Zhou et al. [1] proposed a new kind of anonymous communication scheme, which makes up for the deficiencies of the traditional Tor anonymous communication system to some extent. However, the scheme increases the time cost. Based on signcryption technology, Zheng et al. [4] propose a node authentication mechanism that realizes third-party certification between the TTP and nodes and among nodes by introducing a third-party authority (TTP).
In the present study, a concurrent signature scheme based on identity authentication and signcryption [5] is adopted. The scheme verifies the reliability of Tor nodes seeking access and eliminates false nodes. In the stage where a middle volunteer node (OR) is added to the Tor network, the identities of both sides are confirmed through mutual authentication, and signcryption is used to ensure that the authentication information is unforgeable during validation. Through authentication between the directory server and nodes, and between nodes, the scheme can effectively improve the reliability of Tor nodes and prevent malicious nodes from getting into the system, improving security and effectiveness.

Prepared Knowledge
(2) Non-degeneracy: $e(g, g) \neq 1$.
We say that $G_0$ is a bilinear group if the group operation in $G_0$ and the bilinear map e g g e g g e g g = = .

Tor System Basic Model
The Tor system is a distributed global network that uses a centralized directory management structure. The entire Tor network consists of seven parts [6]:
(1) User Client (User): A computer that communicates anonymously with the outside world through the onion routing network; the user usually needs an onion proxy to connect to the Tor network.
(2) Onion Proxy: Responsible for establishing the data transmission channel, receiving the TCP data stream, and sending the data stream into the established transmission channel.
(3) Onion Router: Establishes anonymous communication links and forwards data.
(4) Entry Node: The first onion router on the path, which communicates directly with the user.
(5) Exit Node: The last onion router on the path, which communicates directly with the target server.
(6) Middle Node: An onion router on the path other than the entry and exit nodes.
(7) Directory Server: Mainly responsible for collecting, managing and storing all OR information, and for the operations related to nodes exiting and joining the network.
The operation of an onion routing system can be roughly divided into three stages: establishing the connection, transferring data and closing the connection [7].

Establishment of Anonymous Communication Link
First, Alice's onion proxy sends a "Create" command packet to the first chosen onion router, OR1. In this "Create" packet, let $C_{AB}$ represent the CircID between Alice and Bob; the packet also includes the first half of the Diffie-Hellman handshake information ( x y g ) [8]. Once the link is established, Alice and Bob can send forward packets. The forwarded packets are encrypted with their negotiated session key $K_1$.
To extend this virtual circuit, Alice sends Bob a Relay Extend packet encrypted with $K_1$, which contains the encrypted information $g^{x_2}$ and the address of the next-hop onion router (known as Carol). Bob builds a "Create" packet, using $C_{BC}$ to represent the CircID between Bob and Carol; it also contains the handshake half $g^{x_2}$, and is then encrypted with Carol's public key and sent to Carol. Carol returns a "Created" packet, which contains the latter half of the Diffie-Hellman handshake information ($g^{y_2}$) and the hash value ), then send it back to Alice. Now the link extends to Carol, and the session key between Alice and Carol is $K_2$ [9].
Alice only needs to repeat this process to gradually extend the virtual circuit and finally establish a connection with the destination node (Figure 3, Tor link establishment process).

The Data Transfer Process of Tor
The OP sends the encrypted packet to the next-hop OR node. In theory, each node on the Tor rerouting path is randomly selected by the user, but in practice the OR nodes responsible for forwarding are randomly selected by Tor. In Figure 4, a client OP and three OR nodes form an anonymous communication link, and the figure shows the transfer of data from the OP to the server E [10]. As can be seen from the figure, the link from A to E passes through three forwarding nodes (relays): B, C and D. Before transmission, the onion proxy encrypts the communication data from back to front, one layer for each forwarding node the data will pass through, using that node's public key; this forms a recursive, layered data structure called the onion packet [11]. Thus, the communication usually uses onions in place of the usual TCP/IP packets. This ensures that each onion router knows only the onion router that passes it data and the next-hop onion router it passes data to, without knowing all the onion routers between the sender and the receiver, which hides the routing information and resists traffic analysis. During sending, one layer of the message packet is decrypted each time it passes an onion routing node. Only after routing node D, the exit of the Tor network, is the information restored to the plaintext message. Across the whole link, a forwarding node only needs to know the previous hop and the next hop, which ensures the security of the identity information of the two communicating parties [12].
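The link establishment and layered forwarding described in the two sections above, as an added example (not code from the paper or from Tor): the client completes one Diffie-Hellman exchange per relay, checks the returned hash of the key, then wraps the payload back to front so that each relay can peel exactly one layer. The toy group `P`, `G`, the SHA-256 stand-in cipher and the names `Relay`, `build_circuit`, `wrap` are assumptions for illustration; layers are keyed with the per-hop session keys rather than node public keys, and forwarding of Relay Extend packets through earlier hops is left out.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3  # toy DH group, illustration only (assumption, not Tor's parameters)

def dh_half():
    x = secrets.randbelow(P - 3) + 2            # private exponent x
    return x, pow(G, x, P)                      # (x, g^x)

def session_key(their_half, my_secret):
    shared = pow(their_half, my_secret, P)      # g^(xy)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_layer(key, data):
    # Stand-in stream cipher (SHA-256 in counter mode); the same call adds or removes a layer.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

class Relay:
    key = None

    def created(self, client_half):
        # Answer a Create packet with the second DH half and a hash of K.
        y, half = dh_half()
        self.key = session_key(client_half, y)
        return half, hashlib.sha256(self.key).digest()

    def peel(self, cell):
        # Remove one layer: learn the next hop, nothing about the layers inside.
        hop, _, inner = xor_layer(self.key, cell).partition(b"|")
        return hop.decode(), inner

def build_circuit(relays):
    # Client side: one DH exchange per hop, rejecting a hop whose H(K) does not match.
    keys = []
    for relay in relays:
        x, half = dh_half()
        their_half, key_hash = relay.created(half)
        k = session_key(their_half, x)
        if not hmac.compare_digest(hashlib.sha256(k).digest(), key_hash):
            raise ValueError("key confirmation failed")
        keys.append(k)
    return keys

def wrap(keys, next_hops, payload):
    # Encrypt back to front: the exit relay's layer first, the entry relay's last.
    cell = payload
    for key, hop in reversed(list(zip(keys, next_hops))):
        cell = xor_layer(key, hop.encode() + b"|" + cell)
    return cell
```

Calling `build_circuit` on three `Relay` objects, wrapping a payload with next hops such as `["C", "D", "E"]`, and calling `peel` on each relay in turn shows every relay recovering only its own next-hop label; only the last `peel` returns the plaintext.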

An Identity and Signcryption-based Concurrent Signature Scheme
User A represents the initial signer, and user B represents the matching signer. The signcryption algorithm in the scheme is mutual. A and B each run this algorithm once.
In this scheme, $i$ is the signer and $j$ is the matching signer, $i, j \in \{A, B\}$. The scheme includes the following algorithms:
(1) System establishment: $G_1$ is a cyclic additive group of order $q$, $q$ is a prime number, p is the generator of , l is the length of the plaintext to be encrypted. PKG
(2) Key extraction: using A,BID:

S sQ ≈
, and 0 (ID ) . The public key of A and B is: and the private keys are $S_A$, $S_B$.
(3) Keystone mapping (Footprint): The input parameter of this algorithm is ( , , and is the keystone selected by the signer. Calculate
(4) Signcryption: the input parameter for this algorithm is (ID , ID ,Q ,Q ,S ,f , m ) , the algorithm runs as follows:

(m || R || ID
) true, output accept, else output reject.
(7) Third-party authentication (Verify): This algorithm is run after the respective keystones are released. Its role is to let any third party, other than the two parties involved in the scheme, confirm who the signer is, so that the signature is bound to the signer's identity. The input of this algorithm is

The Authentication Process of Tor Node
The directory server in the Tor network is used as a third-party authentication authority. If an OR node (1, 2, 3...n) wants to join the Tor network, it must register with the directory server. The directory server then checks the performance of the OR, including uptime, bandwidth, and so on. An OR needs to be authenticated to confirm its reliability when it joins the Tor network. To prevent the information from being falsified or tampered with during verification, we incorporate identity-based signcryption. Node reliability is increased through authentication between the directory server and nodes and between nodes. The authentication procedure is shown in Figure 5 and The identity of the node B will be questioned by node A node A not to provide any services to node B else if ( , , , )  ( , , , )

R H k =
then node B to node A's verify will be passed
else The identity of the node A will be questioned by node B
else The identity of the node A will be questioned by node B
(6) Similarly, after node A verifies the node B:
if ( , , , ) The verification from node A to node B will be passed.
else The identity of the node B will be questioned by node A
else The identity of the node B will be questioned by node A
As shown in the above equation, as long as the encryption algorithm is executed correctly, the decryption algorithm recovers the plaintext that was encrypted by the encryption algorithm.
(2) OR nodes are mutually authenticated
The OR (B) node verifies the signature of the OR (A) node: e sP h e P h e P r r r
The OR (A) node verifies the signature of the OR (B)
As shown in the above equation, if the signcryption algorithms of the OR (A) and OR (B) nodes are executed correctly, then the Averify algorithm will return the accept result.

Proof of Safety
Through the Tor anonymous network mechanism combined with identity-based concurrent signature technology, a middle volunteer node joining the Tor network must authenticate its identity. The OR (A) node sends the attribute information to the OR (B) node, so the mutual authentication process between OR nodes is confidential.

Proof of Anti-collusion
In the entire Tor network, the directory server manages the joining and exit of all OR nodes. The entire Tor network is also composed of many relay nodes, as shown in Figure 7. In the first phase of the Tor network (the joining phase of volunteer nodes), this scheme can guarantee that legitimate relay nodes join Tor to form the entire Tor network system. When a user wants to communicate with a target node, the user is required to apply to the Tor directory server. The Tor directory server randomly selects Tor relay nodes from among the valid nodes that passed the audit, thereby establishing a communication link. The number of relay nodes in a Tor network is very large, and the relay nodes before and after each other on the link are randomly selected by the directory server. There is no interaction between the relay nodes during the link establishment phase. Once the link is established, message packets are transmitted in one direction. As a message packet passes through each onion routing node, the node decrypts one layer to obtain the next-hop address, and the onion packet is then passed to the next node. No node knows the entire sequence of onion routers between the sender and the receiver. When the transmission is complete the link is destroyed, so as to avoid DDoS attacks initiated by OR nodes during information transmission.

If volunteer nodes joining the Tor network are not properly authenticated, most illegitimate volunteer nodes can disguise themselves as legitimate nodes and join the network. If the number of these illegitimate relay nodes exceeds half of the legitimate relay nodes, then when a link is established the probability that a relay node randomly selected by the directory server is false is extremely large. Multiple false nodes on the current link can collude before data communication to obtain the private keys that the other false nodes use to decrypt their own layers. During data transmission, a false node that obtains the onion packet holds the private keys of several other false nodes, which poses a great threat to the security of the onion packet. The scheme adopted in this paper authenticates the identities of the relay nodes that join the Tor network, greatly reducing the possibility of false nodes joining and thus greatly reducing the DDoS behavior launched by false nodes on the link.

Proof of High Efficiency
The same signcryption technology is used to prevent the insertion of malicious controlled nodes into the Tor network. The literature [4] targets the stage in which the user establishes the anonymous link. The reliability and stability of the intermediate nodes of the Tor network are evaluated by a trusted third-party authority, which issues a reliable certificate to each OR node that passes verification and generates a public-private key pair for the OR node. Nodes determine each other's identity by verifying each other's trusted certificate, and a signcryption technique is used to ensure the unforgeability of the trusted certificate. The concurrent signature scheme in this paper does not require a third-party authority to issue trusted certificates, so part of the time overhead of issuing trusted certificates is saved.
The signature scheme based on the signcryption technique in this paper is less expensive than the scheme in [4]. The specific operation counts are shown in Table 1. Table 1 shows that the scheme adopted in this paper reduces, to different degrees, the hash and multiplication operations in the decryption stage. In addition, the scheme adopted in this paper is carried out in the phase where an OR node joins the Tor network, without involving other time cost. The scheme adopted in [4] is carried out in the link establishment phase of the Tor network, which involves the fusion of original keys with OR nodes. The scheme of this paper is therefore more efficient than that of the literature [4].

Conclusion
The present concurrent signature scheme does not need a third-party authority to issue a trusted certificate, which saves overhead. Compared with [4], the present scheme reduces, to different degrees, the hash and multiplication operations in the decryption stage. As shown by the proofs of security, unforgeability and collusion resistance, the present concurrent signature scheme is secure, unforgeable and collusion-resistant. The scheme can therefore, to a very great degree, effectively resist collusive DDoS attacks by attackers who insert controlled nodes into the Tor network.

2. 1 G and e be
Bilinear Maps
Let $G_0$ and $G_1$ be two multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of 0 both efficiently computable. Notice that the map e is symmetric since( , ) public key encryption. Bob returns a Created packet, which contains the latter half of Diffie- receives the Carol response message, Bob encrypts a Relay Extended packet with the session key 1

Figure 4. Tor data transfer process

(5) Designcrypt: In this algorithm the matching signer restores the ciphertext to plaintext. The input parameter is (c , U ,S )
(6) Mutual authentication (Averify): This algorithm performs mutual authentication between A and B. It is used to verify the validity of the received signature and of the plaintext obtained in the previous algorithm. The input for this algorithm is { ,Q ,Q ,m} and σ may be the signcryption of A or the signcryption of B

Figure 5. Mutual authentications between the Tor nodes
then node A send node B's message m signcrypt $\sigma_B$ and node A's keystone $k_B$ include $\sigma_A$, $U_A$.
Between the OR (A) and OR (B) nodes, if there is an attacker Bob, Bob must be informed Bob cannot know the private key $S_B$ of OR (B), Bob must have the contents of s P to calculate A is obviously B's CDH problem. The middle attacker Bob can't decrypt the content ($\sigma_A$ and $U_A$) transferred from node OR(A) to node OR(B), even though he intercepts it.

Table 1. The scheme of this paper is compared with the literature