
【速搜问答】What is onion routing?

Q&A · admin · 1 year ago (2020-09-07) · 248 views · 0 comments

Chinese-English Translation:

Onion routing is a technique for anonymous communication over a computer network. In an onion routing network a message is encrypted in successive layers into a packet that resembles an onion and is sent through a series of network nodes called onion routers; each onion router decrypts the outermost layer of the packet, and the final layer is decrypted at the destination, which thereby recovers the original message.

Onion routing is a technique for anonymous communication over a computer network. In an onion routing network a message is encrypted in successive layers into a packet that resembles an onion and is sent through a series of network nodes called onion routers; each onion router decrypts the outermost layer of the packet, and the final layer is decrypted at the destination, which thereby recovers the original message. Because of this series of encryption layers, every network node (including the destination) learns only the location of the node immediately before it; none of them can learn the complete transmission path or the address of the original sender.

Invention and implementation

In the mid-1990s Paul Syverson, Michael Reed and David Goldschlag, researchers at the United States Naval Research Laboratory, developed onion routing to protect U.S. online intelligence systems. DARPA later took over the project and continued its development, and the Navy obtained a patent for it in 1998. In 2002 the computer scientists Roger Dingledine and Nick Mathewson joined Syverson's project and began developing Tor, an acronym for "The Onion Routing project", which went on to become the largest and best-known implementation of onion routing. The Naval Research Laboratory subsequently released Tor's source code under a free software licence, and in 2006 Dingledine, Mathewson and five other members founded the non-profit organisation "The Tor Project", which received financial support from several organisations, including the Electronic Frontier Foundation.

Data structure

(Figure) An example of a packet travelling through an onion routing network. The sender first sends the packet to router A, which decrypts the blue layer and finds that the packet is to be forwarded to B; when the packet reaches B, the green layer is decrypted and it is forwarded to C in the same way; after C decrypts the red layer it obtains the original message and delivers it to the destination.

The technique is called onion routing because the message is encrypted layer by layer into a data structure known as an onion packet. The number of layers depends on the number of nodes the packet will pass through on its way to the destination, and each node strips the outermost layer of the packet. As a result, no single node can know both where the message originally came from and where it is finally going, which gives the sender anonymity.

Creating and sending packets

To send an onion packet, the sender selects several nodes from a list provided by a "directory node" and uses them to plan a transmission path called a "chain" or "circuit", over which the packet will travel. To preserve the sender's anonymity, no node can tell whether the node before it in the chain is the sender or simply another node in the chain; likewise, no node can tell whether the node after it is the destination or another node in the chain. Only the last node knows that it is the final node in the chain; it is called the "exit node".

Onion routing networks use asymmetric encryption. The sender obtains a public key from the directory node, uses it to encrypt a message for the first node in the chain (also called the entry node) and sends it there; a connection and a shared key are then established with that node. Over this connection the sender can send an encrypted message to the second node in the chain, which only the second node can decrypt; on receiving it, the second node establishes a connection with the previous node, the entry node, in the same way, so that the sender's encrypted connection now extends to the second node, even though the second node does not know the previous node's identity in the chain. By the same principle the sender then sends, through the encrypted connection formed by the entry node and the second node, a message that only the third node can decrypt, and the third node in turn establishes a connection with the second node. By repeating these steps the sender can build an ever longer connection, although performance sets a practical limit.

Once all the connections on the chain have been established, the sender can transmit data through it while remaining anonymous. When the destination sends data back, the nodes on the chain return it over the same connection, again encrypting it layer by layer but in exactly the reverse order of the sending direction; by the time the original sender receives the data returned by the destination only the innermost layer of encryption remains, and decrypting it yields the message the destination sent back.
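The packet construction, hop-by-hop peeling and reverse-encrypted reply described in this section, written out as an added example that is not part of the original page. It uses a toy HMAC-based stream cipher in place of Tor's real ciphers, and the per-hop shared keys are constructed directly rather than negotiated with the directory node and each router as the text describes.

```python
import hashlib, hmac, os

NEXT_HOP_LEN = 8  # fixed-width "forward to" field at the front of every layer

def keystream(key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 in counter mode (illustration only, not Tor's cipher)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh nonce per layer, so identical inner blobs never repeat
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))

def build_onion(chain, keys, message, destination):
    # Wrap innermost-first: the exit node's layer goes on first, the entry node's layer last
    next_hops = chain[1:] + [destination]          # what each router is told to forward to
    blob = message
    for router, next_hop in reversed(list(zip(chain, next_hops))):
        blob = encrypt(keys[router], next_hop.encode().ljust(NEXT_HOP_LEN) + blob)
    return blob

def relay(chain, keys, onion):
    # Each router peels one layer and learns only its next hop; returns (what each saw, payload)
    seen, blob = [], onion
    for router in chain:
        inner = decrypt(keys[router], blob)
        next_hop, blob = inner[:NEXT_HOP_LEN].strip().decode(), inner[NEXT_HOP_LEN:]
        seen.append((router, next_hop))
    return seen, blob

def send_reply(chain, keys, answer):
    # Return path: the exit node encrypts first, the entry node last; the sender peels in chain order
    blob = answer
    for router in reversed(chain):
        blob = encrypt(keys[router], blob)
    for router in chain:
        blob = decrypt(keys[router], blob)
    return blob

def run_demo():
    chain = ["A", "B", "C"]                        # entry node A, middle node B, exit node C
    keys = {r: hashlib.sha256(f"shared-key-{r}".encode()).digest() for r in chain}  # constructed per-hop keys
    seen, delivered = relay(chain, keys, build_onion(chain, keys, b"hello, destination", "DEST"))
    return seen, delivered, send_reply(chain, keys, b"hello, sender")
```

`run_demo()` returns what each router saw (only its own next hop), the payload the exit node hands to the destination, and the reply as recovered by the sender.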

Weaknesses

Timing analysis

One reason the conventional Internet is not regarded as anonymous is that Internet service providers are able to record and trace connections between computers. For example, when someone visits a particular website, the content exchanged, such as passwords, can be protected from others by an encrypted connection such as HTTPS, but the connection itself is still recorded, including when it was established and how much data was transferred. Although onion routing establishes and hides the connection between two computers so that there is no distinguishable direct connection between them, the connection-record problem above still exists. Traffic analysis can attempt to identify a potential sender and receiver pair by searching connection records for matching connection times and data volumes; for instance, if someone sends 51 KB of data to an unknown computer and three seconds later another unknown computer sends 51 KB of data to a particular website, one can infer that the person probably established a connection to that website. Several other factors can make traffic analysis more effective, including nodes being compromised or leaving the network, and cases where a chain has changed through periodic rebuilding while some nodes on it are still tracking sessions established earlier.
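The size-and-timing correlation the paragraph describes, run over constructed connection records (an added example, not from the original page; the record format, host names and sizes are assumed). It also shows the limit of the technique: a second client that sends the same amount at nearly the same time becomes an equally plausible candidate, so correlation yields suspects rather than proof.

```python
from datetime import datetime, timedelta

# Constructed connection records of the kind a network provider could retain:
# (timestamp, source, destination, bytes sent). Relay addresses are opaque to the observer.
CLIENT_SIDE = [
    (datetime(2020, 9, 7, 10, 0, 0), "client-1", "relay-x", 51_000),
    (datetime(2020, 9, 7, 10, 0, 1), "client-2", "relay-y", 8_200),
    (datetime(2020, 9, 7, 10, 0, 2), "client-3", "relay-z", 51_000),  # same size, almost same time
]
SITE_SIDE = [
    (datetime(2020, 9, 7, 10, 0, 3), "relay-q", "site-a.example", 51_000),
    (datetime(2020, 9, 7, 10, 0, 9), "relay-r", "site-b.example", 8_200),  # too late for a 5 s window
]

def correlate(client_side, site_side, max_delay=timedelta(seconds=5), size_tolerance=0.02):
    """Pair each client upload with any later upload to a site whose size matches within
    size_tolerance and which appears within max_delay. Returns (client, site, delay_seconds)."""
    candidates = []
    for t_in, client, _, size_in in client_side:
        for t_out, _, site, size_out in site_side:
            delay = t_out - t_in
            if timedelta(0) <= delay <= max_delay and abs(size_out - size_in) <= size_tolerance * size_in:
                candidates.append((client, site, delay.total_seconds()))
    return candidates

def candidates_per_site(matches):
    """Count how many distinct clients remain plausible for each site; more than one means
    the records alone cannot single out the real sender."""
    counts = {}
    for client, site, _ in matches:
        counts.setdefault(site, set()).add(client)
    return {site: len(clients) for site, clients in counts.items()}
```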

Garlic routing is a variant of onion routing used in combination with the I2P network: it encrypts and bundles several messages together, which makes it harder for an attacker to break through traffic analysis.

Exit node vulnerability

Although messages are encrypted in layers inside the onion routing network, at the exit node the last layer is decrypted and the original message is passed on to the recipient; if the exit node is attacked or under an adversary's control, the original message can therefore be intercepted. The Swedish researcher Dan Egerstad used this method to obtain more than 100 e-mail passwords belonging to foreign embassies. The exit node vulnerability is much like that of an unencrypted wireless network, where unencrypted data a user sends over the air can be captured by others along the way; both problems are solved by end-to-end encrypted connections such as SSL or HTTPS.
