Onion routing is some seriously cool secure networking. This is way beyond encrypted tunnels. Basically you have a series of “onion routers”, each with its own public/private key pair. When you send a message to the first router, it randomly picks a series of the other routers and encrypts the message with each of those routers’ public keys. Then it sends the message to the last router whose key was used to encrypt it. That router decrypts it and sends the message on to the next router whose key was used to encrypt the message. So you have multiple layers of encryption: each router peels one layer from the “onion” and sends it on to the next router, creating a completely random path. When it reaches its destination, the response is put in the included “reply onion” and sent back along a different path. Therefore not even the destination knows the origin!
In order to compromise this, one must either have control of ALL the onion routers, or break the multiple layers of encryption. Sounds pretty solid to me.
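A toy version of the layering described above, written for this post rather than taken from any onion-routing implementation: every hop has an X25519 key pair, the sender wraps the message once per hop, and each hop peels exactly one layer and learns only its successor. It assumes Go's standard crypto/ecdh plus AES-GCM as a hybrid scheme (raw public-key encryption cannot nest without outgrowing its size limit), addresses hops by their public keys with an all-zero address marking the exit, lays each layer out as [ephemeral pub (32) | AES-GCM(next-hop address (32) | inner onion)], and leaves out the reply onion and real networking.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// layerCipher derives one layer's AES-256-GCM cipher from X25519(priv, peerPub).
func layerCipher(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pk, err := ecdh.X25519().NewPublicKey(peerPub) // rejects a wrong-length key
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pk) // rejects a low-order point (all-zero secret)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(block)
}
// BuildOnion wraps payload once per hop, innermost (exit) layer first; hops are addressed by X25519 public key, all-zero = exit.
func BuildOnion(path []*ecdh.PublicKey, payload []byte) []byte {
	onion, next := payload, make([]byte, 32)
	for i := len(path) - 1; i >= 0; i-- {
		eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
		g, _ := layerCipher(eph, path[i].Bytes()) // honest keys never fail here
		plain := append(append([]byte{}, next...), onion...)
		onion = g.Seal(eph.PublicKey().Bytes(), make([]byte, 12), plain, nil) // fresh key per layer, so a fixed zero nonce is never reused
		next = path[i].Bytes()
	}
	return onion
}
// Peel strips one layer: only the matching private key opens it, and any tampering fails GCM authentication.
func Peel(priv *ecdh.PrivateKey, onion []byte) ([]byte, []byte, error) {
	if len(onion) < 32 {
		return nil, nil, errors.New("onion too short")
	}
	g, err := layerCipher(priv, onion[:32])
	if err != nil {
		return nil, nil, err
	}
	plain, err := g.Open(nil, make([]byte, 12), onion[32:], nil)
	if err != nil || len(plain) < 32 {
		return nil, nil, errors.New("layer does not open with this key")
	}
	return plain[:32], plain[32:], nil
}
```

A hop handed a layer built for another router's key, a truncated onion, or a ciphertext with one flipped byte gets an authentication error rather than any plaintext, which is exactly why an attacker would need every router on the path (or a break of the cipher) to follow a message end to end.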
I just have to note one thing though: the Wired article is inaccurate, since it's saying they’re poking holes in Iran’s firewall. Really, it's not poking holes. Poking holes implies you’ve hacked the firewall and opened up access to something that was previously blocked. This tech is sending encrypted packets through protocols and ports that are apparently still open. Whoever controls the firewall could easily block known onion routers or block the protocols/ports they’re using, making the first hop much more difficult. They also do not mention whether this traffic is masked as simple web traffic or what. Onion routing is simply a means to disguise the origin, destination, path, and messages, not a way of bypassing firewalls. However, if the firewall blocks Twitter.com, for example, it would not know to block these onion messages going to a random onion router whose final destination is Twitter.com. Still, that’s not “poking holes” in anyone’s firewall. That’s just being sneaky.
Must reads:
Activists Use U.S. Tech to Poke Holes in Iran Firewall – [Wired]
Onion Routing – [Wikipedia]