Onion Routing

KayakNet uses onion routing to provide anonymity for all network traffic.

What is Onion Routing?

Onion routing wraps messages in multiple layers of encryption, like layers of an onion. Each node in the path can only see the previous and next hop, never the full route.

How It Works

Circuit Building

┌────────┐                                              ┌────────┐
│ Sender │                                              │Receiver│
└───┬────┘                                              └────▲───┘
    │                                                        │
    │  Encrypted for Hop 3                                   │
    │  ┌─────────────────────────────────────────────────┐   │
    │  │ Encrypted for Hop 2                             │   │
    │  │ ┌─────────────────────────────────────────────┐ │   │
    │  │ │ Encrypted for Hop 1                         │ │   │
    │  │ │ ┌─────────────────────────────────────────┐ │ │   │
    │  │ │ │           Original Message              │ │ │   │
    │  │ │ └─────────────────────────────────────────┘ │ │   │
    │  │ └─────────────────────────────────────────────┘ │   │
    │  └─────────────────────────────────────────────────┘   │
    │                                                        │
    ▼                                                        │
┌───────┐          ┌───────┐          ┌───────┐              │
│ Hop 1 │─────────▶│ Hop 2 │─────────▶│ Hop 3 │──────────────┘
└───────┘          └───────┘          └───────┘
Removes one        Removes one        Removes final
layer              layer              layer

Step by Step

Sender selects 3 random nodes from the network
Sender generates session keys for each hop
Message is encrypted in layers:
- Layer 3: Encrypted with Hop 3's key
- Layer 2: Encrypted with Hop 2's key
- Layer 1: Encrypted with Hop 1's key
Hop 1 receives, decrypts outer layer, forwards
Hop 2 receives, decrypts its layer, forwards
Hop 3 receives, decrypts final layer, delivers

KayakNet Implementation

Circuit Parameters

Parameter

Value

Rationale

Hops

Balance of anonymity and latency

Circuit Lifetime

10 minutes

Prevent long-term correlation

Key Algorithm

X25519

Fast, secure key exchange

Encryption

ChaCha20-Poly1305

Modern AEAD cipher

Circuit Selection

Nodes are selected to maximize anonymity:

// Pseudocode for node selection
func selectCircuit() []Node {
    // Avoid selecting same node twice
    // Prefer nodes from different subnets
    // Exclude recently used nodes
    // Favor nodes with good reputation
}

Header Format

┌─────────────────────────────────────────────┐
│ Version (1 byte)                            │
├─────────────────────────────────────────────┤
│ Circuit ID (16 bytes)                       │
├─────────────────────────────────────────────┤
│ Next Hop Address (encrypted)                │
├─────────────────────────────────────────────┤
│ Ephemeral Public Key (32 bytes)             │
├─────────────────────────────────────────────┤
│ Encrypted Payload                           │
└─────────────────────────────────────────────┘

Traffic Analysis Resistance

Beyond basic onion routing, KayakNet implements:

1. Constant Packet Size

All packets are padded to 1024 bytes, preventing size correlation.

2. Timing Obfuscation

Random delays (0-100ms) prevent timing analysis.

3. Dummy Traffic

Nodes send fake traffic to obscure real patterns.

4. Traffic Mixing

Packets are batched and shuffled before forwarding.

Anonymity Properties

What Onion Routing Provides

✅ Sender Anonymity - Receiver doesn't know sender ✅ Receiver Anonymity - Sender doesn't know receiver's IP ✅ Relationship Anonymity - Third parties can't link sender/receiver ✅ Forward Secrecy - Past traffic can't be decrypted

What It Doesn't Provide

❌ Global Passive Adversary - Nation-state level monitoring may correlate ❌ Endpoint Compromise - If sender or receiver is compromised ❌ Traffic Confirmation - If adversary controls first and last hop

Compared to Tor

Feature

KayakNet

Tor

Default Hops

Circuit Rotation

10 min

Traffic Padding

Yes

Limited

Timing Obfuscation

Yes

Dummy Traffic

Yes

Directory Servers

No (DHT)

Yes

Performance Impact

Onion routing adds latency:

Metric

Without Onion

With Onion

Latency

~50ms

~150-300ms

Throughput

High

Moderate

CPU Usage

Low

Moderate

The tradeoff is acceptable for privacy-focused applications.

Configuration

# Use 5 hops instead of 3 (not recommended)
./kayakd --onion-hops 5

# Note: More hops = more latency, diminishing returns on security

PreviousNetwork Topology NextDHT & Peer Discovery

Last updated 1 month ago

Good evening

hashtagWhat is Onion Routing?

hashtagHow It Works

hashtagCircuit Building

hashtagStep by Step

hashtagKayakNet Implementation

hashtagCircuit Parameters

hashtagCircuit Selection

hashtagHeader Format

hashtagTraffic Analysis Resistance

hashtag1. Constant Packet Size

hashtag2. Timing Obfuscation

hashtag3. Dummy Traffic

hashtag4. Traffic Mixing

hashtagAnonymity Properties

hashtagWhat Onion Routing Provides

hashtagWhat It Doesn't Provide

hashtagCompared to Tor

hashtagPerformance Impact

hashtagConfiguration