Onion Courier: Anonymous Mixnet Communication Over Tor

Published: January 2025 | GitHub Repository

Overview

Onion Courier is an anonymous communication system implementing a mixnet architecture over Tor hidden services. The project provides cryptographic anonymity through layered encryption, traffic analysis protection, and systematic cover traffic generation.

Architecture

The system consists of four main components:

  • Mixnode Server - Receives, delays, and forwards encrypted messages through a mix pool
  • CLI Client - Creates multi-layer encrypted messages for transmission through the mixnet
  • Cover Traffic Daemon - Generates dummy messages to obscure communication patterns
  • Endpoint Server - Receives and processes final messages at destination

Core Features

Multi-Layer Encryption

Messages are encrypted using NaCl Box (Curve25519 + XSalsa20-Poly1305) for asymmetric operations and ChaCha20-Poly1305 for symmetric encryption. Each routing hop adds one encryption layer, creating an onion structure where nodes can only decrypt their own layer.

Traffic Analysis Resistance

All messages are padded to a constant 32KB size to prevent size-based correlation attacks. The mix pool introduces random delays between 5-20 minutes and shuffles messages using cryptographically secure randomization before forwarding.

Batch Processing

Messages are grouped into batches of 5-15 before processing. This batching, combined with message shuffling, makes timing analysis significantly harder for adversaries attempting to correlate incoming and outgoing traffic.

Forward Secrecy

Encryption keys rotate automatically every 12 hours. This ensures that compromise of current keys does not expose historical communications.

Replay Protection

Message identifiers are cached for 30 minutes to detect and reject duplicate submissions, preventing replay attacks while maintaining system performance.

Security Model

The system provides anonymity against:

  • Local adversaries - Cannot determine message destinations from source nodes
  • Timing attacks - Constant execution times and random delays obscure processing patterns
  • Traffic analysis - Fixed message sizes and cover traffic prevent pattern recognition
  • Replay attacks - Content-based message identification prevents duplicate processing

Routing

Messages traverse 2-5 randomly selected mixnodes before reaching the final recipient. Each node:

  1. Decrypts one encryption layer
  2. Adds message to mix pool
  3. Waits random delay (5-20 minutes)
  4. Shuffles pool messages
  5. Forwards to next hop via Tor

Nodes only know the immediate previous and next hop, maintaining unlinkability across the routing chain.

Additional Features

  • Rate limiting - Per-IP and global request throttling
  • Cover traffic - Automated dummy message generation
  • Node discovery - Health checking and status monitoring
  • Memory protection - Secure key storage using memguard
  • Constant-time operations - Timing-safe cryptographic primitives

Technical Implementation

Written in Go, the system uses:

  • golang.org/x/crypto/nacl/box for asymmetric encryption
  • golang.org/x/crypto/chacha20poly1305 for symmetric encryption
  • github.com/awnumar/memguard for secure memory handling
  • golang.org/x/net/proxy for Tor SOCKS5 integration

All communication occurs over Tor hidden services, with mixnodes listening on port 8080 and endpoints on port 8088.

Usage

# Initialize configuration
ocmix -i

# Send message through random 2-5 hop chain
ocmix -r < message.txt

# Generate cover traffic
ocmix -c

# Check node status
ocmix -p

Threat Model

The system assumes adversaries may:

  • Control some mixnodes (but not all in a chain)
  • Monitor network traffic at entry/exit points
  • Perform timing analysis on observable traffic
  • Submit malicious messages for analysis

It does not protect against global passive adversaries capable of observing all network traffic simultaneously.

Comparison to Similar Systems

Onion Courier shares design principles with Mixmaster and Mixminion but modernizes the cryptographic primitives and integrates natively with Tor infrastructure. Unlike simple Tor usage, the mixnet provides additional protection through batching, delays, and cover traffic.

Conclusion

Onion Courier provides a functional anonymous communication system with strong cryptographic foundations and practical traffic analysis defenses. The open-source implementation enables deployment of privacy-preserving communication networks over Tor hidden services.

Resources