2.1 Tor’s Onion Routing — Architectural Deep Dive

Onion routing is the central mechanism powering the Tor network.
It enables users to communicate across the internet without revealing their identity, location, or communication patterns.
This chapter explains how it works — not how to use it — focusing on the architecture, mathematical foundations, and design philosophy behind Tor’s routing model.


A. What Is Onion Routing?

Onion routing is a privacy-enhancing communication technique where data is wrapped in multiple layers of encryption — like layers of an onion — and routed through a sequence of relays.
Each relay knows only:

  • its previous hop

  • its next hop

but not the full route, nor the sender or receiver.

This prevents a single node from linking the source and destination.


B. The Three-Hop Circuit Architecture

Tor’s routing operates through a three-relay chain, called a circuit.
Each relay performs a unique role.

1. Entry Guard (First Relay)

  • Knows the user’s IP address

  • Does not know the final destination

  • Protects the user from malicious first-hop relays

Entry guards remain stable for months to reduce attack surface.

2. Middle Relay (Second Relay)

  • Only forwards encrypted data

  • Cannot see sender or destination

  • Breaks correlation between first and last hop

This “middle hop” ensures no single entity sees both ends.

3. Exit Relay (Third Relay)

  • Knows the final destination

  • Does not know who the user is

  • Decrypts the final layer of encryption

  • Sends data to the clearnet (unless it’s a .onion service)

Key Principle

No relay sees both the user and the destination.

This is the core anonymity property of Tor’s architecture.


C. Circuit Creation Process (High-Level)

When a Tor user wants to connect:

  1. Client obtains relay information from Tor directory authorities.

  2. Client selects a guard → middle → exit relay.

  3. A layered cipher is constructed using:

    • Diffie–Hellman key exchange

    • elliptic-curve cryptography (in v3)

  4. A session key is negotiated with each relay.

  5. The onion circuit becomes ready.

Every layer of encryption protects traffic from being interpreted by intermediate nodes.


D. Multi-Layer Encryption Explained

Each relay removes exactly one layer of encryption.

If the layers are represented as:

Guard Layer ( Middle Layer ( Exit Layer ( Payload ) ) )

Then the path behaves like this:

  • Guard removes Guard Layer

  • Middle removes Middle Layer

  • Exit removes Exit Layer

  • Destination receives plaintext payload

This ensures:

  • confidentiality

  • unlinkability

  • independence of relays

Even if a relay is compromised, it cannot deanonymize the user alone.
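The layer construction and per-hop removal described in Sections C and D, as an added example that is not Tor's code: each relay holds one session key (random stand-ins here for the keys negotiated during circuit creation), peels exactly one layer, and learns only its previous and next hop. An HMAC-SHA256 keystream stands in for Tor's AES-CTR so the script runs on the Python standard library alone; the relay names, destination and request bytes are constructed sample values.

```python
import hashlib, hmac, os

# Added example, not Tor's code. The per-hop session keys are random stand-ins
# for the keys Tor negotiates with each relay during circuit creation.
NONCE_LEN, HOP_LEN = 16, 16

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for Tor's AES-CTR: XOR data with an HMAC-SHA256 keystream."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap(key: bytes, next_hop: bytes, inner: bytes) -> bytes:
    """Add one layer: fresh nonce || Enc_key(next-hop header || inner)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, next_hop.ljust(HOP_LEN, b"\0") + inner)

def peel(key: bytes, cell: bytes) -> tuple:
    """Remove one layer; the relay learns only the next hop and an opaque body."""
    plain = keystream_xor(key, cell[:NONCE_LEN], cell[NONCE_LEN:])
    return plain[:HOP_LEN].rstrip(b"\0"), plain[HOP_LEN:]

def build_onion(keys: list, route: list, payload: bytes) -> bytes:
    """Client side: exit layer innermost, guard layer outermost (keys[i], route[i] belong to relay i)."""
    cell = payload
    for key, next_hop in zip(reversed(keys), reversed(route)):
        cell = wrap(key, next_hop, cell)
    return cell

def run_circuit(keys: list, onion: bytes) -> tuple:
    """Relay side: guard, middle, exit each peel one layer; returns per-relay views and the delivered body."""
    views, cell, prev_hop = [], onion, b"client"
    for name, key in zip((b"guard", b"middle", b"exit"), keys):
        next_hop, cell = peel(key, cell)
        views.append({"relay": name, "prev": prev_hop, "next": next_hop, "forwards": cell})
        prev_hop = name
    return views, cell

def single_relay_links_ends(views: list, dest: bytes) -> bool:
    """Does any single relay observe both the client and the destination?"""
    return any(v["prev"] == b"client" and v["next"] == dest for v in views)

# Constructed demo circuit: client -> guard -> middle -> exit -> example.org
DEST, PAYLOAD = b"example.org:443", b"GET / HTTP/1.1"
KEYS = [os.urandom(32) for _ in range(3)]  # one session key per relay
ROUTE = [b"middle", b"exit", DEST]         # next hop after each relay
```

Inspecting the views returned by `run_circuit` shows the guard seeing the client but only ciphertext and "middle", the exit seeing the destination and the plaintext but only "middle" as its source, and no single view containing both ends.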


E. Key Cryptographic Concepts Used in Onion Routing

1. Elliptic Curve Diffie–Hellman (ECDH)

Establishes symmetric session keys between client and relays.

2. AES Symmetric Encryption

Fast encryption for each hop in the circuit.

3. TLS for Relay Communication

Relays communicate through TLS tunnels, protecting metadata between nodes.

4. Perfect Forward Secrecy

Even if keys leak in the future, past sessions remain protected.

5. Sphinx Packet Format (related design, not part of Tor)

Sphinx is not used directly in Tor, but it is conceptually similar to Tor's layered onion encryption and underlies more recent onion-routing designs such as Nym.


F. How Tor Achieves Unlinkability

Tor prevents linking of sender and destination through:

1. Separate Knowledge Models

  • Guard only knows user.

  • Exit only knows destination.

  • Middle knows nothing useful.

2. Constant Relay Rotation

Circuits rotate every ~10 minutes to minimize long-term linkability.

3. Packet Padding & Cell Format

All Tor packets are standardized to fixed-size 512-byte cells, reducing traffic fingerprinting.


G. Limitations of Onion Routing (Academic Findings)

Despite its strengths, onion routing has constraints noted by researchers:

1. Vulnerable to Global Passive Adversaries

An entity monitoring both entry and exit traffic can attempt correlation.

2. Exit Relay Traffic Visibility

Exit relays see outbound, unencrypted traffic if the destination does not use HTTPS.

3. Latency

Multiple hops create slower performance compared to direct connections.

4. Not Metadata-Perfect

Timing and volume analysis are possible under certain conditions.

These are theoretical and research-level limitations, not instructions for misuse.


H. Why Tor Uses Three Hops (Not Two or Ten)

Two hops

Too weak: a single correlation attack becomes easier.

Three hops

Strong enough for anonymity while keeping latency manageable.

More than three hops

Adds latency with limited anonymity gain.
Empirical research by Tor developers shows diminishing returns.


I. Hidden Services and Onion Routing

For .onion websites, routing differs slightly:

  • Both client and server build circuits.

  • They meet at a rendezvous point.

  • Neither side sees the other’s IP.

This enables full mutual anonymity.
