What is Onion Routing?
Onion routing is a technique for anonymous communication over a network. It works by encapsulating messages in multiple layers of encryption—like the layers of an onion—which are peeled off at each hop in the network.
The Core Concept
Step 1 - Encrypt for Exit Node:
[Exit Key] → E("Hello, darkwiki.ink")
Step 2 - Encrypt for Middle Node:
[Middle Key] → E(E("Hello, darkwiki.ink"))
Step 3 - Encrypt for Entry Node:
[Entry Key] → E(E(E("Hello, darkwiki.ink")))
Final Packet: [[[encrypted message]]]
└── 3 layers, like an onion
How Each Layer is Removed
As the message travels through the network:
- Entry Node: Uses its private key to decrypt the outer layer. Sees the middle nodes address but not the message or destination.
- Middle Node: Decrypts its layer. Sees only the exit nodes address. Knows nothing about origin or destination.
- Exit Node: Decrypts the final layer and sends the message to the destination. Sees the destination but not the origin.
Key Insight: No single node ever knows both the source AND destination of a message. This is the fundamental guarantee of onion routing.
Cryptographic Foundations
Key Exchange
Tor uses Diffie-Hellman key exchange to establish shared secrets with each relay without transmitting the actual keys. This prevents eavesdroppers from reading the traffic even if they capture all packets.
Encryption Algorithm
Each layer uses AES-128 in counter mode for encryption. The symmetric keys are derived from the Diffie-Hellman exchange.
Integrity Checking
Messages include cryptographic hashes to verify they havent been tampered with in transit.
Limitations
- Traffic Analysis: An adversary watching both ends can correlate timing patterns
- Exit Node Vulnerability: Unencrypted traffic (non-HTTPS) is visible to exit nodes
- Global Adversary: An entity monitoring the entire network can potentially deanonymize users