Articles

Tor: Onion Routing's Layered Crypto Explained

March 15, 2026 5 min read

Tor is a network that allows for anonymous communication by encrypting traffic and routing it through a series of volunteer-operated servers.

Imagine you want to send a letter to a friend, but you don’t want anyone to know you sent it. You could put the letter in an envelope, then put that envelope in another envelope, and so on. Each envelope is addressed to a different post office. The first post office opens the first envelope, sees the address of the second post office, and sends it along. The second post office opens its envelope, sees the address of the third post office, and so on. Finally, the last post office opens its envelope and finds your letter, which it then delivers to your friend. Crucially, each post office only knows where the letter came from and where it’s going next; no single post office knows the original sender and the final recipient.

This is a simplified analogy for how Tor works. When you use Tor Browser, your internet traffic is encrypted in layers, like those envelopes. Your traffic is then sent through a randomly selected path of Tor relays (servers operated by volunteers).

Here’s a more technical breakdown of the process:

  1. Encryption: Before your data leaves your computer, the Tor Browser encrypts it multiple times. Think of it like nesting Russian dolls. The outermost layer is encrypted for the first Tor relay (the "entry node"), the next layer for the second relay (the "middle node"), and the innermost layer for the final relay (the "exit node").

  2. Circuit Building: Tor establishes a "circuit" through the network. This circuit is a path of three relays: an entry node, a middle node, and an exit node. This path is chosen randomly and changes periodically (typically every 10 minutes) to enhance anonymity.

  3. Data Transmission:

    • Your encrypted data first goes to the entry node. The entry node decrypts the outermost layer of encryption, revealing the address of the middle node. It does not know the final destination or the original sender.
    • The entry node then forwards the partially decrypted data to the middle node. The middle node decrypts its layer of encryption, revealing the address of the exit node. It does not know the final destination or the original sender.
    • Finally, the middle node forwards the data to the exit node. The exit node decrypts the innermost layer of encryption, revealing the original, unencrypted data and its final destination (e.g., the website you want to visit). The exit node knows the final destination but not the original sender, only that the request came from the middle node.

  4. Destination Server: The exit node sends your request to the destination server. The destination server sees the request originating from the exit node’s IP address, not yours.

  5. Return Traffic: The response from the destination server travels back through the same circuit in reverse, with each node adding a layer of encryption before sending it back to the previous node.

The key to Tor’s anonymity lies in this layered encryption and the distributed nature of the relays. No single point in the network knows both who you are and what you’re doing online.

Consider the following torrc configuration, which is the main configuration file for a Tor relay. This isn’t for a browser user, but for someone running a node in the network:

Nickname MyTorRelay
ContactInfo YourName <your-email@example.com>
ORPort 9001
ExitPolicy reject *:*
SocksPort 0

In this example:

  • Nickname MyTorRelay assigns a human-readable name to the relay.
  • ContactInfo YourName <your-email@example.com> is essential for the Tor Project to contact you if there are issues with your relay.
  • ORPort 9001 is the port on which Tor relays communicate with each other (OR stands for "Onion Routing").
  • ExitPolicy reject *:* is a critical security setting. This specific policy means this relay will not act as an exit node. It will only serve as an entry or middle node. If you wanted it to be an exit node, you’d have to explicitly define what traffic it is allowed to exit, for example: ExitPolicy accept 80,443,22,700,8080,8443 *:*.

The Tor network relies on a distributed system of trust. While the relays themselves don’t know your full path, the directory authorities (a small, trusted set of servers) maintain the list of active relays. This means the directory authorities know all the relays, but they don’t know your traffic. Your IP is known by the entry node, but not the exit node. The exit node knows the destination, but not your IP. This separation of knowledge is what makes Tor work.

One of the most surprising aspects of Tor’s cryptography is that it uses a technique called Onion Routing, which is a specific implementation of asymmetric encryption and symmetric encryption. When a Tor circuit is built, the entry node and middle node use asymmetric encryption (like RSA) to securely exchange symmetric keys (like AES) with the exit node. Then, the actual data is encrypted and decrypted using these faster symmetric keys as it traverses the circuit. This hybrid approach balances strong security with the performance needed for interactive browsing.

The next step in understanding anonymous communication is exploring decentralized VPNs and how they differ in their trust models and technical implementations.

Want structured learning?

Take the full Cryptography course →