TOR? How Does It Work?

Valentin Quelquejay
Feb 11 · 6 min read

You surely have already heard about it. It would allow you to stay anonymous on the Internet. It is called TOR. But how does it work ? Is it useful ?

What is TOR ?

TOR is presented as a free and open-source web browser that you can download at torproject.org. Unlike other web browsers such as Chrome, Firefox, Brave or Safari, TOR implements an additional module which allows it to exploit the principle of onion routing in order to make our communications anonymous.

What’s the anonymity problem in the internet ?

In the current Internet, each host is identified by an IP Address which is unique — in reality it is a bit more complicated today. This address works exactly like a postal address. It enables the postal services and the postman (In internet, it is the routers) to deliver your parcels 📦 (route the data packets) from the sender (the host) to the recipient (the destination). The problem is that like your postal address, your IP address is not encrypted, and it cannot. Otherwise, how would the routers know where to send the data packets ? We can compare this with our postal address : assume you lived in a secret location, in a secret town whose name and ZIP code is only known to you. How can the postal services deliver your mail ? They can’t. It works exactly the same on the Internet. We understand why our IP address cannot remain private. So, are we doomed to stay public on the internet ? At least in real life, we can always go to the middle of the Saharan desert 🐪 if we want to hide. The good news is that because the Internet is marvelous, it is possible and (way) easier online 🌍. The answer is called 🧅 routing.

Onion routing, the easy way.

« There’s a genius in all of us » — Albert Einstein

Thankfully, we live in a world where there is always a solution. And once again, it is true in that case.

Let’s think again of our postal service. How can I send an anonymous parcel to someone without revealing my identity and my address ? I don’t want the post office knowing that I’m the one who sent the parcel. One way to do it is to give the parcel to a friend and ask him to send the package on my behalf. But what if my correspondent discovered that I was not the true sender and corrupted my friend, asking him to denounce me ? Is there a workaround ? Happily, yes ! Think about the following solution :

  1. Ask a friend to send the package to a third party.
  2. In the package, put a notice that asks the third party to send the content of the parcel again to the final recipient.

Thus, the final recipient would have to corrupt 2 people to discover my identity. If I want to increase the security even more, I can even add a third friend to transfer the package between my 2 friends, and a fourth etc.. This is exactly the principle of onion routing. Instead of parcels, it is data packets, and instead of friends, it is what we call TOR “relays”.

Also, in case I want the recipient of the package to be able to confirm he received it, I need to provide him a way to reply to me without providing him my true identity. One way to do it is to add another notice in the package that asks each node to keep track of the address from whom they received the original package, and to forward an eventual reply to this same address. That way, I will be able to receive the confirmation.

To connect to a website through TOR, you connect to at least and usually 3 and up to 8 relays. A relay acts exactly like one of my friend : it receives a packet, look where it needs to forward it, and forward it to the intended relay. The first relay is called the entry guard, the second one the middle relay and the last one the exit relay. This set of relays is called a TOR circuit.

Onion routing, a bit more involved.

First, TOR browser connects to an entry guard. It uses the public list of all TOR nodes IP addresses to find one. Then, it asks this entry guard to « extend the circuit » towards a middle relay. This means the middle relay only sees the address of the entry guard but not our address. One more time, our TOR browser asks (through the partially established circuit) the middle node to extend the circuit to the exit node. This completes the circuit. Each node can only see the address of its predecessor and its successor without knowing nothing more. The entry guard can see the address of the host but doesn’t know the address of the destination. The exit node can see the address of the destination but can’t see the address of the host. Thus, privacy is ensured.

All of this can be done thanks to the power of cryptography. In particular what we call hybrid cryptography. Without going into details, the main idea is to create a secret key for each node and to distribute it securely to them using their long time key. Why not using their long time key directly ? Mainly for performance reasons. When the circuit is completed, we share a unique secret key with each node of the circuit, and each node only knows its predecessor and its sucessor. Then, we can successively encrypt our packets with all the secret keys we negotiated during the circuit setup phase. This is where the “onion” routing name comes from. The succession of all these layers of encryption looks like an onion.

To understand a bit better how it works let’s look at a small drawing :

Principle of onion routing

The data packet we send from our computer is symbolized by the black dot. Each relay shares with us its own secret key 🔑 symbolized by the color of its circle. A relay can only decrypt the data for which he has the key.

We can see that our TOR browser (our computer) encrypts the data packet successively with each secret keys we negotiated with each relay, starting with the exit relay key and finishing with the entry guard key. What’s the point ? The point is to make sure that each relay can only see the data it is intended to see : the address of the next relay where it should forward the packet and nothing more.

When the packet arrives at relay1, it decrypts the yellow layer with its own key from which he learns that it needs to forward the packet to relay2. It forwards the packet to relay2. When relay2 receives the packets, it proceeds exactly the same way. And finally, relay3 decrypts the last TOR encryption layer of the packet and forwards it to the website server.

When the website server replies to us, everything happens exactly the same way, but in reverse. Instead of «peeling the onion», the onion is «rebuilt» 😉. Thanks to the table they build during circuit setup, each relay knows which key to use to encrypt the packet back, and to which relay to forward the reply. When the reply reaches our computer, we can successively use all the keys to decrypt the reply. We peel the onion again.

Amazing ! So, I can be anonymous at an time ?

The Startup

Get smarter at building your thing. Join The Startup’s +788K followers.

Sign up for Top 10 Stories

By The Startup

Get smarter at building your thing. Subscribe to receive The Startup's top 10 most read stories — delivered straight into your inbox, once a week. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +788K followers.

Valentin Quelquejay

Written by

🇨🇭Cybersecurity student. DJ & Musician. Interested about too much things. Improving every minute.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +788K followers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store