5

I was just wondering if anyone has a diagram showing what is encrypted inside an onion packet when it leaves the sender?

When a Tor client sends the packet out, wouldn't the entry onion node know send real IP address? When reply traffic comes, what is the destination address for the traffic when it leaves the server?

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
m1xed0s
  • 65
  • 1
  • 5

1 Answers1

3

The image below shows how a packet is encrypted, and sent through the network.

enter image description here

Tor uses its own protocol to negotiate encryption keys. Through this protocol the client receives encryption keys for Routers A, B and C.

From the Tor Project

The client negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.

Before a packet is sent, it is encrypted with C's then B's then A's encryption key. When the message reaches router A it decrypts its layer, and forwards the rest to router B. Router A only know that the message needs to go to router B, and that it came from the client. It cannot see any other IP information.

For Tor (and onion routing) to work a minimum of 3 routers are required. So that no two routers will know both the source and destination IPs. When a Tor client sends a packet out the Entry Node will know the source IP address, but not the destination. The Exit Node will know the end destination, but not the real source address (just the previous relay). The IP address the server uses for the first layer will be the Exit Node's.

To address questions in your comments
If an Entry Node is compromised then it can reveal the source's IP address. But it will only know the next node in the circuit. Without some type of relationship to the destination the anonymity stays intact.

The Exit Node never seeds the original source address, and uses its own IP for communication with the end destination.

For more info look at the original Tor design paper.

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
  • Thanks. So onion entry router will see the real source IP address and can reveal the sender if compromised, right? Also, does the exit node decrypts and changes the source address in real message to its own IP address and then send to server? – m1xed0s Dec 19 '14 at 14:48
  • Yes, the entry router will see the real source ip. But it do not know what the final destination is. So it only know that you send something, but do not know what, or what the final destination is (it might not be true for hidden services!?). Your right about the exit node, it will use its own IP address to communicate to the final destination. – Dog eat cat world Dec 19 '14 at 14:55
  • @m1xed0s I updated my answer. – RoraΖ Dec 19 '14 at 14:59
  • @raz, thanks. More questions :), when tor client encrypts data to be sent out, what is the source IP address it uses in the real data, the exit node's IP? If so, how can the reply traffic got routed back to the real sender while the real data from server has exit node's IP as destination IP? There has to be some mapping table on onion router, right? – m1xed0s Dec 19 '14 at 15:05
  • @m1xed0s You have to remember there are 3 onion routers. The original message uses the real destination's IP address. However, that message is encrypted 3 times (at a minimum). The onion routers take care of the routing within the Tor network. Only when the exit node decrypts the final layer does it know where to send it. – RoraΖ Dec 19 '14 at 15:10
  • @raz, The link of the document helped. I did read the doc before but did not think I understand then... especially the section 4.3. The pre-established stream and stream id concepts are the ones I am looking for. – m1xed0s Dec 19 '14 at 15:24
  • @m1xed0s Yeah those are the important part, makes the whole circuit work. Hopefully I answered your questions! – RoraΖ Dec 19 '14 at 16:27