Tor Network

  • 22 April 2026
  • 11 min read
  • Tags: Privacy, Tor

Translated from the original Arabic version using Gemini 2.5 Flash. Verified by author.

The Tor network is an encrypted communication network operating on the internet, run by thousands of independent volunteers, with over ten thousand volunteer servers in the network. The network aims to provide privacy and anonymity to its users by encrypting data packets and passing them through three or more servers. For communications destined for the global internet, the software selects three servers and ensures that they are independent of one another. The first server is called the guard, and it is responsible for introducing you to the Tor network. After it comes the middle relay, whose job is to pass the packet on to the third server, the exit relay. The exit relay sends the packet to the server outside the Tor network (the packet’s destination) and receives the reply, then encrypts the reply and sends it back along the same path. This path is called a Tor circuit.

The first relay knows the Tor user and the IP address from which they connected, but does not know the destination of the connection. The middle relay knows neither the user nor the final destination; it knows only the guard and the next server (the exit). The exit relay, in turn, knows neither the user nor the guard, but it does know the final destination with which the user is communicating. Each relay’s function is to forward data to the next relay; it does not store the data, because the data is encrypted and of no use to it. This is why each server in the Tor network is called a “relay.”

Within the Tor network, there are services called onion services, which are servers that connect to the Tor network like a regular user to exchange data. This data can be a web page or digital media. When connecting to one of these services, the user does not use an exit node because they will not leave the network. The connection and data transfer are managed entirely within the network.

Data destined for onion services is transferred through relays called rendezvous relays. These relays function to connect two Tor circuits, where the Tor user connects to them, as does the onion service. When data is sent from one of the paths, it is directed to the other path.

Relays

The Tor client chooses the circuit relays from a list containing all Tor relays. This list indicates the type of each relay, whether it is a guard, exit, or middle relay, along with some properties, such as whether the relay is fast or not. The list is published by nine entities called Directory Authorities (DirAuths). The nine authorities are chosen by the Tor development team and their identities are included in the Tor software.

New Relay Entry

When a new Tor relay starts, it creates a self-identifying descriptor. This descriptor contains the relay’s IP address, its public identity key, and a signing key that is signed by the private identity key. The identity key’s sole purpose is to identify the relay, and it signs nothing but the signing key. The signing key’s purpose is to sign the descriptor, as the relay must periodically send the descriptor to the Directory Authorities to inform them that it is active and still functioning. The signing key changes periodically because it is used frequently, and the risk of compromise by attackers is high; the identity key, on the other hand, is used rarely and is stored by the relay in a secure folder to which no one else has access. Therefore, compromising a Tor relay requires an attacker to fully control the server.

When relays send their descriptors to the authorities, the authorities in turn test them to ensure they are real servers and assign them flags. If the relay is stable (it sends its descriptor continuously), it is given the ‘Stable’ flag, and if it is fast, it is given the ‘Fast’ flag. Flags are only given after the authorities have tested the relays. The list of servers is published every hour. The nine authorities agree on a single list by majority vote and publish it. Thus, even if one authority is compromised, the attacker cannot publish a false list of relays and have the network apply it, because the other authorities will reject it.

Tor Circuit

The Tor client communicates with the nine authorities and retrieves the list of relays from them. From this list it selects the circuit relays, choosing a relay with the ‘Guard’ flag as its first relay, a relay without that flag as its second relay, and an exit relay as its exit, and then builds the circuit. In the relay list, each relay has a key called the onion key. The purpose of this key is to set up the connection between the client and the relay. The first message from the client to the relay is encrypted with this key and carries a temporary key for use with this relay in this circuit, together with a circuit-specific identifier shared between them. The relay replies with a public temporary key that it, too, created specifically for this client in this circuit, and a signature that can be verified with the client’s private key. Since the client sent its public key encrypted with the relay’s onion key, if the relay can decrypt and recognize it and produce a signature over it, the connection has been established, and the client uses a combination of its temporary key and the relay’s temporary key to encrypt the connection between them. Fresh keys can be derived from the encryption key after a period of use, but most Tor clients create an entirely new circuit instead of renewing keys.

Now, after the client has connected to the guard, it asks the guard to extend the circuit with another relay to carry its data. The guard links the client’s session identifier with its connection to the other relay and informs the client that the connection has been established. Data can now be sent from the client to the middle relay via the guard: when the client sends data for the middle relay, it goes to the guard, which decrypts its own layer and passes it straight on. The client then performs the same key exchange with the middle relay that it performed with the guard, relayed through the guard. The client is now connected to the middle relay, using a different circuit number from the one used with the guard relay, to make the connection harder to monitor. The client repeats the same procedure, asking the middle relay to extend the circuit with the exit relay.

After the circuit is complete, the client encrypts the data in layers, starting with the exit relay and ending with the guard relay. The data encrypted for the exit relay contains the raw data to be sent, such as an HTML page request. The client then encrypts that encrypted data again for the middle relay, and once more for the guard relay. When it is sent to the guard relay, the guard decrypts its layer and sends the result to the middle relay, because that is the next hop associated with the client’s circuit. The middle relay does the same and sends it to the exit relay. After decrypting its layer, the exit relay finds the HTML page request. After fetching the requested page, it encrypts it using the key it shares with the client and sends it to the middle relay, which in turn encrypts it using its own shared key with the client and sends it to the guard, which does the same. The client receives the data, decrypts it in order using the three keys, and obtains the HTML page.
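The layered encryption described above, as an added example that is not part of the original article: the client wraps a request for the exit relay, adds one layer per hop, and each relay strips its own layer and checks a “recognized” field plus a short tag to decide whether the cell is for it or should be forwarded; the reply path runs in reverse. The per-hop keys are constructed constants, and the stream cipher is an HMAC-based toy standing in for the AES-CTR Tor actually uses.

```python
import hashlib
import hmac

# Constructed per-hop secrets standing in for the temporary keys negotiated
# while building the circuit; a real client derives fresh ones per circuit.
PATH = ["guard", "middle", "exit"]
KEYS = {hop: {tag: hashlib.sha256(f"{hop}-secret-{tag}".encode()).digest()
              for tag in ("Kf", "Kb", "Df", "Db")} for hop in PATH}

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    Tor uses AES-CTR per hop; adding and removing a layer is the same XOR."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(payload: bytes, digest_key: bytes) -> bytes:
    """Innermost cell body: 'recognized' zeros, a 4-byte tag only the target
    hop can verify, then the payload (e.g. an HTML page request)."""
    return b"\x00\x00" + hmac.new(digest_key, payload, hashlib.sha256).digest()[:4] + payload

def recognize(cell: bytes, digest_key: bytes):
    """A hop's check after removing its own layer. Cells still wrapped in
    further layers look random here, so the hop forwards them instead."""
    tag = hmac.new(digest_key, cell[6:], hashlib.sha256).digest()[:4]
    if cell[:2] == b"\x00\x00" and hmac.compare_digest(cell[2:6], tag):
        return cell[6:]
    return None

def build(payload: bytes, target: str, direction: str) -> bytes:
    """Wrap for `target`, then add one layer per hop from target back to guard.
    direction "f": the client sending; "b": relay `target` sending a reply."""
    cell = wrap(payload, KEYS[target]["D" + direction])
    for hop in PATH[PATH.index(target)::-1]:
        cell = stream_xor(KEYS[hop]["K" + direction], cell)
    return cell

def peel(cell: bytes, direction: str):
    """Strip layers guard, middle, exit in turn until a hop recognizes the cell.
    direction "f": relays along the forward path; "b": the client reading a reply."""
    for hop in PATH:
        cell = stream_xor(KEYS[hop]["K" + direction], cell)
        payload = recognize(cell, KEYS[hop]["D" + direction])
        if payload is not None:
            return hop, payload
    return None, None

if __name__ == "__main__":
    print(peel(build(b"GET / HTTP/1.1\r\n", "exit", "f"), "f"))  # ('exit', b'GET / HTTP/1.1\r\n')
```

Because every layer is an XOR with a keyed stream, the hops cannot tell from the ciphertext alone which layer they hold; the recognized field and tag are what tell a relay that the cell has reached its intended hop.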

Onion Services

Onion services in Tor are hidden services; they are reachable but not locatable. You can use them but cannot know who operates them or where they are operated. These services are very important and useful in anonymous peer-to-peer applications, where each peer runs an onion service and the peers communicate through them. This is more secure than communicating directly using an IP address because, with an IP address and without Tor or a secure VPN, the other party can learn your geographical location and approach your internet service provider to ask about you. The entire connection to and from the onion service is encrypted. The user cannot know the identity of the service operator, and the service cannot know the identity of the user.

Running an Onion Service

An onion service needs a device and a way to access the Tor network in order to function. It does not require a static IP or powerful hardware. Running onion services are not listed anywhere on the network and cannot be accessed until their persistent address is known. This address consists of 56 characters followed by “.onion”. The first 54 characters are the service’s public key, and the last two characters are for verifying that the user has typed the service address correctly: the Tor client verifies these two characters to ensure it is a valid address before searching for it.

The service publishes its descriptor to different relays every hour. These relays are called hidden service directory relays (HSDirs); they are ordinary relays that have published their HSDir capability. The hidden service does not choose these relays itself; they are determined by the current hour and its public key. Network clients use a function whose purpose is to return a number for the current hour, called the network’s random number. Think of it like TOTP: you pass it the current time, and it returns a number. Using this number and the service’s public key, we can obtain the “blinded” public signing key, and using this number and the service’s private key, we can obtain the “blinded” private signing key. From the blinded public signing key, we can derive the service descriptor’s identifier, which determines where among the relays the descriptor is stored.
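An added example, not from the original article, covering the two checks a client performs before looking a service up: validating the typed 56-character address, and computing the current time period that feeds key blinding. At the byte level (per the Tor onion service specification) the 56 base32 characters decode to a 32-byte public key, a 2-byte checksum over the key, and a version byte of 3; the period counter is minutes since the epoch, minus a 12 hour rotation offset, divided by the period length. The ed25519 blinding itself is not shown, and the sample key is constructed.

```python
import base64
import hashlib

VERSION = b"\x03"   # current onion-address format version


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_onion_address(pubkey: bytes) -> str:
    """Service side: 32-byte key + 2-byte checksum + 1-byte version, base32 -> 56 chars."""
    if len(pubkey) != 32:
        raise ValueError("onion service public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_address(address: str) -> bytes:
    """Client side: validate the address the user typed before any lookup;
    returns the service public key or raises ValueError."""
    name, _, tld = address.strip().lower().rpartition(".")
    if tld != "onion" or len(name) != 56:
        raise ValueError("expected 56 base32 characters followed by .onion")
    raw = base64.b32decode(name.upper())          # raises on non-base32 characters
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or tampered with")
    return pubkey


def time_period_number(unix_time: int, period_minutes: int = 1440,
                       rotation_offset_minutes: int = 12 * 60) -> int:
    """The time-period counter that drives key blinding and HSDir selection:
    minutes since the Unix epoch, minus the 12 h rotation offset, divided by
    the period length (1440 minutes by default)."""
    return (unix_time // 60 - rotation_offset_minutes) // period_minutes


if __name__ == "__main__":
    sample_key = bytes(range(32))                 # constructed, not a real service key
    address = encode_onion_address(sample_key)
    print(address, decode_onion_address(address) == sample_key)
```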

The descriptor contains a body encrypted with the blinded private service key, which can be decrypted with the blinded public service key. The body contains relays specified by the service, called introduction relays, and a public key that the service uses only with these introduction relays. Through this public key, you can connect to the introduction relays and ask them to contact the service. In some services, this body is “superencrypted,” a method that prevents access to the service even when its address is known: you must have an additional key to decrypt the body and obtain the introduction relays. The service owner gives this decryption key only to authorized people.

Introduction Relays

These are relays chosen by the service, as mentioned, and listed in the body of its descriptor at the directory relays where the descriptor must be present at the current time. Their only function is to pass the user’s rendezvous point to the service. The user randomly selects a rendezvous relay from the network and passes it to the service, along with the encryption key and a rendezvous cookie. The service then goes to this rendezvous relay to meet the user.

Rendezvous Relays

These are relays selected randomly by the user and used to connect to a service at a rendezvous. After connecting to the rendezvous relay, establishing a circuit with it, and preparing it for the rendezvous, the user passes the rendezvous relay’s information to the service via the introduction relays. The service, in turn, establishes a circuit with this rendezvous relay. Once that circuit is established, the rendezvous relay joins the service’s circuit with the user’s, and through it the user can communicate with the service and vice versa.
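The rendezvous exchange above, as an added example that is not part of the original article: a constructed model of the rendezvous relay that pairs the user’s circuit with the service’s by the rendezvous cookie and then forwards data blindly between the two. The cell names follow the Tor onion service specification; the circuit identifiers and handshake bytes are constructed, and the hand-off of the cookie through the introduction relay is modelled as a direct pass.

```python
import os


class RendezvousRelay:
    """Constructed model of a rendezvous relay: it pairs two circuits by cookie
    and then forwards cells between them, seeing only circuit identifiers."""

    def __init__(self):
        self.waiting = {}   # rendezvous cookie -> the user's circuit id
        self.joined = {}    # circuit id -> the circuit it has been joined to

    def handle(self, circ_id: int, cell: tuple) -> tuple:
        kind = cell[0]
        if kind == "ESTABLISH_RENDEZVOUS":   # user prepares the relay with a 20-byte cookie
            cookie = cell[1]
            if len(cookie) != 20 or cookie in self.waiting:
                return ("DESTROY",)
            self.waiting[cookie] = circ_id
            return ("RENDEZVOUS_ESTABLISHED",)
        if kind == "RENDEZVOUS1":            # service arrives with the cookie it received via the introduction relay
            user_circ = self.waiting.pop(cell[1], None)
            if user_circ is None:            # nobody is waiting with that cookie: refuse
                return ("DESTROY",)
            self.joined[circ_id], self.joined[user_circ] = user_circ, circ_id
            return ("RENDEZVOUS2", user_circ, cell[2])   # handshake data delivered on the user's circuit
        if kind == "RELAY":                  # after the join, data crosses blindly to the other circuit
            peer = self.joined.get(circ_id)
            return ("RELAY", peer, cell[1]) if peer is not None else ("DESTROY",)
        return ("DESTROY",)


def rendezvous_exchange(handshake: bytes = b"service-handshake") -> dict:
    """Walk the sequence in the text with constructed circuit ids; the hand-off
    of the cookie through the introduction relay is modelled as a direct pass."""
    relay = RendezvousRelay()
    user_circ, service_circ, cookie = 1001, 2002, os.urandom(20)
    return {
        "established": relay.handle(user_circ, ("ESTABLISH_RENDEZVOUS", cookie)),
        "joined": relay.handle(service_circ, ("RENDEZVOUS1", cookie, handshake)),
        "forwarded": relay.handle(user_circ, ("RELAY", b"GET / HTTP/1.1\r\n")),
        "reply": relay.handle(service_circ, ("RELAY", b"<html>hello</html>")),
        "wrong_cookie": relay.handle(3003, ("RENDEZVOUS1", os.urandom(20), b"x")),
    }
```

The cookie is single use: once the service has joined, a second RENDEZVOUS1 with the same cookie is refused, and a circuit that was never joined cannot have data relayed through it.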

Conclusion

With this, once both parties have connected at the rendezvous relay, they can exchange data privately and encrypted. The user does not know who operates the service, and the service does not know who the user is. The user has three relays (a Tor circuit), and the service likewise has three relays.

I hope that the explanation of how the network works is clear. This article aims to simplify the mechanism without complication or disruption.

Sources

The information mentioned in this article is sourced from Tor Specifications and Tor Metrics.