Onion Routing
What is Onion Routing?
Onion Routing: An anonymous communication technique that wraps a message in nested layers of encryption, with each relay removing one layer until the payload reaches its destination.
Onion routing is the cryptographic design behind Tor and similar mixnets. The client chooses a path of relays, derives a separate symmetric key with each one, and then encrypts the message in successive layers, innermost first. As the packet traverses the circuit, each relay decrypts exactly one layer and learns only its immediate predecessor and successor, never both endpoints together. This prevents network-level observers, ISPs, or any single relay from linking source to destination. Onion routing also enables hidden services, where both client and server build half-circuits that rendezvous inside the network. Limitations include traffic-analysis attacks, malicious exit nodes for plaintext traffic, and latency overhead; mitigations include guard-relay pinning, end-to-end TLS, and constant-rate cover traffic.
● Examples
- 01: A Tor circuit of guard, middle, and exit relays where each peels off one layer of AES encryption.
- 02: An onion service's introduction-point and rendezvous-point handshake that hides both client and server addresses.
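The layered wrapping and per-relay peeling described above, as an added example that is not Tor's own code. Assumptions: the relay names and random keys are constructed stand-ins for keys negotiated with each relay, and a SHAKE-256 keystream with an HMAC tag replaces the AES layer cipher so the block needs only the standard library; real Tor also uses fixed-size cells, which this sketch omits.

```python
import hashlib, hmac, os

def subkey(key, label):
    # Separate encryption and MAC keys derived from one per-relay secret.
    return hashlib.sha256(label + key).digest()

def xor_stream(key, nonce, data):
    # SHAKE-256 keystream: a stdlib stand-in for the AES layer cipher.
    ks = hashlib.shake_256(subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = xor_stream(key, nonce, plaintext)
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer authentication failed")
    return xor_stream(key, nonce, ct)

def wrap(path, keys, dest, payload):
    # Innermost layer first: the exit's layer names the destination, the
    # guard's outermost layer names only the middle relay.
    blob = payload
    for relay, nxt in zip(reversed(path), reversed(path[1:] + [dest])):
        hop = nxt.encode()
        blob = seal(keys[relay], bytes([len(hop)]) + hop + blob)
    return blob

def peel(key, blob):
    # One relay's work: remove one layer, read the next hop, forward the rest.
    pt = unseal(key, blob)
    return pt[1:1 + pt[0]].decode(), pt[1 + pt[0]:]

def route(path, keys, client, blob):
    # Record the (predecessor, successor) pair visible to each relay.
    views, prev = {}, client
    for relay in path:
        nxt, blob = peel(keys[relay], blob)
        views[relay], prev = (prev, nxt), relay
    return views, blob

if __name__ == "__main__":
    path = ["guard", "middle", "exit"]          # constructed relay names
    keys = {r: os.urandom(32) for r in path}    # stand-in for negotiated keys
    onion = wrap(path, keys, "example.test:80", b"GET / HTTP/1.1")
    print(route(path, keys, "client", onion))
```

The blob leaving the exit relay is the original payload in the clear, which is why the definition lists end-to-end TLS as the mitigation for malicious exit nodes.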
● Frequently asked questions
What is Onion Routing?
An anonymous communication technique that wraps a message in nested layers of encryption, with each relay removing one layer until the payload reaches its destination. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Onion Routing?
Defences for Onion Routing typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- Tor / Tor Browser (attacks, № 1165): An anonymity network and hardened Firefox-based browser that routes traffic through three relays using onion routing to conceal user identity and destination.
- I2P (attacks, № 503): The Invisible Internet Project: a peer-to-peer anonymity network where every node also acts as a router, using unidirectional tunnels and garlic routing.
- Dark Web (attacks, № 271): A subset of the internet that requires special software such as Tor or I2P to access and that intentionally hides both client and server identities.
- Deep Web (attacks, № 296): All web content that is not indexed by public search engines, including private databases, intranets, and authenticated portals; distinct from the dark web.
- Data Anonymization (privacy, № 274): Irreversibly transforming personal data so that no individual can be identified, directly or indirectly, even when combined with other available information.
- VPN (Virtual Private Network) (network-security, № 1212): A technology that creates an encrypted, authenticated tunnel over a public network so that traffic appears to travel through a private network.