TOR stands for “The Onion Router”.
It is a network designed to protect its users’ anonymity by routing the user’s TCP/IP traffic through multiple layers of encryption and multiple proxy nodes, hiding the user’s real IP address.
The proxy nodes are contributed by network volunteers, mostly in a distributed and decentralized fashion.
Web servers are normally unable to detect the user’s real IP, as traffic appears to originate from the last proxy node in the user’s TOR proxy chain (a.k.a. TOR circuit).
A TOR circuit is typically composed of:
- the user’s real IP
- 3 TOR nodes:
  - 1 Entry node
  - 1 intermediate node
  - 1 Exit node
Traffic is encrypted using several “onion layers”, for TCP/IP connections (UDP is not supported), as follows (simplified):
- A data packet (DP1) is encrypted with the Exit Node’s public key:
  - P1 = PKexit(DP1)
- The encrypted packet is again encrypted with the Intermediate Node’s public key:
  - P2 = PKinterm( PKexit(DP1) )
- The encrypted packet is again encrypted with the Entry Node’s public key:
  - P3 = PKentry( PKinterm( PKexit(DP1) ) )
Each node only knows the preceding and following node. No node gets to “know” the complete circuit.
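The layering above, as an added example that is not part of the original post: a small simulator that wraps DP1 in three layers (exit, intermediate, entry), then relays the cell through each node, recording what that node can learn. To stay stdlib-only, a per-hop symmetric keystream (HMAC-SHA256 in counter mode) stands in for the PKexit / PKinterm / PKentry operations; the keys, node names and destination are constructed values, not anything from the real Tor protocol.

```python
import hashlib
import hmac
import os

# Constructed toy per-hop keys (the post writes the layers as
# PKentry / PKinterm / PKexit; here each hop simply holds its own key).
HOP_KEYS = {
    "entry": b"entry-hop-key",
    "middle": b"middle-hop-key",
    "exit": b"exit-hop-key",
}
# Constructed routing table: who each hop forwards to. The exit forwards
# to the real destination, which is therefore only visible in the innermost layer.
NEXT_HOP = {"entry": "middle", "middle": "exit", "exit": "example.org:443"}

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Add one onion layer: fresh nonce || plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Remove one onion layer with the hop's own key."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(dp1: bytes) -> bytes:
    """Client side: P3 = E_entry(middle | E_middle(exit | E_exit(dest | DP1)))."""
    p1 = wrap(HOP_KEYS["exit"], NEXT_HOP["exit"].encode() + b"|" + dp1)
    p2 = wrap(HOP_KEYS["middle"], NEXT_HOP["middle"].encode() + b"|" + p1)
    p3 = wrap(HOP_KEYS["entry"], NEXT_HOP["entry"].encode() + b"|" + p2)
    return p3


def peel(node: str, cell: bytes):
    """One relay's view: it learns only the next hop and an opaque inner blob."""
    inner = unwrap(HOP_KEYS[node], cell)
    next_hop, rest = inner.split(b"|", 1)
    return next_hop.decode(), rest


def run_circuit(dp1: bytes):
    """Relay entry -> middle -> exit and record what each node observed."""
    observed = {}
    cell = build_onion(dp1)
    for node in ("entry", "middle", "exit"):
        next_hop, cell = peel(node, cell)
        # Can this hop see the application data in what it forwards?
        observed[node] = {"next_hop": next_hop, "sees_plaintext": dp1 in cell}
    return observed, cell  # cell is now DP1, handed to the destination


if __name__ == "__main__":
    trace, delivered = run_circuit(b"GET / HTTP/1.1")
    for node, view in trace.items():
        print(f"{node:6s} -> {view['next_hop']:16s} sees DP1: {view['sees_plaintext']}")
    print("destination receives:", delivered)
```

Running it shows the entry node learning only “middle”, the intermediate node only “exit”, and the exit node both the destination and DP1. That last line is the caveat worth remembering: the exit layer protects nothing beyond itself, so anything not encrypted end-to-end (for example plain HTTP instead of HTTPS) is readable by whoever runs the exit.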
TOR can be useful in a number of situations, for example:
- protecting whistleblowers’ identities
- circumventing network censorship in censored regions
- NGOs communicating with their volunteers in a foreign country
- users publishing web sites without needing to reveal the site’s location (using TOR’s hidden services)
Nevertheless, TOR must be used carefully, so that no “real IP” address leaks or other identity leaks occur (more info here (TOR Overview)). Attention must also be paid to the risk of attacks from powerful adversaries, such as governments and agencies.
To connect to the TOR network, a user usually has to install the “TOR Client” on their device or network. You can download it here (TOR project official site).
I’ll be exploring “TOR Client” low-level features in future posts.
[UPDATED with the new posts:]
- TOR client: low-level footprint analysis (Part 1)
- TOR client: low-level footprint analysis (Part 2 – “whonix gateway”)