A typical Tor circuit looks like
OP -- OR1 -- OR2 -- OR3
where the three "--" links are all TLS connections. TLS protects the
OP's communications from adversaries outside the network, but another
layer of crypto (used inside TLS) is needed to protect them from the
onion routers themselves (e.g. we don't want OR1 to learn the identity
of OR3). Thus, the onion proxy (OP) negotiates AES keys and MAC keys
with each onion router; call the AES keys k_1, k_2, k_3 and MAC keys
d_1, d_2, d_3.
My question is this: why bother with k_1 and d_1? the communications
between OP and OR1 don't need to be protected from the other onion
routers. I understand the reason for using k_2,d_2 and k_3,d_3, but
k_1,d_1 doesn't seem to be adding anything.
-James