By the end, we need to wind up in a situation where the user shares a separate symmetric key with each router, and where each router knows only the previous and the next router in the sequence.
In the original (patented!) onion routing protocol, the user would build a data structure like this:
E_A( K_A, B, E_B( K_B, C, E_C( K_C, destination) ) )
where E_A is encryption with A's public key, K_A is a random symmetric key chosen by the user for A and shared with nobody else, and B is the identity of router B (the next hop after A).
The user would then give this "onion" to router A. Router A would decrypt it, and see K_A (the symmetric key shared between the user and A), and see B (the next router in the sequence).
Router A would also see a chunk of encrypted data: E_B( K_B, C, E_C( K_C, destination) ). Router A can't read this, since it is encrypted for router B. Router A passes it on, and extends the circuit to B. And so on.
As the "onion" moves down the circuit, each router removes one layer, learns its key, and sees who the next router is.
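Here is the peeling walked through in code, as an added example that is not part of the lecture. It assumes a three-hop route A, B, C and models each router's public-key encryption E_X with a keyed HMAC-SHA256 stream cipher under a secret only X holds (a stand-in chosen so the example runs with the standard library; the layering is what it demonstrates, not the cipher).

```python
import hmac, hashlib, os, struct

KEY_LEN = 16  # size of the symmetric key K_X the user picks for each router

def _keystream(secret, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stand-in for E_X, see lead-in.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(secret, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def E(secret, plaintext):
    # "Encrypt for X": only the holder of X's secret can strip this layer.
    nonce = os.urandom(16)
    ks = _keystream(secret, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def D(secret, blob):
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(secret, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def build_onion(route, secrets, destination):
    """Build E_A(K_A, B, E_B(K_B, C, E_C(K_C, destination))) from the inside out.
    route: ['A','B','C']; secrets: router name -> that router's private secret."""
    keys = {r: os.urandom(KEY_LEN) for r in route}   # K_A, K_B, K_C chosen by the user
    hops = route[1:] + [destination]                  # what each router is told as "next"
    inner = b""
    for router, nxt in reversed(list(zip(route, hops))):
        payload = keys[router] + struct.pack(">H", len(nxt)) + nxt.encode() + inner
        inner = E(secrets[router], payload)
    return inner, keys

def peel(secret, onion):
    """What router X does: remove its layer, learn K_X and the next hop,
    and get back the still-encrypted remainder meant for the next router."""
    plain = D(secret, onion)
    k = plain[:KEY_LEN]
    n = struct.unpack(">H", plain[KEY_LEN:KEY_LEN + 2])[0]
    nxt = plain[KEY_LEN + 2:KEY_LEN + 2 + n].decode()
    return k, nxt, plain[KEY_LEN + 2 + n:]

def walk_circuit(route, destination):
    """Simulate the onion travelling down the circuit; returns what each router learned."""
    secrets = {r: os.urandom(32) for r in route}     # constructed per-router secrets
    onion, user_keys = build_onion(route, secrets, destination)
    learned = []
    for router in route:
        k, nxt, onion = peel(secrets[router], onion)
        learned.append((router, nxt, k == user_keys[router]))
    return learned, onion
```

Each router ends up with exactly its own K_X and its successor's name; after C strips the last layer nothing remains but the destination.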
So far so good?