Tor works by creating a chain of nodes (other Tor users) between Alice and Bob. Each connection in the chain is encrypted separately, such that only the correct node can read its assigned payload. This is enforced using asymmetric cryptography to distribute the keys. When each node receives a message, it strips its assigned layer of encryption off, revealing its instructions and the payload to give to the next node.
(key3)
(key2) (key3)
*(key1) *(key2) *(key3)
Alice ---> Node1 ---> Node2 ---> Node3 ---> Bob
This system ensures that a node only knows which node it got the message from, and which node to send the message to. Since the origin of the message (in this case Alice) sends a standard payload, Node1 doesn't know whether Alice is the source or just another node in a chain. Node2 knows who Node1 is, but doesn't know if it is the message origin, or a node in the chain. Node3 knows it is the exit node (unless Bob is running as a Tor hidden service, in which case the encryption is maintained right to his front door) and knows that Node2 gave it the message, but has no idea who the message originated from. So, at no point does any node know both the source and target.
Now, how would we attack Tor? The first thing to remember is that each chain has to have some kind of identifier. In this case, the best identifier is a TCP connection. If we know Node3 created a TCP connection to Bob, we can look for connections to Node3 that started at roughly the same time. This gives us the IP address of Node2. The same can be applied to each node in the chain, until we have no correlating connection. In theory, we can use this to trace people through Tor. In practice, it's a little more difficult.
Bluffdale only siphons traffic going through tier 1 nodes in the USA, whereas Tor has nodes operating worldwide. Furthermore, Tor actively attempts to geographically distribute the nodes in a chain. In fact, I'm relatively sure it tries to avoid having the first node in the same country as the last node, but I'm not certain on that one. Anyway, let's assume Node3 is in America, well within the grasp of Bluffdale. You might have access to connection logs to and from Node3, you have no way to tell where the connections went after that because Node2 is in Russia and Node1 is in Spain. Good luck filing subpoenas there!
There are other attacks that correlate traffic when both the origin and target are within your logs, but they're much more probabilistic, which makes life difficult for law enforcement if they need to get a warrant. It does, however, provide them with leads to investigate.
So, whilst Bluffdale does represent a theoretical attack against the Tor network, there are a lot of variables to consider before they can mount a practical attack. On a slightly more reassuring note, this project costs millions of dollars per year to run, so utilisation will be focused on high priority threats. The NSA are hardly going to waste money tracing petty credit card theives and Anonymous members when they've got international terrorism on their plate, so they're certainly not going to bother reading the emails of a random netizen.
