diff options
| author | George Kadianakis <desnacked@riseup.net> | 2017-02-27 20:24:03 +0200 |
|---|---|---|
| committer | George Kadianakis <desnacked@riseup.net> | 2017-02-28 17:15:59 +0200 |
| commit | 08af5ef5e4000a1ea8fe09901f6040034e1205ed (patch) | |
| tree | 72a71cf3df5320ada7e004ec0245d5fa7a4cf62c /proposals/224-rend-spec-ng.txt | |
| parent | 41049b27b2b604b7bc80ab4ab9ded3041434df85 (diff) | |
| download | torspec-08af5ef5e4000a1ea8fe09901f6040034e1205ed.tar.gz torspec-08af5ef5e4000a1ea8fe09901f6040034e1205ed.zip | |
prop224: Improvements to HS ntor section.
- AUTH_KEYID is actually AUTH_KEY these days
- Make it more clear that the result of the ntor handshake includes a MAC.
Diffstat (limited to 'proposals/224-rend-spec-ng.txt')
| -rw-r--r-- | proposals/224-rend-spec-ng.txt | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index 50bbdd3..4d773d4 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -1642,7 +1642,7 @@ Table of contents: generates a single-use keypair: x,X = KEYGEN() and computes: - secret_hs_input = EXP(B,x) | AUTH_KEYID | X | B | PROTOID + secret_hs_input = EXP(B,x) | AUTH_KEY | X | B | PROTOID info = m_hsexpand | subcredential hs_keys = KDF(secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN) ENC_KEY = hs_keys[0:S_KEY_LEN] @@ -1698,7 +1698,7 @@ Table of contents: service host generates a keypair of y,Y = KEYGEN(), and uses its introduction point encryption key 'b' to computes: - secret_hs_input = EXP(X,b) | AUTH_KEYID | X | B | PROTOID + secret_hs_input = EXP(X,b) | AUTH_KEY | X | B | PROTOID info = m_hsexpand | subcredential hs_keys = KDF(secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN) HS_DEC_KEY = hs_keys[0:S_KEY_LEN] @@ -1707,16 +1707,17 @@ Table of contents: (The above are used to check the MAC and then decrypt the encrypted data.) - ntor_secret_input = EXP(X,y) | EXP(X,b) | AUTH_KEYID | B | X | Y | PROTOID + ntor_secret_input = EXP(X,y) | EXP(X,b) | AUTH_KEY | B | X | Y | PROTOID NTOR_KEY_SEED = MAC(ntor_secret_input, t_hsenc) verify = MAC(ntor_secret_input, t_hsverify) - auth_input = verify | AUTH_KEYID | B | Y | X | PROTOID | "Server" + auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server" + AUTH_INPUT_MAC = MAC(auth_input, t_hsmac) (The above are used to finish the ntor handshake.) The server's handshake reply is: SERVER_PK Y [G_LEN bytes] - AUTH MAC(auth_input, t_hsmac) [H_LEN bytes] + AUTH AUTH_INPUT_MAC [H_LEN bytes] These fields will be sent to the client in a RENDEZVOUS1 cell using the HANDSHAKE_INFO element (see [JOIN_REND]). |