author: George Kadianakis <desnacked@riseup.net> 2017-02-27 20:25:41 +0200
committer: George Kadianakis <desnacked@riseup.net> 2017-02-28 17:16:01 +0200
commit: 526ed4ad03cd66319b659b547e5651ff91870f5d (patch)
tree: 5e176cfa9a40671281ff9bb24c809618f3356dc1 /proposals/224-rend-spec-ng.txt
parent: 08af5ef5e4000a1ea8fe09901f6040034e1205ed (diff)
prop224: Precisely specify the RENDEZVOUS1 verification procedure.
Diffstat (limited to 'proposals/224-rend-spec-ng.txt')
-rw-r--r-- proposals/224-rend-spec-ng.txt 25
1 files changed, 19 insertions, 6 deletions
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 4d773d4..103542a 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1808,18 +1808,31 @@ Table of contents:
HANDSHAKE_INFO [variable; depends on handshake type
used.]
- where RENDEZVOUS_COOKIE is the cookie suggested by the client
- during the introduction (see [PROCESS_INTRO2]).
+ where RENDEZVOUS_COOKIE is the cookie suggested by the client during the
+ introduction (see [PROCESS_INTRO2]) and HANDSHAKE_INFO is defined in
+ [NTOR-WITH-EXTRA-DATA].
If the cookie matches the rendezvous cookie set on any
not-yet-connected circuit on the rendezvous point, the rendezvous
point connects the two circuits, and sends a RENDEZVOUS2 cell to the
client containing the contents of the RENDEZVOUS1 cell.
- Upon receiving the RENDEZVOUS2 cell, the client verifies that the
- HANDSHAKE_INFO correctly completes a handshake. Now both parties use the
- handshake output to derive shared keys for use on the circuit as specified
- in the section below:
+ Upon receiving the RENDEZVOUS2 cell, the client verifies that HANDSHAKE_INFO
+ correctly completes a handshake. To do so, the client parses SERVER_PK from
+ HANDSHAKE_INFO and reverses the final operations of section
+ [NTOR-WITH-EXTRA-DATA] as shown here:
+
+ ntor_secret_input = EXP(Y,x) | EXP(B,x) | AUTH_KEY | B | X | Y | PROTOID
+ NTOR_KEY_SEED = MAC(ntor_secret_input, t_hsenc)
+ verify = MAC(ntor_secret_input, t_hsverify)
+ auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server"
+ AUTH_INPUT_MAC = MAC(auth_input, t_hsmac)
+
+ Finally the client verifies that the received AUTH field of HANDSHAKE_INFO
+ is equal to the computed AUTH_INPUT_MAC.
+
+ Now both parties use the handshake output to derive shared keys for use on
+ the circuit as specified in the section below:
4.2.1. Key expansion
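Review bot: The added verification text says the client parses SERVER_PK from HANDSHAKE_INFO, but the formulas that follow use Y and never state that Y is that parsed SERVER_PK; say so explicitly, and note that x, X, B, AUTH_KEY and the t_hsenc/t_hsverify/t_hsmac constants are the ones from [NTOR-WITH-EXTRA-DATA] so the block can be read on its own. The closing step ("is equal to the computed AUTH_INPUT_MAC") also leaves the failure path unspecified: state what the client must do on a mismatch (for example, close the circuit and discard NTOR_KEY_SEED), and require that the comparison of AUTH against AUTH_INPUT_MAC be done in constant time. Since NTOR_KEY_SEED is computed in the middle of the check but is not an input to it, a short remark that it is the handshake output consumed by 4.2.1, and must only be used after the AUTH check succeeds, would make the ordering unambiguous.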