diff options
author | George Kadianakis <desnacked@gmail.com> | 2011-05-11 20:40:03 +0200 |
---|---|---|
committer | George Kadianakis <desnacked@gmail.com> | 2011-05-11 20:40:03 +0200 |
commit | 1dfb05ca8798934522777fb39a7c2c22ca5761e4 (patch) | |
tree | 42e2c2d659d150efb7c534bc164b9f7cdb354f7e /proposals/ideas | |
parent | 9fabb940723ca01c56aeb763c59ebcea8f8bd775 (diff) | |
download | torspec-1dfb05ca8798934522777fb39a7c2c22ca5761e4.tar.gz torspec-1dfb05ca8798934522777fb39a7c2c22ca5761e4.zip |
Trivial fixes in proposals/ideas/xxx-ntor-handshake.txt
Diffstat (limited to 'proposals/ideas')
-rw-r--r-- | proposals/ideas/xxx-ntor-handshake.txt | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/proposals/ideas/xxx-ntor-handshake.txt b/proposals/ideas/xxx-ntor-handshake.txt index b39a39f..54c81b0 100644 --- a/proposals/ideas/xxx-ntor-handshake.txt +++ b/proposals/ideas/xxx-ntor-handshake.txt @@ -19,7 +19,7 @@ Notation: Let H(x,t) be a tweakable hash function of output width H_LENGTH bytes. - Let t_keyid, t_mac, t_key, and t_verify be a set of arbitrarily-chosen tweaks + Let t_mac, t_key, and t_verify be a set of arbitrarily-chosen tweaks for the hash function. Let EXP(a,b) be a^b in some appropriate group G where the appropriate DH @@ -38,13 +38,13 @@ Instantiation: Set H(x,t) == HMAC_SHA256 with message x and key t. So H_LENGTH == 32. Set t_mac == PROTOID | ":mac" - t_key1 == PROTOID | ":key1" - t_key2 == PROTOID | ":verify" + t_key == PROTOID | ":key" + t_verify == PROTOID | ":verify" Set EXP(a,b) == curve25519(a,b), and g == 9 . Set KEYID(B) == B. (We don't need to use a hash function here, since our keys are already very short. It is trivially collision-resistant, since - KEYID(A)====KEYID(B) iff A==B.) + KEYID(A)==KEYID(B) iff A==B.) Protocol: @@ -53,7 +53,7 @@ Protocol: As setup, the router generates a secret key b, and a public onion key B = EXP(g,b). The router publishes B in its server descriptor. - To send a create cell, the client generates a keypair of x, X=EXP(g,y) and + To send a create cell, the client generates a keypair of x, X=EXP(g,x) and sends a CREATE cell with contents: NODEID: ID -- H_LENGTH bytes @@ -75,7 +75,7 @@ Protocol: The client then checks Y, and computes secret_input = EXP(Y,x) | EXP(B,x) | ID | B | X | Y | PROTOID - KEY_SEED = H(secret_input, t_key1) + KEY_SEED = H(secret_input, t_key) verify = H(secret_input, t_verify) auth_input = verify | ID | B | Y | X | PROTOID | "Server" @@ -88,7 +88,7 @@ Key expansion: Currently, the key expansion formula used by Tor here is - K = SHA(K0 | [00]) | SHA(K0 | [01]) | SHH(K0 | [02]) | ... + K = SHA(K0 | [00]) | SHA(K0 | [01]) | SHA(K0 | [02]) | ... where K0==g^xy, and K is divvied up into Df, Db, Kf, and Kb portions. |