author Ian Jackson <ijackson@chiark.greenend.org.uk> 2023-01-17 13:25:39 +0000
committer David Goulet <dgoulet@torproject.org> 2023-01-19 10:20:45 -0500
commit 1d5ba4f51a302992b9c29a2aca1c8f6bf4f29872 (patch)
tree 2bb989c8eef0429b763d1033dd0480bdc0460910 /rend-spec-v3.txt
parent 3c68fd57e11467978f1ca7c8bad1c4c58d58685f (diff)
Use formal notation for credential and subcredential
In particular, give these formal names which contain "hs" (since they are part of the hidden service protocol, and not any other kind of authentication or authorisation scheme), and "N" to indicate that they are hash-generated nonces, not passwords. Change the references in the formulae, which it really seems to me ought to refer to the formal names.
Diffstat (limited to 'rend-spec-v3.txt')
-rw-r--r-- rend-spec-v3.txt 14
1 files changed, 8 insertions, 6 deletions
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index c6586ce..bc565fa 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -502,9 +502,11 @@ Table of contents:
This is achieved using two nonces:
* A "credential", derived from the public identity key KP_hsid.
+ N_hs_cred.
* A "subcredential", derived from the credential N_hs_cred
and information which various with the current time period.
+ N_hs_subcred.
The body of each descriptor is also encrypted with a key derived from
the public signing key.
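Review bot: The two added lines, "N_hs_cred." and "N_hs_subcred.", are bare fragments placed after bullet text that already ends in a full stop, so nothing tells the reader they are the formal names of the nonces just described. Suggest folding each name into its bullet, for example: A "credential" N_hs_cred, derived from the public identity key KP_hsid. The second bullet's existing wording ("derived from the credential N_hs_cred") then reads naturally. While this list is being touched, the context line "information which various with the current time period" should read "varies".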
@@ -697,11 +699,11 @@ Table of contents:
The subcredential for a period is derived as:
- subcredential = H("subcredential" | credential | blinded-public-key).
+ N_hs_subcred = H("subcredential" | N_hs_cred | blinded-public-key).
In the above formula, credential corresponds to:
- credential = H("credential" | public-identity-key)
+ N_hs_cred = H("credential" | public-identity-key)
where public-identity-key is the public identity master key of the hidden
service.
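Review bot: The unchanged sentence between the two formulae, "In the above formula, credential corresponds to:", now points at a term that no longer appears in the formula above it, because that formula says N_hs_cred after this change. Suggest updating the sentence in the same commit, e.g. "In the above formula, N_hs_cred corresponds to:". Leaving the quoted strings "subcredential" and "credential" inside H(...) untouched is right, since they are hash inputs and renaming them would change the derived values.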
@@ -1243,7 +1245,7 @@ Table of contents:
And here is what the hidden service computes:
SECRET_SEED = x25519(hs_y, client_X)
- KEYS = KDF(subcredential | SECRET_SEED, 40)
+ KEYS = KDF(N_hs_subcred | SECRET_SEED, 40)
CLIENT-ID = fist 8 bytes of KEYS
COOKIE-KEY = last 32 bytes of KEYS
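Review bot: The context line directly below the changed KEYS line reads "CLIENT-ID = fist 8 bytes of KEYS"; "fist" should be "first". It predates this commit, but the hunk already touches this block, so it is cheap to fix here. The rename on the KEYS line itself matches the N_hs_subcred definition introduced at @@ -697.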
@@ -1476,7 +1478,7 @@ Table of contents:
descriptor even if the content of the descriptor hasn't changed.
(So that we don't leak whether the intro point list etc. changed)
- secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
+ secret_input = SECRET_DATA | N_hs_subcred | INT_8(revision_counter)
keys = KDF(secret_input | salt | STRING_CONSTANT, S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN)
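Review bot: N_hs_subcred on the secret_input line is used here roughly 800 lines after the hunk that defines it (@@ -697), with nothing in this section pointing back. Since the commit's purpose is to make the formulae refer to formal names, consider adding a short pointer to the defining section at each use, or one notation list for the N_hs_* names, so a reader who lands on the descriptor-encryption section can resolve the symbol without searching.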
@@ -1937,7 +1939,7 @@ Table of contents:
and computes:
intro_secret_hs_input = EXP(B,x) | AUTH_KEY | X | B | PROTOID
- info = m_hsexpand | subcredential
+ info = m_hsexpand | N_hs_subcred
hs_keys = KDF(intro_secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN)
ENC_KEY = hs_keys[0:S_KEY_LEN]
MAC_KEY = hs_keys[S_KEY_LEN:S_KEY_LEN+MAC_KEY_LEN]
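Review bot: In the context around the changed info line, the KDF output length is written as S_KEY_LEN+MAC_LEN, while the MAC_KEY slice ends at S_KEY_LEN+MAC_KEY_LEN. From these lines alone a reader cannot tell whether MAC_LEN and MAC_KEY_LEN are the same constant, and so whether the KDF yields enough bytes for the slice. This is not introduced by the rename, but a notation-cleanup commit is a good place to pick one name and use it in both lines.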
@@ -1991,7 +1993,7 @@ Table of contents:
introduction point encryption key 'b' to compute:
intro_secret_hs_input = EXP(X,b) | AUTH_KEY | X | B | PROTOID
- info = m_hsexpand | subcredential
+ info = m_hsexpand | N_hs_subcred
hs_keys = KDF(intro_secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN)
HS_DEC_KEY = hs_keys[0:S_KEY_LEN]
HS_MAC_KEY = hs_keys[S_KEY_LEN:S_KEY_LEN+MAC_KEY_LEN]
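Review bot: The context of this hunk carries the same MAC_LEN versus MAC_KEY_LEN wording as the block at @@ -1937: the KDF call asks for S_KEY_LEN+MAC_LEN and the HS_MAC_KEY slice uses S_KEY_LEN+MAC_KEY_LEN. Any follow-up should change both copies together, since the two blocks are written as mirror computations over the same inputs (EXP(B,x) there, EXP(X,b) here) and should stay textually aligned.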