diff options
author | Nick Mathewson <nickm@torproject.org> | 2014-03-27 16:03:48 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2014-03-27 16:09:50 -0400 |
commit | 4d3041c6fe8b27e92919970860487107d8ee3da6 (patch) | |
tree | 26fbf9c765bcac631496fdf6dafa4ac1f8ecc41c /rend-spec.txt | |
parent | f13c1960c9f852cb64e4f7cd1fdcb696d5be8cc3 (diff) | |
download | torspec-4d3041c6fe8b27e92919970860487107d8ee3da6.tar.gz torspec-4d3041c6fe8b27e92919970860487107d8ee3da6.zip |
Document that rend-spec.txt uses KDF-Tor like TAP does
Fix for #8809
Diffstat (limited to 'rend-spec.txt')
-rw-r--r-- | rend-spec.txt | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/rend-spec.txt b/rend-spec.txt index ebaf4e8..d030b8e 100644 --- a/rend-spec.txt +++ b/rend-spec.txt @@ -733,19 +733,17 @@ received a reply, it uses g^y and H(g^xy) to complete the handshake as in the Tor circuit extend process: they establish a 60-octet string as K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) | SHA1(g^xy | [02]) - and generate - KH = K[0..15] - Kf = K[16..31] - Kb = K[32..47] + and generate KH, Df, Db, Kf, and Kb as in the KDF-TOR key derivation + approach documented in tor-spec.txt. Subsequently, the rendezvous point passes relay cells, unchanged, from - each of the two circuits to the other. When Alice's OP sends - RELAY cells along the circuit, it first encrypts them with the + each of the two circuits to the other. When Alice's OP sends RELAY cells + along the circuit, it authenticates with Df, and encrypts them with the Kf, then with all of the keys for the ORs in Alice's side of the circuit; and when Alice's OP receives RELAY cells from the circuit, it decrypts them with the keys for the ORs in Alice's side of the circuit, then - decrypts them with Kb. Bob's OP does the same, with Kf and Kb - interchanged. + decrypts them with Kb, and checks integrity with Db. Bob's OP does the + same, with Kf and Kb interchanged. 1.11. Creating streams |