| Field | Value | Date |
|---|---|---|
| author | Nick Mathewson <nickm@torproject.org> | 2023-11-11 21:57:53 -0500 |
| committer | Nick Mathewson <nickm@torproject.org> | 2023-11-11 22:05:07 -0500 |
| commit | 46f947115f4cce14b7b2368a414c765fc18e86b4 (patch) | |
| tree | b0c69346efa722a145ed9bcb6e88a96c489880dd /spec/tor-spec/obsolete-channels.md | |
| parent | a602166da2fffe55e882dd7879ecd82994996a45 (diff) | |
| download | torspec-46f947115f4cce14b7b2368a414c765fc18e86b4.tar.gz, torspec-46f947115f4cce14b7b2368a414c765fc18e86b4.zip | |
Finish revising the channel handshake
Diffstat (limited to 'spec/tor-spec/obsolete-channels.md')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | spec/tor-spec/obsolete-channels.md | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/spec/tor-spec/obsolete-channels.md b/spec/tor-spec/obsolete-channels.md index 33874d4..52e716f 100644 --- a/spec/tor-spec/obsolete-channels.md +++ b/spec/tor-spec/obsolete-channels.md 
@@ -214,3 +214,56 @@ it would need to verify that: not expired, and not before their `validAfter` dates. + +<a id="tor-spec.txt-4.4.1"></a> + +## Link authentication type 1: RSA-SHA256-TLSSecret {#RSA-SHA256-TLSSecret} + +This is an obsolete authentication method +used before RFC5705 support was ubiquitous. +It is nearly the same as +[Ed25519-SHA256-RFC5705](./negotiating-channels.md#Ed25519-SHA256-RFC5705), +but lacks support for Ed25519, +and does not use keying material exporters +(which were not widely supported at the time it as used. + +If AuthType is `[00 01]` (meaning "RSA-SHA256-TLSSecret"), +then the authentication field of the AUTHENTICATE +cell contains the following: + +| Field | Size | Description | +| --------- | ---- | ----------- | +| `TYPE` | 8 | The nonterminated string `AUTH0001` | +| `CID` | 32 | `SHA256(KP_relayid_rsa)` for initiator | +| `SID` | 32 | `SHA256(KP_relayid_rsa)` for responder | +| `SLOG` | 32 | SHA256 of responder transcript | +| `CLOG` | 32 | SHA256 of initiator transcript | +| `SCERT` | 32 | SHA256 of responder's TLS certificate | +| `TLSSECRETS`|32 | An ad-hoc HMAC output | +| `RAND` | 24 | [Random bytes] | +| `SIG` | Variable | RSA signature | + + +Notes are as for [Ed25519-SHA256-RFC5705], +except as follows: + + +- The `TLSSECRETS` fields holds a SHA256 HMAC, + using the TLS master secret as the secret key, + of the following concatenated fields: + - `client_random`, as sent in the TLS Client Hello + - `server_random`, as sent in the TLS Server Hello + - the NUL terminated ASCII string: + `"Tor V3 handshake TLS cross-certification"` +* The `SIG` fields holds an RSA signature of a SHA256 hash + of all the previous fields + (that is, `TYPE` through `RAND`), + using the initiator's `KS_legacy_linkauth_rsa`. + This field extends through the end of the Authenticate message. 
+ +[Random bytes]: ./preliminaries.md#random-values +[Ed25519-SHA256-RFC5705]: ./negotiating-channels.md#Ed25519-SHA256-RFC5705 + +Responders MUST NOT accept this AuthType if the initiator has +claimed to have an Ed25519 identity. + |
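Review bot: the parenthetical in the intro paragraph of this hunk is broken: `(which were not widely supported at the time it as used.` drops a word and never closes; suggest `(which were not widely supported at the time it was used).` Two smaller points in the same hunk: the two notes use different bullet markers (`- The \`TLSSECRETS\` fields holds` and `* The \`SIG\` fields holds`), which some Markdown renderers treat as two separate lists, so use `-` for both, and `fields holds` should read `field holds` in each. The normative sentence `Responders MUST NOT accept this AuthType if the initiator has claimed to have an Ed25519 identity.` is easy to miss after the link reference definitions; placing it with the other notes, before `[Random bytes]: ...`, would make the restriction more visible to implementers.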