diff options
Diffstat (limited to 'rend-spec-v2.txt')
-rw-r--r-- | rend-spec-v2.txt | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/rend-spec-v2.txt b/rend-spec-v2.txt index d3a93e1..7ea0362 100644 --- a/rend-spec-v2.txt +++ b/rend-spec-v2.txt @@ -103,6 +103,7 @@ 0.3. Constants and new cell types Relay cell types + 32 -- RELAY_COMMAND_ESTABLISH_INTRO 33 -- RELAY_COMMAND_ESTABLISH_RENDEZVOUS 34 -- RELAY_COMMAND_INTRODUCE1 @@ -166,9 +167,13 @@ To prevent replay attacks, the HS field contains a SHA-1 hash based on the shared secret KH between Bob's OP and the introduction point, as follows: + HS = H(KH | "INTRODUCE") + That is: + HS = H(KH | [49 4E 54 52 4F 44 55 43 45]) + (KH, as specified in tor-spec.txt, is H(g^xy | [00]) .) Upon receiving such a cell, the OR first checks that the signature is @@ -713,6 +718,7 @@ Bob's OP builds a new Tor circuit ending at Alice's chosen rendezvous point, and sends a RELAY_COMMAND_RENDEZVOUS1 cell along this circuit, containing: + RC Rendezvous cookie [20 octets] g^y Diffie-Hellman [128 octets] KH Handshake digest [20 octets] @@ -740,7 +746,9 @@ has sent a RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell but which has not yet received a reply, it uses g^y and H(g^xy) to complete the handshake as in the Tor circuit extend process: they establish a 60-octet string as + K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) | SHA1(g^xy | [02]) + and generate KH, Df, Db, Kf, and Kb as in the KDF-TOR key derivation approach documented in tor-spec.txt. @@ -905,10 +913,14 @@ ATYPE Authorization type: set to 1. [1 octet] ALEN Number of clients := 1 + ((clients - 1) div 16) [1 octet] + for each symmetric descriptor cookie: + ID Client ID: H(descriptor cookie | IV)[:4] [4 octets] SKEY Session key encrypted with descriptor cookie [16 octets] + (end of client-specific part) + RND Random data [(15 - ((clients - 1) mod 16)) * 20 octets] IV AES initialization vector [16 octets] IPOS Intro points, encrypted with session key [remaining octets] |