diff options
Diffstat (limited to 'spec/rend-spec/hsdesc-encrypt.md')
-rw-r--r-- | spec/rend-spec/hsdesc-encrypt.md | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/spec/rend-spec/hsdesc-encrypt.md b/spec/rend-spec/hsdesc-encrypt.md index 10a7d77..06713a2 100644 --- a/spec/rend-spec/hsdesc-encrypt.md +++ b/spec/rend-spec/hsdesc-encrypt.md @@ -1,6 +1,6 @@ <a id="rend-spec-v3.txt-2.5"></a> -## Hidden service descriptors: encryption format {#HS-DESC-ENC} +# Hidden service descriptors: encryption format {#HS-DESC-ENC} Hidden service descriptors are protected by two layers of encryption. Clients need to decrypt both layers to connect to the hidden service. @@ -12,7 +12,7 @@ and protects against entities that do not possess valid client credentials. <a id="rend-spec-v3.txt-2.5.1"></a> -### First layer of encryption {#HS-DESC-FIRST-LAYER} +## First layer of encryption {#HS-DESC-FIRST-LAYER} The first layer of HS descriptor encryption is designed to protect descriptor confidentiality against entities who don't know the public @@ -20,7 +20,7 @@ identity key of the hidden service. <a id="rend-spec-v3.txt-2.5.1.1"></a> -#### First layer encryption logic {#first-layer-logic} +### First layer encryption logic {#first-layer-logic} The encryption keys and format for the first layer of encryption are generated as specified in \[HS-DESC-ENCRYPTION-KEYS\] with customization @@ -43,7 +43,7 @@ multiple of 10k bytes. <a id="rend-spec-v3.txt-2.5.1.2"></a> -#### First layer plaintext format {#first-layer-plaintext} +### First layer plaintext format {#first-layer-plaintext} After clients decrypt the first layer of encryption, they need to parse the plaintext to get to the second layer ciphertext which is contained in the @@ -138,7 +138,7 @@ Here are all the supported fields: <a id="rend-spec-v3.txt-2.5.1.3"></a> -#### Client behavior {#FIRST-LAYER-CLIENT-BEHAVIOR} +### Client behavior {#FIRST-LAYER-CLIENT-BEHAVIOR} ```text The goal of clients at this stage is to decrypt the "encrypted" field as @@ -160,7 +160,7 @@ Here are all the supported fields: <a id="rend-spec-v3.txt-2.5.1.4"></a> -#### Hiding client authorization data {#hiding-client-auth} +### Hiding client authorization data {#hiding-client-auth} ```text Hidden services should avoid leaking whether client authorization is @@ -183,7 +183,7 @@ Here are all the supported fields: <a id="rend-spec-v3.txt-2.5.2"></a> -### Second layer of encryption {#HS-DESC-SECOND-LAYER} +## Second layer of encryption {#HS-DESC-SECOND-LAYER} The second layer of descriptor encryption is designed to protect descriptor confidentiality against unauthorized clients. If client authorization is @@ -196,7 +196,7 @@ does not offer any additional security, but is still used. <a id="rend-spec-v3.txt-2.5.2.1"></a> -#### Second layer encryption keys {#second-layer-keys} +### Second layer encryption keys {#second-layer-keys} The encryption keys and format for the second layer of encryption are generated as specified in \[HS-DESC-ENCRYPTION-KEYS\] with customization @@ -213,7 +213,7 @@ parameters as follows: <a id="rend-spec-v3.txt-2.5.2.2"></a> -#### Second layer plaintext format {#second-layer-plaintext} +### Second layer plaintext format {#second-layer-plaintext} After decrypting the second layer ciphertext, clients can finally learn the list of intro points etc. The plaintext has the following format: @@ -396,7 +396,7 @@ newline. <a id="rend-spec-v3.txt-2.5.3"></a> -### Deriving hidden service descriptor encryption keys {#HS-DESC-ENCRYPTION-KEYS} +## Deriving hidden service descriptor encryption keys {#HS-DESC-ENCRYPTION-KEYS} In this section we present the generic encryption format for hidden service descriptors. We use the same encryption format in both encryption layers, @@ -439,7 +439,7 @@ Here is the key generation logic: <a id="rend-spec-v3.txt-2.5.4"></a> -### Number of introduction points {#NUM_INTRO_POINT} +## Number of introduction points {#NUM_INTRO_POINT} This section defines how many introduction points an hidden service descriptor can have at minimum, by default and the maximum: |