From 1d5ba4f51a302992b9c29a2aca1c8f6bf4f29872 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 17 Jan 2023 13:25:39 +0000 Subject: Uwe formal notation for credential and subcredential In particular, give these formal names which contain "hs" (since they are part of the hidden service protocol, and not any other kind of authentication or authorisation scheme), and "N" to indicate that they are hash-generated nonces, not passwords. Change the references in the formulae, which it really seems to me ought to refer to the formal names. --- rend-spec-v3.txt | 14 ++++++++------ tor-spec.txt | 2 ++ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt index c6586ce..bc565fa 100644 --- a/rend-spec-v3.txt +++ b/rend-spec-v3.txt @@ -502,9 +502,11 @@ Table of contents: This is achieved using two nonces: * A "credential", derived from the public identity key KP_hsid. + N_hs_cred. * A "subcredential", derived from the credential N_hs_cred and information which various with the current time period. + N_hs_subcred. The body of each descriptor is also encrypted with a key derived from the public signing key. @@ -697,11 +699,11 @@ Table of contents: The subcredential for a period is derived as: - subcredential = H("subcredential" | credential | blinded-public-key). + N_hs_subcred = H("subcredential" | N_hs_cred | blinded-public-key). In the above formula, credential corresponds to: - credential = H("credential" | public-identity-key) + N_hs_cred = H("credential" | public-identity-key) where public-identity-key is the public identity master key of the hidden service. @@ -1243,7 +1245,7 @@ Table of contents: And here is what the hidden service computes: SECRET_SEED = x25519(hs_y, client_X) - KEYS = KDF(subcredential | SECRET_SEED, 40) + KEYS = KDF(N_hs_subcred | SECRET_SEED, 40) CLIENT-ID = fist 8 bytes of KEYS COOKIE-KEY = last 32 bytes of KEYS @@ -1476,7 +1478,7 @@ Table of contents: descriptor even if the content of the descriptor hasn't changed. (So that we don't leak whether the intro point list etc. changed) - secret_input = SECRET_DATA | subcredential | INT_8(revision_counter) + secret_input = SECRET_DATA | N_hs_subcred | INT_8(revision_counter) keys = KDF(secret_input | salt | STRING_CONSTANT, S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN) @@ -1937,7 +1939,7 @@ Table of contents: and computes: intro_secret_hs_input = EXP(B,x) | AUTH_KEY | X | B | PROTOID - info = m_hsexpand | subcredential + info = m_hsexpand | N_hs_subcred hs_keys = KDF(intro_secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN) ENC_KEY = hs_keys[0:S_KEY_LEN] MAC_KEY = hs_keys[S_KEY_LEN:S_KEY_LEN+MAC_KEY_LEN] @@ -1991,7 +1993,7 @@ Table of contents: introduction point encryption key 'b' to compute: intro_secret_hs_input = EXP(X,b) | AUTH_KEY | X | B | PROTOID - info = m_hsexpand | subcredential + info = m_hsexpand | N_hs_subcred hs_keys = KDF(intro_secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN) HS_DEC_KEY = hs_keys[0:S_KEY_LEN] HS_MAC_KEY = hs_keys[S_KEY_LEN:S_KEY_LEN+MAC_KEY_LEN] diff --git a/tor-spec.txt b/tor-spec.txt index d967a8e..6654e0e 100644 --- a/tor-spec.txt +++ b/tor-spec.txt @@ -97,6 +97,8 @@ see tor-design.pdf. PK -- a public key. SK -- a private key. K -- a key for a symmetric cipher. + N -- a "nonce", a random value, usually deterministically chosen + from other inputs using hashing. a|b -- concatenation of 'a' and 'b'. -- cgit v1.2.3-54-g00ecf