From 73f26437470e4b4b360a484daaa1ce94efad317f Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Fri, 17 Nov 2017 15:18:57 -0500 Subject: rend-spec-v3: document trailing zero byte in BLIND_STRING (A.2.) The implementation uses sizeof instead of strlen, so the C string NUL byte is hashed. --- rend-spec-v3.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'rend-spec-v3.txt') diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt index ef5f940..d595268 100644 --- a/rend-spec-v3.txt +++ b/rend-spec-v3.txt @@ -2160,7 +2160,7 @@ A.2. Tor's key derivation scheme blinding factor like this: h = H(BLIND_STRING | A | s | B | N) - BLIND_STRING = "Derive temporary signing key" + BLIND_STRING = "Derive temporary signing key" | INT_1(0) N = "key-blind" | INT_8(period-number) | INT_8(period_length) then clamp the blinding factor 'h' according to the ed25519 spec: -- cgit v1.2.3-54-g00ecf From 42e31d525b38fd8810006d7deacc8f41ef34db8d Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Fri, 17 Nov 2017 15:19:45 -0500 Subject: rend-spec-v3: add details to blinding implementation (A.2.) In particular, document how to derive the second half of the private key. --- rend-spec-v3.txt | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'rend-spec-v3.txt') diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt index d595268..e408e8b 100644 --- a/rend-spec-v3.txt +++ b/rend-spec-v3.txt @@ -2162,6 +2162,7 @@ A.2. Tor's key derivation scheme h = H(BLIND_STRING | A | s | B | N) BLIND_STRING = "Derive temporary signing key" | INT_1(0) N = "key-blind" | INT_8(period-number) | INT_8(period_length) + B = "(1511[...]2202, 4631[...]5960)" then clamp the blinding factor 'h' according to the ed25519 spec: 
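Review bot: the new `BLIND_STRING = "Derive temporary signing key" | INT_1(0)` line in A.2 gives no reason for the extra zero byte, and the reason only lives in the commit message (sizeof rather than strlen, so the C string's NUL terminator is hashed). That should be stated in the spec text next to the line: an implementer reading only A.2 will take INT_1(0) for a deliberate domain-separation suffix, and an implementation in another language, or a later C "fix" that switches to strlen, would silently derive different blinded keys and therefore different onion addresses for the same identity key. Suggest a one-line note directly under the definition, for example `(the INT_1(0) is the NUL terminator of the C string; it is part of the hashed input and MUST be included)`.

Review bot: the added `B = "(1511[...]2202, 4631[...]5960)"` line truncates both coordinates with `[...]`, which makes the constant unusable for the one purpose a spec constant has, letting an implementer check their value against it. Either print the full decimal coordinates or replace the line with a statement that B is the standard Ed25519 base point (the hunk already refers to "the ed25519 spec" two lines below for clamping, so the same reference serves here). Also, the rest of A.2 uses double quotes for string constants; writing a point as `"(..., ...)"` makes it read as a string that is hashed rather than as the group element used in `A = aB`, so drop the quotes.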
@@ -2171,8 +2172,15 @@ A.2. Tor's key derivation scheme and do the key derivation as follows: - private key for the period: a' = h a - public key for the period: A' = h A = (ha)B + private key for the period: + + a' = h a mod l + RH' = SHA-512(RH_BLIND_STRING | RH)[:32] + RH_BLIND_STRING = "Derive temporary signing key hash input" + + public key for the period: + + A' = h A = (ha)B Generating a signature of M: given a deterministic random-looking r (see EdDSA paper), take R=rB, S=r+hash(R,A',M)ah mod l. Send signature @@ -2185,6 +2193,8 @@ A.2. Tor's key derivation scheme = rB + (hash(R,A',M)ah)B = R + hash(R,A',M)A' ) + This boils down to regular Ed25519 with key pair (a', A'). + See [KEYBLIND-REFS] for an extensive discussion on this scheme and possible alternatives. Also, see [KEYBLIND-PROOF] for a security proof of this scheme. -- cgit v1.2.3-54-g00ecf From ae8d5de13ba64238bc24b841e6269af72b86460a Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Fri, 17 Nov 2017 15:22:17 -0500 Subject: dir-spec, rend-spec-v3: typos and simplifications --- dir-spec.txt | 24 ++++++++++++------------ rend-spec-v3.txt | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) (limited to 'rend-spec-v3.txt') diff --git a/dir-spec.txt b/dir-spec.txt index 1c63b21..54e122f 100644 --- a/dir-spec.txt +++ b/dir-spec.txt @@ -285,11 +285,13 @@ [arguments] NL SIGNATURE NL The "SIGNATURE" Object contains a signature (using the signing key) of - the PKCS1-padded digest of the entire document, taken from the + the PKCS#1 1.5 padded digest of the entire document, taken from the beginning of the Initial item, through the newline after the Signature Item's keyword and its arguments. - Unless otherwise, the digest algorithm is SHA-1. + The signature does not include the algorithmIdentifier specified in PKCS #1. + + Unless specified otherwise, the digest algorithm is SHA-1. All documents are invalid unless signed with the correct signing key. 
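Review bot: `RH' = SHA-512(RH_BLIND_STRING | RH)[:32]` uses RH without defining it anywhere in the hunk, and the text never says what RH' is for. The commit message says this is how the second half of the private key is derived, so the hunk should say that explicitly: define RH as the second half of the (unblinded) expanded private key, state that RH' replaces it in the blinded key, and spell out that `[:32]` means the first 32 bytes of the SHA-512 output. As it stands, the `a' = h a mod l` line and the later "given a deterministic random-looking r (see EdDSA paper)" paragraph do not mention RH' at all, so a reader cannot tell that r for blinded signatures is derived from RH' rather than RH. The new closing sentence "This boils down to regular Ed25519 with key pair (a', A')" is the right framing; it would be more precise as the expanded secret key (a', RH') with public key A', since that is exactly what a stock Ed25519 signing routine would be handed.

Review bot: the dir-spec hunk spells the standard two different ways in adjacent sentences, `PKCS#1 1.5` and `PKCS #1`; pick one, preferably `PKCS #1 v1.5`, because "1.5" on its own reads as a version of the padding rather than of the document. The new sentence "The signature does not include the algorithmIdentifier specified in PKCS #1." is the interoperability-critical fact in this hunk and deserves one more clause saying what is signed instead: the raw digest bytes are padded directly, without the DigestInfo structure that carries the AlgorithmIdentifier, so verifiers must not hand these signatures to a standard RSASSA-PKCS1-v1_5 verify call that expects DigestInfo and will reject them. Also consider moving "Unless specified otherwise, the digest algorithm is SHA-1." up to follow the first paragraph, which is the one that introduces the digest; splitting the two statements with the algorithmIdentifier sentence makes the SHA-1 default easy to miss.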
@@ -2102,7 +2104,7 @@ See shared-rand-current-value decription above. - The authority section of a consensus contains groups the following items, + The authority section of a consensus contains groups of the following items, in the order given, with one group for each authority that contributed to the consensus, with groups sorted by authority identity digest: @@ -2144,7 +2146,8 @@ "Nickname" is the OR's nickname. "Identity" is a hash of its identity key, encoded in base64, with trailing equals sign(s) removed. "Digest" is a hash of its most recent descriptor as - signed (that is, not including the signature), encoded in base64. + signed (that is, not including the signature) by the RSA identity + key (see section 1.3.), encoded in base64. "Publication" is the publication time of its most recent descriptor, in the form YYYY-MM-DD HH:MM:SS, in UTC. Implementations MAY base @@ -3398,7 +3401,7 @@ prefer fallbacks to authorities, trying them earlier and more frequently. In all other cases, the client downloads from caches randomly chosen from among those believed to be V3 directory servers. (This information comes - from the network-status documents; see 6 below.) + from the network-status documents.) After receiving any response client MUST discard any network-status documents that it did not request. @@ -3484,8 +3487,8 @@ After choosing mirrors, the client divides the descriptors among them randomly. - After receiving any response client MUST discard any descriptors that it - did not request. + After receiving any response the client MUST discard any descriptors that + it did not request. When a descriptor download fails, the client notes it, and does not consider the descriptor downloadable again until a certain amount of time 
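Review bot: in the "Digest" hunk the added clause attaches to the wrong noun. As written, "a hash of its most recent descriptor as signed (that is, not including the signature) by the RSA identity key" reads as though the hash, or the signature exclusion, is what the RSA identity key applies to. Suggest reordering so the key qualifies the descriptor: "a hash of its most recent descriptor as signed by the RSA identity key (see section 1.3), that is, not including the signature, encoded in base64". The period inside "1.3.)" should also go.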
@@ -3847,11 +3850,8 @@ D. Inferring missing proto lines. Cons=1-2 Desc=1-2 DirCache=1 HSDir=1 HSIntro=3 HSRend=1-2 Link=1-4 LinkAuth=1 Microdesc=1-2 Relay=1-2 - For Desc, Tor versions before 0.2.7.stable should be taken to have Desc=1 - and versions 0.2.7.stable or later should have Desc=1-2. - - For Microdesc and Cons, Tor versions before 0.2.7.stable should be taken to - support version 1; 0.2.7.stable and later should have 1-2. + For Desc, Microdesc and Cons, Tor versions before 0.2.7.stable should be + taken to only support version 1. E. Limited ed diff format diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt index e408e8b..ebe05d8 100644 --- a/rend-spec-v3.txt +++ b/rend-spec-v3.txt @@ -2232,7 +2232,7 @@ Appendix C. Recommendations for searching for vanity .onions [VANITY] While pk does not satisfy X: Add the number 8 to sk - Add the scalar 8*B to pk + Add the point 8*B to pk Return sk, pk. -- cgit v1.2.3-54-g00ecf
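Review bot: the consolidated sentence in appendix D only states the exception ("Tor versions before 0.2.7.stable should be taken to only support version 1") and drops the explicit statement the old text had that 0.2.7.stable and later have Desc=1-2, Microdesc=1-2 and Cons=1-2; the reader now has to infer that from the default line above the hunk. Inferred proto lines decide which features a client will assume an old relay supports, so the rule should be stated, not implied: add "and versions 0.2.7.stable or later should be taken to have the values listed above" (or equivalent) so both cases are covered in the text.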