[tor-commits] [torspec/master] prop224: Precisely specify the RENDEZVOUS1 verification procedure.
asn at torproject.org
asn at torproject.org
Tue Feb 28 15:18:46 UTC 2017
commit 526ed4ad03cd66319b659b547e5651ff91870f5d
Author: George Kadianakis <desnacked at riseup.net>
Date: Mon Feb 27 20:25:41 2017 +0200
prop224: Precisely specify the RENDEZVOUS1 verification procedure.
---
proposals/224-rend-spec-ng.txt | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 4d773d4..103542a 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1808,18 +1808,31 @@ Table of contents:
HANDSHAKE_INFO [variable; depends on handshake type
used.]
- where RENDEZVOUS_COOKIE is the cookie suggested by the client
- during the introduction (see [PROCESS_INTRO2]).
+ where RENDEZVOUS_COOKIE is the cookie suggested by the client during the
+ introduction (see [PROCESS_INTRO2]) and HANDSHAKE_INFO is defined in
+ [NTOR-WITH-EXTRA-DATA].
If the cookie matches the rendezvous cookie set on any
not-yet-connected circuit on the rendezvous point, the rendezvous
point connects the two circuits, and sends a RENDEZVOUS2 cell to the
client containing the contents of the RENDEZVOUS1 cell.
- Upon receiving the RENDEZVOUS2 cell, the client verifies that the
- HANDSHAKE_INFO correctly completes a handshake. Now both parties use the
- handshake output to derive shared keys for use on the circuit as specified
- in the section below:
+ Upon receiving the RENDEZVOUS2 cell, the client verifies that HANDSHAKE_INFO
+ correctly completes a handshake. To do so, the client parses SERVER_PK from
+ HANDSHAKE_INFO and reverses the final operations of section
+ [NTOR-WITH-EXTRA-DATA] as shown here:
+
+ ntor_secret_input = EXP(Y,x) | EXP(B,x) | AUTH_KEY | B | X | Y | PROTOID
+ NTOR_KEY_SEED = MAC(ntor_secret_input, t_hsenc)
+ verify = MAC(ntor_secret_input, t_hsverify)
+ auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server"
+ AUTH_INPUT_MAC = MAC(auth_input, t_hsmac)
+
+ Finally the client verifies that the received AUTH field of HANDSHAKE_INFO
+ is equal to the computed AUTH_INPUT_MAC.
+
+ Now both parties use the handshake output to derive shared keys for use on
+ the circuit as specified in the section below:
4.2.1. Key expansion
More information about the tor-commits
mailing list