commit 36761c7d553df7b0160bd1180c19b4a58362c827
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Fri Nov 1 19:43:42 2013 -0400
Document what we use for KH when we're doing ntor.

KH is part of the material derived from the KDF during the onion key
process.

In the TAP handshake, KH played two roles: it was sent by the server
towards the client to prove that the server was able to complete the
TAP handshake, AND it was included as part of the
RELAY_ESTABLISH_INTRO message to make it impossible to replay a
RELAY_ESTABLISH_INTRO from one circuit on another circuit.

With the ntor handshake, the first value of KH was removed. But we
still needed a shared, circuit-specific value for hidden service
code to work. This value is taken as an additional 20 bytes from
the KDF. It wasn't documented in the spec, though. Adding it here.
---
tor-spec.txt | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tor-spec.txt b/tor-spec.txt
index 80d9e23..0ec3b3d 100644
--- a/tor-spec.txt
+++ b/tor-spec.txt
@@ -1000,8 +1000,9 @@ see tor-design.pdf.
When used in the ntor handshake, the first HASH_LEN bytes form the
forward digest Df; the next HASH_LEN form the backward digest Db; the
- next KEY_LEN form Kf, and the final KEY_LEN form Kb. Excess bytes
- from K are discarded.
+ next KEY_LEN form Kf, the next KEY_LEN form Kb, and the final
+ DIGEST_LEN bytes are taken as a nonce to use in the place of KH in the
+ hidden service protocol. Excess bytes from K are discarded.
5.3. Creating circuits
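Review bot: the added lines size the new value with DIGEST_LEN, while the two digests in the same sentence are sized with HASH_LEN, and nothing in the visible text ties DIGEST_LEN to the 20 bytes the commit message mentions. Consider using HASH_LEN here as well, or stating the length explicitly, so an implementer knows exactly how many bytes to pull from the KDF. Separately, "the final DIGEST_LEN bytes" followed by "Excess bytes from K are discarded" is ambiguous because K is a stream with no fixed end; "the next DIGEST_LEN bytes" would make clear the value is taken immediately after Kb. Since this value is what binds RELAY_ESTABLISH_INTRO to one circuit, both sides must derive it from the same offset, so the wording is worth tightening.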