commit 316481f4386428f61a436feefa3a4a11a46890bc Author: George Kadianakis desnacked@riseup.net Date: Tue May 10 14:15:36 2016 -0400

prop224: More improvements.

- Specify credential/subcredential format. - Bump up revision-counter to 64-bits. - Specify descriptor encryption padding. --- proposals/224-rend-spec-ng.txt | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index 365f4fd..260036b 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -626,9 +626,17 @@ Table of contents: leaving the hidden service's private key offline.

The subcredential for a period is derived as: - H("subcredential" | - credential | - blinded-public-key). + + subcredential = H("subcredential" | credential | blinded-public-key). + + In the above formula, credential corresponds to: + + credential = H(public-identity-key | authorization-key) + + where public-identity-key is the public identity master key of the hidden + service, and authorization-key is an optional secret used for client + authorization. If no client authorization is specified, authorization-key is + left blank.

2.2. Locating, uploading, and downloading hidden service descriptors [HASHRING] @@ -949,7 +957,7 @@ Table of contents: descriptor even if the content of the descriptor hasn't changed. (So that we don't leak whether the intro point list etc. changed)

- secret_input = blinded_public_key | subcredential | INT_4(revision_counter) + secret_input = blinded_public_key | subcredential | INT_8(revision_counter) keys = KDF(secret_input, salt, "hsdir-encrypted-data", S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN)

@@ -964,14 +972,10 @@ Table of contents: MAC MAC of both above fields [32 bytes]

The encryption format is ENCRYPTED = - STREAM(SECRET_IV,SECRET_KEY) xor Plaintext + STREAM(SECRET_IV,SECRET_KEY) XOR Plaintext

- Before encryption, the plaintext must be padded to a multiple of ??? - bytes with NUL bytes. The plaintext must not be longer than ??? - bytes. [TODO: how much? Should this be a parameter? What values in - practice are needed to hide how many intro points we have, and how - many might be legacy ones? Note that Single Onion Services add extend - intro points as well. ] + Before encryption, the plaintext must be padded to a multiple of 4096 bytes + with NUL bytes.

The plaintext format is:

@@ -1007,7 +1011,7 @@ Table of contents:

[Exactly once per introduction point]

- Base-64 encoded introduction point authentication key that was + Base64 encoded introduction point authentication key that was used to establish introduction point circuit, cross-certifying the blinded public key. This uses the certificate format of proposal 220 with type [09]. The signing-key extension is @@ -1460,7 +1464,7 @@ Table of contents:

Hidden services may restrict access only to authorized users. One mechanism to do so is the credential mechanism, where only users who - know the credential for a hidden service may connect at all. For more + know the credentialo for a hidden service may connect at all. For more fine-grained conntrol, a hidden service can be configured with password-based or public-key-based authentication.