commit 18db73dd4d3f5a3a35019474dc5e53b1ef2f14c3
Author: Philipp Winter <phw@torproject.org>
Date: Sun Mar 2 00:01:03 2014 +0100
Fix problems in UniformDH spec.
1. Fix a typo by changing "X" to "Y".
2. Add "M_C" and "M_S" to the respective MAC function as they are also authenticated.
The problem was pointed out by Yawning Angel in: https://bugs.torproject.org/10893
---
 doc/scramblesuit/scramblesuit-spec.txt | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/doc/scramblesuit/scramblesuit-spec.txt b/doc/scramblesuit/scramblesuit-spec.txt index 66c1ac8..45a35f5 100644 --- a/doc/scramblesuit/scramblesuit-spec.txt +++ b/doc/scramblesuit/scramblesuit-spec.txt @@ -80,15 +80,15 @@ 256-bit master key k_t. Session keys are then derived from k_t as discussed in Section 2.3.
- Client Server Legend: - | X | P_C | M_C | MAC(X | P_C | E) | X: client public key - | ---------------------------------> | Y: server public key - | Y | P_S | M_S | MAC(X | P_S | E) | P_{C,S}: padding - | <--------------------------------- | M_{C,S}: mark to locate the MAC - | AEnc(k_t+1 | T_t+1) | E: approximate timestamp - | <--------------------------------- | k_t+1: future master key - | AEnc(Tor traffic) | T_t+1: future ticket - | <--------------------------------> | + Client Server Legend: + | X | P_C | M_C | MAC(X | P_C | M_C | E) | X: client public key + | ---------------------------------------> | Y: server public key + | Y | P_S | M_S | MAC(Y | P_S | M_S | E) | P_{C,S}: padding + | <--------------------------------------- | M_{C,S}: mark to locate MAC + | AEnc(k_t+1 | T_t+1) | E: approximate timestamp + | <--------------------------------------- | k_t+1: future master key + | AEnc(Tor traffic) | T_t+1: future ticket + | <--------------------------------------> |
Immediately after the handshake succeeded, the server proceeds to issue and send a new session ticket T_t+1 together with the according master key
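Review bot: The two MAC(...) rows of the figure now give the authenticated input as X | P_C | M_C | E and Y | P_S | M_S | E, but the diffstat (9 insertions, 9 deletions) and this single hunk show that only the diagram was touched. If prose elsewhere in the section also spells out what the MAC covers, it should be updated in the same commit so the spec does not carry two different definitions of the authenticated data. The legend in this hunk explains X, Y, P_{C,S}, M_{C,S}, E, k_t+1 and T_t+1 but has no entry for MAC or AEnc, so the figure alone does not say under which key the MAC is computed; a legend entry or a pointer to the section that defines it would make the corrected rows unambiguous for implementers.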
tor-commits@lists.torproject.org