commit 08af5ef5e4000a1ea8fe09901f6040034e1205ed Author: George Kadianakis <desnacked@riseup.net> Date: Mon Feb 27 20:24:03 2017 +0200 prop224: Improvements to HS ntor section. - AUTH_KEYID is actually AUTH_KEY these days - Make it more clear that the result of the ntor handshake includes a MAC. --- proposals/224-rend-spec-ng.txt | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index 50bbdd3..4d773d4 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -1642,7 +1642,7 @@ Table of contents: generates a single-use keypair: x,X = KEYGEN() and computes: - secret_hs_input = EXP(B,x) | AUTH_KEYID | X | B | PROTOID + secret_hs_input = EXP(B,x) | AUTH_KEY | X | B | PROTOID info = m_hsexpand | subcredential hs_keys = KDF(secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN) ENC_KEY = hs_keys[0:S_KEY_LEN] @@ -1698,7 +1698,7 @@ Table of contents: service host generates a keypair of y,Y = KEYGEN(), and uses its introduction point encryption key 'b' to computes: - secret_hs_input = EXP(X,b) | AUTH_KEYID | X | B | PROTOID + secret_hs_input = EXP(X,b) | AUTH_KEY | X | B | PROTOID info = m_hsexpand | subcredential hs_keys = KDF(secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN) HS_DEC_KEY = hs_keys[0:S_KEY_LEN] @@ -1707,16 +1707,17 @@ Table of contents: (The above are used to check the MAC and then decrypt the encrypted data.) - ntor_secret_input = EXP(X,y) | EXP(X,b) | AUTH_KEYID | B | X | Y | PROTOID + ntor_secret_input = EXP(X,y) | EXP(X,b) | AUTH_KEY | B | X | Y | PROTOID NTOR_KEY_SEED = MAC(ntor_secret_input, t_hsenc) verify = MAC(ntor_secret_input, t_hsverify) - auth_input = verify | AUTH_KEYID | B | Y | X | PROTOID | "Server" + auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server" + AUTH_INPUT_MAC = MAC(auth_input, t_hsmac) (The above are used to finish the ntor handshake.) The server's handshake reply is: SERVER_PK Y [G_LEN bytes] - AUTH MAC(auth_input, t_hsmac) [H_LEN bytes] + AUTH AUTH_INPUT_MAC [H_LEN bytes] These fields will be sent to the client in a RENDEZVOUS1 cell using the HANDSHAKE_INFO element (see [JOIN_REND]).