commit 0567494b3f1cd51cc6f5404fc8d84ec5f4434bc8 Author: George Kadianakis desnacked@riseup.net Date: Tue Apr 12 15:18:25 2016 +0300

prop224: Clarify when we need fresh salt for descriptors. --- proposals/224-rend-spec-ng.txt | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index 237ffdd..a3fb40b 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -851,15 +851,9 @@ Status: Draft The encrypted part of the hidden service descriptor is encrypted and authenticated with symmetric keys generated as follows:

- SALT = 16 bytes from H(random), different for each post to each replica, - even if the content of the descriptor hasn't changed. - (This avoids leaking service stability, and linking replicas - via encrypted data comparison.) - - (We hash salt so that we don't leak the raw bytes returned by a PRNG - to the network. See [RANDOM-REFS].) - - [ XX/teor - is the extra load on the HSDirs worth it? ] + SALT = 16 bytes from H(random), changes each time we rebuld the + descriptor even if the content of the descriptor hasn't changed. + (So that we don't leak whether the intro point list etc. changed)

secret_input = blinded_public_key | subcredential | INT_4(revision_counter) keys = KDF(secret_input, salt, "hsdir-encrypted-data",