commit 36761c7d553df7b0160bd1180c19b4a58362c827 Author: Nick Mathewson <nickm@torproject.org> Date: Fri Nov 1 19:43:42 2013 -0400 Document what we use for KH when we're doing ntor. KH is part of the material derived from the KDF during the onion key process. In the TAP handshake, KH played two roles: it was sent by the server towards the client to prove that the server was able to complete the TAP handshake, AND it was included as part of the RELAY_ESTABLISH_INTRO message to make it impossible to replay a RELAY_ESTABLISH_INTRO from one circuit on another circuit. With the ntor handshake, the first value of KH was removed. But we still needed a shared, circuit-specific value for hidden service code to work. This value is taken as an additional 20 bytes from the KDF. It wasn't documented in the spec, though. Adding it here. --- tor-spec.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tor-spec.txt b/tor-spec.txt index 80d9e23..0ec3b3d 100644 --- a/tor-spec.txt +++ b/tor-spec.txt @@ -1000,8 +1000,9 @@ see tor-design.pdf. When used in the ntor handshake, the first HASH_LEN bytes form the forward digest Df; the next HASH_LEN form the backward digest Db; the - next KEY_LEN form Kf, and the final KEY_LEN form Kb. Excess bytes - from K are discarded. + next KEY_LEN form Kf, the next KEY_LEN form Kb, and the final + DIGEST_LEN bytes are taken as a nonce to use in the place of KH in the + hidden service protocol. Excess bytes from K are discarded. 5.3. Creating circuits