commit f439d980caef07a834771fde90a726dcf156e31d Author: George Kadianakis <desnacked@gmail.com> Date: Mon Dec 19 13:42:03 2011 +0100 Improve obfs2 doc/protocol-spec.txt. * Change E_K(s) notation to E(K,s) to improve readability. * Mention that the connection should be closed immediately in the case of wrong plength/magic (#3291). * Mention that the shared secret is hashed before using it in MAC(). --- doc/protocol-spec.txt | 19 +++++++++---------- 1 files changed, 9 insertions(+), 10 deletions(-) diff --git a/doc/protocol-spec.txt b/doc/protocol-spec.txt index c11f653..4035b23 100644 --- a/doc/protocol-spec.txt +++ b/doc/protocol-spec.txt @@ -1,4 +1,4 @@ -The Twobfuscator + obfs2 (The Twobfuscator) 0. Protocol overview @@ -17,9 +17,9 @@ The Twobfuscator 1. Primitives, notation, and constants. H(x) is SHA256 of x. - H^n(x) is H(x) called iteratively n times. + H^n(x) is H(x) called iteratively n times. - E_K(s) is the AES-CTR-128 encryption of s using K as key. + E(K,s) is the AES-CTR-128 encryption of s using K as key. x | y is the concatenation of x and y. UINT32(n) is the 4 byte value of n in big-endian (network) order. @@ -34,8 +34,8 @@ The Twobfuscator MAX_PADDING is 8192 HASH_ITERATIONS is 100000 - KEYLEN is the length of the key used by E_K(s) -- that is, 16. - IVLEN is the length of the IV used by E_K(s) -- that is, 16 + KEYLEN is the length of the key used by E(K,s) -- that is, 16. + IVLEN is the length of the IV used by E(K,s) -- that is, 16. HASHLEN is the length of the output of H() -- that is, 32. @@ -64,18 +64,17 @@ The Twobfuscator The initiator then sends: - SEED | INIT_PAD_KEY( UINT32(MAGIC_VALUE) | UINT32(PADLEN) | WR(PADLEN) ) + INIT_SEED | E(INIT_PAD_KEY, UINT32(MAGIC_VALUE) | UINT32(PADLEN) | WR(PADLEN)) and the responder replies with: - SEED | RESP_PAD_KEY( UINT32(MAGIC_VALUE) | UINT32(PADLEN) | WR(PADLEN) ) + RESP_SEED | E(RESP_PAD_KEY, UINT32(MAGIC_VALUE) | UINT32(PADLEN) | WR(PADLEN)) Upon receiving the SEED from the other party, each party derives the other party's padding key value as above, and decrypts the next 8 bytes of the key establishment message. If the MAGIC_VALUE does not match, or the PADLEN value is greater than MAX_PADDING, the - party receiving it should wait for a random amount of time (with - maximum wait time being 4 seconds) then close the connection. + party receiving it should close the connection immediately. Otherwise, it should read the remaining PADLEN bytes of padding data and discard them. @@ -99,6 +98,6 @@ The Twobfuscator Optionally, if the client and server share a secret value SECRET, they can replace the MAC function with: - MAC(s,x) = H^n(s | x | SECRET | s) + MAC(s,x) = H^n(s | x | H(SECRET) | s) where n = HASH_ITERATIONS.