commit 39aa6ffabe29ae305fbb1c36e78a9abb154e0894 Author: Philipp Winter phw@torproject.org Date: Sat Mar 8 17:40:35 2014 +0100

Fix ticket handshake spec.

The first message makes use of the HMAC key which is derived from the master key. It does not use the master key itself. --- doc/scramblesuit/scramblesuit-spec.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/doc/scramblesuit/scramblesuit-spec.txt b/doc/scramblesuit/scramblesuit-spec.txt index 208b264..f928845 100644 --- a/doc/scramblesuit/scramblesuit-spec.txt +++ b/doc/scramblesuit/scramblesuit-spec.txt @@ -114,12 +114,14 @@ uniformly chosen from {0..1388} bytes. After the padding, a 16-byte mark M is appended which is defined as:

- M = HMAC-SHA256-128(k_t, T) + M = HMAC-SHA256-128(k_sh, T)

The mark is used to easily locate the MAC which is the last part of the - handshake. The MAC is defined as: + handshake. k_sh is the 256-bit HMAC key which is used by the client to + authenticate outgoing data. It is derived from k_t (which is embedded in + the ticket) as described in Section 2.3. The MAC is defined as:

- MAC = HMAC-SHA256-128(k_t, T | P | E) + MAC = HMAC-SHA256-128(k_sh, T | P | E)

The variable E is a string representation of the current Unix epoch divided by 3600. It represents the amount of hours which have passed since the