[tor-bugs] #22052 [Core Tor/Tor]: Synchronize prop224 key blinding spec with implementation

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 1 12:06:51 UTC 2017


#22052: Synchronize prop224 key blinding spec with implementation
------------------------------------+------------------------------------
 Reporter:  asn                     |          Owner:  asn
     Type:  defect                  |         Status:  assigned
 Priority:  Medium                  |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor            |        Version:
 Severity:  Normal                  |     Resolution:
 Keywords:  tor-hs prop224 ed25519  |  Actual Points:
Parent ID:  #21888                  |         Points:  1
 Reviewer:                          |        Sponsor:
------------------------------------+------------------------------------

Comment (by asn):

 Another thing we should fix:

 In prop224 we actually don't need `KH` as part of the key expansion
 procedure. In the legacy design we used KH as a key confirmation of the
 key expansion; however, in prop224 we have a whole MAC just for this:
 `AUTH_INPUT_MAC`. So we actually don't need KH in the following paragraph:

 {{{
    The hidden service and its client need to derive crypto keys from the
    NTOR_KEY_SEED part of the handshake output. To do so, they use the KDF
    construction as follows:

        K = KDF(NTOR_KEY_SEED | m_hsexpand,    HASH_LEN * 3 + S_KEY_LEN * 2)

    The first HASH_LEN bytes of K form KH; the next HASH_LEN form the forward
    digest Df; the next HASH_LEN bytes form the backward digest Db; the next
    S_KEY_LEN bytes form Kf, and the final S_KEY_LEN bytes form Kb.  Excess
    bytes from K are discarded.
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22052#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
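
Added example, not part of the ticket or of Tor's code: the key expansion quoted above, partitioned once with `KH` and once without it, showing that every field shifts by HASH_LEN when `KH` is dropped, so both sides must use the same layout. Assumptions not stated in the ticket: SHAKE-256 as the KDF, HASH_LEN = S_KEY_LEN = 32, the value of `m_hsexpand`, and a constructed seed.

```python
import hashlib

# Assumed parameters (not stated in the ticket).
HASH_LEN = 32
S_KEY_LEN = 32
M_HSEXPAND = b"tor-hs-ntor-curve25519-sha3-256-1:hs_key_expand"  # assumed value

# Field order as quoted from the spec, and the same order with KH dropped.
LAYOUT_WITH_KH = [("KH", HASH_LEN), ("Df", HASH_LEN), ("Db", HASH_LEN),
                  ("Kf", S_KEY_LEN), ("Kb", S_KEY_LEN)]
LAYOUT_WITHOUT_KH = LAYOUT_WITH_KH[1:]


def kdf(data: bytes, n: int) -> bytes:
    """KDF(data, n), assumed here to be SHAKE-256 with n output bytes."""
    return hashlib.shake_256(data).digest(n)


def split(k: bytes, layout):
    """Cut k into the named fields in order; excess bytes are discarded."""
    fields, offset = {}, 0
    for name, length in layout:
        if offset + length > len(k):
            raise ValueError("KDF output too short for field " + name)
        fields[name] = k[offset:offset + length]
        offset += length
    return fields


def expand(ntor_key_seed: bytes, layout):
    """K = KDF(NTOR_KEY_SEED | m_hsexpand, total length of the layout)."""
    total = sum(length for _, length in layout)
    return split(kdf(ntor_key_seed + M_HSEXPAND, total), layout)


# Constructed seed for illustration only; a real one comes from the handshake.
SEED = bytes(range(32))

if __name__ == "__main__":
    old = expand(SEED, LAYOUT_WITH_KH)
    new = expand(SEED, LAYOUT_WITHOUT_KH)
    for name in ("Df", "Db", "Kf", "Kb"):
        print(name, "unchanged" if old[name] == new[name] else "changed")
    # An extendable-output KDF yields the same leading bytes for any length,
    # so the bytes that used to be KH become Df once KH is removed.
    print("new Df == old KH:", new["Df"] == old["KH"])
```

A service and a client that disagree on the layout derive different digests and keys from the same NTOR_KEY_SEED.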

