[or-cvs] Correct description of extracting Kf and Kb from g^xy.

Nick Mathewson nickm at seul.org
Mon Aug 25 18:50:32 UTC 2003


Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/tmp/cvs-serv8783/doc

Modified Files:
	tor-spec.txt 
Log Message:
Correct description of extracting Kf and Kb from g^xy.

Index: tor-spec.txt
===================================================================
RCS file: /home/or/cvsroot/doc/tor-spec.txt,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- tor-spec.txt	25 Aug 2003 08:26:34 -0000	1.25
+++ tor-spec.txt	25 Aug 2003 18:50:29 -0000	1.26
@@ -278,11 +278,18 @@
 4.2. Setting circuit keys
 
    Once the handshake between the OP and an OR is completed, both
-   servers can now calculate g^xy with ordinary DH.  They divide the
-   last 32 bytes of this shared secret into two 16-byte keys, the
-   first of which (called Kf) is used to encrypt the stream of data
-   going from the OP to the OR, and second of which (called Kb) is
-   used to encrypt the stream of data going from the OR to the OP.
+   servers can now calculate g^xy with ordinary DH.  From the base key
+   material g^xy, they compute two 16 byte keys, called Kf and Kb as
+   follows.  First, the server represents g^xy as a big-endian
+   unsigned integer.  Next, the server computes 40 bytes of key data
+   as K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) where "00" is a single
+   octet whose value is zero, and "01" is a single octet whose value
+   is one.  The first 16 bytes of K form Kf, and the next 16 bytes of
+   K form Kb.  
+
+   Kf is used to encrypt the stream of data going from the OP to the
+   OR, whereas Kb is used to encrypt the stream of data going from the
+   OR to the OP.
 
 4.3. Creating circuits
 



More information about the tor-commits mailing list