[tor-commits] [torspec/master] Document what we use for KH when we're doing ntor.

[nickm at torproject.org]

commit 36761c7d553df7b0160bd1180c19b4a58362c827
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri Nov 1 19:43:42 2013 -0400

    Document what we use for KH when we're doing ntor.
    
    KH is part of the material derived from the KDF during the onion key
    process.
    
    In the TAP handshake, KH played two roles: it was sent by the server
    towards the client to prove that the server was able to complete the
    TAP handshake, AND it was included as part of the
    RELAY_ESTABLISH_INTRO message to make it impossible to replay a
    RELAY_ESTABLISH_INTRO from one circuit on another circuit.
    
    With the ntor handshake, the first value of KH was removed.  But we
    still needed a shared, circuit-specific value for hidden service
    code to work.  This value is taken as an additional 20 bytes from
    the KDF.  It wasn't documented in the spec, though.  Adding it here.
---
 tor-spec.txt |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tor-spec.txt b/tor-spec.txt
index 80d9e23..0ec3b3d 100644
--- a/tor-spec.txt
+++ b/tor-spec.txt
@@ -1000,8 +1000,9 @@ see tor-design.pdf.
 
    When used in the ntor handshake, the first HASH_LEN bytes form the
    forward digest Df; the next HASH_LEN form the backward digest Db; the
-   next KEY_LEN form Kf, and the final KEY_LEN form Kb.  Excess bytes
-   from K are discarded.
+   next KEY_LEN form Kf, the next KEY_LEN form Kb, and the final
+   DIGEST_LEN bytes are taken as a nonce to use in the place of KH in the
+   hidden service protocol.  Excess bytes from K are discarded.
 
 5.3. Creating circuits