[tor-commits] [torspec/master] prop224: Precisely specify the RENDEZVOUS1 verification procedure.

asn at torproject.org asn at torproject.org
Tue Feb 28 15:18:46 UTC 2017 

commit 526ed4ad03cd66319b659b547e5651ff91870f5d
Author: George Kadianakis <desnacked at riseup.net>
Date:   Mon Feb 27 20:25:41 2017 +0200

    prop224: Precisely specify the RENDEZVOUS1 verification procedure.
---
 proposals/224-rend-spec-ng.txt | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 4d773d4..103542a 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1808,18 +1808,31 @@ Table of contents:
        HANDSHAKE_INFO             [variable; depends on handshake type
                                    used.]
 
-   where RENDEZVOUS_COOKIE is the cookie suggested by the client
-   during the introduction (see [PROCESS_INTRO2]).
+   where RENDEZVOUS_COOKIE is the cookie suggested by the client during the
+   introduction (see [PROCESS_INTRO2]) and HANDSHAKE_INFO is defined in
+   [NTOR-WITH-EXTRA-DATA].
 
    If the cookie matches the rendezvous cookie set on any
    not-yet-connected circuit on the rendezvous point, the rendezvous
    point connects the two circuits, and sends a RENDEZVOUS2 cell to the
    client containing the contents of the RENDEZVOUS1 cell.
 
-   Upon receiving the RENDEZVOUS2 cell, the client verifies that the
-   HANDSHAKE_INFO correctly completes a handshake. Now both parties use the
-   handshake output to derive shared keys for use on the circuit as specified
-   in the section below:
+   Upon receiving the RENDEZVOUS2 cell, the client verifies that HANDSHAKE_INFO
+   correctly completes a handshake. To do so, the client parses SERVER_PK from
+   HANDSHAKE_INFO and reverses the final operations of section
+   [NTOR-WITH-EXTRA-DATA] as shown here:
+
+      ntor_secret_input = EXP(Y,x) | EXP(B,x) | AUTH_KEY | B | X | Y | PROTOID
+      NTOR_KEY_SEED = MAC(ntor_secret_input, t_hsenc)
+      verify = MAC(ntor_secret_input, t_hsverify)
+      auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server"
+      AUTH_INPUT_MAC = MAC(auth_input, t_hsmac)
+
+   Finally the client verifies that the received AUTH field of HANDSHAKE_INFO
+   is equal to the computed AUTH_INPUT_MAC.
+
+   Now both parties use the handshake output to derive shared keys for use on
+   the circuit as specified in the section below:
 
 4.2.1. Key expansion

More information about the tor-commits mailing list