[tor-commits] [torspec/master] prop224: Remove KH from ntor key derivation.

nickm at torproject.org nickm at torproject.org
Tue May 30 12:43:38 UTC 2017


commit c8e256400689fd19f4c429349f532ab21cb7583e
Author: George Kadianakis <desnacked at riseup.net>
Date:   Tue May 23 15:48:21 2017 +0300

    prop224: Remove KH from ntor key derivation.
    
    We don't need KH anymore since we do a MAC check anyway.
---
 proposals/224-rend-spec-ng.txt | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index f8e131c..6f16fce 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1857,12 +1857,11 @@ Table of contents:
    NTOR_KEY_SEED part of the handshake output. To do so, they use the KDF
    construction as follows:
 
-       K = KDF(NTOR_KEY_SEED | m_hsexpand,    HASH_LEN * 3 + S_KEY_LEN * 2)
+       K = KDF(NTOR_KEY_SEED | m_hsexpand,    HASH_LEN * 2 + S_KEY_LEN * 2)
 
-   The first HASH_LEN bytes of K form KH; the next HASH_LEN form the forward
-   digest Df; the next HASH_LEN bytes form the backward digest Db; the next
-   S_KEY_LEN bytes form Kf, and the final S_KEY_LEN bytes form Kb.  Excess
-   bytes from K are discarded.
+   The first HASH_LEN bytes of K form the forward digest Df; the next HASH_LEN
+   bytes form the backward digest Db; the next S_KEY_LEN bytes form Kf, and the
+   final S_KEY_LEN bytes form Kb.  Excess bytes from K are discarded.
 
    Subsequently, the rendezvous point passes relay cells, unchanged, from each
    of the two circuits to the other.  When Alice's OP sends RELAY cells along





More information about the tor-commits mailing list