[tor-dev] obfs4 questions

Yawning Angel yawning at schwanenlied.me
Fri Nov 28 15:50:19 UTC 2014

On Fri, 28 Nov 2014 15:37:06 +0000
Yawning Angel <yawning at schwanenlied.me> wrote:

> The Poly1305 authenticator is calculated based on the payload and the
> nonce.  In the case of the NaCl secretbox construct, 32 bytes of
> zeroes encrypted based on a one time key/counter derived from the
> actual key and the nonce. If the frames are reordered, the derived
> authenticator would be different.

Ugh, I did a terrible job of explaining that, sorry to reply to myself.

A one time Poly1305 key is calculated for each box, based on 32 bytes
of zeroes encrypted with a one time Salsa20 key/counter derived from the
nonce and the box key.  You can view the use of Salsa20 there as an
arbitrary keyed hash function (in the case of the original paper, AES
was used).

Hope that clarifies things somewhat,

Yawning Angel
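
Added example (not part of the original message, and not obfs4 or NaCl source code): a standard-library Python version of the secretbox construction described above, showing the per-box Poly1305 key taken from the XSalsa20 keystream and a frame failing authentication when it is opened under another frame's nonce. The sample key, the frame contents and the 16-byte-prefix-plus-counter nonce layout are constructed assumptions.

```python
import hmac, struct
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
QR = ((0,4,8,12),(5,9,13,1),(10,14,2,6),(15,3,7,11),(0,1,2,3),(5,6,7,4),(10,11,8,9),(15,12,13,14))

def _rounds(x):  # 20 Salsa20 rounds: ten column-round + row-round pairs
    x, rot = list(x), lambda v, n: ((v << n) | (v >> (32 - n))) & 0xffffffff
    for _ in range(10):
        for a, b, c, d in QR:
            x[b] ^= rot((x[a] + x[d]) & 0xffffffff, 7)
            x[c] ^= rot((x[b] + x[a]) & 0xffffffff, 9)
            x[d] ^= rot((x[c] + x[b]) & 0xffffffff, 13)
            x[a] ^= rot((x[d] + x[c]) & 0xffffffff, 18)
    return x

def _state(key, mid16):  # input block: constants, 32-byte key, 16 nonce/counter bytes
    k, m = struct.unpack("<8I", key), struct.unpack("<4I", mid16)
    return [SIGMA[0], *k[:4], SIGMA[1], *m, SIGMA[2], *k[4:], SIGMA[3]]

def xsalsa20_stream(key, nonce24, length):
    z = _rounds(_state(key, nonce24[:16]))  # HSalsa20: (key, nonce[:16]) -> subkey
    sub, out = struct.pack("<8I", *(z[i] for i in (0, 5, 10, 15, 6, 7, 8, 9))), b""
    for ctr in range(-(-length // 64)):     # Salsa20 on nonce[16:] with a block counter
        s = _state(sub, nonce24[16:] + struct.pack("<Q", ctr))
        out += struct.pack("<16I", *((a + b) & 0xffffffff for a, b in zip(s, _rounds(s))))
    return out[:length]

def one_time_key(box_key, nonce24):  # "32 zero bytes encrypted" = first 32 keystream bytes
    return xsalsa20_stream(box_key, nonce24, 32)

def poly1305(msg, key32):
    r = int.from_bytes(key32[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, acc = int.from_bytes(key32[16:], "little"), 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i+16] + b"\x01", "little")) * r % ((1 << 130) - 5)
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")

def seal(box_key, nonce24, msg):
    ks = xsalsa20_stream(box_key, nonce24, 32 + len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, ks[32:]))  # payload uses keystream after byte 32
    return poly1305(ct, ks[:32]) + ct                # box = tag || ciphertext

def open_box(box_key, nonce24, box):
    ks = xsalsa20_stream(box_key, nonce24, 16 + len(box))
    ok = hmac.compare_digest(box[:16], poly1305(box[16:], ks[:32]))
    return bytes(a ^ b for a, b in zip(box[16:], ks[32:])) if ok else None

def reorder_demo():  # constructed key; assumed nonce = 16-byte prefix + frame counter
    key, nonce = bytes(range(32)), lambda i: bytes(16) + i.to_bytes(8, "big")
    boxes = {i: seal(key, nonce(i), b"frame %d" % i) for i in (1, 2)}
    return open_box(key, nonce(1), boxes[1]), open_box(key, nonce(1), boxes[2])
```

reorder_demo() opens frame 1 under nonce 1 successfully, while frame 2 presented in frame 1's position is rejected because the receiver derives a different one-time Poly1305 key from nonce 1 than the sender used.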
