commit 4d3041c6fe8b27e92919970860487107d8ee3da6
Author: Nick Mathewson <ni...@torproject.org>
Date:   Thu Mar 27 16:03:48 2014 -0400

    Document that rend-spec.txt uses KDF-Tor like TAP does
    
    Fix for #8809
---
 rend-spec.txt |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/rend-spec.txt b/rend-spec.txt
index ebaf4e8..d030b8e 100644
--- a/rend-spec.txt
+++ b/rend-spec.txt
@@ -733,19 +733,17 @@
    received a reply, it uses g^y and H(g^xy) to complete the handshake as in
    the Tor circuit extend process: they establish a 60-octet string as
        K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) | SHA1(g^xy | [02])
-   and generate
-       KH = K[0..15]
-       Kf = K[16..31]
-       Kb = K[32..47]
+   and generate KH, Df, Db, Kf, and Kb as in the KDF-TOR key derivation
+   approach documented in tor-spec.txt.
 
    Subsequently, the rendezvous point passes relay cells, unchanged, from
-   each of the two circuits to the other.  When Alice's OP sends
-   RELAY cells along the circuit, it first encrypts them with the
+   each of the two circuits to the other.  When Alice's OP sends RELAY cells
+   along the circuit, it authenticates with Df, and encrypts them with the
    Kf, then with all of the keys for the ORs in Alice's side of the circuit;
    and when Alice's OP receives RELAY cells from the circuit, it decrypts
    them with the keys for the ORs in Alice's side of the circuit, then
-   decrypts them with Kb.  Bob's OP does the same, with Kf and Kb
-   interchanged.
+   decrypts them with Kb, and checks integrity with Db.  Bob's OP does the
+   same, with Kf and Kb interchanged.
 
 1.11. Creating streams
 

_______________________________________________
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Reply via email to