aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoger Dingledine <arma@torproject.org>2004-04-28 20:01:54 +0000
committerRoger Dingledine <arma@torproject.org>2004-04-28 20:01:54 +0000
commitfd0d48e4843de1ad8d6dda7ff91bd505887d5889 (patch)
treefc7459fc37fe187f09334e6da7e89a0965655063
parent25d5425fdb85071069dc8ec9dd02209b8205c8ea (diff)
downloadtor-fd0d48e4843de1ad8d6dda7ff91bd505887d5889.tar
tor-fd0d48e4843de1ad8d6dda7ff91bd505887d5889.tar.gz
clarify the hybrid encryption in our spec
svn:r1736
-rw-r--r--doc/TODO18
-rw-r--r--doc/rend-spec.txt10
-rw-r--r--doc/tor-spec.txt30
3 files changed, 25 insertions, 33 deletions
diff --git a/doc/TODO b/doc/TODO
index e8bd43df6..90a7fa1cc 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -11,21 +11,6 @@ ARMA - arma claims
D Deferred
X Abandoned
-Flag-day changes: (things which are backward incompatible)
- o remove link key from directories, from connection_t.
- (just get it from the tls cert)
- o Generate link keys on startup; don't store them to disk.
- o make onion keys include oaep padding, so you can tell
- if you decrypted it correctly
- o Rotate onion keys as needed
- D Rotate TLS connections [arma]
- o Set expiration times on X509 certs [nickm]
- o add bandwidthrate and bandwidthburst to server descriptor [nickm]
- o directories need to say who signed them. [nickm]
- - remove assumption that 0.0.5 doesn't do rendezvous?
- D what other pieces of the descriptors need to change?
- maybe add a section for who's connected to a given router?
- add a flexible section for reputation info?
For September:
- Windows port
@@ -69,6 +54,9 @@ For September:
- allow non-clique topology
Other details and small things:
+ - hidserv offerers shouldn't need to define a SocksPort
+ - when the client fails to pick an intro point for a hidserv,
+ it should refetch the hidserv desc.
. should maybe make clients exit(1) when bad things happen?
e.g. clock skew.
- should retry exitpolicy end streams even if the end cell didn't
diff --git a/doc/rend-spec.txt b/doc/rend-spec.txt
index c428864d8..ac2b0aca8 100644
--- a/doc/rend-spec.txt
+++ b/doc/rend-spec.txt
@@ -255,12 +255,10 @@ Tor Rendezvous Spec
PK_ID is the hash of Bob's public key. RP is NUL-padded.
- The data is encrypted to Bob's PK as follows: Suppose Bob's PK is L octets
- long. If the data to be encrypted is shorter than L-42, then it is
- encrypted directly (with OAEP padding). If the data is at least as long
- as L-42, then a randomly generated 16-byte symmetric key is prepended to
- the data, after which the first L-16-42 bytes of the data are encrypted with
- Bob's PK; and the rest of the data is encrypted with the symmetric key.
+ The hybrid encryption to Bob's PK works just like the hybrid
+ encryption in CREATE cells (see main spec). Thus the payload of the
+ RELAY_INTRODUCE1 cell on the wire will contain 20+42+16+20+20+128=246
+ bytes.
1.9. Introduction: From the Introduction Point to Bob's OP
diff --git a/doc/tor-spec.txt b/doc/tor-spec.txt
index 7c0297429..5536ef000 100644
--- a/doc/tor-spec.txt
+++ b/doc/tor-spec.txt
@@ -98,7 +98,7 @@ TODO: (very soon)
proxies is a fixed-width "cell". Each cell contains the following
fields:
- CircID [2 bytes]
+ CircID [2 bytes]
Command [1 byte]
Payload (padded with 0 bytes) [509 bytes]
[Total size: 512 bytes]
@@ -146,23 +146,29 @@ TODO: (very soon)
which instructs the last node in the circuit to send a CREATE cell
to extend the circuit.
- The payload for a CREATE cell is an 'onion skin', consisting of:
- RSA-encrypted data [128 bytes]
- Symmetrically-encrypted data [16 bytes]
+ The payload for a CREATE cell is an 'onion skin', which consists
+ of the first step of the DH handshake data (also known as g^x).
- The RSA-encrypted portion contains:
- Symmetric key [16 bytes]
- First part of DH data (g^x) [112 bytes]
- The symmetrically encrypted portion contains:
- Second part of DH data (g^x) [16 bytes]
+ The data is encrypted to Bob's PK as follows: Suppose Bob's PK is
+ L octets long. If the data to be encrypted is shorter than L-42,
+ then it is encrypted directly (with OAEP padding). If the data is at
+ least as long as L-42, then a randomly generated 16-byte symmetric
+ key is prepended to the data, after which the first L-16-42 bytes
+ of the data are encrypted with Bob's PK; and the rest of the data is
+ encrypted with the symmetric key.
- The two parts of DH data, once decrypted and concatenated, form
- g^x as calculated by the client.
+ So in this case, the onion skin on the wire looks like:
+ RSA-encrypted:
+ OAEP padding [42 bytes]
+ Symmetric key [16 bytes]
+ First part of g^x [70 bytes]
+ Symmetrically encrypted:
+ Second part of g^x [58 bytes]
The relay payload for an EXTEND relay cell consists of:
Address [4 bytes]
Port [2 bytes]
- Onion skin [144 bytes]
+ Onion skin [186 bytes]
The port and address field denote the IPV4 address and port of the
next onion router in the circuit.