-rw-r--r-- | doc/tor-spec.txt | 30 |
1 files changed, 16 insertions, 14 deletions
diff --git a/doc/tor-spec.txt b/doc/tor-spec.txt index 88237f0ab..4c515f419 100644 --- a/doc/tor-spec.txt +++ b/doc/tor-spec.txt @@ -31,8 +31,9 @@ TODO: (very soon) Unless otherwise specified, all symmetric ciphers are AES in counter mode, with an IV of all 0 bytes. Asymmetric ciphers are either RSA - with 1024-bit keys and exponents of 65537, or DH with the safe prime - from rfc2409, section 6.2, whose hex representation is: + with 1024-bit keys and exponents of 65537, or DH where the generator + is 2 and the modulus is the safe prime from rfc2409, section 6.2, + whose hex representation is: "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" @@ -43,7 +44,7 @@ TODO: (very soon) All "hashes" are 20-byte SHA1 cryptographic digests. When we refer to "the hash of a public key", we mean the SHA1 hash of the - ASN.1 encoding of an RSA public key (as specified in PKCS.1). + DER encoding of an ASN.1 RSA public key (as specified in PKCS.1). 1. System overview @@ -71,9 +72,9 @@ TODO: (very soon) least 128 bits, and digests of at least 160 bits. An OP or OR always sends a two-certificate chain, consisting of a - self-signed certificate containing the OR's identity key, and a second - certificate using a short-term connection key. The commonName of the - second certificate is the OR's nickname, and the commonName of the first + certificate using a short-term connection key and a second, self- + signed certificate containing the OR's identity key. The commonName of the + first certificate is the OR's nickname, and the commonName of the second certificate is the OR's nickname, followed by a space and the string "<identity>". 
@@ -164,13 +165,14 @@ TODO: (very soon) The payload for a CREATE cell is an 'onion skin', which consists of the first step of the DH handshake data (also known as g^x). - The data is encrypted to Bob's PK as follows: Suppose Bob's PK is - L octets long. If the data to be encrypted is shorter than L-42, - then it is encrypted directly (with OAEP padding). If the data is at - least as long as L-42, then a randomly generated 16-byte symmetric - key is prepended to the data, after which the first L-16-42 bytes - of the data are encrypted with Bob's PK; and the rest of the data is - encrypted with the symmetric key. + The data is encrypted to Bob's PK as follows: Suppose Bob's PK + modulus is L octets long. If the data to be encrypted is shorter + than L-42, then it is encrypted directly (with OAEP padding: see + ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf). If the + data is at least as long as L-42, then a randomly generated 16-byte + symmetric key is prepended to the data, after which the first L-16-42 + bytes of the data are encrypted with Bob's PK; and the rest of the + data is encrypted with the symmetric key. So in this case, the onion skin on the wire looks like: RSA-encrypted: @@ -265,7 +267,7 @@ TODO: (very soon) router's exit policy does not exclude all pending streams that need a circuit. - 2. Choose a chain of (N-1) chain of N onion routers + 2. Choose a chain of (N-1) onion routers (R_1...R_N-1) to constitute the path, such that no router appears in the path twice. |
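
Review bot: the DH sentence in the @@ -31,8 +31,9 @@ hunk names the generator and where the modulus comes from, but not the group or its size. RFC 2409 section 6.2 is the Second Oakley Group, a 1024-bit MODP group; stating that next to "the generator is 2" lets an implementer check the hex string against a known constant instead of comparing digits by eye. "rfc2409" would also read better as "RFC 2409".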
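
Review bot: "DER encoding of an ASN.1 RSA public key" in the @@ -43,7 +44,7 @@ hunk still does not name the ASN.1 type being encoded. The PKCS #1 RSAPublicKey structure and an X.509 SubjectPublicKeyInfo wrapper around it produce different DER bytes and therefore different SHA1 digests, so two implementations could disagree on "the hash of a public key". Suggest naming the type explicitly, for example "the DER encoding of the RSAPublicKey structure defined in PKCS #1", and writing "PKCS #1" rather than "PKCS.1".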
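
Review bot: the reordered chain description in the @@ -71,9 +72,9 @@ hunk never says which key signs the first certificate. It reads "a certificate using a short-term connection key" and then a self-signed identity certificate, so the link between the two is left implicit; suggest stating that the first certificate is signed with the identity key carried in the second. The sentence opens with "An OP or OR" but the commonName rules only mention "the OR's nickname", so say what an OP puts there. The line break inside "self- signed" leaves a stray space in the text file; keep the word on one line.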
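
Review bot: the OAEP reference added in the @@ -164,13 +165,14 @@ hunk points at a document but does not pin the OAEP parameters the constant 42 depends on. The 42-octet overhead is 2*hLen+2 with a 20-byte hash, so the text should say that OAEP is used with SHA1 and which mask generation function and label apply; otherwise the "L-42" and "L-16-42" thresholds are not derivable from this spec alone. Citing the standard by name and section (PKCS #1 v2.1, RSAES-OAEP) alongside the ftp:// URL would keep the reference usable if the URL moves. It would also help to say which cipher and key size "the symmetric key" refers to here, even if only by pointing back to the "AES in counter mode" default.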
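
Review bot: the subscript in "(R_1...R_N-1)" in the @@ -265,7 +267,7 @@ hunk can be read as (R_N)-1. Writing "R_1...R_(N-1)" would match the "(N-1)" earlier in the same sentence and remove the ambiguity.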