Commit 2393c2ae authored by Roger Dingledine

mention the digest seeds for circuit-level integrity checking

unused portions of relay payloads are nul-padded, not filled with
random bytes.


svn:r1791
parent 44defa4b
sw$Id$
$Id$
Tor Spec
......@@ -125,7 +125,8 @@ TODO: (very soon)
The payload is padded with 0 bytes.
PADDING cells are currently used to implement connection keepalive.
ORs and OPs send one another a PADDING cell every few minutes.
If there is no other traffic, ORs and OPs send one another a PADDING
cell every few minutes.
CREATE, CREATED, and DESTROY cells are used to manage circuits;
see section 4 below.
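Review bot: the replacement sentence makes the keepalive conditional on "no other traffic" but leaves both the idle period and the send interval as "every few minutes". State a concrete value or range, and say whether the idle condition is judged per connection.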
......@@ -192,16 +193,19 @@ TODO: (very soon)
servers can now calculate g^xy with ordinary DH. From the base key
material g^xy, they compute derivative key material as follows.
First, the server represents g^xy as a big-endian unsigned integer.
Next, the server computes 60 bytes of key data as K = SHA1(g^xy |
[00]) | SHA1(g^xy | [01]) | SHA1(g^xy | [02]) where "00" is a single
octet whose value is zero, [01] is a single octet whose value is
one, etc. The first 20 bytes of K form KH, the next 16 bytes of K
form Kf, and the next 16 bytes of K form Kb.
Next, the server computes 100 bytes of key data as K = SHA1(g^xy |
[00]) | SHA1(g^xy | [01]) | ... SHA1(g^xy | [04]) where "00" is
a single octet whose value is zero, [01] is a single octet whose
value is one, etc. The first 20 bytes of K form KH, bytes 21-40 form
the forward digest Df, 41-60 form the backward digest Db, 61-76 form
Kf, and 77-92 form Kb.
KH is used in the handshake response to demonstrate knowledge of the
computed shared key. Kf is used to encrypt the stream of data going
from the OP to the OR, and Kb is used to encrypt the stream of data
going from the OR to the OP.
computed shared key. Df is used to seed the integrity-checking hash
for the stream of data going from the OP to the OR, and Db seeds the
integrity-checking hash for the data stream from the OR to the OP. Kf
is used to encrypt the stream of data going from the OP to the OR, and
Kb is used to encrypt the stream of data going from the OR to the OP.
4.3. Creating circuits
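Review bot: the new key-derivation sentence asks for 100 bytes of K but assigns only bytes 1-92 (KH 20, Df 20, Db 20, Kf 16, Kb 16), so bytes 93-100 are left undefined; say explicitly that they are discarded or reserved. The ranges are also 1-based ("bytes 21-40") right after "the first 20 bytes", and the octet notation mixes "00" in quotes with [01]. Using one offset convention and writing [00] consistently would remove the chance of an off-by-one between implementations.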
......@@ -232,10 +236,9 @@ TODO: (very soon)
To extend the circuit by a single onion router R_M, the OP performs
these steps:
1. Create an onion skin, encrypting the RSA-encrypted part with
R's public key.
1. Create an onion skin, encrypted to R_M's public key.
2. Encrypt and send the onion skin in a relay EXTEND cell along
2. Send the onion skin in a relay EXTEND cell along
the circuit (see section 5).
3. When a relay EXTENDED cell is received, verify KH, and
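Review bot: step 1 now reads "encrypted to R_M's public key", which drops the earlier wording's hint that only part of the onion skin is RSA-encrypted, so a reader could take it to mean the whole skin goes through RSA. Point to the section that defines the onion skin format. Step 2 no longer says "Encrypt", so the reference to section 5 has to make clear that the relay EXTEND cell still gets the circuit's usual relay encryption.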
......@@ -341,7 +344,7 @@ TODO: (very soon)
The payload of each unencrypted RELAY cell consists of:
Relay command [1 byte]
'Recognized' [2 bytes]
StreamID [2 bytes]
StreamID [2 bytes]
Digest [4 bytes]
Length [2 bytes]
Data [498 bytes]
......@@ -358,10 +361,12 @@ TODO: (very soon)
9 -- RELAY_TRUNCATED
10 -- RELAY_DROP
The 'Recognized' field in any unencrypted relay payload is always set
to zero; the 'digest' field is computed as the first four bytes of a
SHA-1 digest of the rest of the RELAY cell's payload, taken with the
digest field set to zero.
The 'Recognized' field in any unencrypted relay payload is always
set to zero; the 'digest' field is computed as the first four bytes
of the running SHA-1 digest of all the bytes that have travelled
over this circuit, seeded from Df or Db respectively (obtained in
section 4.2 above), and including this RELAY cell's entire payload
(taken with the digest field set to zero).
When the 'recognized' field of a RELAY cell is zero, and the digest
is correct, the cell is considered "recognized" for the purposes of
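Review bot: "all the bytes that have travelled over this circuit" in the new digest paragraph does not say which bytes a hop feeds into its running hash: every relay cell it forwards, or only cells originated by or recognized at that hop. Both ends must agree on this exactly, or every later digest on the circuit fails. Also, "seeded from Df or Db respectively" has no pair to be respective to; spell out Df for OP-to-OR cells and Db for OR-to-OP cells, as the section 4.2 text does.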
......@@ -373,8 +378,8 @@ TODO: (very soon)
stream use a StreamID of zero.
The 'Length' field of a relay cell contains the number of bytes in
the relay payload which contain real payload data. The remainder of
the payload is padded with random bytes.
the relay payload which contain real payload data. The remainder of
the payload is padded with NUL bytes.
5.2. Opening streams and transferring data
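Review bot: "padded with NUL bytes" states what the sender writes but not what the receiver does with the bytes past 'Length'. Since the digest paragraph covers the RELAY cell's entire payload, the padding is part of what is checked; say whether a receiver must ignore the padding contents or may reject a cell whose padding is not NUL.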
......@@ -390,6 +395,7 @@ TODO: (very soon)
dotted-quad format; and where PORT is encoded in decimal.
[What is the [00] for? -NM]
[It's so the payload is easy to parse out with string funcs -RD]
Upon receiving this cell, the exit node resolves the address as
necessary, and opens a new TCP connection to the target port. If the
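Review bot: the added -RD answer records that the [00] exists so the payload can be parsed with string functions, but the spec text gives no rule for a payload that lacks the terminator. Add a normative sentence that the receiver checks for a NUL within the first 'Length' bytes of Data before treating it as a string, and move the rationale out of the bracketed discussion into the spec text.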