Skip to content

KH reuse; ESTABLISH_INTRO HANDSHAKE_AUTH MAC lacks distinguishing string

   The HANDSHAKE_AUTH field contains the MAC of all earlier fields in
   the cell using as its key the shared per-circuit material ("KH")
   generated during the circuit extension protocol; see tor-spec.txt
   section 5.2, "Setting circuit keys". It prevents replays of
   ESTABLISH_INTRO cells.

Ie there is no distinguishing string that might distinguish other uses of KH. I looked for other uses of KH and it seems to appear only in CREATED/EXTENDED.

Overall, the use of KH seems a bit odd. The specs aren't clear on what its type and usage are. If it's a MAC key, it ought not to be sent in plaintext. If it's a nonce, using it as a MAC key is odd. This situation is a hazard which might introduce confusion/reuse weaknesses when the protocol is extended in future.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information