[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [torspec] branch main updated: rend-spec: Add a set of test vectors for hs-ntor.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [torspec] branch main updated: rend-spec: Add a set of test vectors for hs-ntor.
From: gitolite role via tor-commits <tor-commits@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 24 May 2023 18:40:38 +0000
Auto-submitted: auto-generated
Cc: gitolite role <git@xxxxxxxxxxxxxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 24 May 2023 14:40:48 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1684953645; bh=Jdo/qfH7jlCyKSKoafnmbRlurJJ5BaGr8V3CmunQp2Y=; h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=WwyAK8S13KfDcux6sJEmicwThJH9lXZDPPSzCh3fF2J4w1lmTK1A8G6Pmc4PG9soB w7D2m37ecFtpDbU+gkH0GPQC2vKdF1yHQ+IcpV/j+EvbHfTwvaO582aTpC6JqQ1a2h XkTYYTnJ0bXyLN5Ei7dHbrksIqQRayFWKYdARCkOLO7AFLohvKDXIyCLDfxjtoIYKO yvZfO6p//ShmiC4B/c7D3NEVtfFWFd7SFYUzWNBzx0gR5xE2LVQLacdotv3N8/mEFl ctIA+WaRXs0chVusSw97n/nXYpPRCjYhwX/rYyBByGyA5+nSuhfG5Q4ji/znmeLULd yCRWoRE1EhoVw==
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Reply-to: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main
in repository torspec.

The following commit(s) were added to refs/heads/main by this push:
     new eeb208d  rend-spec: Add a set of test vectors for hs-ntor.
     new a1cd058  Merge branch 'tor-gitlab/mr/133'
eeb208d is described below

commit eeb208d5777b395412968317095ef82159e82403
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
AuthorDate: Thu May 18 08:57:34 2023 -0400

    rend-spec: Add a set of test vectors for hs-ntor.
    
    These were generated using a patched Tor with extra logging info.
    I've used them to validate (and find bugs in) the arti hs-ntor
    implementation. (See arti!1189.)
---
 rend-spec-v3.txt | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)

diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index 4a12343..53880db 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -2723,3 +2723,95 @@ Appendix F. Two methods for managing revision counters.
     Similarly, implementations SHOULD NOT let the revision counter
     increase forever without resetting it -- doing so links the service
     across changes in the blinded public key.
+
+Appendix G. Text vectors
+
+  G.1. Test vectors for hs-ntor / NTOR-WITH-EXTRA-DATA
+
+    Here is a set of test values for the hs-ntor handshake, called
+    [NTOR-WITH-EXTRA-DATA] in this document.  They were generated by
+    instrumenting Tor's code to dump the values for an INTRODUCE/RENDEZVOUS
+    handshake, and then by running that code on a Chutney network.
+
+    We assume an onion service with:
+
+      KP_hs_ipd_sid = 34E171E4358E501BFF21ED907E96AC6B
+                      FEF697C779D040BBAF49ACC30FC5D21F
+      KP_hss_ntor   = 8E5127A40E83AABF6493E41F142B6EE3
+                      604B85A3961CD7E38D247239AFF71979
+      KS_hss_ntor   = A0ED5DBF94EEB2EDB3B514E4CF6ABFF6
+                      022051CC5F103391F1970A3FCD15296A
+      N_hs_subcred  = 0085D26A9DEBA252263BF0231AEAC59B
+                      17CA11BAD8A218238AD6487CBAD68B57
+
+    The client wants to make in INTRODUCE request.  It generates
+    the following header (everything before the ENCRYPTED portion)
+    of its INTRODUCE1 cell:
+
+      H = 000000000000000000000000000000000000000002002034E171E4358E501BFF
+          21ED907E96AC6BFEF697C779D040BBAF49ACC30FC5D21F00
+
+    It generates the following plaintext body to encrypt.  (This
+    is the "decrypted plaintext body" from [PROCESS_INTRO2].
+
+      P = 6BD364C12638DD5C3BE23D76ACA05B04E6CE932C0101000100200DE6130E4FCA
+          C4EDDA24E21220CC3EADAE403EF6B7D11C8273AC71908DE565450300067F0000
+          0113890214F823C4F8CC085C792E0AEE0283FE00AD7520B37D0320728D5DF39B
+          7B7077A0118A900FF4456C382F0041300ACF9C58E51C392795EF870000000000
+          0000000000000000000000000000000000000000000000000000000000000000
+          000000000000000000000000000000000000000000000000000000000000
+
+    The client now begins the hs-ntor handshake.  It generates
+    a curve25519 keypair:
+
+      x = 60B4D6BF5234DCF87A4E9D7487BDF3F4
+          A69B6729835E825CA29089CFDDA1E341
+      X = BF04348B46D09AED726F1D66C618FDEA
+          1DE58E8CB8B89738D7356A0C59111D5D
+
+    Then it calculates:
+
+      ENC_KEY = 9B8917BA3D05F3130DACCE5300C3DC27
+                F6D012912F1C733036F822D0ED238706
+      MAC_KEY = FC4058DA59D4DF61E7B40985D122F502
+                FD59336BC21C30CAF5E7F0D4A2C38FD5
+
+    With these, it encrypts the plaintext body P with ENC_KEY, getting
+    an encrypted value C.  It computes MAC(MAC_KEY, H | X | C),
+    getting a MAC value M.  It then assembles the final INTRODUCE1
+    body as H | X | C | M:
+
+      000000000000000000000000000000000000000002002034E171E4358E501BFF
+      21ED907E96AC6BFEF697C779D040BBAF49ACC30FC5D21F00BF04348B46D09AED
+      726F1D66C618FDEA1DE58E8CB8B89738D7356A0C59111D5DADBECCCB38E37830
+      4DCC179D3D9E437B452AF5702CED2CCFEC085BC02C4C175FA446525C1B9D5530
+      563C362FDFFB802DAB8CD9EBC7A5EE17DA62E37DEEB0EB187FBB48C63298B0E8
+      3F391B7566F42ADC97C46BA7588278273A44CE96BC68FFDAE31EF5F0913B9A9C
+      7E0F173DBC0BDDCD4ACB4C4600980A7DDD9EAEC6E7F3FA3FC37CD95E5B8BFB3E
+      35717012B78B4930569F895CB349A07538E42309C993223AEA77EF8AEA64F25D
+      DEE97DA623F1AEC0A47F150002150455845C385E5606E41A9A199E7111D54EF2
+      D1A51B7554D8B3692D85AC587FB9E69DF990EFB776D8
+
+   Later the service receives that body in an INTRODUCE2 cell.  It
+   processes it according to the hs-ntor handshake, and recovers
+   the client's plaintext P.  To continue the hs-ntor handshake,
+   the service chooses a curve25519 keypair:
+
+      y = 68CB5188CA0CD7924250404FAB54EE13
+          92D3D2B9C049A2E446513875952F8F55
+      Y = 8FBE0DB4D4A9C7FF46701E3E0EE7FD05
+          CD28BE4F302460ADDEEC9E93354EE700
+
+   From this and the client's input, it computes:
+
+      AUTH_INPUT_MAC = 4A92E8437B8424D5E5EC279245D5C72B
+                       25A0327ACF6DAF902079FCB643D8B208
+      NTOR_KEY_SEED  = 4D0C72FE8AFF35559D95ECC18EB5A368
+                       83402B28CDFD48C8A530A5A3D7D578DB
+
+   The service sends back Y | AUTH_INPUT_MAC in its RENDEZVOUS1 cell
+   body.  From these, the client finishes the handshake, validates
+   AUTH_INPUT_MAC, and computes the same NTOR_KEY_SEED.
+
+   Now that both parties have the same NTOR_KEY_SEED, they can derive
+   the shared key material they will use for their circuit.

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [tor] 74/77: hs_pow: swap out some comments
Next by Author: [tor-commits] [pluggable-transports/snowflake] branch main updated (f723cf5 -> 88608ad)
Previous by thread: [tor-commits] [torspec] 03/03: Merge branch 'tor-gitlab/mr/134'
Next by thread: [tor-commits] [torspec] branch main updated (a1cd058 -> 51e2149)
Index(es):
- Author
- Thread