Edited 10_onion_routing.asciidoc with Atlas code editor

pull/928/head
kristen@oreilly.com 3 years ago
parent ed14ab665b
commit 3622a23a53

@ -287,7 +287,7 @@ For simplicity and to avoid getting too technical, we have not included these de
[[ecdh]]
[[ecdh_explained]]
.Elliptic Curve DiffieHellman (ECDH) Explained
.Elliptic Curve DiffieHellman Explained
****
((("ECDH (Elliptic Curve DiffieHellman)")))((("Elliptic Curve DiffieHellman (ECDH)")))Assume Alice's private key is _a_ and Bob's private key is _b_. Using the elliptic curve, Alice and Bob each multiply their private key by the generator point _G_ to produce their public keys _A_ and _B_, respectively:
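Review bot: The new title line ".Elliptic Curve DiffieHellman Explained" drops the "(ECDH)" abbreviation, while the index entries on the next line and the anchors ecdh and ecdh_explained still rely on it, so the sidebar no longer spells out the acronym at the point where it is introduced. Either keep "(ECDH)" in the title or expand the abbreviation in the first sentence of the sidebar. While touching this line, also confirm that the separator between "Diffie" and "Hellman" is a character that renders, since neither version of the title shows one here.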
@ -416,12 +416,12 @@ At each hop, the hop payload appears at the beginning of the onion payload, foll
[TIP]
====
The onion payload is 1,300 bytes. Each hop payload is 65 bytes or less (padded to 65 bytes if less). So the total onion payload can fit 20 hop payloads (1300 = 20 x 65). The maximum onion routed path is therefore 20 hops.
The onion payload is 1,300 bytes. Each hop payload is 65 bytes or less (padded to 65 bytes if less). So the total onion payload can fit 20 hop payloads (1300 = 20 × 65). The maximum onion routed path is therefore 20 hops.
====
As each layer is "peeled off," more filler data (essentially junk) is added at the end of the onion payload so the next hop gets an onion of the same size and is once again the "first hop" in the onion.
The onion size is 1,366 bytes, structured as shown in <<onion_packet>>.
The onion size is 1,366 bytes, structured as shown in <<onion_packet>>:
1 byte:: A version byte
33 bytes:: A compressed public session key (<<session_key>>) from which the per-hop shared secret (<<shared_secret>>) can be generated without revealing Alice's identity
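Review bot: In the changed line "structured as shown in <<onion_packet>>:", the colon makes the sentence introduce the definition list that follows (1 byte, 33 bytes, ...), while the wording still sends the reader to the cross-reference. Pick one: end the sentence with a period and give the list its own short lead-in, or reword so the colon clearly belongs to the list. The "x" to "×" change in the TIP is fine.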
@ -480,7 +480,7 @@ The inner HMAC is then revealed during the inverse of the "shift and encrypt" ro
((("onion routing","wrapping hop payloads", id="ix_10_onion_routing-asciidoc12", range="startofrange")))As a reminder, the onion is wrapped by starting at the end of the path from Dina, the final node or recipient. Then the path is built in reverse all the way back to the sender, Alice.
Alice starts with an empty 1,300-byte field, the fixed-length _onion payload_. Then, Alice fills the onion payload with a pseudorandom byte stream "filler" that is generated from the ++pad++ key.
Alice starts with an empty 1,300-byte field, the fixed-length _onion payload_. Then, she fills the onion payload with a pseudorandom byte stream "filler" that is generated from the ++pad++ key.
This is shown in <<onion_payload_filler>>.
@ -586,10 +586,6 @@ In <<bob_onion_wrapping>> we see the steps used to wrap Bob's hop payload in the
All right, by now this is easy!
[[bob_onion_wrapping]]
.Wrapping the onion for Bob
image::images/mtln_1021.png[]
Start with the onion payload (obfuscated) containing Chan's and Dina's hop payloads.
Obtain the session key for this hop dervied from the blinding factor generated by the prior hop.
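Review bot: The context line "Obtain the session key for this hop dervied from the blinding factor generated by the prior hop." carries a typo ("dervied") that this hunk leaves in place. Since the edit already touches the lines directly above it, fix it to "derived" in the same commit.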
@ -600,6 +596,10 @@ Obfuscate the whole thing XOR with the ++rho++ key from the Alice-Bob shared sec
Calculate the outer HMAC and stick it on the end of Bob's hop payload.(((range="endofrange", startref="ix_10_onion_routing-asciidoc12")))
[[bob_onion_wrapping]]
.Wrapping the onion for Bob
image::images/mtln_1021.png[]
==== The Final Onion Packet
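Review bot: The relocated figure block is inserted after the line that carries the endofrange marker for ix_10_onion_routing-asciidoc12, so the figure now falls outside the "wrapping hop payloads" index range that covers the steps it illustrates. If the figure should stay indexed with those steps, move the endofrange marker to follow the image line, and check that a blank line separates the image line from "==== The Final Onion Packet".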
@ -775,7 +775,7 @@ Chan repeats the exact same process as Bob:
2. Chan generates the Alice-Chan shared key and the ++mu++ subkey.
3. Chan verifies the onion packet HMAC, then extracts the 1,300-byte onion payload
3. Chan verifies the onion packet HMAC, then extracts the 1,300-byte onion pass:[<span class="keep-together">payload</span>].
4. Chan extends the onion payload by 1,300 extra bytes, filling it with zeroes.
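Review bot: The new step 3 wraps "payload" in pass:[<span class="keep-together">...</span>], a raw HTML passthrough that hard-codes a line-break fix into the source and only has meaning for HTML-based output. If this is there to avoid a bad break in one rendering, say so in a comment next to the list and re-check it after any later reflow of these steps, because the wrapper will otherwise outlive the problem it solves. The period added at the end of the step matches steps 2 and 4.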
