[tor-dev] Specification for 'How to Safely Sign a statement with a .onion key'

Ian Goldberg iang at cs.uwaterloo.ca
Mon Dec 1 14:30:32 UTC 2014


On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote:
> Then how about specifying something like this for the RSA-signed part
> (in place of the SHA1):
>    [fixed string] 8 bytes
>    [SHA512 signature] 32 bytes
> 
> Where the fixed sting could be something like "HSNONTOR", and we can
> reserve other strings for later if we actually do want to support RSA
> signatures over SHA512.

What kind of signature padding is done by the signature using the HS key
today?  I would be less wary if the *plaintext* (pre-hash) started with
the above fixed string, and then some sensible padding mode (e.g., OAEP(+?))
was put on top of it.

   - Ian


More information about the tor-dev mailing list