[tor-dev] Specification for 'How to Safely Sign a statement with a .onion key'
Nick Mathewson
nickm at freehaven.net
Mon Dec 1 14:59:57 UTC 2014
On Mon, Dec 1, 2014 at 9:30 AM, Ian Goldberg <iang at cs.uwaterloo.ca> wrote:
> On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote:
>> Then how about specifying something like this for the RSA-signed part
>> (in place of the SHA1):
>> [fixed string] 8 bytes
>> [SHA512 signature] 32 bytes
>>
>> Where the fixed sting could be something like "HSNONTOR", and we can
>> reserve other strings for later if we actually do want to support RSA
>> signatures over SHA512.
>
> What kind of signature padding is done by the signature using the HS key
> today? I would be less wary if the *plaintext* (pre-hash) started with
> the above fixed string, and then some sensible padding mode (e.g., OAEP(+?))
> was put on top of it.
I believe Tor still uses PKCS1 padding for RSA signatures and OAEP for
RSA encryption.
More information about the tor-dev
mailing list