On Mon, Dec 01, 2014 at 09:59:57AM -0500, Nick Mathewson wrote:
> On Mon, Dec 1, 2014 at 9:30 AM, Ian Goldberg <iang@cs.uwaterloo.ca> wrote:
>> On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote:
>>> Then how about specifying something like this for the RSA-signed part (in place of the SHA1):
>>> [fixed string] 8 bytes
>>> [SHA512 signature] 32 bytes
>>> Where the fixed string could be something like "HSNONTOR", and we can reserve other strings for later if we actually do want to support RSA signatures over SHA512.
>> What kind of signature padding is done by the signature using the HS key today? I would be less wary if the *plaintext* (pre-hash) started with the above fixed string, and then some sensible padding mode (e.g., OAEP(+?)) was put on top of it.
> I believe Tor still uses PKCS1 padding for RSA signatures and OAEP for RSA encryption.
If you can restrict the set of values that the input to the hash can start with (for the "real" usage of the key), then signing messages starting with other fixed strings should be fine. (I think Douglas Stebila's CCS paper last month talks about something similar, in the context of ssh's and TLS's reuse of signing key material across ciphersuites.) It also avoids the problem the above proposal has of making the verification nonstandard.
- Ian
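The shape of Ian's suggestion, as an added example that is not code from the thread or from Tor: the fixed tag goes into the plaintext before hashing, the RSA signature keeps standard PKCS#1 v1.5 padding so verification stays standard, and both signer and verifier refuse "real" HS inputs that start with a reserved tag, which is the restriction that keeps the two uses of the key in separate domains. The toy RSA key generation, the use of SHA-256 as the signature hash, and the names RESERVED_TAGS, hash_input, sign and verify are all assumptions made for this illustration; Tor's actual hash, key sizes and descriptor format differ.

```python
import hashlib
import random

RESERVED_TAGS = (b"HSNONTOR",)  # tag suggested in the thread; more could be reserved later
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2

def is_probable_prime(n, rounds=16):
    # Miller-Rabin; enough for a toy key, not a production RSA implementation
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def gen_key(bits=1024):
    # Constructed toy RSA key, returns ((n, e), (n, d)); e = 65537 is prime, so phi % e != 0 means gcd == 1
    p = q = 0
    while not is_probable_prime(p):
        p = random.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
    while q == p or not is_probable_prime(q) or (p - 1) * (q - 1) % 65537 == 0:
        q = random.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def emsa_pkcs1_v15(msg, k):
    # Standard EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg)
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def hash_input(tag, data):
    # The tag is part of the plaintext that gets hashed, so padding and verification stay standard; the
    # "real" HS use passes tag=b"" and rejects bodies starting with a reserved tag, so the two uses never hash the same bytes
    if tag == b"" and data.startswith(RESERVED_TAGS):
        raise ValueError("descriptor body must not start with a reserved tag")
    return tag + data

def sign(priv, tag, data):
    k = (priv[0].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(hash_input(tag, data), k), "big"), priv[1], priv[0]).to_bytes(k, "big")

def verify(pub, tag, data, sig):
    em = pow(int.from_bytes(sig, "big"), pub[1], pub[0]).to_bytes((pub[0].bit_length() + 7) // 8, "big")
    return em == emsa_pkcs1_v15(hash_input(tag, data), len(em))
```

A signature made under the "HSNONTOR" tag cannot be replayed as a descriptor signature, because the verifier for the real use rejects any body that begins with a reserved tag before it ever hashes it.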