On Mon, Dec 1, 2014 at 9:30 AM, Ian Goldberg <iang@cs.uwaterloo.ca> wrote:
On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote:
Then how about specifying something like this for the RSA-signed part (in place of the SHA1):

    [fixed string]      8 bytes
    [SHA512 signature]  32 bytes

Where the fixed string could be something like "HSNONTOR", and we can reserve other strings for later if we actually do want to support RSA signatures over SHA512.
What kind of signature padding is done by the signature using the HS key today? I would be less wary if the *plaintext* (pre-hash) started with the above fixed string, and then some sensible padding mode (e.g., OAEP(+?)) was put on top of it.
I believe Tor still uses PKCS1 padding for RSA signatures and OAEP for RSA encryption.