[tor-dev] Specification for 'How to Safely Sign a statement with a .onion key'
iang at cs.uwaterloo.ca
Mon Dec 1 14:30:32 UTC 2014
On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote:
> Then how about specifying something like this for the RSA-signed part
> (in place of the SHA1):
> [fixed string] 8 bytes
> [SHA512 signature] 32 bytes
> Where the fixed sting could be something like "HSNONTOR", and we can
> reserve other strings for later if we actually do want to support RSA
> signatures over SHA512.
What kind of signature padding is done by the signature using the HS key
today? I would be less wary if the *plaintext* (pre-hash) started with
the above fixed string, and then some sensible padding mode (e.g., OAEP(+?))
was put on top of it.
More information about the tor-dev