[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Specification for 'How to Safely Sign a statement with a .onion key'

On Mon, Dec 1, 2014 at 9:30 AM, Ian Goldberg <iang@xxxxxxxxxxxxxxx> wrote:
> On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote:
>> Then how about specifying something like this for the RSA-signed part
>> (in place of the SHA1):
>>    [fixed string] 8 bytes
>>    [SHA512 signature] 32 bytes
>> Where the fixed sting could be something like "HSNONTOR", and we can
>> reserve other strings for later if we actually do want to support RSA
>> signatures over SHA512.
> What kind of signature padding is done by the signature using the HS key
> today?  I would be less wary if the *plaintext* (pre-hash) started with
> the above fixed string, and then some sensible padding mode (e.g., OAEP(+?))
> was put on top of it.

I believe Tor still uses PKCS1 padding for RSA signatures and OAEP for
RSA encryption.
tor-dev mailing list