[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Specification for 'How to Safely Sign a statement with a .onion key'

On Mon, Dec 01, 2014 at 09:59:57AM -0500, Nick Mathewson wrote:
> On Mon, Dec 1, 2014 at 9:30 AM, Ian Goldberg <iang@xxxxxxxxxxxxxxx> wrote:
> > On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote:
> >> Then how about specifying something like this for the RSA-signed part
> >> (in place of the SHA1):
> >>    [fixed string] 8 bytes
> >>    [SHA512 signature] 32 bytes
> >>
> >> Where the fixed sting could be something like "HSNONTOR", and we can
> >> reserve other strings for later if we actually do want to support RSA
> >> signatures over SHA512.
> >
> > What kind of signature padding is done by the signature using the HS key
> > today?  I would be less wary if the *plaintext* (pre-hash) started with
> > the above fixed string, and then some sensible padding mode (e.g., OAEP(+?))
> > was put on top of it.
> I believe Tor still uses PKCS1 padding for RSA signatures and OAEP for
> RSA encryption.

If you can restrict the set of values that the input to the hash can
start with (for the "real" usage of the key), then signing messages
starting with other fixed strings should be fine.  (I think Douglas
Stebila's CCS paper last month talks about something similar, in the
context of ssh's and TLS's reuse of signing key material across
ciphersuites.)  It also avoids the problem the above proposal has of
making the verification nonstandard.

   - Ian
tor-dev mailing list