On Mon, Dec 1, 2014 at 9:30 AM, Ian Goldberg <[email protected]> wrote: > On Mon, Dec 01, 2014 at 09:14:03AM -0500, Nick Mathewson wrote: >> Then how about specifying something like this for the RSA-signed part >> (in place of the SHA1): >> [fixed string] 8 bytes >> [SHA512 signature] 32 bytes >> >> Where the fixed sting could be something like "HSNONTOR", and we can >> reserve other strings for later if we actually do want to support RSA >> signatures over SHA512. > > What kind of signature padding is done by the signature using the HS key > today? I would be less wary if the *plaintext* (pre-hash) started with > the above fixed string, and then some sensible padding mode (e.g., OAEP(+?)) > was put on top of it.
I believe Tor still uses PKCS1 padding for RSA signatures and OAEP for RSA encryption. _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
