diff options
author | Nick Mathewson <nickm@torproject.org> | 2009-09-23 11:45:54 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2009-10-15 15:17:13 -0400 |
commit | bd0685765dd84550ea0c71c230d8d18c739d8b34 (patch) | |
tree | 7d2de73499f296586b73df44f0031d4a049fb590 /proposals/162-consensus-flavors.txt | |
parent | 275900768aaaa3fbeb7d646b2fe196b7ae4a4a50 (diff) | |
download | torspec-bd0685765dd84550ea0c71c230d8d18c739d8b34.tar.gz torspec-bd0685765dd84550ea0c71c230d8d18c739d8b34.zip |
Revise proposal 162: SHA256(x), not SHA256(SHA256(x))
The point of doing SHA256 twice is, generally, is to prevent message
extension attacks where an attacker who knows H(A) can calculate
H(A|B). But for attaching a signature to a document, the attacker
already _knows_ A, so trying to keep them from calculating H(A|B) is
pointless.
Diffstat (limited to 'proposals/162-consensus-flavors.txt')
-rw-r--r-- | proposals/162-consensus-flavors.txt | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/proposals/162-consensus-flavors.txt b/proposals/162-consensus-flavors.txt index 56a0b0e..e257205 100644 --- a/proposals/162-consensus-flavors.txt +++ b/proposals/162-consensus-flavors.txt @@ -148,11 +148,10 @@ Spec modifications: 4.1. The "sha256" signature format. The 'SHA256' signature format for directory objects is defined as - the RSA signature of the OAEP+-padded SHA256 digest of the SHA256 - digest of the item to be signed. When checking signatures, - the signature MUST be treated as valid if the signature material - begins with SHA256(SHA256(document)); this allows us to add other - data later. + the RSA signature of the OAEP+-padded SHA256 digest of the item to + be signed. When checking signatures, the signature MUST be treated + as valid if the signature material begins with SHA256(document); + this allows us to add other data later. Considerations: |