
Revise proposal 162: SHA256(x), not SHA256(SHA256(x))

The point of doing SHA256 twice is, generally, to prevent message
extension attacks where an attacker who knows H(A) can calculate
H(A|B).  But for attaching a signature to a document, the attacker
already _knows_ A, so trying to keep them from calculating H(A|B) is
pointless.
Nick Mathewson 16 years ago
commit 0bce0161dd
1 changed file with 4 additions and 5 deletions: doc/spec/proposals/162-consensus-flavors.txt

doc/spec/proposals/162-consensus-flavors.txt

@@ -148,11 +148,10 @@ Spec modifications:
     4.1. The "sha256" signature format.
 
     The 'SHA256' signature format for directory objects is defined as
-    the RSA signature of the OAEP+-padded SHA256 digest of the SHA256
-    digest of the item to be signed.  When checking signatures,
-    the signature MUST be treated as valid if the signature material
-    begins with SHA256(SHA256(document)); this allows us to add other
-    data later.
+    the RSA signature of the OAEP+-padded SHA256 digest of the item to
+    be signed.  When checking signatures, the signature MUST be treated
+    as valid if the signature material begins with SHA256(document);
+    this allows us to add other data later.
 
 Considerations:
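Review bot: the prefix rule in the replaced lines ("valid if the signature material begins with SHA256(document)") does not say what a verifier does with bytes that follow the 32-byte digest, so implementations could disagree on whether unknown trailing data is ignored or rejected; since the stated purpose is "this allows us to add other data later", consider stating explicitly that verifiers MUST ignore any material after the digest. The rationale given in the commit message (the attacker already knows the document, so length-extending SHA256(document) gains them nothing) would also be worth one sentence in the spec text itself, so that a later editor does not reintroduce the double hash believing it was dropped by mistake.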