
Let's say I have a cipher module / cryptography service that signs a hash of some unknown payload.

What are the possible attacks that I would need to guard against in this context (primarily assuming RSA algorithm but it could also be EC-DSA algorithm)?

With regard to RSA, to guard against chosen-ciphertext attacks as noted here, I have come up with the following scheme.

  1. Client calculates SHA-256 hash of payload.
  2. Client sends hash to server for timestamping.
  3. Server receives hash, generates a nonce.
  4. Server concatenates nonce (server-generated-random) and the hash (client-input) and calculates hash on the concatenated string.
  5. Server signs the hash that it calculated and returns the signature and the nonce back to client.

What I'd like to know is -

  1. Is the above a standard approach for this type of usecase?
  2. Is there a better scheme than plain concatenation?
  3. I guess RSA OAEP / PSS schemes are intended to guard against such attacks for RSA, but I am more inclined towards the above since it's independent of the algorithm (RSA/DSA). Am I correct in this assumption?
Ravindra HV

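The five-step scheme from the question, written out as an added example in Go (not the asker's code) using the standard library's RSA-PSS: the server prepends a fresh nonce to the client-supplied hash, hashes the concatenation, signs that digest, and returns nonce and signature; the client recomputes the digest and verifies. The 32-byte length check on the client input and the 32-byte nonce size are assumptions added here, not part of the question.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server side: sign SHA-256(nonce || clientHash) with RSA-PSS.
// The server never signs client-controlled bytes directly; a random nonce
// is prepended before hashing, so the signed value is not chosen by the client.
func signWithNonce(key *rsa.PrivateKey, clientHash []byte) (nonce, sig []byte, err error) {
	// Assumed input validation: only accept a 32-byte SHA-256 digest.
	if len(clientHash) != sha256.Size {
		return nil, nil, errors.New("client input must be a 32-byte SHA-256 digest")
	}
	nonce = make([]byte, 32) // assumed nonce size
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(append(append([]byte{}, nonce...), clientHash...))
	sig, err = rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	return nonce, sig, err
}

// Client side: recompute SHA-256(nonce || ownHash) from the returned nonce
// and verify the signature against the server's public key.
func verifyWithNonce(pub *rsa.PublicKey, nonce, clientHash, sig []byte) bool {
	digest := sha256.Sum256(append(append([]byte{}, nonce...), clientHash...))
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	h := sha256.Sum256([]byte("constructed sample payload")) // step 1, constructed input
	nonce, sig, err := signWithNonce(key, h[:])               // steps 2-5
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:", verifyWithNonce(&key.PublicKey, nonce, h[:], sig))
	// A signature only verifies with the exact nonce and hash it was made over.
	fmt.Println("wrong nonce:", verifyWithNonce(&key.PublicKey, make([]byte, 32), h[:], sig))
}
```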