Re: SSL, Apache 2 and RSA key sizes



Jason wrote:

> Peter Fairbrother wrote:
>> Sometimes servers use RSA key-exchange keys only once and then discard them,
>> signing each new RSA key-exchange key with their RSA signature key, but not
>> often. They will typically reuse the same RSA key-exchange key a lot,
>> sometimes even using the same RSA key for both key-exchange and signature
>> functions (bad).
>
> Why is it bad to use the same RSA key for both encryption and signing?

There are several reasons; here are some in no particular order:

1) Suppose your secret encryption key is exposed or demanded by e.g. a Court
in order to decrypt some transactions - if it's also used for signatures it
means that your signature can be forged. You have to go through the
expensive and not-very-reliable procedures for revoking a signature key.

Incidentally this is also a good reason for changing your RSA key-exchange key
often, or for using ephemeral DH keys - if you have deleted the earlier key
you won't have / be able to give up the encryption key, and there is no
motive other than an ability to forge, which a Court would not look kindly
on, for demanding a signature key.


2) If the same key is used for encryption and signing it is possible for an
attacker to get you to decrypt a message by getting you to sign something -
signing X is exactly the same as decrypting X - and vice versa, he can get
you to sign something by getting you to decrypt it.


3) There are some mathematical attacks based on the sort of trick above
which can recover bits of key.


4) In protocols the functions can interact in other funny ways.

A good implementation should make many of these attacks impossible, but
things break and don't always work like they should - and you do not know
what the other fellow's implementation does. Heck, most of the time you
don't even know how your own implementation works! Better safe than sorry.


It is much safer to separate the two functions.

In "Practical Cryptography" Schneier and Ferguson recommend using one
modulus with two different public exponents, 3 and 5, for signing and
encryption - but this does not protect against threats 1) and 3).

Far better to have the signature key simply sign the encryption key. A
certificated key will be a long chain of keys signed by other keys anyway,
one more in the chain adds very little overhead.


Or even better, use DH for key exchange.


--
Peter Fairbrother
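
Point 2 of the post, and its suggested fix of having the signature key sign the encryption key, worked through with unpadded (textbook) RSA. This is an added example, not part of the original post. The keys are constructed toy values, all function names are hypothetical, and SHA-256 hash-then-sign stands in for a real padded signature scheme.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy RSA key from two primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def raw_private_op(x, key):
    """Unpadded RSA private operation: the same math is 'decrypt' and 'sign'."""
    n, d = key
    return pow(x, d, n)

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    """Sign a hash of the data, never a caller-chosen integer."""
    return raw_private_op(digest_int(data, key[0]), key)

def verify(data, sig, n):
    return pow(sig, E, n) == digest_int(data, n)

# Constructed toy keys built from Mersenne primes; illustration only, not secure.
SIG_KEY = make_key(2**107 - 1, 2**127 - 1)   # long-term signature key
ENC_KEY = make_key(2**61 - 1, 2**89 - 1)     # replaceable key-exchange key

def shared_key_leak(secret):
    """One key for both jobs: a raw 'signature' over the ciphertext is the plaintext."""
    c = pow(secret, E, ENC_KEY[0])
    return raw_private_op(c, ENC_KEY)

def separated_keys(secret):
    """Signature key certifies the encryption key; signing c no longer decrypts it."""
    n_enc = ENC_KEY[0]
    enc_pub = n_enc.to_bytes(32, "big")
    cert = sign(enc_pub, SIG_KEY)            # one extra link in the chain
    c = pow(secret, E, n_enc)
    sig_over_c = raw_private_op(c, SIG_KEY)  # worst case: raw signing oracle
    return verify(enc_pub, cert, SIG_KEY[0]), sig_over_c
```

With separated keys, even a raw signature over the ciphertext yields only a value that verifies under the signature key; the plaintext stays protected by the key-exchange key, which can be replaced without revoking the signature key.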
