Re: SSL, Apache 2 and RSA key sizes
- From: Mike Amling <nospam@xxxxxxxxxx>
- Date: 29 Aug 2006 16:40:24 EDT
Peter Fairbrother wrote:
Mike Amling wrote:
Peter Fairbrother wrote:
Jason wrote:
Peter Fairbrother wrote:
Sometimes servers use RSA key-exchange keys only once and then discard them,
signing each new RSA key-exchange key with their RSA signature key, but not
often. They will typically reuse the same RSA key-exchange key a lot,
sometimes even using the same RSA key for both key-exchange and signature
functions (bad).
Why is it bad to use the same RSA key for both encryption and signing?
2) If the same key is used for encryption and signing it is possible for an
attacker to get you to decrypt a message by getting you to sign something -
signing X is exactly the same as decrypting X - and vice versa, he can get
you to sign something by getting you to decrypt it.
Note that this is not a threat if you use proper padding schemes.
Even OAEP might not protect against the second attack scenario. You aren't
signing there, just decrypting - you would not add padding in order to
decrypt. If it's already padded ...
OAEP "decryption" calls for returning "FAILED" and nothing else if the result of C**d mod N is not correctly OAEP padded.
And suppose a client does not use proper padding. Do you refuse a connection
and the business involved just because of that? No, SSL/TLS reverts to the
latest version compatible with both server and client's versions, which may
be a quite early version. A version rollback attack is quite possible, and
in fact the TLS v1 rollback attack detection mechanism doesn't (and can't)
work if the client is malicious and crafty.
Don't get me started on what's wrong with SSL.
I am not terribly familiar with SSL/TLS in all its various embodiments -
but I don't remember proper padding, eg OAEP, being specified anywhere as a
SHALL/must, especially in the early SSL versions. Not saying it isn't, but I
don't remember it. Iirc there was something about PKCS#1 padding in SSL v2,
but that isn't hugely relevant - it may complicate some attacks, but not
beyond use.
Yes, not to mention SSL's smiling support of 40- and 56-bit encryption. "Use SSL" may be good advice to a newbie, but many sci.crypt posters, including you, know too much not to see its flaws.
I'm in favor of SSL server keys being used for SSL and nothing else.
Also, it may easily be a business requirement to have backups of all
encryption keys, to prevent loss of access to encrypted files.
Unlikely in ssl transactions, and there would be no cause to store the raw
link data.
If the protected material includes credit card details it may even be a
business requirement _not_ to have it available in future. There may also be
some legal privacy reasons for not having the data available, especially in
the EU.
Ergo, since signing keys are more useful if they're long term, another reason to separate the encryption keys and the signing keys.
And how many US companies eg delete emails after 3 months for
anti-disclosure reasons? They would want that deletion to be secure.
But a business should not have copies of its employees' signing keys, to make
sure each employee can be held responsible for everything he signs.
I don't see the relevance?
It's another reason to keep encryption and signing keys separate.
--Mike Amling