Using the Same RSA Key Pair for Encryption and Signing


Jim Wong
I’ve read several articles on the web about whether it is safe to use the same RSA Key Pair for encryption and signing and haven’t found anything that shows there’s an algorithmic flaw. One article mentioned potential attacks that would allow the forging of a signature but didn’t appear to have any actual example. The argument that seemed to have merit was the management of keys if you want to expire the keys. One article mentioned that if the key is stolen then the attacker has access to both decryption and forging signatures.
 
In any case, I read in the FIPS example document that they don’t recommend using the same RSA keys for encryption and signing and was looking for their reasoning from the BouncyCastle authors just out of curiosity.
Thanks,
James Wong

RE: Using the Same RSA Key Pair for Encryption and Signing

Edward Ned Harvey (bouncycastle)
> From: Jim [mailto:[hidden email]]
>
> In any case, I read in the FIPS example document that they don’t
> recommend using the same RSA keys for encryption and signing

Generally speaking, in crypto you be careful. If something hasn't been well studied, you assume the worst. Yes you can use the same key for encrypting and signing, but everyone will tell you not to. There's always a better alternative.

Re: Using the Same RSA Key Pair for Encryption and Signing

Matti Aarnio
On 18.11.2016 14:23, Edward Ned Harvey (bouncycastle) wrote:
>> From: Jim [mailto:[hidden email]]
>>
>> In any case, I read in the FIPS example document that they don’t
>> recommend using the same RSA keys for encryption and signing
> Generally speaking, in crypto you be careful. If something hasn't been well studied, you assume the worst. Yes you can use the same key for encrypting and signing, but everyone will tell you not to. There's always a better alternative.


With RSA using original public exponent 3, signing and encrypting a
non-padded message is dangerous.
That setup did reveal the original message rather easily (bad for
encrypting), and for signature it is easy to fake too.

With exponent 0x010001 (65537) and standard padding mechanisms the
danger is lesser.





Re: Using the Same RSA Key Pair for Encryption and Signing

David Hook

For what it's worth FIPS PUB 186-4 actually doesn't just say no signing
or encryption together, it also says don't mix signing algorithms. I
think the issue here is that there are attacks (theoretical and
sometimes real) based on the padding used for signatures. There are
exceptions in other FIPS standards to allow for things like PKCS#10,
however the reasoning behind this restriction is if you've been mixing
key use and one of the avenues of use suddenly turns out to be easy to
compromise, you'll lose everything. Myself, I'd find the prospect of
that rather depressing...

Regards,

David

On 19/11/16 02:39, Matti Aarnio wrote:

> On 18.11.2016 14:23, Edward Ned Harvey (bouncycastle) wrote:
>>> From: Jim [mailto:[hidden email]]
>>>
>>> In any case, I read in the FIPS example document that they don’t
>>> recommend using the same RSA keys for encryption and signing
>> Generally speaking, in crypto you be careful. If something hasn't been well studied, you assume the worst. Yes you can use the same key for encrypting and signing, but everyone will tell you not to. There's always a better alternative.
>
> With RSA using original public exponent 3, signing and encrypting a
> non-padded message is dangerous.
> That setup did reveal the original message rather easily (bad for
> encrypting), and for signature it is easy to fake too.
>
> With exponent 0x010001 (65537) and standard padding mechanisms the
> danger is lesser.
>
>
>
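
Added example, not part of any post in this thread and not Bouncy Castle code: the unpadded exponent-3 case Matti Aarnio describes, next to exponent 65537 and a padded message, to show why padding is what keeps the ciphertext from being an exact integer power. The modulus, the sample plaintext and the simplified padding layout are constructed for the illustration.

```python
import os

# Constructed demo modulus: product of two well-known primes (the Curve448 and
# Poly1305 field primes), used only so the block runs offline. Not a real key.
N = (2**448 - 2**224 - 1) * (2**130 - 5)

def iroot(k, x):
    """Largest integer r with r**k <= x, by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def textbook_encrypt(m, e, n=N):
    """Raw RSA public operation, no padding."""
    return pow(m, e, n)

def recover_without_key(c, e):
    """Return m when c is an exact e-th power over the integers (m**e never
    wrapped around n), otherwise None."""
    r = iroot(e, c)
    return r if r ** e == c else None

def pad_to_modulus(msg, n=N):
    """Simplified 00 02 <random nonzero bytes> 00 <msg> layout, modelled on
    PKCS#1 v1.5 encryption padding; for illustration, not a vetted encoder."""
    k = (n.bit_length() + 7) // 8
    fill = bytes(b % 255 + 1 for b in os.urandom(k - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + fill + b"\x00" + msg, "big")

SECRET = b"constructed sample"  # constructed plaintext
m = int.from_bytes(SECRET, "big")

def demo():
    """True means the plaintext comes back without the private key."""
    padded = pad_to_modulus(SECRET)
    return {
        "e=3, unpadded": recover_without_key(textbook_encrypt(m, 3), 3) == m,
        "e=65537, unpadded": recover_without_key(textbook_encrypt(m, 65537), 65537) == m,
        "e=3, padded": recover_without_key(textbook_encrypt(padded, 3), 3) is not None,
    }

if __name__ == "__main__":
    for case, exposed in demo().items():
        print(f"{case:18} recoverable without the private key: {exposed}")
```

Only the first case returns True: the short message cubed is still smaller than the modulus, so no modular reduction ever happens.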