Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

With RSA encryption, should I use the same certificate to sign and encrypt a message?

If I want to sign and encrypt a message using an X509 certificate, is there any reason not to use the same certificate for encryption and signing?

Update: Looking back, I think that this must be the most hair-brained question I ever asked on SO. I'm sorry.

like image 542
Vivian River Avatar asked May 20 '10 18:05

Vivian River


People also ask

Why is it a bad idea to use the same RSA key pair for both signing and encryption?

Keys get compromised. Protocols using RSA sometimes use it in ways that are very brittle. Using the same key for both encryption and signature can exacerbates weaknesses. RSA has a history of weaknesses, not in the mathematical algorithm itself (once you use proper padding), but in the way it's implemented.

What is the difference between signing certificate and encryption certificate?

Home / Knowledge Center / What is the difference between signature and encryption? Encryption is used to encode sensitive information in an email or document. The signer uses his private key to sign the document. The private key is used by the receiver to decrypt the encrypted data in email or documents.

Why do encryption and signing require two different keys?

The reason for using separate key pairs for signing and encryption is to spread the risk: If someone recovers the private encryption key, he/she can decrypt documents that were encrypted using the public encryption key but can't use it to also sign documents and vice versa.

How do you sign a message with RSA?

RSA Digital Signatures To sign a message m, just apply the RSA function with the private key to produce a signature s; to verify, apply the RSA function with the public key to the signature, and check that the result equals the expected message. That's the textbook description of RSA signatures.


2 Answers

The sender uses his own private key to sign a message. The message is encrypted with the recipient public key. A certificate contains a public key. Presumably, the sender public key (corresponding to the sender private key used for signing the message) is also represented in a certificate.

The recipient uses his own private key (corresponding to the public key in his certificate) to decrypt the incoming message. The recipient uses the sender public key (from the sender certificate) to verify the signature.

That being said, you may envision a generic scenario where everybody can send and receive email. Therefore, everyone has a key pair (with public part in a certificate) which is used to encrypt and decrypt emails (Bob's public key is used to encrypt emails sent to Bob, and Bob uses the corresponding private key to decrypt them, i.e. to read the emails). Also, everyone has a key pair for signatures (Bob uses his private key to sign the messages that he sends, Alice uses Bob's public key to verify the signatures purportedly computed by Bob). The question is then: will Bob have two key pairs (one for encryption/decryption, and one for signature/verification), or only one key pair which is used for both jobs ?

It so happens that the RSA public encryption algorithm and the RSA signature algorithm can use the same kind of key, called (quite logically) "RSA keys". So this is doable, and actually it happens quite often.

However, generally speaking, signature keys and encryption keys have distinct life cycles and management procedures. In a business context, the direction keeps in a safe a copy of all private keys used for encryption, because losing an encryption key means losing data. And employees can become "unavailable" (employee is fired, employee retires, employee is hit by a bus...). Conversely, when a signature key is lost, previously emitted signatures are still valid and verifiable, so one simply has to create a new key pair to be able to produce other signatures. Besides, digital signatures may get a strong legal status only if there is no copy of the key in a safe somewhere. So the general advice is to keep encryption and signature keys separate. Using the same key for both is an approximation which may have unwanted side-effects (such as data loss or lack of legal value). Depending on the context, this may or may not be a problem.

like image 187
Thomas Pornin Avatar answered Oct 06 '22 23:10

Thomas Pornin


An X509 certificate contains a public key. To encrypt, you use the recipient's public key presumably obtained from their certificate. To sign, you use your private key, presumably from a secure store. The recipient verifies the signature using your public key, presumably from your certificate. Those are the basics.

like image 23
President James K. Polk Avatar answered Oct 06 '22 23:10

President James K. Polk