New snapshot

Pete Chown Pete.Chown at skygate.co.uk
Sat Nov 18 01:39:56 EST 2000


Gert Doering wrote:

> Could anyone send me a pointer where to read up why [encrypting and
> signing with the same key] is "bad"?

Firstly you are restricted to RSA or ElGamal keys, because DSA keys
can't easily be used for encryption.  No one uses ElGamal much, so
essentially you have to use RSA for everything.  This may or may not
matter depending on your application.

Secondly, with RSA, signing and decrypting are the same operation.  So
if someone can get you to decrypt an arbitrary message and disclose
the results, you can be made to sign arbitrary messages too.  You
normally wouldn't sign arbitrary messages, but if you did the attack
would work that way round as well -- you could be tricked into
decrypting something without realising.

There are various ways round these attacks, but in many ways the
simplest is just to use different keys.

> I've seen that a few people have separate PGP keys for "sign"
> and "crypt", but didn't understand that either.

That is really for a different reason.  It means that you can replace
your confidentiality key regularly while keeping the signing key the
same.  This means that you get a long-lived signing key which can
participate in the web of trust.  At the same time you have a
short-lived encryption key, so less damage is done if it is
compromised.

-- 
Pete
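
An added illustration of the second point in the message above, not part of the original post: with unpadded textbook RSA, the value disclosed by a decryption under a shared key verifies as a signature, while with separate keys it does not. The primes, key layout and function names are constructed for this example.

```python
# Textbook (unpadded) RSA with small constructed primes; illustration only.
import hashlib

def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def private_op(key, x):
    # The one RSA private-key operation: x^d mod n.
    return pow(x, key["d"], key["n"])

def decrypt(key, ciphertext):
    return private_op(key, ciphertext)

def sign(key, digest):
    return private_op(key, digest)

def verify(key, digest, signature):
    return pow(signature, key["e"], key["n"]) == digest % key["n"]

def digest_of(message, n):
    # Hash reduced mod n so it fits the toy modulus (assumption of this demo).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

MESSAGE = b"constructed message the key holder never approved"

def shared_key_demo():
    # One key for both purposes: a digest is handed in as a "ciphertext",
    # and the disclosed "plaintext" is checked as a signature.
    key = make_key(1000003, 1000033)
    digest = digest_of(MESSAGE, key["n"])
    disclosed = decrypt(key, digest)
    return verify(key, digest, disclosed)

def separate_keys_demo():
    # Distinct keys: the decryption result is checked against the signing key.
    enc_key = make_key(1000003, 1000033)
    sig_key = make_key(1000037, 1000039)
    digest = digest_of(MESSAGE, sig_key["n"])
    disclosed = decrypt(enc_key, digest % enc_key["n"])
    return verify(sig_key, digest, disclosed)

if __name__ == "__main__":
    print("shared key, disclosed value verifies:", shared_key_demo())
    print("separate keys, disclosed value verifies:", separate_keys_demo())
```

Deployed RSA schemes pad signing and encryption inputs differently, which is one of the ways round this; the example omits padding to expose the raw operation.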





More information about the openssh-unix-dev mailing list