AW: Does the use of the same key for encryption and signature pos e a security threat?

[Dittmann Werner <we...@siemens.com>]

Christof, Sanjesh,
 
for encryption its also simple:
 
Sender (S) signs a message using a X.509 certificate. To do so it uses
its private key. The sender also attaches the certificate to the message.
 
Receiver (R) verifies the message, to do so it uses the public key contained
in the attached certificate.
 
R wants to encrypt the response to S: R uses the public key of S's certificate
to encrypt a symmetric (random) session key. R also signes the message,
behaves like S before (attaches its Certificate)
 
S receives the encrypted message, decodes to session key using its private
key, decrypts the data, verifies R's signature, ....
 
and so on .... ad infinitum ....
 
The Axis handlers of WSS4J contain a special mode that supports this behavior
in such a way that the public key of the certificate used to sign a message is
automatically used to encrypt the session key. See the documentation
of  USE_REQ_SIG_CERT  in WSDoAllConstants.
 
Regards,
Werner
-----Ursprüngliche Nachricht-----
Von: Sanjesh Pathak [mailto:sanjesh@soapknox.com] 
Gesendet: Freitag, 28. Mai 2004 14:58
An: fx-dev@ws.apache.org
Betreff: FW: Does the use of the same key for encryption and signature pose a security threat?


Hi Christof,
 
As far as I know there is a no mathematical reason for it except that you don't want the private key to be picked up by a third party. If you use the same private key for encryption and signature then both sender and receiver have to have the same private key. In that case one party has to send the other party private key, which is not a good idea.
 
As you rightly pointed out, the signature part is straight forward. The receiver uses the public key sent with the message to verify. There is no prior exchange required. In case of encryption the receiver has to provide the sender it's public key before hand for encryption. The only way I see that can be done right now is to provide the public key offline.
 
I hope I haven't misread your point.
 
Sanjesh
 
 
-----Original Message-----
From: Christof Soehngen [mailto:Christof.Soehngen@SYRACOM.DE] 
Sent: Friday, May 28, 2004 3:38 AM
To: fx-dev@ws.apache.org
Subject: Does the use of the same key for encryption and signature pose a security threat?
 
I was told lately not to use the same (private) key for both encryption and signature. This would create a security leak for cryptographic attacks.
 
As far as I could find out, it is a problem of key management, you want to keep the encryption key as long as possible, so you can always decrypt (even after a long time), but you want to minimize the time a private key exists after it becomes invalid, so noone can abuse it.
 
Does anyone know a mathematical reason besides the key management issue?
 
Problem is, regarding the WS scenario, it would not be sufficient for a client to send the (public part of the) key, the message was signed with, to the server. The server would also need a different public key for encryption. This would make further efforts necessary.
 
Regards,
Christof Soehngen