On Tue, Jun 14, 2005 at 12:14:54AM -1000, coco coco wrote:

> My apologies if this is not really an openssl question. Just want to get 
> some ideas from the gurus here.
> 
> There is this company (a so-called partner) which has hired an external 
> security consultant to oversee the security of a project which makes use of 
> crypto quite heavily. The security consultant didn't do anything else, 
> except coming up with a scheme that requires that every key must have two 
> certificates, one certificate used for encryption and the other used for 
> signature. The key and certificates are stored in a USB token. The reason 
> from the so-called security consultant was that it is more secure this way. 
> And he got the backup from the CEO (well, the CEO brought him in).
> 
> We called it bullshit, and were having a hot debate; most people (the 
> technical people) are opposed to that, saying that there is nothing secure 
> about this scheme. If you want to separate the signature key from the 
> encryption key, you should have 2 keys, and not one key with 2 
> certificates. This does not make any sense.
> 

You'll get more substantive support on cryptography@metzdowd.com
(subscribe via [EMAIL PROTECTED]), but your analysis is correct.
There are a number of attacks on RSA keys that are used to both sign and
encrypt (attacker) chosen data. While these attacks can be avoided by
not directly signing chosen data (rather only signing locally randomly
generated session keys or hashes of data), it is indeed a sound practice
to use separate keys when possible, but separate signing and encryption
certificates for a single public/private key pair are nonsense.

The right answer is two separate key pairs, with separate certs with
correct usage bits to enforce the key purpose.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
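
The check implied by the reply above, as an added example that is not part of the original thread: it compares the public keys inside a signing and an encryption certificate and verifies their keyUsage bits. File names and the certificate subject are constructed sample data, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: constructed file names and subject; needs OpenSSL 1.1.1+.

# SHA-256 of the certificate's SubjectPublicKeyInfo: identical output means
# the same key pair, whatever the certificates themselves claim.
spki_fp() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Value line of the X509v3 Key Usage extension (empty if the extension is absent).
key_usage() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n1
}

# check_pair SIGN_CERT ENC_CERT: returns 0 only for two distinct keys whose
# usage bits match their purpose and do not overlap.
check_pair() {
  local rc=0 su eu
  su=$(key_usage "$1"); eu=$(key_usage "$2")
  if [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ]; then
    echo "FAIL: both certificates certify the same public key"; rc=1
  fi
  case "$su" in *Encipherment*) echo "FAIL: signing cert permits encryption"; rc=1;; esac
  case "$su" in *"Digital Signature"*) ;; *) echo "FAIL: signing cert lacks digitalSignature"; rc=1;; esac
  case "$eu" in *"Digital Signature"*) echo "FAIL: encryption cert permits signing"; rc=1;; esac
  case "$eu" in *"Key Encipherment"*) ;; *) echo "FAIL: encryption cert lacks keyEncipherment"; rc=1;; esac
  [ "$rc" -eq 0 ] && echo "OK: separate keys, usage bits match purpose"
  return "$rc"
}

# Constructed sample data: self-signed certificates in a temporary directory.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
new_key()  { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
new_cert() { # new_cert KEY CERT USAGE
  openssl req -x509 -new -key "$1" -out "$2" -days 1 -subj "/CN=example user" \
    -addext "keyUsage=critical,$3" 2>/dev/null
}
new_key "$work/shared.key"; new_key "$work/sig.key"; new_key "$work/enc.key"
# Scheme from the thread: one key pair, two certificates.
new_cert "$work/shared.key" "$work/bad_sig.crt" digitalSignature
new_cert "$work/shared.key" "$work/bad_enc.crt" keyEncipherment
# Recommended layout: two key pairs, one certificate each.
new_cert "$work/sig.key" "$work/good_sig.crt" digitalSignature
new_cert "$work/enc.key" "$work/good_enc.crt" keyEncipherment

check_pair "$work/bad_sig.crt" "$work/bad_enc.crt" || true   # shared key is reported
check_pair "$work/good_sig.crt" "$work/good_enc.crt"         # passes
```

The shared-key pair fails even though each certificate's usage bits look correct on their own, which is why the comparison is done on the public key rather than on the certificate fields.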
