8

I'm newbie to encryption.

In Public Key Cryptography we have pair of keys - one for encryption and one for decryption.

In case Alice wants Bob to send her secret message, she publishes her encryption key (it'll be called public key) and keeps decryption key in secret (it'll be called private key). Bob encrypts message with Alice public key and Alice uses her private key to decrypt Bob's message.

Till now I think we all agree.

Now let's see what happen with signatures. Alice wants to send Bob a message and sign it to prove Bob that the message owned by her Alice. Signatures are intended to solve authentication problem. With Public Key Cryptography, signature is encrypted digest (e.g. checksum) of message with Alice private key and decrypted by Bob with Alice public key. Since only Alice knows it's private key, Bob can be sure that the message is from Alice.

This how signature is explained here:

Some Asymmetric Algorithms (public key algorithms) such as RSA allow the process to work in the opposite direction as well: a message can be encrypted with a private key and decrypted with the corresponding public key. If the recipient wants to decrypt a message with Bob's public key he/she must know that the message has come from Bob because no one else has sender's private key. Digital signatures work this way.

What I'm confused is what is this private key Alice uses for encryption of signature? Thus for signature we use:

  1. The same set of keys, used to send secure messages from Bob to Alice, meaning the same private key used by Alice to decrypt message received from Bob can be used to encrypt digest of message, sent by Alice back to Bob or ...
  2. Additional pair of encryption/decryption keys used for signing Alice's messages, where Alice publish decryption key of the pair.
Nam G VU
  • 33,193
  • 69
  • 233
  • 372
dimba
  • 26,717
  • 34
  • 141
  • 196
  • See the answers here: http://stackoverflow.com/questions/5133246/what-is-the-purpose-of-using-separate-key-pairs-for-signing-and-encryption – Anders Lindahl Nov 13 '11 at 09:10
  • For RSA, encryption and decryption keys are functionally identical. We normally distinguish between public (encryption/verification) and private (decryption/signing) key. The public one is often a bit shorter, since one uses a small standard exponent. – Paŭlo Ebermann Nov 13 '11 at 15:08

2 Answers2

4

The explanation of signatures as "encrypt with private key" is wrong. Well, mostly. It is a traditional explanation of how RSA signatures work, but actually it does not match how RSA signatures really work, because there is such a thing as "padding", which is about transforming data elements into big integers and back. The details of the padding are of paramount importance for the security -- and you will not use the same padding for encryption and for signatures.

Also, the view of signatures as "encrypt with the private key" can work only on asymmetric algorithms which use a "trapdoor permutation", and many signature algorithms do not (e.g. DSA). So I suggest forgetting that explanation, it is, at best, confusing.

A signature algorithm is generated over a given message, using a private key. It is verified over a message and a public key; if the public key is the one corresponding to the private key used to generate the signature, the verification algorithm will say "ok" only if this is the same message (or, more precisely, it is supposed to be computationally unfeasible to find a distinct message which the verification algorithm will nonetheless accept). So signatures are a kind of "asymmetric" algorithm because they use a key pair, one being public and the other private.

There are a few key pair types (in practice, RSA key pairs) which can be used both for signatures and encryption (with, respectively, the RSA signature algorithm and the RSA encryption algorithm -- which are not the same algorithm, although they share the same mathematical core operation). You may technically use the same key pair for both; however, this is not recommended:

  • There might be implied weaknesses due to interactions between the algorithms. There have been few studies on that subject. Although the padding differences should prevent these, there is no proof.

  • Encryption keys and signature keys have distinct life cycles. See this answer for details (in short words: you want to backup the encryption private key, and not the signature private key, so they cannot be the same key).

  • If some serious weakness was found in RSA, you would want to replace your keys with keys for other algorithms, and there is no guarantee that the replacement encryption and signature algorithms would still be able to share the same key type.

Community
  • 1
  • 1
Thomas Pornin
  • 72,986
  • 14
  • 147
  • 189
  • Does it possible mathematically to use Diffie-Hellman also both for encryption and signature as well as RSA? – dimba Nov 14 '11 at 05:27
  • Diffie-Hellman is not an asymmetric encryption algorithm _per se_; it is a key exchange algorithm (it is like an asymmetric encryption with which you do not get to choose the data which is encrypted); but it is almost as good if you combine it with symmetric encryption (it is called [IES](http://en.wikipedia.org/wiki/Integrated_Encryption_Scheme)). Mathematically, you could use the same key pair for both DSA and DH, but nobody does that (in the relevant standards, DSA keys and DH keys are tagged differently). – Thomas Pornin Nov 14 '11 at 12:35
2

You can have only one pair of keys and publish only one public key which can be used to encrypt messages sent to you and to check message signatures created by you. The setup can be more sophisticated with additional keys/subkeys for different purposes but it is not required.

wRAR
  • 25,009
  • 4
  • 84
  • 97
  • So, you mean that option 1 in question is possible? This means that messages can be encrypted/decrypted with the same private key and decrypted/encrypted by the same public key? – dimba Nov 13 '11 at 09:22
  • Yes, it is possible and it is used in the real life. – wRAR Nov 13 '11 at 09:34
  • @wRAR: But I think it's a really bad idea to use asymmetric keys in both encryption and signature scenarios. It's too easy to abuse the signature part as a "decryption oracle" for attackers that would like to decrypt messages. – emboss Nov 13 '11 at 13:45