emmanuel_


Why must a user of a public key system use separate key pairs for digital signature and identification?

Is the following answer correct?



Answer:
If Bob wants to use a public key system he needs separate key pairs for digital signature and identification or the system is insecure. If one key pair is used for digital signature and identification an attacker can pretend they want a check on identity. The attacker can send a random number for Bob to encrypt with his private key that is generated by computing the hash of the document, when Bob encrypts this with his private key he is in fact signing the document.


(IMHO digital signature does provide identification, we do not need to use another key pair).
ahoffmann

> The attacker can send a random number for Bob to encrypt with his private key ..
There is no way to prevent such brute force attacks, hence it doesn't matter if you use two key pairs for signature and identification or just one, 'cause such a brute force attack can be run against the identification system too.
It's just a matter of time and resources ...
emmanuel_

ASKER

(This question came up in the exam at the University and the above answer was the official one).




Do you think that both the answer and the question are correct? yes/no

I would highly appreciate it if you could comment on your answer more, maybe with striking example(s) (that will act as an objective proof for me that the answer of the Uni is or is not correct).




Thank you very much in advance.

{Please do take your time. I want a crystal clear answer because I have been thinking about this topic for a long time (I have concluded that "digital signature does provide identification and we do not need to use another key pair"). I want to write them a letter, but before that I must be 100% sure, with your help, of what I am writing}.

Arty K
I agree with the provided question and answer. Read the link below.

http://theworld.com/~dtd/sign_encrypt/sign_encrypt7.html

Suggested scenario is described in chapter 1.1
Also that's a good source of PKI weaknesses: http://theworld.com/~cme/html/spki.html#dsig
Nopius, I don't see what the S&E vs. E&S problem (see your link chapter 1.1) has to do with the question,
could you please enlighten me.
OK. Maybe not everything from those URLs clarifies the question. I started from those links and found papers that mention the 'single signature' problem, but with the words.

Let's start from the top. What is the difference between identification and signing?
emmanuel_ says 'IMHO digital signature does provide identification, we do not need to use another key pair'. That's correct.
BUT. The question was about 'signing' vs. 'identification'.
From that point I see:
- signing as 'public message signing' for identifying you as a writer (as an origin of that message);
- identification as 'identification against some private service' for authenticating you as a legitimate user of that service.
Do you see the difference? If yes, I proceed.

Now look at cryptography from a human's point of view, where a digital signature means exactly the same as your own, human, signature.
Anyone may ask you to sign anything.
Suppose now, you are using the same signature (the same private key file) for every public message.
Someone writes to you: 'Hey, I don't believe it's you, please sign that "BC123..." (1024-bit message follows) message, so I can check if it's you'. Now you sign that message without thinking and send it back.

Do you see security flaw now? If no, I  proceed.

That was the attacker who asked you to sign that message. It is he who was asked to sign exactly the same message by the private server, so the server could identify that it's you. And he will respond to that server with exactly the same answer, so the server will think it's you who has signed that challenge.

I know there are different authentication schemes, but this scheme is also possible.
Some of these schemes also include random numbers inside that encrypted message, which I need to decrypt and increment, then encrypt and send back.
But now we are talking about signing as a means to provide identification, not about encryption as a means to provide privacy :-)

I hope now it's clear.
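Added example, not part of any post in this thread: the scenario from the official answer (a "challenge" that is really a document hash) and from the comment above (a challenge answered with the signing key), written out with textbook RSA. Assumptions: no padding, toy keys built from Mersenne primes, and a hypothetical `id-protocol-v1` tag for the hardened responder.

```python
import hashlib

E = 65537  # public exponent shared by both constructed keys

def make_key(p, q):
    """Return (n, d) for textbook RSA from two primes (constructed toy sizes)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """Document hash reduced to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def private_op(value, key):
    """What the thread calls 'encrypt with his private key': value^d mod n."""
    n, d = key
    return pow(value, d, n)

def verifies(doc, sig, key):
    """Signature check with the public half: sig^e mod n must equal the hash."""
    n, _ = key
    return pow(sig, E, n) == digest(doc, n)

def answer_challenge(challenge, id_key):
    """Identification as described in the thread: transform the challenge blindly."""
    return private_op(challenge, id_key)

def answer_challenge_tagged(challenge, id_key):
    """Hardened responder (hypothetical tag): hash the challenge under a protocol label."""
    n, _ = id_key
    return private_op(digest(b"id-protocol-v1|" + str(challenge).encode(), n), id_key)

# Constructed keys from Mersenne primes; far too small for real use.
SIGN_KEY = make_key(2**89 - 1, 2**127 - 1)
ID_KEY = make_key(2**31 - 1, 2**61 - 1)
DOC = b"Bob agrees to pay 1000 EUR"  # constructed document Bob never saw

def demo():
    # One key pair for both roles: the "challenge" is the hash of DOC.
    shared = answer_challenge(digest(DOC, SIGN_KEY[0]), SIGN_KEY)
    # Separate key pairs: the response is made with ID_KEY, checked against SIGN_KEY.
    separate = answer_challenge(digest(DOC, SIGN_KEY[0]) % ID_KEY[0], ID_KEY)
    # Same key pair, but the responder tags what it signs.
    tagged = answer_challenge_tagged(digest(DOC, SIGN_KEY[0]), SIGN_KEY)
    return (verifies(DOC, shared, SIGN_KEY),
            verifies(DOC, separate, SIGN_KEY),
            verifies(DOC, tagged, SIGN_KEY))
```

`demo()` returns `(True, False, False)`: only the shared, untagged key turns an identification response into a valid signature on `DOC`.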
> When you sign a message you think your signature is used for your identification.
no
hence
> But you didn't grasp the whole picture.
I guess I got the picture ;-)

> .. I know you are paranoid in security,
yes ;-)

> You don't think about disclosure of private data (your private key) when are signing a message
what's the problem here? If I sign something, there is no disclosure of *my* private key.
If you're talking about the example described in your link, that's something different, comparable to phishing.

> But you may be asked to sign some message (not yours) just for your 'identification' .
ok, I need to trap into that phish ..

> That's the reason why you should use one private/public key pair for public messages (emails) signing and encrypting. And the other for authentication against some private services (suppose for SSL authentication on corporate Web site).
hmm, what has this to do with the phishing trap (see above)? Signing my own data (message, whatever) is different than signing data given to me.
I guess this difference is the "missing picture" you impute to me.

Hope this (paranoid) discussion helps the questioner too.
(Thanks for your postings).

Please follow the link: http://www.e-greenstar.com/SSL/SSL-how.htm
and read the paragraphs:

1-USING PUBLIC KEY CRYPTOGRAPHY FOR AUTHENTICATION
2-BUT WAIT, THERE'S MORE
3-GETTING CLOSER

How do you link this with Nopius' last comment (05/18/2006 04:13PM PDT)?

I will appreciate your answer (but please focus on the main question - see top).

Thanks in advance for your expertise and patience.

 
emmanuel, from your link:
> Unless you know exactly what you are encrypting,

that's exactly what was discussed before: don't trap into phishing
In such cases you have to use different keys. Or better: a unique one-time key for encrypting unknown messages.

Back to the link (SSL), with SSL you don't have this dragon, just read the doc to the end, then tell us what your problem is.
ahoffmann, I agree, maybe it's a kind of phishing.

The difference is:
- with phishing you disclose your account id/password to an attacker
- with signing/encrypting you don't disclose your private key

Maybe as a result of that difference everybody is afraid of suspicious internet links posted by email, and doesn't hesitate when encrypting and signing public messages :-)

emmanuel, as for your link, it's a classic man-in-the-middle attack.
It's not what I'm talking about. For definition of the man-in-the-middle attack, read http://en.wikipedia.org/wiki/Man_in_the_middle_attack