Using RSA key for signing and for decrypting
Ben Laurie
ben at algroup.co.uk
Fri May 2 08:37:35 UTC 2003
Roger Dingledine wrote:
> I'm getting around to putting signatures on the directories, now.
> Fortunately, the source distribution already comes with a 'dirservers'
> file, which includes the public key of each directory server.
>
> This public key is used in handshaking between onion routers and others,
> to verify that they are who they should be. (Stuff is encrypted under
> the public key, and then they confirm that they could learn it.)
>
> So we're all set: we'll just use this key for signing directories too.
>
> Except I have some vague memory that using the same key for both signing
> and crypting is a bad idea. In the interests of simplicity, I'd rather
> avoid putting in a second key; can somebody confirm for me that I should,
> or can I get away with using the same key?
One problem is that the signature is E_k(H(M)) and decryption is
E_k(D_k(M)), where E_k() is encryption with the private key, D_k() is
decryption with the private key (== encryption with the public key). So,
if an attacker can persuade you to give them the "decryption" of H(M)
(purporting it to be D_k(M') of course), then you just signed M by
mistake :-)
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
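
The point in Ben Laurie's reply, as an added example that is not part of the original message or of the Tor code: with unpadded textbook RSA, signing and decrypting are the same private-key operation, so a handshake responder sharing the directory signing key ends up producing a directory signature, while a dedicated signing key does not. The toy Mersenne-prime keys, the function names and the sample directory text are constructed assumptions.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (constructed toy values, no padding)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d}

def digest(msg, n):
    """H(M) reduced into the modulus range (toy encoding, not a real padding scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def private_op(key, x):
    """The single private-key operation behind both signing and decryption."""
    return pow(x, key["d"], key["n"])

def sign(key, msg):
    return private_op(key, digest(msg, key["n"]))

def verify(key, msg, sig):
    return pow(sig, key["e"], key["n"]) == digest(msg, key["n"])

def handshake_decrypt(key, ciphertext):
    """Handshake responder (hypothetical): returns the 'decryption' of its input."""
    return private_op(key, ciphertext)

def demo():
    directory = b"constructed directory listing"

    # Case 1: one key used for both the handshake and directory signing.
    shared = make_key(2**61 - 1, 2**89 - 1)
    leaked = handshake_decrypt(shared, digest(directory, shared["n"]))
    shared_key_result = verify(shared, directory, leaked)

    # Case 2: the handshake key stays as is, directories get their own key.
    signing = make_key(2**107 - 1, 2**127 - 1)
    leaked = handshake_decrypt(shared, digest(directory, signing["n"]))
    separate_key_result = verify(signing, directory, leaked)

    return shared_key_result, separate_key_result

if __name__ == "__main__":
    print(demo())
```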