On 11/5/2012 1:37 AM, Jeffrey Walton wrote:
On Sun, Nov 4, 2012 at 7:15 PM, <jb-open...@wisemo.com> wrote:
On 02-11-2012 21:46, Jeffrey Walton wrote:
On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
(continuing TOFU posting to keep the thread somewhat consistent)
Given some of the mathematical restrictions on parameters needed to
keep DSA and ECDSA safe from attackers, I don't think using the same
private key for ECDSA and ECDH is a good/safe idea.
However I am not a genius cryptanalyst, so I cannot guarantee that
this is really dangerous, it is just a somewhat educated guess.
Not at all - its good advice. Its called Key Separation, and its
covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I
usually see folks trying to use the same key for signing and
encryption. This is a slight twist in that they want to do signing and
agreement.
The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.
I am aware of the general principle, but that is not my point at all.
My point is that the very specific math of DSA signatures may enable
specific attacks if the same key pair is used as a static DH key.
Information on this possibility (or its absence) is obscured by replies
like yours (and by similar general statements in official Government
materials from NIST etc.).
My apologies. I was not aware I was obscuring results. It was not my intention.
The OpenSSL list is a good list, but its OpenSSL implementation
oriented. As such, its not the best place to ask number theoretic
questions. To get your question answered, I would encourage you to ask
on an appropriate list; or visit a university and talk to someone in
the math department or teaching cryptography. (I still keep in touch
with my former crypto instructor, so I would simply send an email).
As far as I know, there are three such lists. First you can ask on
Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see
David Wagner patrolling sic.crypt on occasion. Both of these lists
will require you to wade though copious amounts of spam.
Third, you can try Jack Llyod's Cryptography mailing list at
http://lists.randombit.net/mailman/listinfo. Jack is the author of
Botan, and a lot of first class crypto folks are active on his list,
such as Jon Callas and Peter Guttman.
I have omitted a number of influential and helpful folks, so please
don't take offense if I did not name your favorite cryptographer. For
what its worth, I don't think this is a conspiracy or a concerted
effort to suppress your knowledge.
It is not as much my question as an uncertain basis for my reply to
an OpenSSL user about why his OpenSSL related software seems to
prevent him from doing this possibly dangerous thing. As I would
probably not try to do that myself anyway, I am not that interested
in the mathematical proving or disproving of the actual existence
of the risk. It was simply a caveat emptor attached to my advice.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
