On Fri, Jan 27, 2023 at 06:01:04PM +0000, John Mattsson wrote:
> Hi,
> 
> - Using the same signature key or PSK for TLS and another protocol is
>   obviously insecure in the worst case. But probably practically
>   secure in many cases even if nobody has proved it.

Well, looking at the signatures:

- TLS 1.2 client signatures start with 0x01 (client hello message
  type).
- TLS 1.2 server signatures are messy, as the first 32 octets are
  from the client (client random)!
- TLS 1.3 signatures start with 0x20 (explicit padding).
- JOSE signatures start with 0x65 (base64url of '{').
- COSE signatures start with 0x84 or 0x85 (Countersignatures can
  also start with 0x86); (Array of 4, 5 or 6 elements).
- X.509 signatures (S/MIME, PKIX, etc...) typically start with 0x30
  (SEQUENCE type).
- SSH pubkey signatures start with 0x00 (session id is <16MB).
- SSH hostkey signatures are a bit messy, as those seem to be over a
  raw hash.
- SSH signatures start with 0x53 (explicit magic).


So it looks like none of those can interact badly with the others, except
for TLS 1.2 server signatures and SSH hostkey signatures (and even
those probably don't interact badly in practice).


> - Did any of the formal analysis prove that using the same key for
>   TLS client and server is secure? It is quite common that the same
>   node is a TLS server and client.

For TLS 1.3, it is secure (the signatures have context). For TLS 1.2,
things are more complicated (but it is probably still secure).



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls