Thanks Ilari for that very fast and detailed answer. I made a PR to RFC8446bis to suggest adding “A node MAY use the same certificate as both server and client certificate.”; I don’t know if there should be more restrictions. The real practical problems seem to be cross-protocol attacks on the application layer where TLS is used for several application layer protocols.
Cheers,
John

From: TLS <[email protected]> on behalf of Ilari Liusvaara <[email protected]>
Date: Friday, 27 January 2023 at 19:53
To: [email protected] <[email protected]>
Subject: Re: [TLS] Security of using same cert for TLS client and server

On Fri, Jan 27, 2023 at 06:01:04PM +0000, John Mattsson wrote:
> Hi,
>
> - Using the same signature key or PSK for TLS and another protocol is
> obviously insecure in the worst case. But probably practically
> secure in many cases even if nobody has proved it.

Well, looking at the signatures:

- TLS 1.2 client signatures start with 0x01 (client hello message type).
- TLS 1.2 server signatures are messy, as the first 32 octets are from client (client random)!
- TLS 1.3 signatures start with 0x20 (explicit padding).
- JOSE signatures start with 0x65 (base64url of '{').
- COSE signatures start with 0x84 or 0x85 (Countersignatures can also start with 0x86); (Array of 4, 5 or 6 elements).
- X.509 signatures (S/MIME, PKIX, etc...) typically start with 0x30 (SEQUENCE type).
- SSH pubkey signatures start with 0x00 (session id is <16MB).
- SSH hostkey signatures are a bit messy, as those seem to be over a raw hash.
- SSH signatures start with 0x53 (explicit magic).

So looks like none of those can interact badly with others, except for TLS 1.2 server signatures and SSH hostkey signatures (and even those probably don't interact badly in practice).

> - Did any of the formal analysis prove that using the same key for
> TLS client and server is secure? It is quite common that the same
> node is a TLS server and client.

For TLS 1.3, it is secure (the signatures have context).

For TLS 1.2, things are more complicated (but it is probably still secure).

-Ilari

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
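The leading-octet argument Ilari makes above is easy to check by building the actual to-be-signed byte strings and looking at their first byte. The following is an added example, not code from the thread or from any of the cited specifications: it hand-encodes the signed data for the formats in Ilari's list (TLS 1.3 CertificateVerify per RFC 8446 4.4.3, TLS 1.2 CertificateVerify and ServerKeyExchange per RFC 5246 7.4.8 and 7.4.3, JWS Signing Input per RFC 7515 5.1, COSE Sig_structure per RFC 9052 4.4, SSH userauth per RFC 4252 7, a DER SEQUENCE as at the top of an X.509 tbsCertificate, and the OpenSSH SSHSIG preamble). No key or signature is involved; only the bytes that would go under the signature are produced. All sample inputs (transcript hash, randoms, headers) are constructed, and the TLS 1.2 client_random is deliberately chosen to start with 0x30 to show that the peer can make a ServerKeyExchange signature input look like a DER SEQUENCE.

```python
import base64
import hashlib
import json
import struct

# Added example, not code from the thread. Only the to-be-signed data is built,
# never an actual signature. The minimal CBOR/DER helpers cover the small
# lengths used here (arguments/lengths below 256).


def tls13_signature_input(role: str, transcript_hash: bytes) -> bytes:
    """RFC 8446 4.4.3: 64 x 0x20 || context string || 0x00 || Transcript-Hash."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    context = f"TLS 1.3, {role} CertificateVerify".encode("ascii")
    return b"\x20" * 64 + context + b"\x00" + transcript_hash


def tls12_client_certverify_input(handshake_messages: bytes) -> bytes:
    """RFC 5246 7.4.8: signs all handshake messages so far; the first one is
    ClientHello, whose HandshakeType is 0x01."""
    return handshake_messages


def tls12_server_kex_input(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """RFC 5246 7.4.3: client_random || server_random || params; the peer picks
    the first 32 octets."""
    return client_random + server_random + params


def jose_signing_input(protected_header: dict, payload: dict) -> bytes:
    """RFC 7515 5.1: BASE64URL(header) '.' BASE64URL(payload); '{' encodes as 'e'."""
    def b64u(raw: bytes) -> bytes:
        return base64.urlsafe_b64encode(raw).rstrip(b"=")
    head = json.dumps(protected_header, separators=(",", ":")).encode("utf-8")
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return b64u(head) + b"." + b64u(body)


def _cbor(major: int, arg: int) -> bytes:
    """CBOR initial byte(s) for a major type and an argument below 256."""
    return bytes([(major << 5) | arg]) if arg < 24 else bytes([(major << 5) | 24, arg])


def cose_sig_structure(body_protected: bytes, external_aad: bytes, payload: bytes,
                       sign_protected=None) -> bytes:
    """RFC 9052 4.4: array of 4 ("Signature1", 0x84) or 5 ("Signature", 0x85) items."""
    context = b"Signature" if sign_protected is not None else b"Signature1"
    items = [_cbor(3, len(context)) + context, _cbor(2, len(body_protected)) + body_protected]
    if sign_protected is not None:
        items.append(_cbor(2, len(sign_protected)) + sign_protected)
    items += [_cbor(2, len(external_aad)) + external_aad, _cbor(2, len(payload)) + payload]
    return _cbor(4, len(items)) + b"".join(items)


def der_sequence(content: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) with a definite length, as a tbsCertificate starts."""
    n = len(content)
    return b"\x30" + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + content


def _ssh_string(raw: bytes) -> bytes:
    return struct.pack(">I", len(raw)) + raw


def ssh_userauth_signed_data(session_id: bytes, user: str, service: str,
                             key_alg: str, key_blob: bytes) -> bytes:
    """RFC 4252 7: starts with string session_id, i.e. a uint32 length, so the
    first octet is 0x00 for any session id shorter than 16 MiB."""
    return (_ssh_string(session_id) + b"\x32" + _ssh_string(user.encode())
            + _ssh_string(service.encode()) + _ssh_string(b"publickey") + b"\x01"
            + _ssh_string(key_alg.encode()) + _ssh_string(key_blob))


def sshsig_signed_data(namespace: str, message_hash: bytes, hash_alg: str = "sha512") -> bytes:
    """OpenSSH PROTOCOL.sshsig: "SSHSIG" || namespace || reserved || hash_alg || H(msg)."""
    return (b"SSHSIG" + _ssh_string(namespace.encode()) + _ssh_string(b"")
            + _ssh_string(hash_alg.encode()) + _ssh_string(message_hash))


def leading_octets() -> dict:
    """First octet of each format's signed data over constructed sample inputs."""
    th = hashlib.sha256(b"constructed transcript").digest()
    client_hello = b"\x01" + (2).to_bytes(3, "big") + b"\x03\x03"  # type, length, version
    client_random = b"\x30" + bytes(31)  # constructed, peer-chosen, DER-looking
    return {
        "tls13_client": tls13_signature_input("client", th)[0],
        "tls13_server": tls13_signature_input("server", th)[0],
        "tls12_client": tls12_client_certverify_input(client_hello)[0],
        "tls12_server": tls12_server_kex_input(client_random, bytes(32), b"\x00\x01\x02")[0],
        "jose": jose_signing_input({"alg": "ES256"}, {"sub": "node-a"})[0],
        "cose_signature1": cose_sig_structure(b"\xa1\x01\x26", b"", b"payload")[0],
        "cose_signature": cose_sig_structure(b"", b"", b"payload", sign_protected=b"\xa1\x01\x26")[0],
        "x509_tbs": der_sequence(b"\x02\x01\x01")[0],
        "ssh_userauth": ssh_userauth_signed_data(th, "alice", "ssh-connection", "ssh-ed25519", bytes(32))[0],
        "sshsig": sshsig_signed_data("file", hashlib.sha512(b"msg").digest())[0],
    }


def shared_leading_octets() -> dict:
    """Octets that more than one format can start with: candidates for confusion
    if one key is used across those formats."""
    groups: dict = {}
    for name, octet in leading_octets().items():
        groups.setdefault(octet, set()).add(name)
    return {octet: names for octet, names in groups.items() if len(names) > 1}


def tls13_roles_are_separated(transcript_hash: bytes) -> bool:
    """Same key and transcript: client and server inputs still differ by context string."""
    return tls13_signature_input("client", transcript_hash) != tls13_signature_input("server", transcript_hash)


if __name__ == "__main__":
    for name, octet in sorted(leading_octets().items()):
        print(f"{name:16s} 0x{octet:02x}")
    print("shared first octets:", shared_leading_octets())
```

Running it reproduces the prefixes from the list (0x20, 0x01, 0x65, 0x84/0x85, 0x30, 0x00, 0x53) and flags two groups: 0x20, which is only the two TLS 1.3 roles and is resolved by the differing context string, and 0x30, where the TLS 1.2 ServerKeyExchange input collides with a DER SEQUENCE because its first 32 octets are the peer-supplied client_random. The first-octet check is a coarse filter, not a proof; it is exactly the kind of evidence the thread relies on for "probably does not interact badly in practice".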
