5

Alice wants to send an encrypted message to Bob, but she also wants to connect to Carol's server. Are there any dangers associated with using the same RSA key for both PGP and SSH (other than a lack of anonymity)?

christianbundy
  • 313
  • 2
  • 8
  • 1
    Alice doesn't encrypt a message to Bob with her own key; she uses Bob's. If Bob's encryption key and Alice's SSH key are the same, I'd say there's definitely a problem. – cpast Mar 19 '15 at 22:30
  • possible duplicate of [Why should one not use the same asymmetric key for encryption as they do for signing?](http://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig) – cpast Mar 19 '15 at 22:31
  • See this same question on the crypto site. https://crypto.stackexchange.com/questions/12090/using-the-same-rsa-keypair-to-sign-and-encrypt – Jason Coyne Jul 12 '15 at 13:54
  • @cpast Please assume that she's signing her message with her key. – christianbundy Mar 24 '20 at 14:38

2 Answers2

5

In a PGP setup, encryption occurs with the recipient's public key. In SSH authentication, this is (internally) a signature with the client's private key. If Alice sends a message to Bob and also connects to Carol's server, then Alice will use Bob's public key to encrypt, and here own private key (from a distinct key pair) to sign. No problem here.

A trickier case is when Bob wants to both receive encrypted messages from Alice, and connect to Carol's SSH server. In that case, Bob uses his private key to decrypt incoming messages (from Alice), and also to sign things sent by Carol (the authentication challenge within the SSH handshake). Using the same private key for two distinct algorithms is, generally speaking, a bad idea, because possible interactions between the two usages are a poorly explored area. Also, normally want to keep a backup of any encryption key, and not keep a backup of any authentication/signature key (see this), so making the two keys the same means that you are doing things suboptimally.

For that matter, a normal PGP setup already entails having several key pairs (a "master key" that can revoke the sub-keys, and sub-keys for encryption and signatures). Having an extra one for SSH should be no hardship.

(Not counting the fact that PGP implementations like GnuPG, and SSH implementations like OpenSSH, have distinct formats for encoding keys, so using the same key for both would need some effort.)

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
1

The real question is whether you're using a signing/authentication GPG subkey as your SSH key, or an encryption one. The former is fine, the latter is not: an RSA key must never be used to both encrypt and sign! (Authentication uses digital signatures.)

  • Shouldn't the private key I use to decrypt messages sent to me, be the same as the key that I use to sign messages (So that others can use the same public key for both purposes?) – Jason Coyne Jul 12 '15 at 13:45
  • It partially depends on the encryption algorithm in use, but with RSA, the answer is no: doing this risks revealing the private key. (Have a look at the RSA math to see why.) However, software packages like GPG manage this for you. The public key that you publish is actually a signing key, and GPG automatically generates a another key (the "encryption subkey"), signed by your primary key, that it does data encryption with. – Justin King-Lacroix Jul 12 '15 at 13:50