6

Would it be easier to hack a private key by having multiple encrypted and/or signed messages from the same person than having only encrypted or only signed messages?

Should I use one private key to encrypt and another to sign?

StackzOfZtuff
  • 17,923
  • 1
  • 51
  • 86
Nathan Parker
  • 267
  • 2
  • 9

3 Answers3

7

It is not feasible to crack a private key when having multiple encrypted/signed messages. Note that:

  • According to the OpenPGP standard, when encrypting a message the public key is only used to encrypt a random session symmetric key, which is then used to encrypt the message itself.

  • Generating a new key pair each time would involve redistributing your public key, which is actually the weak point in Public Key Infrastructures.

  • If your PGP key pair is DSA/ElGamal instead of RSA you already use a different key for signing (DSA) and for encrypting (ElGamal).

dr_
  • 5,109
  • 4
  • 20
  • 30
6

A few time ago I wrote an answer describing the Ebics protocol, a protocol allowing to use the same or different certificates for each purpose.

This answer shows some situations where having different certificates is required, however if you do not have such specific need (for example the signature and the encryption could be processed by different persons, or you may need several signatures for the same encrypted file, etc.), then there is no need to use different keys and you can safely use only one.

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
5

With strong, modern crypto, there should not be any problems with using the same private key for both operations. In fact, the additional hassle of using multiple keys is (slightly) more likely to become a security concern (because of accidental misuse) than the crypto angle.

Niels2000
  • 201
  • 1
  • 5
  • In some cases you can create or modify keys to only be allowed for encryption or signing, thus preventing accidental misuse. – kasoban Sep 08 '15 at 14:20