Use of same key for different operations should not be encouraged

Issue #740 resolved
Brian Campbell created an issue

Several places in the Connect suite [1] have language that says the jwk/x509_url can also be used for encryption keys, if the jwk/x509_encryption_url isn't provided or registered.

I suggest we drop this fallback option and explicitly require encryption keys to be provided or registered when encryption is used. Two main reasons for this:

1) While I imagine the fallback approach was intended as a simplification, it actually makes most implementations more complicated as they need to support two ways of finding the keys. A wise man recently said, "having two ways to do something almost always hurts interop and always makes implementations bigger" [2]. I wholeheartedly agree and say Connect should have only one way.

2) More importantly, using the same key for signing and encryption is terribly insecure. I'm no cryptographer but am told this concern is no longer just theoretical and will point out that the W3C XML SEC folks recently published some best practices including an explicit recommendation to use distinct keys for different operations [3] citing signature forgery as a potential consequence of ignoring the recommendation.

Yes, Connect does recommend against it (to varying levels) but signature forgery is really bad. Despite the few SHOULDs suggesting that separate keys be used, just having the option of dual use is tacitly approving of it at some level. Let's just get rid of that.

[1] These 3 at least and maybe more:

[2] and that man was our very own Mike Jones

[3] XML Signature Best Practice 27: Signers: When encrypting and signing use distinct keys

Comments (9)

  1. John Bradley

    It is a fight against common practice in SAML people don't regularly use separate keys.

    I made a point of making them separable. I would be OK with requiring both be specified.

    I would also prefer to do that with the JWK key use rather than in Connect. The issue with that is that we don't yet have a similar mechanism for x5u.

    If we had a single place to look with key use attributes would that make you happier as an implementer.

    I agree that you should never use the same kay for two different algs. The loophole is that for RSA pkcs 1.5 it is the same alg for signing and encrypting. So people take the short cut that sort of works for those two. If you are using RSA with PSS and OAEP then you defiantly need separate keys to avoid some possible pain.

  2. Brian Campbell reporter

    Yes, a single place to look that utilized a required (but maybe default to singing) key use attribute per key would be good.

  3. Michael Jones

    We agreed not to allow the same key be used. It's fine for the URLs to point to the same JWK Set. It is RECOMMENDED to use the "use" parameter to distinguish between the multiple keys if they are in the same place.

  4. Log in to comment