WebApp Sec mailing list archives

Re: Using SSL private key for cookie's HMAC


From: Adam Shostack <adam () homeport org>
Date: Sun, 5 Sep 2004 19:56:02 -0400

On Tue, Aug 31, 2004 at 09:37:48AM -0400, Jeff Williams wrote:
| Simon,
| 
| I'm curious too. Assuming you use the private key properly, are there any
| risks associated with using the private key for purposes other than SSL.
| Could the SSL private key be safely used as a "master key" for encrypting
| and signing other things on the web server?

No.

| Kelsey, Schneier, and Wagner did a paper:
| Protocol Interactions and the Chosen Protocol Attack
| 
| J. Kelsey, B. Schneier, and D. Wagner
| 
| Security Protocols, 5th International Workshop April 1997 Proceedings,
| Springer-Verlag, 1998, pp. 91-104.
| 
| ABSTRACT: There are many cases in the literature in which reuse of the
| same key material for different functions can open up security
| holes. In this paper, we discuss such interactions between protocols,
| and present a new attack, called the chosen protocol attack, in which
| an attacker may write a new protocol using the same key material as a
| target protocol, which is individually very strong, but which
| interacts with the target protocol in a security-relevant way. We
| finish with a brief discussion of design principles to resist this
| class of attack.
| 
| http://www.schneier.com/paper-chosen-protocol.html

(Ok, to be more accurate, it depends on what the other things are.
But keys are cheap.  Why spend the time analyzing the problem when you
can just generate another one?  Certs are cheap too, if you go to
someone other than Verisign.  Even Verisign certs are cheaper than a
cryptographer by a long margin.)

And incidentally, is there a reason to use a self-designed
authentication scheme over hmac?  With all the recent hash-function
attacks, I'd want to use hmac over a raw hash of some text.

Adam


| To: <webappsec () securityfocus com>
| Sent: Friday, August 27, 2004 12:42 AM
| Subject: Using SSL private key for cookie's HMAC
| 
| 
| > I'm pondering a design question regarding a web application that is to
| > operate over SSL. We want to include an HMAC in our cookies to prevent
| > tampering. To produce an HMAC, the server must be configured with a
| > private key.
| >
| > Since the website operates with SSL, the server already *has* a private
| > key available: the private key of its SSL certificate. Is there any harm
| > in using this same private key for producing the HMACs as well?
| >
| > Thanks,
| > Simon
| 
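
The advice in the reply above (generate a separate key rather than reusing the SSL private key, and use HMAC rather than a raw hash), as an added example that is not part of the original thread. The function names, the `value.expiry.tag` cookie layout and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Dedicated cookie-MAC key: 32 random bytes used for this one purpose and
# unrelated to the TLS private key. Assumption: a real deployment generates
# it once and loads it from protected configuration instead of per process.
COOKIE_MAC_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def sign_cookie(value: str, key: bytes, ttl: int = 3600,
                now: Optional[float] = None) -> str:
    """Return 'value.expiry.tag' where tag = HMAC-SHA256(key, 'value.expiry')."""
    expiry = int((time.time() if now is None else now) + ttl)
    payload = f"{_b64(value.encode())}.{expiry}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the original value, or None if forged, altered, malformed or expired."""
    try:
        payload, tag_b64 = cookie.rsplit(".", 1)
        value_b64, expiry = payload.split(".")
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Check the MAC first, in constant time, before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return None
        if int(expiry) < (time.time() if now is None else now):
            return None
        return base64.urlsafe_b64decode(value_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

Because the expiry is covered by the MAC, a client cannot extend a cookie's lifetime without invalidating the tag.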

