0

Say that I have generated an RSA keypair, which I intend to publish only for use with RSA-KEM; I can see that this is provisioned for:

The intended application for the key MAY be indicated in the key usage certificate extension (see RFC 5280, Section 4.2.1.3). If the keyUsage extension is present in a certificate that conveys an RSA public key with the id-rsa-kem object identifier as discussed above, then the key usage extension MUST contain the following value:

keyEncipherment

dataEncipherment SHOULD NOT be present. That is, a key intended to be employed only with the RSA-KEM Key Transport Algorithm SHOULD NOT also be employed for data encryption or for authentication such as in signatures.

and that this provision exists for a good reason (emphasis added):

Generally, good cryptographic practice employs a given RSA key pair in only one scheme. This practice avoids the risk that vulnerability in one scheme may compromise the security of the other, and may be essential to maintain provable security. While RSA public keys have often been employed for multiple purposes such as key transport and digital signature without any known bad interactions, for increased security assurance, such combined use of an RSA key pair is NOT RECOMMENDED in the future (unless the different schemes are specifically designed to be used together).

Accordingly, an RSA key pair used for the RSA-KEM Key Transport Algorithm SHOULD NOT also be used for digital signatures. (Indeed, the Accredited Standards Committee X9 (ASC X9) requires such a separation between key establishment key pairs and digital signature key pairs.) Continuing this principle of key separation, a key pair used for the RSA-KEM Key Transport Algorithm SHOULD NOT be used with other key establishment schemes, or for data encryption, or with more than one set of underlying algorithm components.

My question, then, is: is there a "proper" way to self-sign one of these certificates?

Would it be usual or appropriate to certify the KEM keypair using your signature keypair, which can safely terminate the trust chain by signing itself?

Or are X.509, CMS, PKCS#12, and RSA-KEM just so obscure outside of enterprise (non-self-signed) PKI contexts that the best-practice here has never been established?

Improve this question
3
  • The question is doubly pressing in the case of post-quantum "KEM-first" algorithms like Classic McEliece, which don't even have "obvious" signature schemes available. (For example, cross-using a KEM keypair for a "3rd-party" signature scheme might be more obviously disturbing than "mere" RSA re-use.) Commented Dec 5, 2023 at 20:12
  • Related: even with "regular" (non-KEM) RSA encryption, this problem still exists, and is "worked around" by simply hacking away at the keyUsage to make it work superuser.com/q/1451895/165335 Commented Dec 5, 2023 at 20:38
  • If you're trusting the key as-is (i.e. verifying its SPKI SHA256 against another channel), it might be semantically correct to use a 0-octet null-with-null signature, i.e. unsigned... though I don't think any tooling supports this at the moment. Commented Jan 11, 2024 at 19:40

1 Answer 1

Reset to default
0

It looks like maybe this is an open question / the answer is "no, there is no best practice, for now; you simply can't sign with a key that doesn't support signing."

See IETF Internet-Draft draft-ietf-lamps-rfc4210bis-07, §5.2.8, which was updated in June of 2023:

On the other hand, if the certification request is for a key pair that does not support signing (i.e., a request for an encryption or KEM certificate), then the proof-of-possession of the private decryption key may be demonstrated in one of three ways

The methods it goes on to describe are all inherently non-self-signed:

  1. The CA signs the certificate, only after actually inspecting the encryptee's private key to convince itself the key is actually possessed by the requestor.

  2. The CA signs the certificate, but doesn't send it back in the clear; instead, it first encrypts it with the encryptee's public key; this physically ensures that the requestor can only obtain the certificate if he actually possesses the private key.

  3. The CA signs the certificate, only after engaging in a more complex (interactive) challenge-response protocol to convince itself the private key is actually possessed by the requestor.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.