Separate RSA subkeys for decryption and signing or one for both?
Hubert Kario
hka at qbs.com.pl
Tue Dec 4 14:48:53 CET 2012
On Tuesday 04 of December 2012 14:14:34 Hauke Laging wrote:
> On Tue 04.12.2012, 13:19:11, Hubert Kario wrote:
> > Keys can become "used up" so it entirely depends on how often you use it.
> >
> > What I mean by that, is that any signing operation leaks some information
> > about the key used for signing (generally far less than few tens of a
> > bit).
> > If you have signed tens of thousands of documents with it, an attacker can
> > recover a substantial portion of the key and speed up the key recovery.
>
> I remembered having read something like that. But does this refer to signing
> only? Are decryption keys not affected by that? The advantage of separate
> subkeys would be then that the non-used up key could keep active longer.
> That may be an argument against signing emails by default ;-) or at least
> for longer signature keys.

Leaking is caused by signing, if you're using the same key for signing and
encryption, then you can use the signatures to speed up the attack on
encryption.

If you're encrypting with one key and signing with another then the encryption
key doesn't need to be changed, as the encryption is done with the public part
anyway -- you don't leak any information that's not already available to the
attacker.

Signature keys should be changed regularly, every few hundred thousand
signatures or so.

In typical business deployments you don't have users that send over three
hundred signed e-mails a day, every day (including holidays), and the
certificates are valid only for a year. So you don't go over the "few hundred
thousand signatures" limit. It is something you should keep in mind when
you're using GPG and send a lot of e-mails, though -- it is easy to use the same
key for many years...

Regards,
--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl