Score:1

Is it safe to sign message with a TLS private key?

br flag

I want to sign all of the HTML and JavaScript from my site with the site's TLS private key.

(The hex signature will be preceded with a <!-- comment which is valid for both HTML and JavaScript, and attached to the end of the text files.)

This is so that end users can prove that malicious JavaScript came from us, and so gain confidence that we would never do so.

Are there any security problems when using this the same private key for both TLS encryption and application-level signing?

real-or-random avatar
th flag
What kind of private key is it? Is it an ECDSA key? I hope so. ;) Or is it an RSA key?
DannyNiu avatar
vu flag
I think your usecase can be covered with [subresource integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) don't you think?
Zac67 avatar
vu flag
If the server is compromised so that malicious code can be injected, the server's private key for SSL is likely compromised as well.
Maarten Bodewes avatar
in flag
I'm wondering how the signature is going to be checked. How to handle the key management is the trick, and it is also where possible issues lie - especially you haven't indicated how the corresponding public key is going to be trusted. If the key management is handled properly then it *could possibly* add a bit of security. If the key is compromised then both the signature for TLS authentication and HTML signing will become compromised, but that's OK if they are used for about the same purpose.
Score:2
by flag

You could sign the files using the server TLS private key for sure. Then on the client side, you could retrieve the TLS certificate used for the HTTPS link using some code e.g. with OpenSSL as I wrote here, and verify the signature.

But is it worth it? In security, reinventing the wheel is not very safe. The algorithm you would come with is likely to be broken.

Ensuring data is not tampered between the server and the client is already what TLS does - in an audited way. If some attacker is able to tamper your files on the server, it is also possible that he/she would be able to add its own certificate. So your whole signature process would become pointless.

I would stick to rely on TLS, and use a separate certificate if you really need to validate a file content. I would use the TLS private key only for TLS/HTTPS, not anything else.

Score:1
cn flag
Vic

The term tls private key is ambiguous. The PRF generates from the negotiated premaster secret a whole bunch of different keys depending on the selected cipher suite. May be you mean the private key from the certificate used for the server authentication. In this case you must analyse whether the attacker can influence the content you respond and sign. In some scenarios this can empower him to generate the correct signature of the manipulated message without the knowledge of the private key.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.