I am creating software tokens for future request authentication, and I want to use an HMAC for the token to make them tamper-resistant. To ensure I can check the HMAC later I need a secret, persistent key. Is there a security concern in using a private RSA key as the HMAC key? If not, what would the best values be from the key? This link says:

The security of RSA derives from the fact that, given the public key { e, n }, it is computationally infeasible to calculate d, either directly or by factoring n into p and q. Therefore, any part of the key related to d, p, or q must be kept secret.

I would expect it to be the private exponent (D) then, but I am not sure if some other combination of values would offer strong security (like P,Q, and D concatenated).


Edit: clarification

The reason I am asking about the RSA private key is the HMAC key needs to be stored so that the HMAC can be validated by the server on future requests. An RSA private key is an easy to manage, persistent value. I am not using the public key, or performing any aspect of public key crypto. I need a way to securely manage the HMAC key, and I am wondering if there are any good reasons not to use an RSA Private Key for this purpose.

Kyeotic
  • Would the RSA "public" key also be kept secret? – Apr 02 '14 at 23:00
  • Effectively. The Certificate will be on the server, but it will not be used for anything else. – Kyeotic Apr 02 '14 at 23:03
  • The Certificate is not important for my question. Whether or not the public key will be used for anything else is also not important for my question. Would the RSA "public" key be known to anyone else? – Apr 02 '14 at 23:09
  • I realize I'm not answering your question, but I am not sure what I am missing. Is there some other way to know the public key than to look at the certificate? I believe the answer to your question is no, nobody else knows the public key. – Kyeotic Apr 02 '14 at 23:11
  • Why not simply use a symmetric key? Also, the RSA public exponent isn't directly suitable use for an HMAC key, since an HMAC key needs to be something like 256 bits (e.g., for SHA-256) whereas $d$ will be around 4,096 bits. – Stephen Touset Apr 02 '14 at 23:12
  • @Stephen : I'm guessing that Tyrsius already has the key-pair for some reason. Otherwise, the proposal is silly in addition to possibly being insecure. – Apr 02 '14 at 23:15
  • @StephenTouset See my edit – Kyeotic Apr 02 '14 at 23:16
  • The other way to know the public key is it being sent on its own, such as when the channel is authenticated in some other manner. – Apr 02 '14 at 23:19
  • @RickyDemer Are you talking about using it for Https/SSL? – Kyeotic Apr 02 '14 at 23:22
  • No, although Https/SSL using a different key-pair would be an example of a channel that is authenticated in some other manner. – Apr 02 '14 at 23:24
  • Ok. I'm not sure what channel authentication you are talking about, but the public key will not be used for anything, at all. The only way I know of to access the public key would be to view the certificate on the machine as a user with the rights to do so. The only people with such access will be IT. – Kyeotic Apr 02 '14 at 23:25
  • One possible reason, that would of course be decisive, is if whatever you're coding in won't let you use an RSA private key as an HMAC key. Have you checked that? – Apr 02 '14 at 23:31
  • Yes. It works just fine. – Kyeotic Apr 02 '14 at 23:31

2 Answers

The reason I am asking about the RSA private key is the HMAC key needs to be stored so that the HMAC can be validated by the server on future requests. An RSA private key is an easy to manage, persistent value.

You seem to be under the misguided and mistaken belief that an RSA key is somehow easier to manage and persist than a symmetric key.

I am wondering if there are any good reasons not to use an RSA Private Key for this purpose.

RSA private keys were not designed or intended for this purpose, and there seems to be no legitimate reason why you would actually want to do it. Use primitives for the purposes they were designed. Don't try to be clever. And don't invent your own crypto.

Stephen Touset
  • I am definitely under the belief that RSA keys are easier to manage. What methods would you recommend for securing a symmetric key that make it easier? – Kyeotic Apr 02 '14 at 23:29
  • Let me flip the question around. By what mechanism do you intend to "secure" your RSA key, and why does that mechanism not apply to a symmetric key? Keep in mind that the former is a 256-byte or 512-byte string, and the latter is a 16-byte or 32-byte string. – Stephen Touset Apr 02 '14 at 23:32
  • The RSA key will be in the server's certificate store, which is secured by the OS's user system. I don't know of a way to put a symmetric key there, so it would have to be in either a file or a database. It would have to be a file not part of the app deployment, which in my opinion makes it harder to manage. Putting in the database doesn't result in any more permission work (since the app account needs to access the cert, too), but it means either the DB schema has to not touch it, or it has to go in its own database. All of those options are more work than the standard certificate store. – Kyeotic Apr 02 '14 at 23:37
  • What operating system? As Rick states in another comment, at the very worst, you could encode a symmetric secret into a PEM/ASN.1/DER file and store it in the certificate store. – Stephen Touset Apr 03 '14 at 06:22
  • Windows. I am not opposed to doing that, though I will have to figure out how. – Kyeotic Apr 03 '14 at 06:34
  • Multiple services will need access to the key – Kyeotic Apr 03 '14 at 18:07

If you truly can't be dissuaded from 'using' an RSA key for HMAC, be sure to derive a strong symmetric key using HKDF with a salt and some associated data.

I have a suggestion for you based on your comment to Stephen's answer. If all you need to do is store the symmetric key in the key/cert store, why not encode some generated symmetric key in the format (PEM/ASN.1/DER/etc.) expected by the cert store and use application-layer code to read it in and use it as an HMAC key? You could even use some junk data/padding if there's a length problem.

EDIT in response to comment: I mean use the RSA private key as the input to a key derivation function like HKDF.

pg1989
  • I don't want to give the impression that I can't be dissuaded, it's just that all the negative responses have lacked a reason that it's a bad idea. "Not for that purpose" isn't a reason not to do it. I'm not sure what the first part of your answer means. Do you mean the HMAC should produce a symmetric key, or that the RSA key should be a HKDF key? – Kyeotic Apr 03 '14 at 01:05
  • A reason not to do it would be something like: the HMAC product of an RSA Key would make it possible to derive the RSA Key, or the HMAC product of [Some other source] is harder to crack. Something that makes some other method better, instead of just more common. – Kyeotic Apr 03 '14 at 01:07
  • RSA private exponents are not uniformly distributed, which means the security arguments for HMAC would not apply to using those as keys. – Apr 03 '14 at 01:23
  • I'm not sure what you mean by that. What security arguments? – Kyeotic Apr 03 '14 at 01:50
  • Slightly what is probably the original one; mainly this more recent one. – Apr 03 '14 at 02:09
  • Forgive me, I can only skim those as the language and symbols are over my head. Please correct me if I am wrong, but you are saying that by using RSA private keys the HMAC product (token signature) is weaker than one made with a uniformly distributed key, such that an attacker could feasibly produce a valid token signature without the RSA key. – Kyeotic Apr 03 '14 at 02:26
  • I'm saying that it's more likely that there's some sort of non-trivial attack against that than against (uniform-key) HMAC. If you nonetheless do that, then you should either use HKDF as described in this answer or take the middle bits, since I would expect the bias to be mainly in the high and low order bits. – Apr 03 '14 at 03:30
  • I know I am pushing here, so thank you for your patience, but what sort of attack? An attack that would reveal the message (since I am not encrypting the message, this would be of no value as it could not be used to generate a signature for a different message), or an attack that would reveal the HMAC key? – Kyeotic Apr 03 '14 at 06:00
  • What sort of attack is somewhat beyond the point. The problem is that the security proof no longer holds. Without a security proof involving non-uniform keys, the best we can say is that the security is undefined. – Stephen Touset Apr 03 '14 at 06:23
  • Forgive me if this seems overly harsh but if you really are only able to 'skim' those papers because they are 'over your head' then you should not be writing cryptography code. Is there any way you can hand this off to somebody in your company who might have more experience with crypto? – pg1989 Apr 03 '14 at 19:46
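
The HKDF derivation suggested in the second answer, shown as an added example that is not part of the original thread or any participant's code: the encoded private key is used only as HKDF-SHA256 input (RFC 5869), and the 32-byte output is the HMAC key for signing and verifying tokens. The key bytes, salt, info label, and token payloads are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: condense non-uniform input keying material into a PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output is limited to 255 hash blocks")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_token_key(private_key_bytes: bytes, salt: bytes, info: bytes) -> bytes:
    """Derive a 32-byte HMAC-SHA256 key; the RSA key material is only HKDF input."""
    return hkdf_expand(hkdf_extract(salt, private_key_bytes), info, HASH_LEN)


def sign_token(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, HASH).digest()


def verify_token(key: bytes, payload: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sign_token(key, payload), tag)


# Constructed stand-ins, NOT a real key. In practice the first value would be
# the encoded private key read from the certificate store.
SAMPLE_PRIVATE_KEY_BYTES = bytes(range(256)) * 4
SAMPLE_SALT = b"constructed-application-salt"  # assumption: fixed, kept with config
SAMPLE_INFO = b"request-token-hmac-v1"         # assumption: purpose/context label

if __name__ == "__main__":
    key = derive_token_key(SAMPLE_PRIVATE_KEY_BYTES, SAMPLE_SALT, SAMPLE_INFO)
    tag = sign_token(key, b"user=42;exp=1700000000")
    print(verify_token(key, b"user=42;exp=1700000000", tag))  # untouched payload
    print(verify_token(key, b"user=43;exp=1700000000", tag))  # tampered payload
```

Changing the `info` label yields an unrelated key from the same input, so several services can each derive their own token key from one stored secret.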