
I have a chat system where multiple clients communicate securely using Libsodium authenticated encryption. Every client has its own 32-byte key pair. If two clients want to communicate they first share their public key out of band and then use e.g. crypto_box_easy for encryption.

I want to create a service that allows a client to vouch for another client's public key using signing.

However, public-key signatures using Libsodium require 64-byte signing keys, and for practical reasons I would like to not introduce a second key pair.

So I was wondering whether it is cryptographically sane to use crypto_box_easy to sign stuff by encrypting to a publicly known key pair. The following pseudocode shows how this would work when Alice wants to vouch for Charlie and Bob reads the message.

On Alice's client:

message = "trust: \"pkCharlie\""
message_hash = secureHash(message)
// box the hash with Alice's secret key to the publicly known key pair
ciphertext = crypto_box_easy(message_hash, nonce, skAlice, pkPublic)

Alice can now store the message, nonce and ciphertext somewhere public, and Bob can later read it and verify its authenticity and integrity.

message = "trust: \"pkCharlie\""
message_hash = secureHash(message)
// open with Alice's public key (the claimed signer) and the publicly known secret key;
// Bob's own key pair is not involved
decrypted_message_hash = crypto_box_open_easy(ciphertext, nonce, pkAlice, skPublic)
if ( message_hash == decrypted_message_hash ) return true;

Is this approach safe or am I missing something critical?

tobalr

  • crypto_box isn't for signing/won't provide equivalent properties to signing and doesn't provide sender authentication, as explained here. You can convert Ed25519 keys to X25519 keys to reuse keys, but this isn't recommended and should be avoided unless you have serious bandwidth/storage restrictions. – samuel-lucas6 Mar 07 '23 at 10:56
  • @samuel-lucas6 That comment works perfectly fine as a short answer for me as well... crypto-box sits somewhere between an algorithm / scheme and a protocol. It's more of a good practice way of encrypting at the application layer. Could be made part of a protocol, but it isn't one. – Maarten Bodewes Mar 07 '23 at 18:55
  • @samuel-lucas6 thank you for explaining how this does not work. I have read through the sources you have mentioned and in my head it boils down to: Don't be lazy. Add that second key pair for signing—it is the least complex path going forward. – tobalr Mar 09 '23 at 07:12
  • @MaartenBodewes Not good practice enough though as it lacks sender authentication and doesn't use a regular KDF. @tobalr Good man. – samuel-lucas6 Mar 09 '23 at 18:31

0 Answers