WebApp Sec mailing list archives

Re: Using SSL private key for cookie's HMAC


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Tue, 31 Aug 2004 09:37:48 -0400

Simon,

I'm curious too. Assuming you use the private key properly, are there any
risks associated with using the private key for purposes other than SSL?
Could the SSL private key be safely used as a "master key" for encrypting
and signing other things on the web server?

I suspect the reasons to use a separate key are for better key management.
You'll want to change keys periodically and it might just be easier if you
don't have to change the site's SSL cert as well.  So I think it's an
interesting idea, but it's probably just as easy to have a separate key for
purposes other than SSL.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message ----- 
From: "Simon Zuckerbraun" <szucker () sst-pr-1 com>
To: <webappsec () securityfocus com>
Sent: Friday, August 27, 2004 12:42 AM
Subject: Using SSL private key for cookie's HMAC


I'm pondering a design question regarding a web application that is to
operate over SSL. We want to include an HMAC in our cookies to prevent
tampering. To produce an HMAC, the server must be configured with a
private key.

Since the website operates with SSL, the server already *has* a private
key available: the private key of its SSL certificate. Is there any harm
in using this same private key for producing the HMACs as well?

Thanks,
Simon
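
An added example, not code from either poster, of the separate-key approach Jeff describes: a dedicated HMAC key ring with key ids, so the cookie-signing key can be rotated on its own schedule while the TLS private key is never touched. The key values, cookie layout and function names are constructed for illustration.

```python
import hmac
import hashlib
from base64 import urlsafe_b64encode, urlsafe_b64decode
from typing import Optional

# Dedicated cookie-signing keys, kept entirely separate from the TLS private key.
# Key ids let the server retire a key without reissuing the SSL certificate.
# Constructed sample keys; a real deployment loads these from its key store.
KEYS = {
    "k1": bytes.fromhex("11" * 32),  # older key: still accepted for verification
    "k2": bytes.fromhex("22" * 32),  # current key: used to sign new cookies
}
CURRENT_KEY_ID = "k2"


def _mac(key: bytes, key_id: str, payload: bytes) -> bytes:
    # The key id is bound into the MAC input, so a tag made under one id
    # cannot be replayed under another.
    return hmac.new(key, key_id.encode() + b"." + payload, hashlib.sha256).digest()


def sign_cookie(payload: bytes, key_id: str = CURRENT_KEY_ID) -> str:
    """Return 'keyid.base64(payload).base64(tag)' for the Set-Cookie value."""
    tag = _mac(KEYS[key_id], key_id, payload)
    return ".".join([key_id,
                     urlsafe_b64encode(payload).decode(),
                     urlsafe_b64encode(tag).decode()])


def verify_cookie(cookie: str) -> Optional[bytes]:
    """Return the payload if the tag verifies under a known key, else None."""
    try:
        key_id, b64_payload, b64_tag = cookie.split(".")
        payload = urlsafe_b64decode(b64_payload)
        tag = urlsafe_b64decode(b64_tag)
    except ValueError:  # malformed cookie or bad base64 (binascii.Error)
        return None
    key = KEYS.get(key_id)
    if key is None:  # unknown or already retired key id
        return None
    expected = _mac(key, key_id, payload)
    # Constant-time comparison avoids leaking tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return payload
```

Rotation is then a matter of adding a new entry to KEYS, pointing CURRENT_KEY_ID at it, and dropping the old id once its cookies have expired.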

