LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

Why should you never use the same key pair for both encryption and signing?

Mixing the two roles lets an attacker abuse one operation to undermine the other — so best practice is separate key pairs for separate purposes.

Even though RSA can do both, reusing one key pair is dangerous because:

  • The two uses have different lifecycles and policies (e.g. you may want to escrow/backup an encryption key for data recovery, but a signing key must never be copied or its non-repudiation is destroyed).
  • Certain protocol interactions let an attacker present a chosen value to be "decrypted" or "signed" and use the result to attack the other function (chosen-ciphertext / chosen-message style abuse).

Tip: One key, one job. This is also why X.509 certificates carry a keyUsage field — it explicitly states whether a key is for digitalSignature, keyEncipherment, etc.

From Quiz: ISF / Intercepting & Proxy Tools | Updated: May 31, 2026