Why does GPG/PGP by default use different keys for signing/encryption?

If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.

pub  2048R/XXXXXXXX  created: 2013-02-09  expires: 2014-02-09  usage: SC  
sec  2048R/XXXXXXXX           2013-02-09 [expires: 2014-02-09]

sub  2048R/ZZZZZZZZ  created: 2013-02-09  expires: 2014-02-09  usage: E
ssb  2048R/ZZZZZZZZ           2013-02-09 [expires: 2014-02-09]  

(Output combined from gpg --list-keys and gpg --list-secret-keys)

It's also recommended to not use your master key for regular signing (of mails/data), but to create another signing-only sub-key and remove/backup your master key to a safe and offline location only to be used for key-signing.

This makes sense as most encryption endpoints are laptops/phones or other always-online, mobile devices which put your private keys at risk of theft or loss. With a securely stored master key, you can always revoke such lost sub-keys and never lose your key signatures.

So while the master-key <-> sub-key separation is clear to me, I don't understand why there is this emphasis on separating signing and encryption keys (even if they are both sub-keys). Can somebody explain why this is necessary or at least what the advantage is from a security or practical perspective?

Technically it's entirely feasible and supported by GnuPG to create a signing AND encrypting sub-key.

pub  2048R/YYYYYYYY  created: 2013-08-13  expires: 2014-08-13  usage: SCEA
sub  2048R/VVVVVVVV  created: 2013-08-13  expires: 2014-08-13  usage: SEA 

In the United Kingdom, the Regulation of Investigatory Powers Act 2000 says

49 (9) A notice under this section shall not require the disclosure of any key which—

(a) is intended to be used for the purpose only of generating electronic signatures; and

(b) has not in fact been used for any other purpose.

…which means that the UK government may, in some circumstances, be able to compel you to hand over your decryption key (if you're a resident) but they're not allowed to impersonate you with your signing key.


I don’t know specifically why GPG/PGP does what it does, but one possible motivation for this sort of thing is disaster recovery. You might want to give a copy of your encryption private key to a very close, trusted friend, so, if your house is hit by a meteorite, you can still read your old messages that are saved in the cloud. (Similarly, you might be required to give your encryption key[1] to your boss, so he can read your email after you leave.)

But there’s no reason for anybody else to have a copy of your signing key pair.
________________
[1] “you might be required to give your encryption key” to somebody — see TEV’s answer.


The simple answer is that the more you use a key the more information you leak about the key.

A signing key is used by you to authenticate that you trust a key, and by inference the owner, but more importantly that your communications come from you. This is called non-repudiation.

For argument's sake let's say using a key 10000 times means you leak all the information needed for somebody to reconstruct that key. Using one key >9999 times would mean that somebody else could potentially impersonate you and convey your trusted signature to an evil third party's key or document, causing all your trusted network to believe this party is you or the document comes from you.

However if you are also encrypting with that same key the threshold is more quickly reached.

To avoid that potential annoyance a second key is created, which is used only for encryption/decryption of data as you. Once this key has been used 9999 times you can expire this key without losing all the trust you handed out with your valid signing key. You rekey, generate a new encryption key, and sign it with your signing key to show that this is a trusted encryption key which everybody can verify.

EDIT:

On re-reading what I wrote above and the GNU Privacy Handbook, my conclusion is that sub is a private key and pub must be a public key. @GnP this answer:

"The keyword pub identifies the public master signing key, and the keyword sub identifies a public subordinate key."


If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.

Messages can be:

  • unsigned and unencrypted
  • signed and unencrypted
  • unsigned and encrypted
  • signed and encrypted

and there are uses for each of those cases, depending on what you are trying to accomplish with signing and encryption.

If by signing you are establishing identity/endorsement, and by encrypting you are making messages private, being able to encrypt but not sign gives you the ability to send a private message that isn't necessarily associated with your identity or endorsed by you. You would want separate keys in this case.
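The following script is an added example, written for this page; it is not code from the question, from any of the answers, or from the GnuPG project's documentation. It reproduces the default layout the question shows (a certify+sign-only primary, an encryption-only subkey, plus the recommended separate signing subkey) with GnuPG's batch `--quick-*` commands in a throwaway GNUPGHOME, prints each key's usage flags from the colon-separated listing, and then exercises the four message cases from the last answer (unsigned/unencrypted, signed only, encrypted only, signed and encrypted). It assumes GnuPG 2.1 or newer on the PATH; the user ID `Demo User <demo@example.invalid>` is a constructed identity, and ed25519/cv25519 are used instead of the RSA-2048 keys in the question's listing only so that key generation finishes quickly.

```shell
#!/bin/sh
# Added example (not from the question, the answers, or GnuPG itself):
# build the default key layout and run the four message cases, all inside a
# disposable GNUPGHOME so the real keyring is never touched.
# Assumes GnuPG 2.1+; ed25519/cv25519 stand in for the RSA keys in the listing.
set -eu

DEMO_UID="Demo User <demo@example.invalid>"   # constructed identity, not a real person

# gpg wrapper for unattended use: batch mode, loopback pinentry, empty
# passphrase, and "always" trust so batch encryption to our own fresh key
# does not stop on a trust prompt. Fine for a demo keyring, never for a real key.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
         --trust-model always "$@"; }

# Create a primary key that can only certify and sign (the "SC" in the listing).
# --quick-generate-key with usage "sign" adds no subkey, so we add them below.
# Prints the primary key's fingerprint (field 10 of the "fpr" record).
make_primary() {
  g --quick-generate-key "$DEMO_UID" ed25519 sign never
  gpg --batch --with-colons --list-keys "$DEMO_UID" |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Add an encryption-only subkey ("E") and a separate signing-only subkey ("S"),
# the layout the question recommends: afterwards the primary is only needed
# for certifying keys and can be kept offline.
add_subkeys() {
  g --quick-add-key "$1" cv25519 encr never
  g --quick-add-key "$1" ed25519 sign never
}

# Print one "type:flags" line per key. Field 12 of --with-colons output holds
# the capabilities: lowercase letters are the key's own (s=sign, c=certify,
# e=encrypt, a=auth); uppercase letters summarise the whole key block, so we
# drop them and keep only what each individual key can do.
usage_flags() {
  gpg --batch --with-colons --list-keys "$1" |
    awk -F: '$1 == "pub" || $1 == "sub" { f = $12; gsub(/[^a-z]/, "", f); print $1 ":" f }'
}

# The four message cases from the last answer. Encrypting never touches a
# signing key and signing never touches the encryption subkey.
message_cases() {
  fpr=$1; d=$GNUPGHOME
  printf 'hello\n' > "$d/msg"                      # unsigned and unencrypted
  g -e -r "$fpr" -o "$d/msg.enc" "$d/msg"          # unsigned and encrypted
  g --detach-sign -o "$d/msg.sig" "$d/msg"         # signed and unencrypted
  g -s -e -r "$fpr" -o "$d/msg.senc" "$d/msg"      # signed and encrypted
  g -d -o "$d/msg.dec" "$d/msg.enc"                # decrypt the unsigned ciphertext
  g --verify "$d/msg.sig" "$d/msg"                 # verify the detached signature
  g -d -o "$d/msg.sdec" "$d/msg.senc"              # decrypt and verify the signed one
  [ "$(cat "$d/msg.dec")" = hello ] && [ "$(cat "$d/msg.sdec")" = hello ]
}

# Run everything in a fresh keyring. Prints the usage flags of the three keys
# followed by "messages:ok", then removes the keyring and its agent.
run_demo() {
  GNUPGHOME=$(mktemp -d /tmp/gpgdemo.XXXXXX); export GNUPGHOME
  fpr=$(make_primary)
  add_subkeys "$fpr"
  usage_flags "$fpr"
  message_cases "$fpr" && echo "messages:ok"
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo
else
  echo "gpg not found; install GnuPG 2.1 or newer" >&2
fi
```

Running the script prints `pub:sc`, `sub:e`, `sub:s` and `messages:ok`: the primary carries only the sign and certify flags, each subkey carries exactly one capability, and both the encrypt-only and the sign-only paths complete without the other kind of key being involved. Real keys should of course get a passphrase and a longer-lived expiry than this demo's `never`.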