Why does GPG/PGP by default use different keys for signing/encryption?
If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.
pub 2048R/XXXXXXXX created: 2013-02-09 expires: 2014-02-09 usage: SC
sec 2048R/XXXXXXXX 2013-02-09 [expires: 2014-02-09]
sub 2048R/ZZZZZZZZ created: 2013-02-09 expires: 2014-02-09 usage: E
ssb 2048R/ZZZZZZZZ 2013-02-09 [expires: 2014-02-09]
(Output combined from gpg --list-keys
and gpg --list-secret-keys
)
It's also recommended to not use your master key for regular signing (of mails/data), but to create another signing-only sub-key and remove/backup your master key to a safe and offline location only to be used for key-signing.
This makes sense as most encryption endpoints are laptops/phones or other always-online, mobile devices which put your private keys at risk of theft or loss. With a securely stored master key, you can always revoke such lost sub-keys and never loose your key signatures.
So while the master-key <-> sub-key separation is clear to me, I don't understand why there is this emphasis on separating signing and encryption keys (even if they are both sub-keys). Can somebody explain why this is necessary or at least what the advantage is from a security or practical perspective?
Technically it's entirely feasible and supported by GnuPG to create a signing AND encrypting sub-key.
pub 2048R/YYYYYYYY created: 2013-08-13 expires: 2014-08-13 usage: SCEA
sub 2048R/VVVVVVVV created: 2013-08-13 expires: 2014-08-13 usage: SEA
In the United Kingdom, the Regulation of Investigatory Powers Act 2000 says
49 (9) A notice under this section shall not require the disclosure of any key which—
(a) is intended to be used for the purpose only of generating electronic signatures; and
(b) has not in fact been used for any other purpose.
…which means that the UK government may, in some circumstances, be able to compel you to hand over your decryption key (if you're a resident) but they're not allowed to impersonate you with your signing key.
I don’t know specifically why GPG/PGP does what it does, but one possible motivation for this sort of thing is disaster recovery. You might want to give a copy of your encryption private key to a very close, trusted friend, so, if your house is hit by a meteorite, you can still read your old messages that are saved in the cloud. (Similarly, you might be required to give your encryption key1 to your boss, so he can read your email after you leave.)
But there’s no reason for anybody else
to have a copy of your signing key pair.
________________
1 “you might be required to give your encryption key” to somebody
— see TEV’s answer.
The simple answer is that the more you use a key the more information you leak about the key.
A signing key is used by you to authenticate that you trust a key, and by inference the owner, but more importantly that your communications come from you. This is called non-repudiation.
For argument sake let's say using a key 10000 times means you leak all the information needed for somebody to reconstruct that key. Using one key >9999 times would mean that somebody else could potentially impersonate you and convey your trusted signature to an evil third party's key or document causing all your trusted network to believe this party is you or the document comes from you.
However if you are also encrypting with that same key the threshold is more quickly reached.
To avoid that potential annoyance a second key is created, which is used only for encryption/decryption, which is only used to encrypt data as you. Once this key has been used 9999 times you can expire this key without losing all the trust you handed out with your valid signing key. You rekey, generate a new encryption key, and sign it with you signing key to show that this is a trusted encryption key which everybody can verify.
EDIT:
On re-reading what I wrote above and the GNU Privacy Handbook, my conclusion is that and sub
is a private keypub
must be a public key. @GnP this answer:
"The keyword pub identifies the public master signing key, and the keyword sub identifies a public subordinate key.
"
If you create a new GPG key, you'll by default get a signing-only master key pair and an encryption-only sub-key pair.
Messages can be:
- unsigned and unencrypted
- signed and unencrypted
- unsigned and encrypted
- signed and encrypted
and there are uses for each of those cases, depending on what you are trying to accomplish with signing and encryption.
If by signing you are establishing identity/endorsement, and by encrypting you are making messages private, being able to encrypt but not sign gives you the ability to send a private message that isn't necessarily associated with your identity or endorsed by you. You would want separate keys in this case.