On Tue, Sep 27, 2016 at 5:21 AM, Georgi Guninski <guninski@guninski.com> wrote:
Two distinct DSA keys sign a file with the same signature. Is this a repudiation issue?
I have two distinct DSA keys k_1 and k_2, p_i are distinct 1024 bit primes and q_i are 160 bit primes (easily can be made larger). The other parameters of the keys are distinct, counting congruences.
On openssl 1.0.1t they produce exactly the same signature on a file:

If you are able to generate colliding signatures for a target (chosen) key, this may amount to an impersonation attack, depending on the exact origin authentication checks -- which may be considered even worse than a repudiation issue. If what you can do is to generate two new key pairs, where the signatures made by the first can be verified as signed by the second (or vice versa), then this provides plausible deniability, and the possibility to repudiate any valid signature made by any of the affected signing keys.

Alfonso