Two distinct DSA keys sign a file with the same signature. Is this a repudiation issue?

John Newman jnn at synfin.org
Tue Sep 27 10:39:00 PDT 2016


On Tue, Sep 27, 2016 at 12:21:52PM +0300, Georgi Guninski wrote:
> Two distinct DSA keys sign a file with the same signature. Is this a repudiation issue?
> 
> I have two distinct DSA keys k_1 and k_2; the p_i are distinct 1024-bit
> primes and the q_i are 160-bit primes (they can easily be made larger).
> The other parameters of the keys are distinct, counting congruences.
> 
> On openssl 1.0.1t they produce exactly the same signature on a file:
> 
> $ openssl dgst -sha1 -verify key1.pub -signature file.txt.sig file.txt ; openssl dgst -sha1 -verify key2.pub -signature file.txt.sig file.txt
> Verified OK
> Verified OK
> 
> In addition I created with them two valid self signed x509 certificates.
> 
> The key owners can claim the other one made the signature,
> which appears to be a crypto repudiation issue.
> 
> How to try the signatures in other scenarios?
> 
> Is this known?
> 
> Is this a theoretical weakness in openssl 1.0.1t?
> 
> Is this a bug at all?

I tried this using two randomly generated DSA key pairs and couldn't
reproduce your results.  I got exactly what I would've expected -

$ openssl dgst -sha1 -verify keyrandom.pub -signature test.sig test
Verified OK
$ openssl dgst -sha1 -verify keyrandom2.pub -signature test.sig test
Verification Failure

You sure your original DSA keys are unique??

This was openssl 1.0.2 on FreeBSD 10.


John
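The experiment John describes (sign with one freshly generated DSA key, then verify the same signature file under an independently generated second key) can be reproduced without openssl using a small, self-contained DSA implementation. The code below is an added example written for this archive page; it is not code posted by either participant and it does not use OpenSSL. It assumes toy-sized domain parameters (32-bit q, 64-bit p, chosen here so the example runs in well under a second) instead of the 160-bit q and 1024-bit p in the original question, reduces the SHA-1 digest mod q rather than truncating it to the bit length of q, and uses fixed seeds so the run is deterministic. It also performs the check John asks about: confirming that the two public keys (and their domain parameters) really are distinct before comparing verification results.

```python
import hashlib
import random

# Bases that make Miller-Rabin deterministic for every n below 3.3e24,
# far beyond the 64-bit toy primes generated here.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the small moduli used in this example."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(rng: random.Random, qbits: int = 32, pbits: int = 64):
    """Toy DSA domain parameters (p, q, g): q prime, q | p-1, g of order q.
    Sizes are assumptions for the example, not real-world DSA sizes."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_prime(q):
            continue
        for _ in range(20000):  # look for p = k*q + 1 of the requested size
            k = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
            p = k * q + 1
            if is_prime(p):
                break
        else:
            continue
        for h in range(2, p - 1):
            g = pow(h, (p - 1) // q, p)
            if g != 1:
                return p, q, g


def keygen(params, rng: random.Random):
    """Private key x in [1, q-1]; public key carries the parameters and y = g^x mod p."""
    p, q, g = params
    x = rng.randrange(1, q)
    return x, (p, q, g, pow(g, x, p))


def hash_to_int(msg: bytes, q: int) -> int:
    # Real DSA truncates the digest to the bit length of q; reducing mod q
    # is an adequate stand-in for the toy-sized q used here (assumption).
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def sign(params, x: int, msg: bytes, rng: random.Random):
    p, q, g = params
    h = hash_to_int(msg, q)
    while True:
        k = rng.randrange(1, q)          # per-signature nonce
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = pow(k, -1, q) * (h + x * r) % q
        if s == 0:
            continue
        return r, s


def verify(pub, msg: bytes, sig) -> bool:
    p, q, g, y = pub
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False                     # range check before any arithmetic
    h = hash_to_int(msg, q)
    w = pow(s, -1, q)
    u1, u2 = h * w % q, r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def cross_verify(msg: bytes, seed1: int = 1, seed2: int = 2) -> dict:
    """Sign with key 1, then check the same signature under key 1 and key 2.
    The seeds stand in for two independent random key generations."""
    rng1, rng2 = random.Random(seed1), random.Random(seed2)
    params1 = gen_params(rng1)
    x1, pub1 = keygen(params1, rng1)
    params2 = gen_params(rng2)
    _x2, pub2 = keygen(params2, rng2)
    sig = sign(params1, x1, msg, rng1)
    return {
        "params_distinct": params1 != params2,  # the check the reply asks for
        "keys_distinct": pub1 != pub2,
        "verify_key1": verify(pub1, msg, sig),
        "verify_key2": verify(pub2, msg, sig),
    }


if __name__ == "__main__":
    # Constructed sample message standing in for file.txt / test.
    for name, ok in cross_verify(b"constructed test file contents\n").items():
        print(f"{name}: {ok}")
```

With independently generated keys the result matches the reply: the signature verifies under the key that made it and fails under the other. A signature that verifies under two public keys whose parameters were generated independently would be a 1-in-q event, so the first thing to rule out when that is observed is that the two key files are not in fact distinct, which is what the `params_distinct` and `keys_distinct` fields report.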