Two distinct DSA keys sign a file with the same signature. Is this a repudiation issue?

Alfonso De Gregorio alfonso.degregorio at gmail.com
Wed Sep 28 03:40:57 PDT 2016


On Tue, Sep 27, 2016 at 5:21 AM, Georgi Guninski <guninski at guninski.com> wrote:
> Two distinct DSA keys sign a file with the same signature. Is this a repudiation issue?
>
> I have two distinct DSA keys k_1 and k_2, p_i are distinct 1024 bit
> primes and q_i are 160 bit primes (easily can be made larger).
> The other parameters of the keys are distinct, counting congruences.
>
> On openssl 1.0.1t they produce exactly the same signature on a file:

If you are able to generate colliding signatures for a target (chosen) key,
this may amount to an impersonation attack, depending on the exact
origin authentication checks -- which may be considered even worse
than a repudiation issue.

If what you can do is to generate two new key pairs, where the
signatures made by the first can be verified as signed by the second (or
vice versa), then this provides plausible deniability, and the
possibility to repudiate any valid signature made by any of the
affected signing keys.

Alfonso
