[Cryptography] Two distinct DSA keys sign a file with the same signature. Is this repudiation issue?
Viktor Dukhovni
cryptography at dukhovni.org
Wed Sep 28 02:41:35 EDT 2016
> On Sep 27, 2016, at 5:20 AM, Georgi Guninski <guninski at guninski.com> wrote:
>
> Two distinct DSA keys sign a file with the same signature. Is this repudiation issue?
>
> I have two distinct DSA keys k_1 and k_2, p_i are distinct 1024 bit
> primes and q_i are 160 bit primes (easily can be made larger).
> The other parameters of the keys are distinct, counting congruences.
>
> On openssl 1.0.1t they produce exactly the same signature on a file:
>
> $ openssl dgst -sha1 -verify key1.pub -signature file.txt.sig file.txt ; openssl dgst -sha1 -verify key2.pub -signature file.txt.sig file.txt
> Verified OK
> Verified OK
>
> In addition I created with them two valid self signed x509 certificates.
>
> The key owners can claim the other one made the signature,
> which appears crypto repudiation issue.
>
> How to try the signatures in other scenarios?
>
> Is this known?
>
> Is this theoretical weakness in openessl 1.0.1t?
>
> Is this a bug at all?
That depends... Does this only happen with 1.0.1t or with any other releases?
Do the 1.0.1t signatures appear valid with 0.9.8? 1.0.0? 1.0.2? ...
How easily are you able to create more inputs for which both keys yield the
same signature? Are you at liberty to post the PEM files for the two public
keys, the input file and the signature file?
If key "A" is able to produce signatures that validate as signed by "B"
that's a potential problem, though somewhat less so if "2nd pre-image"
keys are not feasible, and all one can do is generate a pair of keys
that can generate colliding signatures. If only the latter, then it
may still be difficult to forge someone else's signature...
--
Viktor.
More information about the cryptography
mailing list