[Cryptography] Posting the keys/certs for: Two distinct DSA keys sign a file with the same signature. Is this repudiation issue?

Ron Garret ron at flownet.com
Thu Sep 29 12:18:08 EDT 2016


On Sep 29, 2016, at 12:56 AM, Georgi Guninski <guninski at guninski.com> wrote:

> On Wed, Sep 28, 2016 at 10:44:30PM -0700, Ron Garret wrote:
>> 
>> On Sep 28, 2016, at 9:32 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> 
>>> Ron Garret <ron at flownet.com> writes:
>>> 
>>>> In this case the fix is trivial: add a line of code that rejects any key 
>>>> whose multiplicative order is too small.
>>> 
>>> Isn't this a bit like saying that the fix for Linux kernel bugs is also
>>> trivial: Wherever there's a kernel bug, add a line of code that fixes it.
>>> 
>>> (Evaluating multiplicative orders, from a quick look at Bach & Shallit's
>>> "Algorithmic Number Theory", isn't exactly a one-liner).
>> 
> 
> Exactly, especially when there are other subtleties in the openssl
> mess…

Like what?  (Let me be clear what I mean here: I don’t dispute that openssl is a mess.  What I’m asking is: what “other subtleties" are relevant to these weak DSA keys?)

>> Not everything requires bringing out the big number theoretic guns.  Here is one of the keys in question:
>> 
>> Private-Key: (1024 bit)
>> pub:  1 (0x1)
>> G:    1 (0x1)
> 
> So what contradicts this?

I don’t understand this question.

> It works fine on latest openssl :)

Sure, this is a bug in openssl.  But there are two possible bugs here:

Possible bug #1 is that openssl does not detect weak DSA keys.  This is clearly the case.  But I would say that this is not a particularly serious problem, and it’s not particularly hard to fix (assuming anyone actually cares).

Possible bug #2 is that openssl actually *generates* weak DSA keys.  That would be a much more serious problem.  But AFAICT there is no evidence for this.  The provenance of these keys is not known.  The most likely explanation for the existence of these keys is that someone designed them.  The fact that it is possible to create weak DSA keys is not news.

> Would you comment on key4 and key5?

The problem with those keys is not quite as obvious as it was in the first case, but it’s still pretty obvious.  It makes a nice little puzzle to figure it out.

rg



More information about the cryptography mailing list