[Cryptography] [messaging] "Keybase Attack" on RSA signatures

Tony Arcieri bascule at gmail.com
Wed Sep 10 00:15:17 EDT 2014

On Tue, Sep 9, 2014 at 8:43 PM, Dennis E. Hamilton <dennis.hamilton at acm.org>

> Now, if you could forge a message such that it verifies with an existing
> affixed signature, and the message is even intelligible, that would be a
> remarkable action against public-key technology.

The strength of the signature comes from the key. In the case of Keybase,
we don't know we have the right key, and are trying to use the signature to
determine that.

As I've discovered from this thread, the dual-share key-share attack is
able to produce a keypair such that an existing digital signature will
verify under it. If we can confuse the victim into verifying a signature
under an attacker-controlled key, the signature will appear valid even
though it was produced under a different key.

This is necessary but not sufficient for an attack against Keybase however,
since the message being signed contains the key fingerprint, which I wasn't
aware of at the time I started this thread.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140909/5e774af9/attachment.html>

More information about the cryptography mailing list