[Cryptography] Posting the keys/certs for: Two distinct DSA keys sign a file with the same signature. Is this repudiation issue?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Sep 30 02:06:41 EDT 2016
Kristian Gjøsteen <kristian.gjosteen at math.ntnu.no> writes:
>These keys aren’t weak, they are invalid. The parameters used are not
>according to the standard.
>
>Verifying the parameters is somewhat expensive (should be about the same cost
>as generating a signature, and half the cost of verifying a signature). It is
>not immediately obvious that it makes sense to verify these parameters all the
>time in a TLS context.

Given that the keys Ron posted were as follows:

P: 00:90:df:c4:88:8f:91:41:57:b9:b0:9d:9f:8d:53:
ce:3b:ac:8e:f9:59:7a:47:08:c7:3d:6f:ab:45:e2:
0b:3e:6f:da:a8:d0:08:7a:9f:f0:bb:19:9b:c8:60:
d1:af:91:81:03:bf:2c:f2:dd:0e:09:fc:db:4a:1d:
ab:a6:99:17:f5:a2:f4:0c:b1:2c:5e:f4:9d:21:2d:
9c:0b:4f:b6:f0:b0:0c:a0:87:36:b3:f0:ff:cc:a1:
d8:a3:32:8b:cb:b6:e0:3a:a5:a0:8f:ad:43:9f:fc:
f6:de:28:18:da:af:86:80:c2:6e:63:95:0a:4e:0f:
9b:00:09:1a:b6:74:34:ce:a9
Q: 00:d7:14:b8:0b:1d:52:ff:da:64:7b:ba:c7:20:00:
98:f9:fc:4c:b2:4b
G: 1 (0x1)

I think a check for validity is pretty trivial. Or at least detecting an
obviously-invalid key like this is pretty trivial.

Before everyone bashes OpenSSL, remember that until a year or two back Mozilla
would happily accept RSA keys with e = 1, and AFAIK Windows still does, it's a
by-design, documented means of bypassing FIPS 140.

Peter.