[messaging] "Keybase Attack" on RSA signatures

Tony Arcieri bascule at gmail.com
Tue Sep 9 14:24:31 PDT 2014

Keybase attempts to bind user identities on social media to their PGP keys
by having users publish an RSA signature under an unknown key, which
Keybase refers to as a "proof". The (allegedly) signed message contains a
link to their Keybase identity, but contains no information about their
public key fingerprint.

After clicking on the link in the message we're taken to the Keybase web
site where their alleged public key is listed. We are then asked to verify
this key is authentic by checking if the digital signature in the original
message verifies.

However, is this actually secure? Or more specifically:

Can we produce an RSA keypair such that an existing digital signature will
verify under it if we control both the private and public key?

For the purposes of this problem, let's say it doesn't even need to be a
good / secure RSA key, just one that the "proof" signature verifies under.

I'd also note that, if someone does have a solution to this problem, it
would probably be good to responsibly disclose to Keybase ;)

Tony Arcieri