Problems with private keyring?
Florian Weimer
Florian.Weimer at RUS.Uni-Stuttgart.DE
Fri Mar 23 19:33:08 CET 2001
Taral <taral at taral.net> writes:
> > The verification already takes place in Z/nZ, so we can have the best
> > of both worlds.
>
> Yes, but the problem is that if signature generation takes place in Z/pZ
> x Z/qZ and an error occurs during the process, it is possible to
> accidentally expose the private key material. Doing (m^e mod n) directly
> with modular exponentiation is more secure in this respect.
Well, verify the signature unconditionally (using the standard method,
i.e. in Z/nZ) after it has been computed. If the signature
doesn't verify, signal an error and abort the signature process.
(This is implemented in recent versions of PGP 2.6.3(i)n and the
RUS-CERT patch for GnuPG.)
--
Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
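
The check described in this message, as an added example that is not part of the original post and is not the PGP or GnuPG code: the signature is computed in Z/pZ x Z/qZ, then verified in Z/nZ before it is released. The toy key (two Mersenne primes, no padding) and the `fault` parameter that simulates a computation error are assumptions made for illustration.

```python
# Added example: RSA-CRT signing with an unconditional verify-before-release check.
# Toy key constructed for illustration: far too small for real use, no padding.

class SignatureFault(Exception):
    """Raised when a freshly computed signature fails its self-check."""

P = 2**61 - 1            # constructed toy prime
Q = 2**31 - 1            # constructed toy prime
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)

def crt_sign_raw(m, fault=False):
    """Compute m^d mod n via the two half-size exponentiations.

    `fault` is a hypothetical hook that corrupts the mod-p half,
    standing in for a hardware or software error during signing.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp ^= 1                      # simulated single-bit error
    h = (QINV * (sp - sq)) % P       # Garner recombination
    return sq + h * Q

def verify(m, s):
    """Standard verification in Z/nZ: s^e mod n must equal m."""
    return pow(s, E, N) == m % N

def sign(m, fault=False):
    """Sign, then verify unconditionally; abort instead of releasing a bad value."""
    s = crt_sign_raw(m, fault)
    if not verify(m, s):
        raise SignatureFault("signature failed self-check; not released")
    return s

if __name__ == "__main__":
    msg = 123456789                  # constructed sample message representative
    print("good signature verifies:", verify(msg, sign(msg)))
    try:
        sign(msg, fault=True)
    except SignatureFault as exc:
        print("faulty computation caught:", exc)
```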