Problems with private keyring?

Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
Fri Mar 23 19:33:08 2001


Taral <taral@taral.net> writes:


> > The verification already takes place in Z/nZ, so we can have the best
> > of both worlds.
>
> Yes, but the problem is that if signature generation takes place in Z/pZ
> x Z/qZ and an error occurs during the process, it is possible to
> accidentally expose the private key material. Doing (m^e mod n) directly
> with modular exponentiation is more secure in this respect.

Well, verify the signature unconditionally (using the standard method,
i.e. in Z/nZ) after it has been computed. If the signature doesn't
verify, signal an error and abort the signature process. (This is
implemented in recent versions of PGP 2.6.3(i)n and the RUS-CERT patch
for GnuPG.)

-- 
Florian Weimer                    Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
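
The check described in the message above, as an added example that is not part of the original post and is not the PGP or GnuPG patch code: the signature is computed in Z/pZ x Z/qZ, then verified in Z/nZ before it is released. The toy primes, the function names and the `fault` switch that simulates a computation error are assumptions made for illustration.

```python
# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


class SignatureFault(Exception):
    """A freshly computed signature failed its own verification."""


def crt_sign_unchecked(m, fault=False):
    """Sign in Z/pZ x Z/qZ. m is the already padded message representative.

    fault=True simulates (hypothetically) an error in the mod-p half.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp = (sp + 1) % P  # constructed error: only one half is wrong
    # Garner recombination of the two halves into a value mod n
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def verify(m, s):
    """Standard verification in Z/nZ, using the public exponent only."""
    return pow(s, E, N) == m % N


def crt_sign(m, fault=False):
    """CRT signing with the unconditional post-check from the message."""
    s = crt_sign_unchecked(m, fault)
    if not verify(m, s):
        # Abort: a faulty CRT signature must never leave the signer.
        raise SignatureFault("signature failed self-check; not released")
    return s


if __name__ == "__main__":
    msg = 0x1234567890ABCDEF  # constructed sample value
    print("good signature verifies:", verify(msg, crt_sign(msg)))
    try:
        crt_sign(msg, fault=True)
    except SignatureFault as exc:
        print("faulty run aborted:", exc)
```

The added verification costs one public-key exponentiation, which is cheap next to the private-key operation when e is small.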