Problems with private keyring?

Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
Fri Mar 23 19:33:08 CET 2001

Taral <taral at> writes:

> > The verification already takes place in Z/nZ, so we can have the best
> > of both worlds.
> Yes, but the problem is that if signature generation takes place in Z/pZ
> x Z/qZ and an error occurs during the process, it is possible to
> accidentally expose the private key material. Doing (m^e mod n) directly
> with modular exponentiation is more secure in this respect.

Well, verify the signature unconditionally (using the standard method,
i.e. in Z/nZ) after it has been computed.  If the the signature
doesn't verify, signal an error and abort the signature process.

(This is implemented in recent versions of PGP 2.6.3(i)n and the
RUS-CERT patch for GnuPG.)

Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart 
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

More information about the Gnupg-devel mailing list