RSA signature verification in gpg-agent?

NIIBE Yutaka gniibe at
Tue Sep 22 03:45:09 CEST 2015


I'd like to discuss RSA signature verification by gpg-agent.
Especially for signatures generated by a smartcard.

The context is Florian Weimer's paper, Factoring RSA Keys With TLS
Perfect Forward Secrecy.

In libgcrypt, we had the following commit.

commit c17f84bd02d7ee93845e92e20f6ddba814961588
Author: Werner Koch <wk at>
Date:   Mon Aug 31 23:13:27 2015 +0200

    rsa: Add verify after sign to avoid Lenstra's CRT attack.

    * cipher/rsa.c (rsa_sign): Check the CRT.

    Failures in the computation of the CRT (e.g. due to faulty hardware) can
    lead to a leak of the private key.  The standard precaution against
    this is to verify the signature after signing.  GnuPG does this itself
    and even has an option to disable this.  However, the low performance
    impact of this extra precaution suggests that it should always be done
    and Libgcrypt is the right place here.  For decryption this is not done
    because the application will detect the failure due to garbled
    plaintext and in any case no key derived material will be sent to the

    Signed-off-by: Werner Koch <wk at>

In gnupg/g10/sign.c, we have the following code after generating

  /* Check that the signature verification worked and nothing is
   * fooling us e.g. by a bug in the signature create code or by
   * deliberately introduced faults.  Because Libgcrypt 1.7 does this
   * for RSA internally there is no need to do it here again.  */
  if (!err
#if GCRYPT_VERSION_NUMBER >= 0x010700 /* Libgcrypt >= 1.7 */
        && !is_RSA (pksk->pubkey_algo)
#endif /* Libgcrypt >= 1.7 */

I wonder if it should be done in gpg-agent, since signing can be done
for ssh and gpgsm as well.

Besides, I think that it would be good for gpg-agent to check
signatures for smartcards, too.  Well, it only protects against possible
attacks with gpg-agent, though.

Note that Gnuk doesn't verify the signature after generating it, currently.
It should be done by the smartcard implementation itself if we want to
protect correctly, but there are existing implementations, too.

Thus, I think that it might make sense for gpg-agent to verify RSA
signatures generated by smartcard, before returning them to the user.

Any thoughts?
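The verify-after-sign precaution under discussion, as an added illustration that is not code from GnuPG, libgcrypt or Gnuk: a toy RSA-CRT signer with a switch that simulates a faulty CRT half, and a check that needs only the public key (n, e), which is why an agent could apply it to a signature returned by a card. The primes, exponent and message value are constructed for the demo; m stands in for the padded hash that would really be signed.

```python
# Constructed toy parameters (not a real key): two small primes, e = 65537.
P, Q = 1000003, 1000033
E = 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (Python 3.8+ modular inverse)

def crt_sign(m, p, q, d, inject_fault=False):
    """s = m^d mod n computed the CRT way, as cards and libgcrypt do.
    inject_fault corrupts the mod-p half to simulate a hardware glitch;
    this is exactly the failure Lenstra's CRT attack exploits."""
    dp, dq = d % (p - 1), d % (q - 1)
    q_inv = pow(q, -1, p)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if inject_fault:
        sp = (sp + 1) % p          # one wrong half is enough to leak p
    h = (q_inv * (sp - sq)) % p    # Garner recombination
    return sq + h * q

def verify(s, m, n, e):
    """Public-key check: s^e mod n must equal m.  Only (n, e) is needed,
    so gpg-agent could run this on a signature it receives from a card."""
    return pow(s, e, n) == m

def sign_checked(m, p, q, d, e, inject_fault=False):
    """Sign, then verify before releasing the signature.  A mismatch means
    the CRT computation was faulty; the signature must not leave the
    process, because a faulty CRT signature reveals a factor of n."""
    s = crt_sign(m, p, q, d, inject_fault)
    if not verify(s, m, p * q, e):
        raise ValueError("RSA sign: verify-after-sign failed, signature suppressed")
    return s

def fault_is_caught(m):
    """True if a simulated CRT fault is stopped by the post-sign check."""
    try:
        sign_checked(m, P, Q, D, E, inject_fault=True)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    msg = 123456789                # constructed stand-in for a padded hash
    print("good signature verifies:", verify(sign_checked(msg, P, Q, D, E), msg, N, E))
    print("faulty signature suppressed:", fault_is_caught(msg))
```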
