RSA signature verification in gpg-agent?
gniibe at fsij.org
Tue Sep 22 03:45:09 CEST 2015
I'd like to discuss RSA signature verification by gpg-agent.
Especially, for signature generated by smartcard.
The context is Florian Weimer' paper, Factoring RSA Keys With TLS
Perfect Forward Secrecy.
In libgcrypt, we had a following commit.
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 31 23:13:27 2015 +0200
rsa: Add verify after sign to avoid Lenstra's CRT attack.
* cipher/rsa.c (rsa_sign): Check the CRT.
Failures in the computation of the CRT (e.g. due faulty hardware) can
lead to a leak of the private key. The standard precaution against
this is to verify the signature after signing. GnuPG does this itself
and even has an option to disable this. However, the low performance
impact of this extra precaution suggest that it should always be done
and Libgcrypt is the right place here. For decryption is not done
because the application will detect the failure due to garbled
plaintext and in any case no key derived material will be send to the
Signed-off-by: Werner Koch <wk at gnupg.org>
In gnupg/g10/sign.c, we have following code after generating
/* Check that the signature verification worked and nothing is
* fooling us e.g. by a bug in the signature create code or by
* deliberately introduced faults. Because Libgcrypt 1.7 does this
* for RSA internally there is no need to do it here again. */
#if GCRYPT_VERSION_NUMBER >= 0x010700 /* Libgcrypt >= 1.7 */
&& !is_RSA (pksk->pubkey_algo)
#endif /* Libgcrypt >= 1.7 */
I wonder if it should be done in gpg-agent, since signing can be done
for ssh and gpgsm as well.
Besides, I think that it would be good for gpg-agent to check
signature for smartcard, too. Well, it only protects against possible
attack with gpg-agent, though.
Note that Gnuk doesn't verify signature after generating, currently.
It should be done by the smartcard implementation itself if we want to
protect correctly, but there are existing implementations, too.
Thus, I think that it might make sense for gpg-agent to verigy RSA
signature generated by smartcard, before returning it to user.
More information about the Gnupg-devel