Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: nCipher Support (technotifications_at_us.ncipher.com)
Date: Mon Aug 19 2002 - 11:20:29 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                     nCipher Security Advisory No. 5
            C_Verify validates incorrect symmetric signatures


    When C_Verify is called on a symmetric signature, the nCipher PKCS#11
    cryptographic library always returns CKR_OK, which indicates a valid
    signature, even if the signature is invalid.


    nCipher supplies a cryptographic library that is compatible with the
    RSA Laboratories PKCS#11 Cryptographic Token Interface Standard.

    As well as standard PKCS#11 message signing algorithms, in which a
    message is signed with a private key and verified with a public
    key, the nCipher PKCS#11 implementation also supports symmetric
    message signing (also called a MAC, or Message Authentication Code),
    in which the message is signed and verified by the same key.

    Message signing algorithms ensure the integrity of messages. A message
    signature should only verify correctly if the message to which it is
    attached has not been tampered with.

    If a signature is verified as correct when it is, in fact, invalid, it
    is possible for an attacker to tamper with or forge messages intended
    for the recipient.


    1. Cause

    The code in the nCipher PKCS#11 library that deals with the C_Verify
    call contains a mistake in the error-checking routine when used with
    a symmetric verification key.

    The software incorrectly returns CKR_OK after detecting an invalid
    signature, when it should return CKR_SIGNATURE_INVALID.

    2. Impact

    Any attempt at verifying a signature that was generated with a
    symmetric key (i.e. a MAC) that would otherwise have failed with
    CKR_SIGNATURE_INVALID instead returns with CKR_OK, incorrectly
    indicating a valid signature.

    As mentioned above, this enables attackers to tamper with or forge
    messages intended for systems using the nCipher PKCS#11 library.

    3. Who Is *Not* Affected

    You are *not* affected if:

    * You are using nCipher's nFast 75, nFast 150, nFast 300 or
      nFast 800 product you are not affected.

    * You are using nCipher's nForce (previously called nFast/KM) or
      nShield (previously called nFast/CA) modules with any interface
      other than nCipher's PKCS#11 library. For example the nCipher
      nCore, CHIL, BHAPI, JCE and MSCAPI CSP interfaces are *not*

    * You are using a PKCS#11 implementation not supplied by nCipher.

    * You are verifying only DSA and RSA signatures, as this bug
      only applies to signatures using symmetric mechanisms.

    * You are using an application with the nCipher PKCS#11 library
      that does not use symmetric signatures.

    * You are using iPlanet, as iPlanet performs all symmetric cryptography
      operations internally.

    4. Who May Be Affected

    The bug has been in all versions of the nCipher PKCS#11 implementation
    since symmetric message signing mechanisms were introduced, in the latter
    part of 1998. All versions of the library since version 1.2.0 are

    The MAC is a fairly common protocol operation; it is used by SSLv2,
    SSH and IPSEC amongst others.

    * Web servers *may* be affected (except iPlanet; see above)

    * IPSEC users *may* be affected.

    5. How To Tell If You Are Affected

    a) Turn on nCipher PKCS#11 library debugging by setting CKNFAST_DEBUG=9
       and CKNFAST_DEBUGFILE=<name of debug file> in your environment.

    b) Run your application and check that the log file is produced.

    c) Search for occurrences of C_VerifyInit in the logfile.

    The application is affected if these calls are made with any of the
    following mechanisms:



    * If you do *not* fall into one of the `Not Affected' categories in
      section 3, you should check whether you are affected, as described
      in section 5.

    * If you *are* affected, or aren't able to confirm that you are not
      affected, we recommend that you upgrade to the fixed version of the
      nCipher-supplied PKCS#11 library as soon as possible - see below.

    * If you are not affected you need do nothing, although you may choose
      to upgrade your nCipher-supplied PKCS#11 library in any case.

    To ensure that the remedy is complete, nCipher have fully reviewed
    the software and tested it for similar errors; no further issues
    have been found.


    You can obtain copies of this advisory, and supporting documentation,
    from the nCipher updates site:


    We regret that due to export control regulations, we are unable to
    make the software updates themselves available on the web site.
    Contact nCipher Support for details on obtaining the updated software.

    Updated software is available now for the following platforms:

        Windows, Linux, AIX, Solaris, HP-UX

    It will be made available for other platforms as soon as possible.
    Please contact nCipher support, so that we can inform you when the
    fix is available for your platform.


    nCipher customers who require updated software, support or further
    information regarding this problem should contact supportncipher.com.

    nCipher support can also be reached by telephone:

        Customers in the USA or Canada: +1 781 994 8004
        Customers in all other countries: +44 1223 723675

    Further Information

    General information about nCipher products:

    nCipher Developer's Guide and nCipher Developer's Reference

    If you would like to receive future security advisories from nCipher
    please subscribe to the low volume nCipher security-announce mailing
    list by sending a message with the single word 'subscribe' in the
    body to security-announce-requestncipher.com.

    (c) nCipher Corporation Ltd. 2002

        All trademarks acknowledged.

    $Id: advisory5.txt,v 1.24 2002/08/19 07:57:03 mknight Exp $