[NEWS] C_Verify Validates Incorrect Symmetric Signatures
From: support@securiteam.com Date: 08/21/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 21 Aug 2002 19:11:07 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
C_Verify Validates Incorrect Symmetric Signatures
------------------------------------------------------------------------
SUMMARY
When C_Verify is called on a symmetric signature, the nCipher PKCS#11
cryptographic library always returns CKR_OK, which indicates a valid
signature, even if the signature is invalid.
DETAILS
Background:
nCipher supplies a cryptographic library that is compatible with the RSA
Laboratories PKCS#11 Cryptographic Token Interface Standard.
As well as standard PKCS#11 message signing algorithms, in which a message
is signed with a private key and verified with a public key, the nCipher
PKCS#11 implementation also supports symmetric message signing (also
called a MAC, or Message Authentication Code), in which the message is
signed and verified by the same key.
Message signing algorithms ensure the integrity of messages. A message
signature should only verify correctly if the message to which it is
attached has not been tampered with.
If a signature is verified as correct when it is, in fact, invalid, it is
possible for an attacker to tamper with or forge messages intended for the
recipient.
Cause:
The code in the nCipher PKCS#11 library that deals with the C_Verify call
contains a mistake in the error-checking routine when used with a
symmetric verification key.
The software incorrectly returns CKR_OK after detecting an invalid
signature, when it should return CKR_SIGNATURE_INVALID.
Impact:
Any attempt at verifying a signature that was generated with a symmetric
key (i.e. a MAC) that would otherwise have failed with
CKR_SIGNATURE_INVALID instead returns with CKR_OK, incorrectly indicating
a valid signature.
As mentioned above, this enables attackers to tamper with or forge
messages intended for systems using the nCipher PKCS#11 library.
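A negative self-test of the kind that exposes this failure: a verifier must reject a tampered MAC, not only accept a good one. This is an added example, not nCipher's code; verify_buggy is a model of the behaviour described above, HMAC-SHA256 stands in for the DES/CAST MAC mechanisms, and the key and message are constructed.

```python
import hashlib
import hmac

# PKCS#11 return codes named in the advisory.
CKR_OK = 0x00000000
CKR_SIGNATURE_INVALID = 0x000000C0

def stand_in_mac(key, msg):
    # Assumption: HMAC-SHA256 replaces the token's DES/CAST MAC here.
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_buggy(key, msg, tag):
    """Model of the reported behaviour: the mismatch is detected,
    but the error path never changes the return value."""
    rv = CKR_OK
    if not hmac.compare_digest(stand_in_mac(key, msg), tag):
        pass  # mismatch seen here, rv is left at CKR_OK
    return rv

def verify_fixed(key, msg, tag):
    """Corrected form: a mismatch maps to CKR_SIGNATURE_INVALID."""
    if hmac.compare_digest(stand_in_mac(key, msg), tag):
        return CKR_OK
    return CKR_SIGNATURE_INVALID

def negative_selftest(verify, key=b"k" * 16, msg=b"constructed message"):
    """Return True only if `verify` accepts a good tag and rejects
    both a tampered tag and a tampered message."""
    good = stand_in_mac(key, msg)
    flipped = bytes([good[0] ^ 0x01]) + good[1:]
    # A positive-only test stops here, and the buggy verifier passes it.
    if verify(key, msg, good) != CKR_OK:
        return False
    bad_cases = [(msg, flipped), (msg + b"!", good)]
    return all(verify(key, m, t) == CKR_SIGNATURE_INVALID
               for m, t in bad_cases)

if __name__ == "__main__":
    print("buggy passes self-test:", negative_selftest(verify_buggy))
    print("fixed passes self-test:", negative_selftest(verify_fixed))
```

Any callable with the same (key, message, tag) signature can be passed to negative_selftest, including a wrapper around a real token's C_VerifyInit/C_Verify calls.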
Who Is *Not* Affected:
You are *not* affected if:
* You are using nCipher's nFast 75, nFast 150, nFast 300 or nFast 800
products.
* You are using nCipher's nForce (previously called nFast/KM) or nShield
(previously called nFast/CA) modules with any interface other than
nCipher's PKCS#11 library. For example the nCipher nCore, CHIL, BHAPI, JCE
and MSCAPI CSP interfaces are *not* affected.
* You are using a PKCS#11 implementation not supplied by nCipher.
* You are verifying only DSA and RSA signatures, as this bug only applies
to signatures using symmetric mechanisms.
* You are using an application with the nCipher PKCS#11 library that does
not use symmetric signatures.
* You are using iPlanet, as iPlanet performs all symmetric cryptography
operations internally.
Who May Be Affected:
The bug has been in all versions of the nCipher PKCS#11 implementation
since symmetric message signing mechanisms were introduced, in the latter
part of 1998. All versions of the library since version 1.2.0 are
affected.
The MAC is a common protocol operation; it is used by SSLv2, SSH and IPSEC
amongst others.
* Web servers *may* be affected (except iPlanet; see above)
* IPSEC users *may* be affected.
How To Tell If You Are Affected:
a) Turn on nCipher PKCS#11 library debugging by setting CKNFAST_DEBUG=9
and CKNFAST_DEBUGFILE= in your environment.
b) Run your application and check that the log file is produced.
c) Search for occurrences of C_VerifyInit in the log file.
The application is affected if these calls are made with any of the
following mechanisms:
CKM_DES_MAC
CKM_DES_MAC_GENERAL
CKM_DES3_MAC
CKM_DES3_MAC_GENERAL
CKM_CAST5_MAC
CKM_CAST5_MAC_GENERAL
CKM_CAST128_MAC
CKM_CAST128_MAC_GENERAL
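Step (c) can be automated. The script below is an added example, not an nCipher tool: it reports each C_VerifyInit call in a debug log whose mechanism is on the list above. The advisory does not show the log layout, so the sample lines are constructed and the rule that the mechanism appears on the call line or within a few lines after it is an assumption.

```python
import re

# Mechanisms the advisory lists as affected when passed to C_VerifyInit.
AFFECTED = {
    "CKM_DES_MAC", "CKM_DES_MAC_GENERAL",
    "CKM_DES3_MAC", "CKM_DES3_MAC_GENERAL",
    "CKM_CAST5_MAC", "CKM_CAST5_MAC_GENERAL",
    "CKM_CAST128_MAC", "CKM_CAST128_MAC_GENERAL",
}
MECH_RE = re.compile(r"\bCKM_[A-Z0-9_]+\b")      # full mechanism token
CALL_RE = re.compile(r"\bC_[A-Z][A-Za-z]+\b")    # any PKCS#11 call name

# Constructed sample; a real CKNFAST_DEBUG=9 log may be laid out differently.
SAMPLE_LOG = """\
C_SignInit hSession=1
  mechanism: CKM_DES3_MAC
C_VerifyInit hSession=1
  mechanism: CKM_RSA_PKCS
C_VerifyInit hSession=2
  mechanism: CKM_DES3_MAC_GENERAL
C_VerifyInit hSession=3 CKM_DES_MAC
""".splitlines()

def affected_verify_calls(lines, window=3):
    """Return (line_number, mechanism) for every C_VerifyInit call that
    uses an affected mechanism. The mechanism is taken from the call line
    or from up to `window` following lines, stopping at the next call."""
    hits = []
    for i, line in enumerate(lines):
        if "C_VerifyInit" not in line:
            continue
        for j in range(i, min(len(lines), i + 1 + window)):
            if j > i and CALL_RE.search(lines[j]):
                break  # a new API call starts; mechanism not found
            m = MECH_RE.search(lines[j])
            if m:
                if m.group(0) in AFFECTED:
                    hits.append((i + 1, m.group(0)))
                break  # first mechanism token belongs to this call
    return hits

if __name__ == "__main__":
    for lineno, mech in affected_verify_calls(SAMPLE_LOG):
        print(f"line {lineno}: C_VerifyInit with {mech}")
```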
Remedy:
* If you do *not* fall into one of the `Not Affected' categories in
section 3 (Who Is *Not* Affected), you should check whether you are
affected, as described in section 5 (How To Tell If You Are Affected).
* If you *are* affected, or aren't able to confirm that you are not
affected, we recommend that you upgrade to the fixed version of the
nCipher-supplied PKCS#11 library as soon as possible - see below.
* If you are not affected you need do nothing, although you may choose to
upgrade your nCipher-supplied PKCS#11 library in any case.
To ensure that the remedy is complete, nCipher have fully reviewed the
software and tested it for similar errors; no further issues have been
found.
Software distribution and references:
You can obtain copies of this advisory, and supporting documentation, from
the nCipher updates site: http://www.ncipher.com/support/advisories/
We regret that due to export control regulations, we are unable to make
the software updates themselves available on the web site. Contact nCipher
Support for details on obtaining the updated software.
Updated software is available now for the following platforms: Windows,
Linux, AIX, Solaris, HP-UX
It will be made available for other platforms as soon as possible. Please
contact nCipher support, so that we can inform you when the fix is
available for your platform.
nCipher Support:
nCipher customers who require updated software, support or further
information regarding this problem should contact support@ncipher.com.
nCipher support can also be reached by telephone:
Customers in the USA or Canada: +1 781 994 8004
Customers in all other countries: +44 1223 723675
ADDITIONAL INFORMATION
The information has been provided by nCipher Support
<technotifications@us.ncipher.com>.