SA#05: C_Verify validates incorrect symmetric signatures

This advisory also available as PGP-signed plaintext.

August 2002

Summary

When C_Verify is called on a symmetric signature, the nCipher PKCS#11 cryptographic library always returns CKR_OK, which indicates a valid signature, even if the signature is invalid.

Background

nCipher supplies a cryptographic library that is compatible with the RSA Laboratories PKCS#11 Cryptographic Token Interface Standard.

As well as standard PKCS#11 message signing algorithms, in which a message is signed with a private key and verified with a public key, the nCipher PKCS#11 implementation also supports symmetric message signing (also called a MAC, or Message Authentication Code), in which the message is signed and verified by the same key.

Message signing algorithms ensure the integrity of messages. A message signature should only verify correctly if the message to which it is attached has not been tampered with.

If a signature is verified as correct when it is, in fact, invalid, it is possible for an attacker to tamper with or forge messages intended for the recipient.

Issue Description

1. Cause

The code in the nCipher PKCS#11 library that deals with the C_Verify call contains a mistake in the error-checking routine when used with a symmetric verification key.

The software incorrectly returns CKR_OK after detecting an invalid signature, when it should return CKR_SIGNATURE_INVALID.

2. Impact

Any attempt at verifying a signature that was generated with a symmetric key (i.e. a MAC) that would otherwise have failed with CKR_SIGNATURE_INVALID instead returns with CKR_OK, incorrectly indicating a valid signature.

As mentioned above, this enables attackers to tamper with or forge messages intended for systems using the nCipher PKCS#11 library.

3. Who May Be Affected

You are *not* affected if:

• You are using nCipher's nFast 75, nFast 150, nFast 300 or nFast 800 product you are not affected.
• You are using nCipher's nForce (previously called nFast/KM) or nShield (previously called nFast/CA) modules with any interface other than nCipher's PKCS#11 library. For example the nCipher nCore, CHIL, BHAPI, JCE and MSCAPI CSP interfaces are *not* affected.
• You are using a PKCS#11 implementation not supplied by nCipher.
• You areverifying only DSA and RSA signatures, as this bug
  only applies to signatures using symmetric mechanisms.
• You are using an application with the nCipher PKCS#11 library that does not use symmetric signatures.
• You are using iPlanet, as iPlanet performs all symmetric cryptography operations internally.

4. Who May Be Affected

The bug has been in all versions of the nCipher PKCS#11 implementation since symmetric message signing mechanisms were introduced, in the latter part of 1998. All versions of the library since version 1.2.0 are affected.

The MAC is a fairly common protocol operation; it is used by SSLv2, SSH and IPSEC amongst others.

• Web servers *may* be affected (except iPlanet; see above)
• IPSEC users *may* be affected.

5. How To Tell If You Are Affected

a) Turn on nCipher PKCS#11 library debugging by setting CKNFAST_DEBUG=9 and CKNFAST_DEBUGFILE= in your environment.

b) Run your application and check that the log file is produced.

c) Search for occurrences of C_VerifyInit in the logfile.

The application is affected if these calls are made with any of the following mechanisms:

CKM_DES_MAC
CKM_DES_MAC_GENERAL
CKM_DES3_MAC
CKM_DES3_MAC_GENERAL
CKM_CAST5_MAC
CKM_CAST5_MAC_GENERAL
CKM_CAST128_MAC
CKM_CAST128_MAC_GENERAL

Remedy

• If you do *not* fall into one of the `Not Affected' categories in section 3, you should check whether you are affected, as described in section 5.
• If you *are* affected, or aren't able to confirm that you are not affected, we recommend that you upgrade to the fixed version of the nCipher-supplied PKCS#11 library as soon as possible - see below.
• If you are not affected you need do nothing, although you may choose to upgrade your nCipher-supplied PKCS#11 library in any case.

To ensure that the remedy is complete, nCipher have fully reviewed the software and tested it for similar errors; no further issues have been found.

Software Distribution and References

You can obtain copies of this advisory, and supporting documentation, from the nCipher updates site:

http://www.ncipher.com/support/advisories/

We regret that due to export control regulations, we are unable to make the software updates themselves available on the web site. Contact nCipher Support for details on obtaining the updated software.

Updated software is available now for the following platforms:

Windows, Linux, AIX, Solaris, HP-UX

It will be made available for other platforms as soon as possible. Please contact nCipher support, so that we can inform you when the fix is available for your platform.

nCipher Support

nCipher customers who require support or further information regarding this problem should contact support@ncipher.com.

nCipher support can also be reached by telephone:

Customers in the USA or Canada: +1 781 994 8004
Customers in all other countries: +44 1223 723675

Further information

General information about nCipher products:
http://www.ncipher.com/

nCipher Developer's Guide and nCipher Developer's Reference
http://www.ncipher.com/documentation.html

If you would like to receive future security advisories from nCipher please subscribe to the low volume nCipher security-announce mailing list by sending a message with the single word 'subscribe' in the body to security-announce-request@ncipher.com.

© nCipher Corporation Ltd. 2002

All trademarks acknowledged.

$Id: advisory5.txt,v 1.24 2002/08/19 07:57:03 mknight Exp $