Security Advisories

nCipher Security Advisories are published both as web HTML documents and as OpenPGP-signed text. The public key and fingerprint may be downloaded below.

2008

There are no security advisories at this time.

2007

There are no advisories for this year.

2006

SA#14: Presence of flaws in firmware security
During a major code review carried out for a recent release, nCipher discovered some undesirable features in the nCore code base. While none of these features could lead to the accidental exposure of key material, if discovered by a skilled cryptographer, they open lines of attack which enable key values to be determined with less effort than would be expected if the only attack were breaking a key by exhaustive search. All attacks require detailed knowledge of the nCipher code base, making it extremely unlikely that any attacker would be able to take advantage of these features. nCipher is making available updated firmware to fix this potential vulnerability. Use of some keys may be affected by the upgrade, nCipher has written a utility that can detect these keys in a Security World. nCipher recommends that you run this utility before making the upgrade.

SA#13: CBC-MAC IV misleading programming interface
Application programmers using the nCore API to calculate and verify CBC MACs may have accidentally implemented a MAC protocol which fails to detect certain modifications to messages it is supposed to protect.

SA#12: Insecure Generation of Diffie-Hellman keys
In some circumstances, Diffie-Hellman keys generated by an HSM may be less secure than previously thought. An attack which recovers a vulnerable private key is (for typical parameters), expensive but possible. Keys subject to this vulnerability should be replaced. In addition, a firmware upgrade is available which removes the root cause of the generation of vulnerable keys; alternatively an upgrade to the key generation software provides a (verifiable) workaround.

2005

SA#11: CHIL random cache not cleared when forking
When programs use CHIL's HWCryptoHook_RandomBytes function in a program that forks, this function may produce the same random data in all child processes for a short time.

2004

SA#10: Pass phrases are exposed in netHSM log files
Pass phrases entered by means of the nCipher netHSM front panel, either using the built in thumbwheel or using a directly attached keyboard, are exposed in the netHSM system log. Under certain circumstances this information is also available to the remote filesystem machine. This issue is fixed in the latest netHSM firmware release.

SA#09: Host-side attackers can access secret data
On certain models and firmware combinations, an attacker who is able to issue commands to an HSM (eg, by having use or control of the host to which it is connected) may be able to access secret data stored in the module, including critical application keys. Modules with vulnerable firmware versions should be upgraded.

2003

SA#08: payShield library may verify bad requests
When a command is issued to the payShield SPP library it may return Status_OK regardless of what the real reply status was.

SA#07: Unexpected duplicates of imported software based keys
When either the command line utility generatekey or the KeySafe graphical application is used to import a software based key into an nCipher nShield or nForce hardware security module, the key is successfully imported. However copies of the original key file are incorrectly left on the host file system.

2002

SA#06: Access control defects in PKCS#11 keys
As a function of internal QA testing, nCipher has identified that, under certain unusual circumstances, keys created by the nCipher PKCS#11 library, which should be secure, may be exportable from the hardware security module in plaintext or equivalent, or have other defects in their access control.

SA#05: C_Verify validates incorrect symmetric signatures
When C_Verify is called on a symmetric signature, the nCipher PKCS#11 cryptographic library always returns CKR_OK, which indicates a valid signature, even if the signature is invalid.

SA#04: Console Java applications can leak passphrases on Windows
In certain circumstances, Java applications using the standard nCipher ConsoleCallBack class on Windows NT/2000 can be made to leak smart card passphrases to the current user's shell. One version of the nCipher command line utility 'TrustedCodeTool', as supplied to CodeSafe customers, is also affected by this problem.

SA#03: Important Security Advisory for Windows 2000 Users
In certain circumstances, the nCipher MSCAPI CSP Install Wizard support software on Windows 2000 will set the nCipher CSP key generation behavior incorrectly. Despite the user requesting Operator Card Set protection for keys (`cardset protected keys') that are generated using the nCipher CSP, a software error might result in keys being protected by the module alone. The undocumented command line utility `domesticinstall.exe' is also affected by this problem.

SA#02: SNMP Vulnerabilities
SNMP agents supplied by nCipher, as well as those required to run other nCipher SNMP support software, could be vulnerable to buffer overflow attacks including denial of service and privilege elevation.

2000

SA#01: Operator Cards unexpectedly recoverable
In certain circumstances, the nCipher security world initialization software enables the Operator Card Set recovery feature, even when the user requested that recovery be disabled.

nCipher Development PGP Key

Fingerprint