nCipher Advisory #12: Insecure Generation of Diffie-Hellman keys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
nCipher Security Advisory No. 12
Insecure Generation of Diffie-Hellman keys
------------------------------------------
Note
====
nCipher is publishing three advisories numbered 12, 13, and 14
simultaneously. You are advised to review all three before taking
any remedial action.
SUMMARY
=======
In some circumstances, Diffie-Hellman keys generated by an HSM may
be less secure than previously thought. An attack which recovers
a vulnerable private key is (for typical parameters), expensive but
possible.
Keys subject to this vulnerability should be replaced. In addition,
a firmware upgrade is available which removes the root cause of the
generation of vulnerable keys; alternatively an upgrade to the
key generation software provides a (verifiable) workaround.
ISSUE DESCRIPTION
=================
1. Cause
- --------
When an HSM generates a set of Diffie-Hellman group parameters -
specifically when generating a DHPrivate/DHPublic keypair where the
'DiscreteLogGroup' parameters are not passed in - it may choose
random parameters with undesirable properties. These properties
enable an algorithmic attack to recover the private key with
significantly less effort than by brute force, given the ability
to make Diffie-Hellman queries using the key.
The details of the attack are not published here.
In most situations, Diffie-Hellman keys will be generated using
group parameters fixed in advance (communicating parties must use
keys with identical group parameters for the algorithm to succeed).
Where these parameters are fixed to known 'good' values, the attack
will not succeed. The 'Oakley' groups published in RFC2412 and
RFC3526 are suitable good values.
2. Impact
- ---------
An attacker who has access to an HSM containing a loaded and vulnerable
Diffie-Hellman private key can, with significant probability, extract
information which enables the private key value to be discovered.
If successful, previous and future communications established using
this key can be deciphered. No particular privilege, beyond the
ability to make chosen queries and retrieve the results, is required
to mount the attack.
Keys subject to this vulnerability cannot be 'fixed' and must be
discarded and replaced.
3. Who Is *Not* Affected
- ------------------------
The following are not affected by this advisory, or by advisories 13 or 14:
- Any nCipher hardware module supplied with or upgraded to V10
firmware 2.22.6.
- Any nFast or nForce Ultra module - as these either have no nCipher
key management or have modules with fixed firmware.
- miniHSM PCI or any other product utilizing the miniHSM - as these
are supplied with firmware revision 2.22.6 or later.
- Any nToken.
- Any acceleration only module - that is, all nFast modules except
nFast-KM or nFast-CA modules which are key management modules.
The following are not affected by this advisory or by advisory 13 but
may be affected by advisory 14:
- Any nCipher hardware module supplied with or upgraded to V9
firmware 2.12.x
- The standard APIs:
* PKCS#11
- The applications and products:
* Apache
* Entrust Authority
* IBM HTTP Server, Application Server, Tivoli Access Manager
* Microsoft IIS, CA, ISA
* SunONE Webserver (formerly called iPlanet)
* PayShield
* SecureDB
* DSE200 Document Sealing Engine
* Time Source Master Clock (TSMC)
* pdfProof
The following Standard APIs are not affected by this advisory if you use
versions from nCipher Software CD versions v9.0 and later. No version of
these APIs was affected by advisory 13, but all are vulnerable to
advisory 14:
* MSCAPI
* CHIL
* JCE
* OpenSSL
You are *not* affected by advisory 12 if:
* your application does not use Diffie-Hellman keys
* your application uses only the Oakley groups to generate DH keys
* your application uses ephemeral Diffie-Hellman keys. (Since
such keys are not retained after their initial use, there is
no opportunity to mount the attack.)
* your DH keys were generated by the generatekey utility or the
MSCAPI provider from nCipher software CD versions v9.0 or
higher.
- - however, in these cases, refer also to advisories 13 and 14.
4. Who May Be Affected
- ----------------------
You may be affected if:
* Diffie-Hellman keys were generated using the 'generatekey'
utility, the MSCAPI or JCECSP provider, or via CHIL
from nCipher software CD versions *before* v9.0
* Diffie-Hellman keys were generated by an application which
uses the nCore API directly
Applications that use CBC-MAC are also affected by advisory 13.
5. How To Tell If You Are Affected
- ----------------------------------
The 'nfkmverify' utility supplied on versions v9.0 or later of the
software CD can check whether generated Diffie-Hellman keys may be
subject to this vulnerability.
Running
C:\nfast\bin\nfkmverify <appname> <ident> (Windows)
or
/opt/nfast/bin/nfkmverify <appname> <ident> (Unix)
for each Diffie-Hellman key identified by <appname> and <ident>.
If a key is, or may be, vulnerable to this problem, it will produce
a message similar to one of the following:
Module-generated discrete log group -- may be weak
DH log group is not of known good form ((p - 1)/2 not prime)
DH log group `g' is bad (too small, or not of order (p - 1)/2)
DH key uses unsupported Sophie-Germain discrete log group
Note that the checks performed by nfkmverify may identify a key as
'bad' when, for some other reason, it is not subject to this problem.
However, it will never identify a vulnerable key as 'good'. Please
contact nCipher Support for advice if you are unsure.
REMEDY
======
Keys subject to this problem must be discarded and replaced with
freshly-generated keys which are not vulnerable. Such keys can be
generated by either of the following:
* Any software which uses an nCipher HSM upgraded to version 2.22.6
or higher firmware. This firmware is supplied on nCipher support
CDs v10.x and higher.
* The generatekey utility, the MSCAPI or JCECSP provider from nCipher
software CD version v9.0 or later.
SOFTWARE DISTRIBUTION AND REFERENCES
====================================
You can obtain copies of this advisory and supporting documentation
from the nCipher updates site:
http://www.ncipher.com/support/advisories/
Due to export control regulations, we are unable to make software
updates generally available on the nCipher web site. Please contact
nCipher Support to obtain updated software.
The 2.22.6 firmware has been submitted to NIST for FIPS 140-2
validation with a compliant report but is yet to receive formal
approval.
NCIPHER SUPPORT
===============
nCipher customers who require updated software, support or further
information regarding this problem should contact support@xxxxxxxxxxxx
nCipher support can also be reached by telephone:
Customers in the USA or Canada: +1 877 994 4008
Customers in all other countries: +44 1223 723666
Customers in all other countries outside of the USA and Canada can
call the USA number in the event that they receive the advisory
outside of UK support hours (08:00 - 16:30 GMT).
FURTHER INFORMATION
===================
General information about nCipher products:
http://www.ncipher.com/
nCipher Developer's Guide and nCipher Developer's Reference
http://www.ncipher.com/documentation.html
If you would like to receive future security advisories from nCipher,
please subscribe to the low volume nCipher security-announce mailing
list. To do this, send a mail with the single word `subscribe' in
the message body to: security-announce-request@xxxxxxxxxxxx
(c) nCipher Corporation Ltd. 2005
All trademarks acknowledged. nCipher and payShield are trade
marks of nCipher Corporation Limited.
$Id: advisory12.txt,v 1.13 2006/01/24 17:29:16 mknight Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQEVAwUBQ+NrEu/+6Nq6MPYJAQKgbAf/TsH2YxgvZVvFnP/9WDeuLSJMOxNPfb9Y
VhmRjkKJQBfbqqYvIc2uSM0PGnAFKmQaZYg8tIdVb4HpzQV7V/Q4U3wA3tUz/068
hdLD6ULqVorO57yD2vrZTlRjMHpkx46zmwgpLHyZsr77zonk5E/2sPcLWF68ItKc
DujZQf12pGf+wrUHf2glKXxU6PrAlwIkIA36yBsr5hnBZF3GSjND0x4sBAJYkKDf
QrA3W0OLLgeAQT+fPD6JJPiFDLnowpugovqwmlyqwOP2kWjcIYwOWrPHNcfy0QTL
D3Cel+qA0p0Hzwp3SkSh0UJ6zx9x+U3pxgZhHpHWIq/7SK1tTmhF1Q==
=VfYL
-----END PGP SIGNATURE-----