<<< Date Index >>>     <<< Thread Index >>>

nCipher Advisory #12: Insecure Generation of Diffie-Hellman keys



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 nCipher Security Advisory No. 12
            Insecure Generation of Diffie-Hellman keys
            ------------------------------------------

Note
====

nCipher is publishing three advisories numbered 12, 13, and 14
simultaneously.  You are advised to review all three before taking
any remedial action.


SUMMARY
=======

In some circumstances, Diffie-Hellman keys generated by an HSM may
be less secure than previously thought.  An attack which recovers
a vulnerable private key is (for typical parameters), expensive but 
possible.

Keys subject to this vulnerability should be replaced.  In addition,
a firmware upgrade is available which removes the root cause of the 
generation of vulnerable keys; alternatively an upgrade to the 
key generation software provides a (verifiable) workaround.


ISSUE DESCRIPTION
=================

1. Cause
- --------

When an HSM generates a set of Diffie-Hellman group parameters -
specifically when generating a DHPrivate/DHPublic keypair where the
'DiscreteLogGroup' parameters are not passed in - it may choose
random parameters with undesirable properties.  These properties
enable an algorithmic attack to recover the private key with
significantly less effort than by brute force, given the ability
to make Diffie-Hellman queries using the key.

The details of the attack are not published here.

In most situations, Diffie-Hellman keys will be generated using
group parameters fixed in advance (communicating parties must use
keys with identical group parameters for the algorithm to succeed).
Where these parameters are fixed to known 'good' values, the attack
will not succeed.  The 'Oakley' groups published in RFC2412 and
RFC3526 are suitable good values.

2. Impact
- ---------

An attacker who has access to an HSM containing a loaded and vulnerable 
Diffie-Hellman private key can, with significant probability, extract 
information which enables the private key value to be discovered.  
If successful, previous and future communications established using 
this key can be deciphered.  No particular privilege, beyond the 
ability to make chosen queries and retrieve the results, is required 
to mount the attack.

Keys subject to this vulnerability cannot be 'fixed' and must be
discarded and replaced.

3. Who Is *Not* Affected
- ------------------------

The following are not affected by this advisory, or by advisories 13 or 14:

 - Any nCipher hardware module supplied with or upgraded to V10
   firmware 2.22.6.

 - Any nFast or nForce Ultra module - as these either have no nCipher
   key management or have modules with fixed firmware.

 - miniHSM PCI or any other product utilizing the miniHSM  - as these
   are supplied with firmware revision 2.22.6 or later.

 - Any nToken.

 - Any acceleration only module -  that is,  all nFast modules except 
   nFast-KM or nFast-CA modules which are key management modules. 

The following are not affected by this advisory or by advisory 13 but
may be affected by advisory 14:

 - Any nCipher hardware module supplied with or upgraded to V9
   firmware 2.12.x

 - The standard APIs:

  * PKCS#11

 - The applications and products:

  * Apache
  * Entrust Authority
  * IBM HTTP Server, Application Server, Tivoli Access Manager
  * Microsoft IIS, CA, ISA
  * SunONE Webserver (formerly called iPlanet)
  * PayShield
  * SecureDB
  * DSE200 Document Sealing Engine
  * Time Source Master Clock (TSMC)
  * pdfProof

The following Standard APIs are not affected by this advisory if you use 
versions from nCipher Software CD versions v9.0 and later. No version of 
these APIs was affected by advisory 13, but all are vulnerable to 
advisory 14:

  * MSCAPI
  * CHIL
  * JCE
  * OpenSSL
  

You are *not* affected by advisory 12 if:

  * your application does not use Diffie-Hellman keys

  * your application uses only the Oakley groups to generate DH keys

  * your application uses ephemeral Diffie-Hellman keys.  (Since
    such keys are not retained after their initial use, there is
    no opportunity to mount the attack.)

  * your DH keys were generated by the generatekey utility or the
    MSCAPI provider from nCipher software CD versions v9.0 or
    higher.
     
- - however, in these cases, refer also to advisories 13 and 14.

4. Who May Be Affected
- ----------------------

You may be affected if:

   * Diffie-Hellman keys were generated using the 'generatekey'
     utility, the MSCAPI or JCECSP provider, or via CHIL 
     from nCipher software CD versions *before* v9.0
     
   * Diffie-Hellman keys were generated by an application which
     uses the nCore API directly

Applications that use CBC-MAC are also affected by advisory 13.

5. How To Tell If You Are Affected
- ----------------------------------

The 'nfkmverify' utility supplied on versions v9.0 or later of the
software CD can check whether generated Diffie-Hellman keys may be
subject to this vulnerability.

Running

  C:\nfast\bin\nfkmverify <appname> <ident>    (Windows)

or

  /opt/nfast/bin/nfkmverify <appname> <ident>  (Unix)


for each Diffie-Hellman key identified by <appname> and <ident>.
If a key is, or may be, vulnerable to this problem, it will produce
a message similar to one of the following:

  Module-generated discrete log group -- may be weak

  DH log group is not of known good form ((p - 1)/2 not prime)

  DH log group `g' is bad (too small, or not of order (p - 1)/2)

  DH key uses unsupported Sophie-Germain discrete log group

Note that the checks performed by nfkmverify may identify a key as
'bad' when, for some other reason, it is not subject to this problem.
However, it will never identify a vulnerable key as 'good'.  Please
contact nCipher Support for advice if you are unsure.

REMEDY
======

Keys subject to this problem must be discarded and replaced with
freshly-generated keys which are not vulnerable.  Such keys can be
generated by either of the following:

   * Any software which uses an nCipher HSM upgraded to version 2.22.6 
     or higher firmware.  This firmware is supplied on nCipher support 
     CDs v10.x and higher.

   * The generatekey utility, the MSCAPI or JCECSP provider from nCipher
     software CD version v9.0 or later.

SOFTWARE DISTRIBUTION AND REFERENCES
====================================

You can obtain copies of this advisory and supporting documentation
from the nCipher updates site:

    http://www.ncipher.com/support/advisories/

Due to export control regulations, we are unable to make software
updates generally available on the nCipher web site.  Please contact
nCipher Support to obtain updated software.

The 2.22.6 firmware has been submitted to NIST for FIPS 140-2
validation with a compliant report but is yet to receive formal
approval.

NCIPHER SUPPORT
===============

nCipher customers who require updated software, support or further
information regarding this problem should contact support@xxxxxxxxxxxx

nCipher support can also be reached by telephone:

    Customers in the USA or Canada:   +1 877 994 4008
    Customers in all other countries: +44 1223 723666

Customers in all other countries outside of the USA and Canada can
call the USA number in the event that they receive the advisory
outside of UK support hours (08:00 - 16:30 GMT).

FURTHER INFORMATION
===================

General information about nCipher products:
    http://www.ncipher.com/

nCipher Developer's Guide and nCipher Developer's Reference
    http://www.ncipher.com/documentation.html

If you would like to receive future security advisories from nCipher,
please subscribe to the low volume nCipher security-announce mailing
list.  To do this, send a mail with the single word `subscribe' in
the message body to: security-announce-request@xxxxxxxxxxxx

(c) nCipher Corporation Ltd.  2005

    All trademarks acknowledged.  nCipher and payShield are trade
    marks of nCipher Corporation Limited.

$Id: advisory12.txt,v 1.13 2006/01/24 17:29:16 mknight Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQEVAwUBQ+NrEu/+6Nq6MPYJAQKgbAf/TsH2YxgvZVvFnP/9WDeuLSJMOxNPfb9Y
VhmRjkKJQBfbqqYvIc2uSM0PGnAFKmQaZYg8tIdVb4HpzQV7V/Q4U3wA3tUz/068
hdLD6ULqVorO57yD2vrZTlRjMHpkx46zmwgpLHyZsr77zonk5E/2sPcLWF68ItKc
DujZQf12pGf+wrUHf2glKXxU6PrAlwIkIA36yBsr5hnBZF3GSjND0x4sBAJYkKDf
QrA3W0OLLgeAQT+fPD6JJPiFDLnowpugovqwmlyqwOP2kWjcIYwOWrPHNcfy0QTL
D3Cel+qA0p0Hzwp3SkSh0UJ6zx9x+U3pxgZhHpHWIq/7SK1tTmhF1Q==
=VfYL
-----END PGP SIGNATURE-----