
nCipher Advisory #14: Presence of flaws in firmware security



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 nCipher Security Advisory No. 14
              Presence of flaws in firmware security
              --------------------------------------

Note
====

nCipher is publishing three advisories numbered 12, 13 and 14
simultaneously.  You are advised to review all three before taking
any remedial action.


SUMMARY
=======

During a major code review carried out for a recent release, nCipher
discovered some undesirable features in the nCore code base.

While none of these features could lead to the accidental exposure of key
material, if discovered by a skilled cryptographer, they open lines of attack
which enable key values to be determined with less effort than would be
expected if the only attack were breaking a key by exhaustive search.

All attacks require detailed knowledge of the nCipher code base, making it
extremely unlikely that any attacker would be able to take advantage of 
these features.

nCipher is making available updated firmware to fix this potential
vulnerability.

Use of some keys may be affected by the upgrade. nCipher has written a 
utility that can detect these keys in a Security World, and recommends 
that you run this utility before making the upgrade.


ISSUE DESCRIPTION 
=================

1. Cause 
- --------

During the development of the module firmware, various options were included
for testing purposes. Although these options provide no special access to
key material, they do allow generation of keys with reduced security 
properties.

All these options should have been removed from the code prior to proper
release.  The presence of these options opens up certain cryptographic
possibilities, the details of which are not published here.


2. Impact 
- ---------

If an attacker is able to construct messages of the correct form to exploit 
these issues, they may be able to obtain extra information about keys. That 
information would let them mount attacks that discover the key value with 
less effort than would be expected if they had to resort to an exhaustive 
search.

All keys are vulnerable to these attacks.

nCipher has issued new firmware which prevents these attacks. 

In most cases you can upgrade to the new fixed firmware without noticing any 
changes. However, if you have keys of a certain special form you may find
that they may not be usable after an upgrade to fixed firmware. 

nCipher supplies the fixed firmware with a tool that examines public keys in
an nCipher Security World to determine whether the Security World contains 
any keys of this type.

If you use a Security World to store keys, nCipher recommends you run the 
tool before upgrading. If the tool finds affected keys, or if you do not 
use a Security World, contact nCipher support for detailed advice. 
Worldwide contact information is at the bottom of this advisory.


3. Who is *Not* Affected 
- ------------------------

The following products are not affected by this advisory, or 
by advisories 12 or 13:

Any nCipher module supplied with or upgraded to V10 firmware 2.22.6
or later. 

Any module supplied as part of a keyAuthority bundle - all modules
supplied with keyAuthority are supplied with firmware revision
2.22.6 or later.

Any nFast Ultra or nForce Ultra module - as these either have no
nCipher key management or are supplied with firmware revision
2.22.6 or later.

Any nCipher MiniHSM or MiniHSM PCI, as these are supplied with firmware
revision 2.22.6 or later.

Any acceleration only module, that is all nFast modules except nFast-KM
or nFast-CA modules which are key management modules. 

Any nForce or nShield module used purely for acceleration - though nCipher 
recommends upgrading firmware in order to prevent the issue becoming 
relevant if these modules are used for key management in the future.

Any nToken. nTokens only have sufficient functionality to authorize the 
communication between the host and netHSM; this vulnerability does not enable 
an attacker to steal any application or Security World infrastructural keys 
from an nToken.

The pdfProof client plug-in software is not affected although any
bundled DSE200s *are* affected.

4. Who *Is* Affected 
- --------------------

All customers not excluded by one of the clauses in Section 3 above
and using any of the following nCipher product lines are affected:

  - nShield PCI or SCSI
  - nForce PCI or SCSI
  - netHSM
  - payShield PCI, SCSI and net
  - SecureDB
  - DSE200 Document Sealing Engine (including those bundled with pdfProof)
  - Time Source Master Clock (TSMC)
  - Any product bundle or developer kit containing one or more of the 
    above products


5. How To Tell If You Are Affected 
- ----------------------------------

   Appliances secured by nCipher:
   ------------------------------

Contact your appliance vendor.

   PCI and SCSI HSMs:
   ------------------

Ensure all modules are in operational mode. Run the enquiry program
(C:\nfast\bin\enquiry or /opt/nfast/bin/enquiry) and examine the output.

For each module, make the following checks:

1. Ensure the `mode' field reads `operational'.
   If you are unsure how to place a module into Operational mode, 
   consult your user documentation.

2. Examine the `version' field.  The relevant part of the enquiry
   output will appear similar to this:

        Module #1:
         enquiry reply flags  none
         enquiry reply level  Six
         serial number        XXXX-XXXX-XXXX
         mode                 operational
         version                    2.22.6
...
        
  If the first number in the version field is 2 and the second number is
  greater than or equal to 22, as in the 2.22.6 shown above, then that
  module is *NOT* affected.

  If the version is one of: 1.54.28, 1.70.2, 1.77.100, 2.12.9, or 2.18.15
  the module has already been upgraded with the fix for this advisory and 
  is *NOT* affected.
    
  Otherwise, that module *IS* affected.


   DSE 200 and TSMC:
   -----------------

All releases of DSE 200 and TSMC are vulnerable to these attacks.


   Network-attached HSMs:
   ----------------------

Using the rotary selector and the soft keys on the front panel, select
"HSM" from the main menu, then "HSM Information," and then "Display details"
(this should appear as 2-2-1 in the top corner of the panel).

Rotate the knob until the [module #1] section of the enquiry output is
located.  Navigate down to the module's "version" number, which will appear
similar to this:

        Module #1:
         enquiry reply flags  none
         enquiry reply level  Six
         serial number        XXXX-XXXX-XXXX
         mode                 operational
         version                    2.22.6
...

If the first number in the version field is 2 and the second number is
greater than or equal to 22, as in the 2.22.6 shown above, then that
module is *NOT* affected.

If the version is 2.12.9 or 2.18.15, the module has already been upgraded 
with the fix for this advisory and is *NOT* affected.

Otherwise, that module *IS* affected.
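
Added example, not part of nCipher's advisory or tooling: the PCI/SCSI and
network-attached version checks above, applied to saved enquiry output. The
sample text, the `maintenance' mode value and all function names are
constructed for illustration.

```python
import re

# Fixed-firmware versions the advisory lists for each product type.
FIXED_PCI_SCSI = {"1.54.28", "1.70.2", "1.77.100", "2.12.9", "2.18.15"}
FIXED_NETHSM = {"2.12.9", "2.18.15"}

# Constructed sample in the layout the advisory shows; not real output.
SAMPLE = """\
Server:
 version              2.18.15
Module #1:
 mode                 operational
 version                    2.22.6
Module #2:
 mode                 operational
 version              2.12.6
Module #3:
 mode                 maintenance
 version              1.77.100
Module #4:
 mode                 operational
 version              1.77.100
"""

def classify(version, mode, fixed):
    """Apply the advisory's per-module rule to one mode/version pair."""
    if mode != "operational":
        return "check mode"      # step 1: the module must be operational
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return "unparsed"
    # Literal rule from the advisory: first number 2, second >= 22.
    if (parts[0] == "2" and int(parts[1]) >= 22) or version in fixed:
        return "not affected"
    return "affected"            # the advisory's "otherwise" case

def check_enquiry(text, fixed=FIXED_PCI_SCSI):
    """Return {module number: verdict}; non-module sections are skipped."""
    modules, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*(.+?):\s*$", line)
        field = re.match(r"\s+(mode|version)\s{2,}(\S+)\s*$", line)
        if head:                 # section header such as "Module #1:"
            mod = re.fullmatch(r"Module #(\d+)", head.group(1))
            current = int(mod.group(1)) if mod else None
        elif field and current is not None:
            modules.setdefault(current, {}).setdefault(*field.groups())
    return {n: classify(f.get("version", ""), f.get("mode", ""), fixed)
            for n, f in modules.items()}
```

Pass FIXED_NETHSM as the second argument when the output comes from a
network-attached HSM, since the advisory lists only 2.12.9 and 2.18.15 as
fixed versions there.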


REMEDY 
- ------

Upgrade the firmware in your nCipher module to a version that fixes these
issues. A detailed table of firmware versions is included in the release
notes accompanying the firmware and checking tool.

nCipher has fixed these issues in the V10 firmware release.

While nCipher recommends that you install the latest firmware, which has
several new features, nCipher realizes that some customers may want to have
the smallest impact on their installation.

nCipher has therefore applied the fix to several different releases allowing
customers to select a version close to their currently installed firmware.

TSMC and DSE200 customers who have installed their own security world 
should upgrade firmware. Users without TSA backup will need to create
new TSA keys and have them certified.

DSE200 customers who are still using the nCipher owned security world should
contact nCipher support as they may need to upgrade their software so that
they can create their own security world. These users will need to create and 
certify new keys.

nCipher *strongly* recommends that all customers upgrade their HSMs to fixed 
firmware.

nCipher does not recommend the upgrade of nTokens at this time, but is making 
a firmware upgrade for nTokens available for the benefit of those customers 
who wish to upgrade their nTokens.

If you upgrade your nToken, you must upgrade to the V9 or V10 host software,
if you have not done so already, to ensure that your upgraded nToken is 
correctly identified by the hardserver process.


SOFTWARE DISTRIBUTION AND REFERENCES 
====================================

You can obtain copies of this advisory, and supporting documentation, from 
the nCipher updates site:

    http://www.ncipher.com/support/advisories/

Due to export control regulations, we are unable to make software updates
generally available on the nCipher web site. Please contact nCipher Support
to obtain updated software.

Updated firmware is available for all nFast/CA, nFast/KM, nForce, nShield 
and netHSM modules as well as payShield, DSE and TSMC products.

The new firmware has been validated by NIST and CSE and will be added to 
the appropriate FIPS 140-1 and FIPS 140-2 certificates simultaneously 
with this advisory.

It is therefore possible to upgrade firmware to a version covered by the 
same FIPS 140 certificate, thereby maintaining the validation status of 
the module.


NCIPHER SUPPORT 
===============

nCipher customers who require updated software, support or further 
information regarding this problem should contact support@xxxxxxxxxxxx

nCipher support can also be reached by telephone:

    Customers in the USA or Canada:   +1 877 994 4008
    Customers in all other countries: +44 1223 723666

Customers in all other countries outside of the USA and Canada can call the
USA number in the event that they receive the advisory outside of UK support
hours (08:00 - 16:30 GMT).


Further Information 
===================

General information about nCipher products:
     http://www.ncipher.com/

nCipher documentation set:
    http://www.ncipher.com/documentation/index.html

If you would like to receive future security advisories from nCipher, please
subscribe to the low volume nCipher security-announce mailing list. To do
this, send a mail with the single word `subscribe' in the message body to:
security-announce-request@xxxxxxxxxxxx

(c) nCipher Corporation Ltd.  2005

All trademarks acknowledged.
nCipher and payShield are trade marks of nCipher Corporation Limited.

$Id: advisory14.txt,v 1.15 2006/02/02 09:24:28 marcus Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

-----END PGP SIGNATURE-----