nCipher Advisory #4: Console Java apps can leak passphrases on Windows

[nCipher Support <support () ncipher com>]

             nCipher[TM] Security Advisory No. 4             
Console Java applications can leak passphrases on Windows
=========================================================

SUMMARY
=======

In certain circumstances, Java[TM] applications using the standard
nCipher ConsoleCallBack class on Windows NT/2000 can be made to leak
smart card passphrases to the current user's shell.

One version of the nCipher command line utility `TrustedCodeTool',
as supplied to CodeSafe[TM] customers, is also affected by this problem.

BACKGROUND
==========

1. Smart cards and passphrases
------------------------------

The master secrets for a Security World are protected by the Administrator
Card Set; application keys can be protected either by the master secrets
(`module protection'), or by further smart cards known as Operator
Card Sets.

Each card can be further protected by a passphrase, which must be
provided before the secret share on the card can be read. In such cases,
the authorization becomes two-factor: `something you have' plus `something
you know'.


2. kmjava and the ConsoleCallBack
---------------------------------

nCipher's suite of development kits under the CipherTools[TM] and CodeSafe
brand names include Java support.  In particular, the `kmjava' component
provides a Java interface to the Security World, and is further used by
the nCipher JCE CSP and CodeSafe/J.

Java programs using the Security World are required to provide a
callback object which is responsible for interacting with the user
during operations which require the loading of a set of smart cards.
kmjava includes the class `com.ncipher.km.nfkm.ConsoleCallBack' which
performs such interactions, and example code demonstrating its use.


ISSUE DESCRIPTION
=================

1. Cause
--------

One of the functions performed by the ConsoleCallBack is the reading of
a passphrase from the user, when the user wishes to load a smart card
which is protected by a passphrase.

The mechanism employed to read this passphrase turns out to be
incompatible with version 1.4.0 of the Java Runtime Environment on Windows
platforms. A passphrase prompt appears as expected, but the calling
program does not resume after the user has entered their passphrase.
If the user subsequently assumes the application has hung and presses
Control-C in an attempt to kill it, their command shell receives the
user's passphrase as if they had typed it there.

2. Impact
---------

A site running Java software on Windows which makes use of the
ConsoleCallBack will find it ceases to work and potentially leaks
passphrases, in the manner described above, if they upgrade from a
previous version of the Java 2 Platform to v1.4.0.

If the user's command shell supports history tracking, the history file
will also contain the entered passphrase if it has been leaked in the 
manner described.

Note that this issue only affects the host the ConsoleCallBack is running
on, and not the HSM.  The security of the HSM is unaffected. However,
an attacker who is able to gain control of sufficient smart cards having
observed their passphrases could gain unauthorized access to application
keys, especially if the smart cards in question form an Administrator
Card Set.

3. Who May Be Affected
----------------------

This problem affects users: 

* that are using nForce or nShield modules, and

* running software which makes use of the ConsoleCallBack, and

* running under version 1.4.0 of the Java Runtime Environment on the
Windows operating system, and

* only in circumstances where this software requires to read passphrases
from the console in order to load a cardset.

This includes users of the Java version of nCipher's `TrustedCodeTool', as
supplied to many CodeSafe customers and end-users.

This problem does not affect KeySafe, nor the original Trusted Code Tool
(`trustedcodetool.exe', as supplied to some early CodeSafe customers)
nor its latest revision (`tct2.exe', currently under limited release).


4. How To Tell If You Are Affected
----------------------------------

It is usually possible to determine the installed version(s) of the Java
Runtime Environment by consulting the `Add/Remove Programs' Control
Panel. At the time of writing, the only known affected versions are
`1.4.0' and `1.4.0_01'; earlier versions are *not* affected.

Be aware that it is possible to install multiple versions of the JRE
on a system, and that certain applications may make use of different
installed versions. If you are in any doubt as to which versions of the
JRE are used by an application, please contact your application vendor.

To determine if you have kmjava installed, examine your system
for the presence of `c:\nfast\lib\versions\kmjava-atv.txt' (or
`lib\versions\kmjava-atv.txt' within the install directory if you have
installed the nCipher software to a non-default location). If this file
is present, so is kmjava; otherwise, you are not affected.

If the smart cards to be read by the application are not protected by
passphrases, you are not affected.


5. Vendor-specific notes
------------------------

* nCipher

The java version of the `TrustedCodeTool', as supplied to many CodeSafe
customers and end-users, is affected by this issue. If you have an early
version of CodeSafe which included `trustedcodetool.exe', or a very
recent version which contains `tct2.exe', you are *not* affected.

A software update is in development and will be made available via
nCipher Support in due course.

* Others

To determine whether a third-party application makes use of the
ConsoleCallBack, please contact the application vendor. (As a general
rule, if an application never requires to load smart cards, or is
completely GUI-based, it is unlikely to be affected. Certain applications
do not support the use of passphrases on smart cards, and are similarly
not affected.)


REMEDY
======

1. Users who are NOT running an affected version of the JRE
-----------------------------------------------------------

We advise users to not upgrade their installation of the Java Runtime
Environment to version 1.4.0 until revised versions of kmjava and
supporting components are available, or if advised by their application
vendor(s) that it is safe to do so.

2. Users who ARE running an affected version of the JRE
-------------------------------------------------------

We advise users who are running a potentially affected application on
an affected version of the JRE to revert to an earlier version of the
JRE if their application supports it.

If the application and site security policy allow, it may be reasonable
to remove passphrase protection from the smart cards to be loaded.
Otherwise, please contact the application vendor for advice.

3. CodeSafe users
-----------------

We advise users of the nCipher Java `TrustedCodeTool' not to operate it
with JRE version 1.4.0 if the cardset(s) to be loaded are protected by
passphrases.  (It remains supported under JRE versions 1.2.x and 1.3.x.)

It is safe to use the TCT if the smart cards to be loaded are not
passphrase protected, or if the passphrase protection is removed (provided
your site security policy allows this).

A software update is in development and will be made available via
nCipher Support in due course.

4. Users who have inadvertently leaked smart card passphrases
-------------------------------------------------------------

We recommend users change any leaked passphrase(s) at once.  Please
refer to the section entitled `Changing a pass phrase' in the nForce
or nShield User Guide, and any documentation to this effect provided by
your application vendor, if applicable.

We further advise users to determine how many passphrases have been
leaked and consider whether this may have compromised the security of
their keys and the impact this may have on their security assumptions.


SECURITY USAGE NOTES
====================

It is generally good practice to employ multiple-factor authorization in
security systems.

A passphrase-protected smart card combines the requirement for "something
you have" with "something you know", provided the passphrase is difficult
to guess. (If written down, this becomes "two things you have".)

The Security World concept does not mandate the use of passphrases; we
recommend that Security Officers formulate an appropriate authorization
policy based on the individual circumstances of their site.


SOFTWARE DISTRIBUTION AND REFERENCES
====================================

You can obtain copies of this advisory, patch kits (when available)
for all nCipher supported platforms, and supporting documentation,
from the nCipher updates site:

    http://www.ncipher.com/support/advisories/

Further information
-------------------

General information about nCipher products:
    http://www.ncipher.com/

nCipher Developer's Guide and nCipher Developer's Reference
    http://www.ncipher.com/documentation.html

nCipher Support
---------------

nCipher customers who require support or further information regarding
this problem should contact support () ncipher com.


(c) nCipher Corporation Ltd. 2002

 All trademarks acknowledged.  Java and all Java-based marks are
 trademarks or registered trademarks of Sun Microsystems, Inc. in the
 U.S. and other countries.

$Id: advisory4.txt,v 1.6 2002/06/14 14:30:46 ryounger Exp $