nCipher Advisory #5: C_Verify validates incorrect symmetric signatures

[nCipher Support <technotifications () us ncipher com>]

                 nCipher Security Advisory No. 5
        C_Verify validates incorrect symmetric signatures
        -------------------------------------------------

SUMMARY
-------

When C_Verify is called on a symmetric signature, the nCipher PKCS#11 
cryptographic library always returns CKR_OK, which indicates a valid
signature, even if the signature is invalid.


BACKGROUND
----------

nCipher supplies a cryptographic library that is compatible with the
RSA Laboratories PKCS#11 Cryptographic Token Interface Standard.

As well as standard PKCS#11 message signing algorithms, in which a
message is signed with a private key and verified with a public
key, the nCipher PKCS#11 implementation also supports symmetric
message signing (also called a MAC, or Message Authentication Code),
in which the message is signed and verified by the same key.

Message signing algorithms ensure the integrity of messages.  A message
signature should only verify correctly if the message to which it is
attached has not been tampered with.

If a signature is verified as correct when it is, in fact, invalid, it
is possible for an attacker to tamper with or forge messages intended
for the recipient.


ISSUE DESCRIPTION
-----------------

1. Cause
--------

The code in the nCipher PKCS#11 library that deals with the C_Verify
call contains a mistake in the error-checking routine when used with 
a symmetric verification key.

The software incorrectly returns CKR_OK after detecting an invalid
signature, when it should return CKR_SIGNATURE_INVALID.


2. Impact
---------

Any attempt at verifying a signature that was generated with a
symmetric key (i.e.  a MAC) that would otherwise have failed with
CKR_SIGNATURE_INVALID instead returns with CKR_OK, incorrectly 
indicating a valid signature.

As mentioned above, this enables attackers to tamper with or forge
messages intended for systems using the nCipher PKCS#11 library.


3. Who Is *Not* Affected
------------------------

You are *not* affected if:

* You are using nCipher's nFast 75, nFast 150, nFast 300 or
  nFast 800 product you are not affected.

* You are using nCipher's nForce (previously called nFast/KM) or
  nShield (previously called nFast/CA) modules with any interface
  other than nCipher's PKCS#11 library.  For example the nCipher
  nCore, CHIL, BHAPI, JCE and MSCAPI CSP interfaces are *not*
  affected.

* You are using a PKCS#11 implementation not supplied by nCipher.

* You are verifying only DSA and RSA signatures, as this bug
  only applies to signatures using symmetric mechanisms.

* You are using an application with the nCipher PKCS#11 library
  that does not use symmetric signatures.

* You are using iPlanet, as iPlanet performs all symmetric cryptography
  operations internally.


4. Who May Be Affected
----------------------

The bug has been in all versions of the nCipher PKCS#11 implementation
since symmetric message signing mechanisms were introduced, in the latter
part of 1998.  All versions of the library since version 1.2.0 are
affected.

The MAC is a fairly common protocol operation; it is used by SSLv2,
SSH and IPSEC amongst others.

* Web servers *may* be affected (except iPlanet; see above)

* IPSEC users *may* be affected.


5. How To Tell If You Are Affected
----------------------------------

a) Turn on nCipher PKCS#11 library debugging by setting CKNFAST_DEBUG=9
   and CKNFAST_DEBUGFILE=<name of debug file> in your environment.

b) Run your application and check that the log file is produced.

c) Search for occurrences of C_VerifyInit in the logfile. 

The application is affected if these calls are made with any of the
following mechanisms:

    CKM_DES_MAC
    CKM_DES_MAC_GENERAL
    CKM_DES3_MAC
    CKM_DES3_MAC_GENERAL
    CKM_CAST5_MAC
    CKM_CAST5_MAC_GENERAL
    CKM_CAST128_MAC
    CKM_CAST128_MAC_GENERAL


REMEDY
------

* If you do *not* fall into one of the `Not Affected' categories in
  section 3, you should check whether you are affected, as described
  in section 5.

* If you *are* affected, or aren't able to confirm that you are not
  affected, we recommend that you upgrade to the fixed version of the
  nCipher-supplied PKCS#11 library as soon as possible - see below.

* If you are not affected you need do nothing, although you may choose
  to upgrade your nCipher-supplied PKCS#11 library in any case.

To ensure that the remedy is complete, nCipher have fully reviewed
the software and tested it for similar errors; no further issues
have been found.


SOFTWARE DISTRIBUTION AND REFERENCES
------------------------------------

You can obtain copies of this advisory, and supporting documentation,
from the nCipher updates site:

    http://www.ncipher.com/support/advisories/

We regret that due to export control regulations, we are unable to
make the software updates themselves available on the web site.
Contact nCipher Support for details on obtaining the updated software.

Updated software is available now for the following platforms:

    Windows, Linux, AIX, Solaris, HP-UX

It will be made available for other platforms as soon as possible.
Please contact nCipher support, so that we can inform you when the
fix is available for your platform.


NCIPHER SUPPORT
---------------

nCipher customers who require updated software, support or further
information regarding this problem should contact support () ncipher com.

nCipher support can also be reached by telephone:

    Customers in the USA or Canada:   +1 781 994 8004
    Customers in all other countries: +44 1223 723675


Further Information
-------------------

General information about nCipher products:
    http://www.ncipher.com/

nCipher Developer's Guide and nCipher Developer's Reference
    http://www.ncipher.com/documentation.html

If you would like to receive future security advisories from nCipher
please subscribe to the low volume nCipher security-announce mailing
list by sending a message with the single word 'subscribe' in the
body to security-announce-request () ncipher com.


(c) nCipher Corporation Ltd.  2002

    All trademarks acknowledged.

$Id: advisory5.txt,v 1.24 2002/08/19 07:57:03 mknight Exp $