
====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN107
_____________________________________________________________________

DATE                : 20/03/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running the Legion of the Bouncy Castle
                     cryptographic library (Java and C#, including Android).

=====================================================================
https://www.kb.cert.org/vuls/id/306792
_____________________________________________________________________

Vulnerability Note VU#306792

Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash
collisions

Original Release date: 19 March 2018 | Last revised: 19 March 2018


Overview

Bouncy Castle BKS version 1 keystore files use an HMAC keyed with only 16
bits, which allows an attacker to brute-force the MAC key of a BKS-V1
keystore file in seconds, regardless of the password chosen.


Description

Bouncy Castle is a cryptographic library for C# and Java applications,
including Android applications. BKS is a keystore format, which is
designed to function similarly to a Sun/Oracle JKS keystore. BKS files
can contain public keys, including certificates, as well as private
keys. BKS files rely on password-based encryption to provide
confidentiality and integrity protections to the keystore contents.

The first version of the BKS format contains a design flaw in the size of
the key used to protect the data inside the keystore. The BKS integrity
check is an HMAC built on SHA-1, whose output is 160 bits. In an RFC 7292
(PKCS #12) compliant construction, the MAC key is the same size as the
hash output, so the BKS MAC key should be 160 bits. However, the Bouncy
Castle code for version 1 BKS files derives a MAC key of only 16 bits.
Regardless of password complexity, a version 1 file can therefore be
protected by only 65,536 distinct MAC keys. An attacker does not need to
guess the password at all: trying each of the 65,536 key values against
the stored MAC takes only seconds, and any candidate password that derives
the same 16-bit key also passes the integrity check, whether or not it is
the password that was originally set.
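The mechanism above, as an added example that is not part of this note
and not Bouncy Castle's own code. It models the store MAC as HMAC-SHA1
keyed with a value derived by the PKCS #12 KDF (RFC 7292 Appendix B.2,
diversifier ID=3 for MAC keys) from the store password and a salt, with
version 1 deriving a 2-byte key and version 2 a 20-byte key. The store
bytes, salt, passwords and iteration count are constructed for the
demonstration; the real BKS file layout is not reproduced.

```python
# Added example, not Bouncy Castle code: a model of the BKS store MAC as the
# advisory describes it, plus the 16-bit key search it makes possible.
# Assumed: MAC = HMAC-SHA1 over the store bytes, keyed with a value derived by
# the PKCS#12 KDF (RFC 7292 Appendix B.2, ID=3) from the store password and a
# salt; V1 derives a 2-byte key, V2 a 20-byte key. Store bytes, salt, passwords
# and iteration count are constructed; the real BKS file layout is not modelled.
import hashlib
import hmac

SHA1_LEN = 20    # u: SHA-1 output size in bytes
SHA1_BLOCK = 64  # v: SHA-1 block size in bytes
ID_MAC = 3       # RFC 7292 B.2 diversifier byte for MAC keys


def pkcs12_password_bytes(password: str) -> bytes:
    """BMPString form used by PKCS#12: UTF-16BE plus a two-byte NUL terminator.
    Bouncy Castle (PKCS12PasswordToBytes) maps the empty password to no bytes."""
    if not password:
        return b""
    return password.encode("utf-16-be") + b"\x00\x00"


def _expand(x: bytes) -> bytes:
    """Repeat x up to the next multiple of the block size (RFC 7292 B.2 steps 2-3)."""
    if not x:
        return b""
    length = SHA1_BLOCK * (-(-len(x) // SHA1_BLOCK))
    return (x * (length // len(x) + 1))[:length]


def pkcs12_kdf(password: bytes, salt: bytes, iterations: int, id_byte: int, n: int) -> bytes:
    """PKCS#12 KDF (RFC 7292 Appendix B.2) with SHA-1, returning n bytes."""
    d = bytes([id_byte]) * SHA1_BLOCK                     # step 1: diversifier D
    i_buf = bytearray(_expand(salt) + _expand(password))  # steps 2-4: I = S || P
    out = b""
    for _ in range(-(-n // SHA1_LEN)):                    # step 5: ceil(n/u) rounds
        a = hashlib.sha1(d + bytes(i_buf)).digest()       # step 6.A: A_i = H^r(D || I)
        for _ in range(iterations - 1):
            a = hashlib.sha1(a).digest()
        out += a
        # steps 6.B-C: B = A_i repeated to v bytes; every v-byte block of I += B + 1
        b = int.from_bytes((a * (SHA1_BLOCK // SHA1_LEN + 1))[:SHA1_BLOCK], "big") + 1
        for j in range(0, len(i_buf), SHA1_BLOCK):
            block = int.from_bytes(i_buf[j:j + SHA1_BLOCK], "big")
            i_buf[j:j + SHA1_BLOCK] = ((block + b) % (1 << (8 * SHA1_BLOCK))).to_bytes(SHA1_BLOCK, "big")
    return out[:n]                                        # steps 7-8


def mac_key(password: str, salt: bytes, iterations: int, version: int) -> bytes:
    """V1 derives only 2 bytes (16 bits) of MAC key; V2 derives the full 20 bytes."""
    key_len = 2 if version == 1 else SHA1_LEN
    return pkcs12_kdf(pkcs12_password_bytes(password), salt, iterations, ID_MAC, key_len)


def store_mac(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def brute_force_v1_mac_key(data: bytes, mac: bytes):
    """Walk the whole 16-bit key space; no password guessing and no KDF involved."""
    for k in range(1 << 16):
        key = k.to_bytes(2, "big")
        if hmac.compare_digest(store_mac(data, key), mac):
            return key
    return None


def demo(password="correct horse battery staple", version=1):
    """Build a store MAC under the given version, then run the 16-bit search."""
    data = b"constructed store bytes: alias=server, cert=..., key=..."      # constructed
    salt = bytes.fromhex("00112233445566778899aabbccddeeff1122334455")   # constructed
    iterations = 1024                                                    # constructed
    key = mac_key(password, salt, iterations, version)
    mac = store_mac(data, key)
    recovered = brute_force_v1_mac_key(data, mac)
    return {
        "key_bits": 8 * len(key),
        "key_space": 1 << (8 * len(key)),
        "recovered": recovered,
        "success": recovered == key,
    }


if __name__ == "__main__":
    for pw, ver in [("a", 1), ("correct horse battery staple", 1),
                    ("correct horse battery staple", 2)]:
        r = demo(pw, ver)
        print(f"V{ver} password={pw!r}: key space 2^{r['key_bits']}, "
              f"16-bit search {'recovered the MAC key' if r['success'] else 'found nothing'}")
```

The search in brute_force_v1_mac_key never evaluates the KDF, so the
iteration count and the password length are irrelevant to its cost: 65,536
HMAC computations finish in well under a second. Against the version 2 key
the same search finds nothing, because the space is 2^160 rather than
2^16.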

Starting with Bouncy Castle 1.47, released on March 30, 2012, the BKS
keystore format was updated to version 2, which uses a 160-bit MAC key.
Starting with Bouncy Castle 1.49, optional support for the original
format was reintroduced as "BKS-V1."


Impact

A BKS file created with Bouncy Castle 1.46 or earlier, or written in the
"BKS-V1" format with 1.49 or later, has insufficient protection against
brute-force cracking. An attacker with a copy of such a keystore file can
defeat the password check in seconds, which allows access to the keystore
contents.


Solution

Do not rely on version 1 BKS keystore files

BKS version 1 keystore files are not cryptographically sound. Any private
key that resides in a BKS-V1 keystore should be considered compromised if
an attacker has had access to the keystore file. Regenerate these private
keys and store them in a more robust keystore format. Files written by
Bouncy Castle 1.46 or earlier, and files explicitly written in the
"BKS-V1" format by 1.49 or later, are affected; stores written in the
version 2 "BKS" format by 1.47 or later use the full 160-bit MAC key.


Vendor Information

Vendor                         Status    Date Notified   Date Updated
Legion of the Bouncy Castle    Affected   08 Mar 2018   19 Mar 2018


CVSS Metrics

Group           Score   Vector
Base            3.6     AV:L/AC:L/Au:N/C:P/I:P/A:N
Temporal        3.0     E:F/RL:OF/RC:C
Environmental   3.0     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND


References

    https://insights.sei.cmu.edu/cert/2018/03/the-curious-case-of-the-bouncy-castle-bks-passwords.html
    https://www.bouncycastle.org/releasenotes.html
    https://cryptosense.com/blog/bouncycastle-keystore-security/
    https://tools.ietf.org/html/rfc7292#appendix-A


Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.


Other Information

    CVE IDs: CVE-2018-5382
    Date Public: 20 March 2012
    Date First Published: 19 March 2018
    Date Last Updated: 19 March 2018
    Document Revision: 12


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



