
nCipher PKCS#11 Symmetric Message Signature Verification Vulnerability

nCipher produces a range of hardware and software security products which support a range of cryptographic operations. A vulnerability has been reported in the nCipher cryptographic library.

When messages signed with symmetric keys according to the RSA PKCS#11 specification are checked, invalid signatures may not be detected. The C_Verify function will return 'CKR_OK' regardless of the validity of the signature.

Applications that depend on this functionality may then fail to detect invalid signatures. The consequences of exploitation depend on the product that uses the vulnerable library. It is likely that modification or injection of data in encrypted communications is possible.

This issue exists in versions 1.2.0 and later of the nCipher cryptographic library.
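
A start-up self-test that catches a verifier which accepts invalid signatures, as described above. This is an added example, not code from the advisory or from nCipher. The `verify_fn` wrapper type, `verify_selftest`, the two stand-in verifiers and the sample message and MAC bytes are hypothetical and constructed here; in an application the wrapper would call the token's C_VerifyInit and C_Verify.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-ins mirroring PKCS#11 values, so this builds without pkcs11.h. */
typedef unsigned long CK_RV;
#define CKR_OK                0x00000000UL
#define CKR_SIGNATURE_INVALID 0x000000C0UL

/* Hypothetical wrapper type: the application's C_VerifyInit + C_Verify
   sequence for one symmetric key, reduced to (data, signature) -> CK_RV. */
typedef CK_RV (*verify_fn)(const unsigned char *data, size_t data_len,
                           const unsigned char *sig, size_t sig_len);

/* 0: good signature accepted and every single-bit corruption rejected.
   1: good signature rejected (or unsupported length).
   2: a corrupted signature was accepted, the behaviour in the advisory. */
int verify_selftest(verify_fn verify, const unsigned char *data, size_t data_len,
                    const unsigned char *good_sig, size_t sig_len)
{
    unsigned char bad[64];
    if (sig_len == 0 || sig_len > sizeof bad) return 1;
    if (verify(data, data_len, good_sig, sig_len) != CKR_OK) return 1;
    for (size_t bit = 0; bit < sig_len * 8; bit++) {
        memcpy(bad, good_sig, sig_len);
        bad[bit / 8] ^= (unsigned char)(1u << (bit % 8));
        if (verify(data, data_len, bad, sig_len) == CKR_OK) return 2;
    }
    return 0;
}

/* Constructed sample input; the MAC bytes are arbitrary, not a real MAC. */
const unsigned char MSG[] = "constructed sample message";
const unsigned char MAC[8] = {0x3a, 0x91, 0x07, 0xc4, 0x5e, 0xd2, 0x88, 0x1f};

/* Stand-in for a sound token: accepts only the exact sample MAC. */
CK_RV sound_verify(const unsigned char *d, size_t dl, const unsigned char *s, size_t sl)
{
    (void)d; (void)dl;
    if (sl != sizeof MAC) return CKR_SIGNATURE_INVALID;
    return memcmp(s, MAC, sl) == 0 ? CKR_OK : CKR_SIGNATURE_INVALID;
}

/* Stand-in modelling the reported behaviour: CKR_OK for any signature. */
CK_RV always_ok_verify(const unsigned char *d, size_t dl, const unsigned char *s, size_t sl)
{
    (void)d; (void)dl; (void)s; (void)sl;
    return CKR_OK;
}

int main(void) { return verify_selftest(sound_verify, MSG, sizeof MSG - 1, MAC, sizeof MAC); }
```

An application that treats any non-zero result as fatal refuses to start against a library whose verification always succeeds.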







 

Copyright 2008, SecurityFocus