nCipher Advisory #14: Presence of flaws in firmware security Mar 09 2006 12:26AM
nCipher Support (technotifications us ncipher com)

nCipher Security Advisory No. 14
Presence of flaws in firmware security


nCipher is publishing three advisories numbered 12, 13 and 14
simultaneously. You are advised to review all three before taking
any remedial action.


During a major code review carried out for a recent release, nCipher
discovered some undesirable features in the nCore code base.

While none of these features could lead to the accidental exposure of key
material, if discovered by a skilled cryptographer, they open lines of attack
which enable key values to be determined with less effort than would be
expected if the only attack were breaking a key by exhaustive search.

All attacks require detailed knowledge of the nCipher code base, making it
extremely unlikely that any attacker would be able to take advantage of
these features.

nCipher is making available updated firmware to fix this potential

Use of some keys may be affected by the upgrade. nCipher has written a
utility that can detect these keys in a Security World. nCipher recommends
that you run this utility before making the upgrade.


1. Cause
--------

During the development of the module firmware, various options were included
for testing purposes. Although these options provide no special access to
key material, they do allow generation of keys with reduced security

All these options should have been removed from the code prior to proper
release. The presence of these options opens up certain cryptographic
possibilities, the details of which are not published here.

2. Impact
---------

If an attacker is able to construct messages of the correct form to exploit
these issues, they may be able to obtain extra information about keys. That
information lets them mount attacks that would discover the key value with
less effort than would be expected if they had to resort to an exhaustive
search.

All keys are vulnerable to these attacks.

nCipher has issued new firmware which prevents these attacks.

In most cases you can upgrade to the new fixed firmware without noticing any
changes. However, if you have keys of a certain special form you may find
that they may not be usable after an upgrade to fixed firmware.

nCipher supplies the fixed firmware with a tool that examines public keys in
an nCipher Security World to determine whether the Security World contains
any keys of this type.

If you use a Security World to store keys, nCipher recommends you run the
tool before upgrading. If the tool finds affected keys, or if you do not
use a Security World, contact nCipher support for detailed advice.
Worldwide contact information is at the bottom of this advisory.

3. Who is *Not* Affected
------------------------

The following products are not affected by this advisory, or
by advisories 12 or 13:

Any nCipher module supplied with or upgraded to V10 firmware 2.22.6
or later.

Any module supplied as part of a keyAuthority bundle - all modules
supplied with keyAuthority are supplied with firmware revision
2.22.6 or later.

Any nFast Ultra or nForce Ultra module - as these either have no
nCipher key management or are supplied with firmware revision
2.22.6 or later.

Any nCipher MiniHSM or MiniHSM PCI, as these are supplied with firmware
revision 2.22.6 or later.

Any acceleration-only module, that is, all nFast modules except nFast-KM
or nFast-CA modules, which are key management modules.

Any nForce or nShield module used purely for acceleration - though nCipher
recommends upgrading firmware in order to prevent the issue becoming
relevant if these modules are used for key management in the future.

Any nToken. nTokens only have sufficient functionality to authorize the
communication between the host and netHSM; this vulnerability does not enable
an attacker to steal any application or Security World infrastructural keys
from an nToken.

The pdfProof client plug-in software is not affected although any
bundled DSE200s *are* affected.

4. Who *Is* Affected
--------------------

All customers not excluded by one of the clauses in Section 3 above
and using any of the following nCipher product lines are affected:

- nShield PCI or SCSI
- nForce PCI or SCSI
- netHSM
- payShield PCI, SCSI and net
- SecureDB
- DSE200 Document Sealing Engine (including those bundled with pdfProof)
- Time Source Master Clock (TSMC)
- Any product bundle or developer kit containing one or more of the
  above products

5. How To Tell If You Are Affected
----------------------------------

Appliances secured by nCipher:

Contact your appliance vendor.


Ensure all modules are in operational mode. Run the enquiry program
(C:\nfast\bin\enquiry or /opt/nfast/bin/enquiry) and examine the output.

For each module, make the following checks:

1. Ensure the `mode' field reads `operational'.
If you are unsure how to place a module into Operational mode,
consult your user documentation.

2. Examine the `version' field. The relevant part of the enquiry
output will appear similar to this:

Module #1:
enquiry reply flags none
enquiry reply level Six
serial number XXXX-XXXX-XXXX
mode operational
version 2.22.6

If the first number in the version field is 2 and the second number is
greater than or equal to 22, as in the 2.22.6 shown above, then that
module is *NOT* affected.

If the version is one of 1.54.28, 1.70.2, 1.77.100, 2.12.9, or 2.18.15,
the module has already been upgraded with the fix for this advisory and
is *NOT* affected.

Otherwise, that module *IS* affected.
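
The host-side check above, as an added example (not nCipher's code or checking tool): a Python script that applies the advisory's mode and version rule to each module section of enquiry output. The sample output is constructed in the layout shown above; the `maintenance` mode value and the verdict strings are assumptions.

```python
import re

# Versions the advisory lists as already carrying the fix.
FIXED_VERSIONS = {"1.54.28", "1.70.2", "1.77.100", "2.12.9", "2.18.15"}

# Constructed sample in the advisory's layout; "maintenance" is an assumed value.
SAMPLE = """\
Module #1:
 mode operational
 version 2.22.6
Module #2:
 mode operational
 version 2.18.15
Module #3:
 mode operational
 version 2.18.13
Module #4:
 mode maintenance
 version 2.12.9
"""

def parse_modules(text):
    modules, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if h := re.fullmatch(r"Module #(\d+):", line):
            current = modules.setdefault(int(h.group(1)), {})
        elif line.endswith(":"):
            current = None  # some other section, not a module
        elif current is not None and (f := re.match(r"(mode|version)\s+(\S+)", line)):
            current.setdefault(*f.groups())  # keep the first value seen
    return modules

def classify(fields):
    # Advisory rule: valid only in operational mode; 2.x with x >= 22 or a listed fix.
    if fields.get("mode") != "operational":
        return "recheck: not in operational mode"
    version = fields.get("version", "")
    parts = re.match(r"(\d+)\.(\d+)", version)
    if not parts:
        return "recheck: no usable version"
    if (int(parts[1]) == 2 and int(parts[2]) >= 22) or version in FIXED_VERSIONS:
        return "not affected"
    return "affected"

def report(text):
    return {n: classify(f) for n, f in sorted(parse_modules(text).items())}

if __name__ == "__main__":
    print("\n".join(f"Module #{n}: {v}" for n, v in report(SAMPLE).items()))
```

To check a real host, pass the captured text output of the enquiry program to `report()` in place of `SAMPLE`.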

DSE 200 and TSMC:

All releases of DSE 200 and TSMC are vulnerable to these attacks.

Network-attached HSMs:

Using the rotary selector and the soft keys on the front panel, select
"HSM" from the main menu, then "HSM Information," and then "Display details"
(this should appear as 2-2-1 in the top corner of the panel).

Rotate the knob until the [module #1] section of the enquiry output is
located. Navigate down to the module's "version" number, which appears
similar to this:

Module #1:
enquiry reply flags none
enquiry reply level Six
serial number XXXX-XXXX-XXXX
mode operational
version 2.22.6

If the first number in the version field is 2 and the second number is
greater than or equal to 22, as in the 2.22.6 shown above, then that
module is *NOT* affected.

If the version is 2.12.9 or 2.18.15, the module has already been upgraded
with the fix for this advisory and is *NOT* affected.

Otherwise, that module *IS* affected.

------

Upgrade the firmware in your nCipher module to a version that fixes these
issues. A detailed table of firmware versions is included in the release
notes accompanying the firmware and checking tool.

nCipher has fixed these issues in the V10 firmware release.

While nCipher recommends that you install the latest firmware, which has
several new features, nCipher realizes that some customers may want to have
the smallest impact on their installation.

nCipher has therefore applied the fix to several different releases allowing
customers to select a version close to their currently installed firmware.

TSMC and DSE200 customers who have installed their own security world
should upgrade firmware. Users without TSA backup will need to create
new TSA keys and have them certified.

DSE200 customers who are still using the nCipher owned security world should
contact nCipher support as they may need to upgrade their software so that
they can create their own security world. These users will need to create and
certify new keys.

nCipher *strongly* recommends that all customers upgrade their HSMs to fixed

nCipher does not recommend the upgrade of nTokens at this time, but is making
a firmware upgrade for nTokens available for the benefit of those customers
who wish to upgrade their nTokens.

If you upgrade your nToken, you must upgrade to the V9 or V10 host software
(if you have not done so already) to ensure that your upgraded nToken is
correctly identified by the hardserver process.


You can obtain copies of this advisory, and supporting documentation, from
the nCipher updates site:


Due to export control regulations, we are unable to make software updates
generally available on the nCipher web site. Please contact nCipher Support
to obtain updated software.

Updated firmware is available for all nFast/CA, nFast/KM, nForce, nShield
and netHSM modules as well as payShield, DSE and TSMC products.

The new firmware has been validated by NIST and CSE and will be added to
the appropriate FIPS 140-1 and FIPS 140-2 certificates simultaneously
with this advisory.

It is therefore possible to upgrade firmware to a version covered by the
same FIPS 140 certificate, thereby maintaining the validation status of
the module.


nCipher customers who require updated software, support or further
information regarding this problem should contact support (at) ncipher (dot) com.

nCipher support can also be reached by telephone:

Customers in the USA or Canada: +1 877 994 4008
Customers in all other countries: +44 1223 723666

Customers in all other countries outside of the USA and Canada can call the
USA number in the event that they receive the advisory outside of UK support
hours (08:00 - 16:30 GMT).

Further Information

General information about nCipher products:

nCipher documentation set:

If you would like to receive future security advisories from nCipher, please
subscribe to the low volume nCipher security-announce mailing list. To do
this, send a mail with the single word `subscribe' in the message body to:
security-announce-request (at) ncipher (dot) com.

(c) nCipher Corporation Ltd. 2005

All trademarks acknowledged.
nCipher and payShield are trade marks of nCipher Corporation Limited.

$Id: advisory14.txt,v 1.15 2006/02/02 09:24:28 marcus Exp $