Reported May 13, 2002, by nCipher.
VERSION AFFECTED
· Cryptographic keys generated by nCipher’s MSCAPI CSP Install Wizard 5.50
DESCRIPTION
When a user creates an Operator Card Set with the Install Wizard, the nCipher CSP key
generation behaves as the user requests. If the user selects Cardset Protect
from the Install Wizard but doesn't create a new Operator Card Set, the wizard
incorrectly sets up the nCipher CSPs to use module protection for all keys that
the user subsequently creates. If this vulnerability affects the user, any
application key that the nCipher CSP generates will be incorrectly protected by
the module alone, rather than by a combination of the Operator Card Set and
module. An attacker who gains control of any nCipher module that has been
programmed into the key's security world can gain unauthorized access to this
key, because the nCipher module doesn't require any further smart-card
authorization.
VENDOR RESPONSE
The vendor, nCipher, has released an advisory that recommends the corrective action a user should take.
CREDIT
Discovered by nCipher.