Reported May 13, 2002, by nCipher.
· Cryptographic keys generated by nCipher’s MSCAPI CSP Install Wizard 5.50
When a user creates an Operator Card Set with the Install Wizard, nCipher CSP key generation behaves as the user requests. If the user selects Cardset Protect in the Install Wizard but doesn't create a new Operator Card Set, the wizard incorrectly configures the nCipher CSPs to use module protection for all keys that the user subsequently creates. In an affected installation, any application key that the nCipher CSP generates is protected by the module alone, rather than by the combination of the Operator Card Set and the module. An attacker who gains control of any nCipher module that has been programmed into the key's security world can gain unauthorized access to such a key, because the module doesn't require any further smart-card authorization.
Discovered by nCipher.