3.6 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:P/A:N
4.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
30.7%
Bouncy Castle BKS version 1 keystore files use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS-V1 keystore.
Bouncy Castle is a cryptographic library for C# and Java applications, including Android applications. BKS is a keystore format, which is designed to function similarly to a Sun/Oracle JKS keystore. BKS files can contain public keys, including certificates, as well as private keys. BKS files rely on password-based encryption to provide confidentiality and integrity protections to the keystore contents.
The first version of a BKS file contains a design flaw in the determination of the key size used to protect the data inside of the keystore. A SHA-1 hash function, which is 160 bits in length, is used in the BKS HMAC code. In a RFC7292-compliant cryptographic algorithm, the MAC key size is the same size as the hash function being used. This means that the MAC key size should be 160 bits long for BKS files. However, the Bouncy Castle code for version 1 BKS files uses only 16 bits for the MAC key size. This means that regardless of password complexity, a BKS version 1 file can only have 65,536 different encryption keys. A valid password for a keystore can be bruteforced by attempting each of these key values, which can take only seconds.
Update March 21, 2018:
Keystore-level passwords (and associated keys) are used for keystore integrity verification only. Like JKS files, BKS files do not employ container-level encryption. This means that the metadata for BKS file contents is visible without needing to know a password at all. The actual private keys in a BKS file are protected as expected with the password that the author has specified.
Starting with Bouncy Castle 1.47, which was released on March 30, 2012, the BKS keystore format was updated to version 2, which uses a 160-bit MAC. Starting with Bouncy Castle 1.49, optional support for the original keystore format was reintroduced, as “BKS-V1.”
A BKS file that was created with Bouncy Castle 1.46 or earlier, or 1.49 or later as the “BKS-V1” format will have insufficient protection against bruteforce cracking. This may allow an attacker bypass BKS integrity checking.
Do not rely on version 1 BKS keystore files
BKS version 1 keystore files are not cryptographically sound. A more robust keystore format should be used instead.
306792
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: March 08, 2018 Updated: April 02, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Release: 1.47
Date: 2012, March 30
…
The default MAC for a BKS key store was 2 bytes, this has been upgraded to 20 bytes.
…
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23306792 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 2.1 | AV:L/AC:L/Au:N/C:N/I:P/A:N |
Temporal | 1.7 | E:F/RL:OF/RC:C |
Environmental | 1.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
CVE IDs: | CVE-2018-5382 |
---|---|
Date Public: | 2012-03-20 Date First Published: |
3.6 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:P/A:N
4.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
30.7%