Smart Cards/Advisories
From openSUSE
Contents |
Smart card security advisories that may require smart card update
In a difference to most standard security fixes, fixing smart card software may be insufficient, if the security incident affects your smart cards.
This page lists these incidents and its advisories.
Fix of weak RSA key created by pkcs11-tool
OpenSC Security Advisory [07-May-2009] CVE-2009-1603
Potentially affected RSA certificates: Certificates created by pkcs11-tool from opensc-0.11.7 using third party pkcs#11 library. It never appeared in openSUSE or SLE, but it was present in the openSUSE Factory and Build Service security:chipcard between March and May 2009
OpenSC includes a tool for testing its PKCS#11 module called pkcs11-tool. This command line tool includes the ability to ask the PKCS#11 module to generate an RSA key pair. In opensc-0.11.7 the tool used default to a key size of 768 bits and a public exponent of 1. Encrypting with such a key would leave the message as plain text.
OpenSC 0.11.7 itself is secure, only if combined with some vendor pkcs#11 modules the problem may come up and the tool will really generate RSA keys with publicExponent 1 instead of 65537.
If you use pkcs11-tool to generate key pair, three conditions are required to experience this error:
1) a smart card that accepts publicExponent of 1
2) a PKCS#11 library that accepts publicExponent of 1
3) a tool that sets publicExponent of 1
OpenSC 0.11.7 contains pkcs11-tool which can be used to create rsa keys and contains a bug thus fullfilling condition 3. OpenSC pkcs#11 library is secure, thus condition 2 is not fullfilled. Only if some vendors pkcs#11 library is used condition 2 is fullfilled. Also the card needs to fullfill condition 1.
If pkcs11-tool is used with the PKCS#11 module included in OpenSC, there is no security issue, as OpenSC PKCS#11 module ignores any public exponent passed to it. Only when pkcs11-tool is used with other third party PKCS#11 Modules the problem comes up.
If you use a third party PKCS#11 module with pkcs11-tool you can use openssl with engine_pkcs11 to create a certificate signing request and then use openssl to analyze that csr, for example:
openssl req -in req.pem -noout -text
...
Exponent: 1 (0x1)
...
Would show the problem. You need to create a new certificate to fix this problem.
Fix of unrestricted access to PIN protected private data objects
OpenSC Security Advisory [26-Feb-2009] CVE-2009-0368
Cards potentially affected: All cards except Oberthur initialized before the security update of SLES <= 11 and openSUSE <= 11.1
If you are using PIN protected private data objects on smart cards, you should update all your cards.
RSA keys, national eID cards and other cards initialised by other software are not affected by this problem. Only blank cards initialised with OpenSC are affected by this problem.
If you are using PIN protected private data objects on smart cards other than Oberthur, and you are initializing these cards using opensc, please read carefully this advisory. Otherwise you can skip it.
Your smart cards initialised with OpenSC are affected by a security vulnerability. All drivers that support PIN protected private data objects except Oberthur driver were affected by a problem, that may cause unrestricted access to these objects.
Security update only improved creating new private data objects. Cards already initialised with such private data objects need to be modified to repair the access control conditions on such cards. One way to do that is to erase the card and re-initialise it, but doing this you would loose all content on the card, including RSA private keys. An alternative is to download the private data object(s) to your PC, delete them on the card, and store them once more on the card with the new, fixed version of OpenSC. This procedure has been tested with success on some cards, but no guaranty of any kind can be given.
WARNING! Only follow this procedure if you know what you are doing.
WARNING! This could damage your card or erase all data on it! No warranty of any kind, you are on your own!
Testing your card:
To create a file with a secret:
echo "This is my secret data" > secret-file
To initialise a blank card:
pkcs15-init --create-pkcs15 --use-default-transport-keys \
--profile pkcs15+onepin --pin 123456 --puk 78907890
To write a private data object to the card:
pkcs11-tool --label "my secret" --type data --write-object secret-file \
--private --login --pin 123456
To see all objects on the card:
pkcs15-tool --dump
This will list the data object, including the path it is stored, e.g.:
"Path: 3f0050154701"
To access such an object with low level tools:
opensc-explorer cd 5015 get 4701
New versions of OpenSC will not allow this to succeed. For older versions the file name is usually 4601 for the first data object (private or not), and it is never protected, thus you can download the content with the get command.
After testing you can erase a card with this command:
pkcs15-init --erase-card --use-default-transport-keys
WARNING AGAIN! Only follow the procedure above if you know what you are doing. This could damage your card or erase all data on it! No warranty of any kind, you are on your own!
Fix of Siemens CardOS M4 initialization with improper access rights
OpenSC Security Advisory [27-Aug-2008] CVE-2008-2235
Cards potentially affected: Cards initialized by OpenSC before the security update of SLES <= 10 and openSUSE <= 11.0 and cards initialized with installer packages SCA and SCB
Users of other smart cards and usb crypto tokens are not affected. Users of Siemens CardOS M4 based smart cards and crypto tokens are not affected, if the card was initialized with some software other than OpenSC.
OpenSC initialized smart cards with Siemens CardOS M4 card operating system without proper access right: the ADMIN file control information in the 5015 directory on the smart card was left to 00 (all access allowed).
Users will need to run "pkcs15-tool -T -U" to test (-T) and update (-U) the security settings on their card.
The new version of OpenSC implements a simple way to verify if a card is affected or not:
pkcs15-tool
has now two new options:
--test-update, -T Test if the card needs a security update
--update, -U Update the card with a security update
Running
pkcs15-tool -T
will either show
fci is up-to-date, card is fine
or
fci is out-of-date, card is vulnerable
If the card is vulnerable, please update the security setting using:
pkcs15-tool -T -U
this will show:
fci is out-of-date, card is vulnerable security update applied with success.
This site uses the YAML CSS framework.
About openSUSE | Disclaimers | Feedback
This page was last modified 12:27, 18 May 2009. This page has been accessed 173 times.
