Authorization Vulnerability in nCipher MSCAPI CSP Install Wizard 5.50
The nCipher MSCAPI CSP Install Wizard 5.50 incorrectly sets up the nCipher CSPs to use module protection for all keys that the user subsequently creates.
May 16, 2002
Reported May 13, 2002, by nCipher.
VERSION AFFECTED
· Cryptographic keys generated by nCipher’s MSCAPI CSP Install Wizard 5.50
DESCRIPTION
When a user creates an Operator Card Set with the Install Wizard, the nCipher CSP key generation behaves as the user requests. If the user selects Cardset Protect from the Install Wizard but doesn't create a new Operator Card Set, the wizard incorrectly sets up the nCipher CSPs to use module protection for all keys that the user subsequently creates. If this vulnerability affects the user, any application key that the nCipher CSP generates will be incorrectly protected by the module alone, rather than by a combination of the Operator Card Set and module. An attacker who gains control of any nCipher module that has been programmed into the key's security world can gain unauthorized access to this key, because the nCipher module doesn't require any further smart-card authorization.
VENDOR RESPONSE
The vendor, nCipher, has released an advisory that recommends the corrective action a user should take.
CREDIT
Discovered by nCipher.