-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

nCipher Security Advisory No. 11
CHIL random cache not cleared when forking
------------------------------------------

SUMMARY
=======

When a program that forks uses CHIL's HWCryptoHook_RandomBytes
function, the function may return the same random data in every child
process for a short time. nCipher's customers often use CHIL to
integrate nCipher hardware with OpenSSL.

ISSUE DESCRIPTION
=================

1. Problem
- ----------

The HWCryptoHook_RandomBytes function is provided by CHIL (Cryptographic
Hardware Interface Library) so that programs can obtain random bytes
from an nCipher hardware module. The function sends the GenerateRandom
command to the module and caches up to 3072 bytes of the output for
future calls to the same function.

If a program calls this function and then forks, each child process
inherits a copy of the same randomness cache. Until a child exhausts
that cache and issues a fresh GenerateRandom command, it runs through
the same sequence of "random" bytes as every other child and as the
parent.

2. Impact
- ---------

The issue only affects host-side software.

Web servers such as Apache which use CHIL to generate random data via
OpenSSL may generate duplicate SSL session IDs for a short period after
new child processes are created. This is unlikely to help an attacker
compromise an SSL session, but it may cause SSL handshakes to fail,
since the server will choose the wrong session keys for a session ID it
has already issued.

Other forking applications using CHIL to generate random data may find
that the child processes use the same randomness cache; the impact
depends on the use they make of this data. If keys are generated on the
host in forked child processes from the inherited cache, those keys may
be identical across children.

3. Who Is *Not* Affected
- ------------------------

You are not affected if you do *not* use CHIL (either directly or via
OpenSSL).
Applications using the nCipher key management patch to OpenSSL 0.9.4,
0.9.5, or 0.9.6 (non-engine) are *not* affected, since the patch does
not use CHIL for random number generation.

Single-process applications are *not* affected.

Multi-threaded applications which do not fork, or which do not use CHIL
in the forked child process, are *not* affected.

Use of GNU Privacy Guard with the nCipher-supplied CHIL patch is *not*
affected.

Customers using nCipher installation media with one of the following CD
version numbers are *not* affected:

  - 8.31 for Sun Solaris
  - 8.32 for any platform other than Microsoft Windows
  - 9.xx for any value of xx
  - 10.xx for any value of xx

This version number can be found on the printed side of nCipher CD
media.

4. Who May Be Affected
- ----------------------

Any application which uses CHIL, either directly or via OpenSSL, and
which forks and generates random data using CHIL in both parent and
child processes is affected.

OpenSSL 0.9.6-ENGINE and 0.9.7 use CHIL for random number generation
(via RAND_bytes or RAND_pseudo_bytes) if the "chil" engine is selected.
Thus the Apache web server with mod_ssl may generate duplicate SSL
session IDs from different child processes if it is using an
ENGINE-enabled version of OpenSSL and is configured with
"SSLCryptoDevice chil".

5. How To Tell If You Are Affected
- ----------------------------------

Run the following command on each existing installation:

  Microsoft Windows:  "c:\opt\nfast\bin\ncversions"
  Other platforms:    "/opt/nfast/bin/ncversions | grep hwcrhk"

Review the output for any lines that begin "hwcrhk" (compare the
version field by field as numbers, not as a string: 1.10.0 is newer
than 1.9.7 even though it sorts before it alphabetically):

  - If no lines mention hwcrhk, or the version string is 1.9.7 or
    greater, the installed software already includes a fix for this
    defect and no further action is required on this installation.
    The exception is an application that has been statically linked
    against the nCipher CHIL library: such an application may log the
    version of the CHIL library it uses to an application-specific
    place.
    If in doubt, or for further information, please contact your
    application vendor.

  - If any such lines exist with a version string less than 1.9.7, the
    installed version of the CHIL library is susceptible to the defect
    described by this advisory. If you are using a susceptible version
    of the CHIL library with Apache and mod_ssl (with
    "SSLCryptoDevice chil" in the Apache configuration file) and the
    "prefork" process model, you are likely to be affected.

If you have a susceptible version of the CHIL library but are unsure
whether your installation is affected, please contact nCipher support
for advice.

REMEDIES
========

Customers with affected installations should either implement the
work-around or upgrade to a version of the CHIL library that does not
contain this defect.

1. Work-around
- --------------

There is a work-around, but it is more intrusive than installing the
new library. The work-around is to discard the contents of the
randomness cache before it is first used by a newly forked child
process. The CHIL randomness cache holds at most 3072 bytes, so a
request for 3072 bytes of random data immediately after forking each
child process will exhaust whatever the child inherited and guarantee a
fresh GenerateRandom command to the module. The request must be made in
the child, before any other use of CHIL randomness in that process, and
the bytes it returns must be thrown away. Only the child needs to do
this: once a child has drained its own copy, the bytes remaining in the
parent's cache are consumed by the parent alone.

2. Recommended Course Of Action
- -------------------------------

All customers with a susceptible version of the CHIL library are
advised to update their nCipher installation at the earliest
opportunity and, if necessary, re-link their applications with the
fixed library. Upgrading the installed software may also be easier in
some circumstances than the detailed analysis required to determine
whether a particular application is affected.
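The failure mode described under "1. Problem" and the cache-draining
work-around above, as an added example that is not nCipher's code: a C
model of the host-side cache. Names such as module_generate_random,
cached_random_bytes, flush_inherited_cache and fork_and_compare are
invented for this demo, /dev/urandom stands in for the module's
GenerateRandom command, and the 3072-byte cache size is the one this
advisory gives. fork_and_compare(0) shows the child repeating the
parent's bytes; fork_and_compare(1) applies the work-around in the child
and the two diverge.

```c
/* Added example, not nCipher's code: a model of CHIL's host-side
 * randomness cache, showing why a forked child repeats the parent's
 * bytes and how the advisory's work-around (request 3072 bytes in each
 * child right after fork, discard them) restores fresh output.
 * Assumption: /dev/urandom stands in for the module's GenerateRandom
 * command; every function name here is invented for the demo. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

#define CACHE_SIZE 3072   /* CHIL cache size, per the advisory */
#define SAMPLE 32         /* bytes each process draws after the fork */

static unsigned char cache[CACHE_SIZE];
static size_t cache_left = 0;   /* unread bytes left in the cache */

/* Stand-in for the GenerateRandom command. Returns 0 on success. */
static int module_generate_random(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    for (size_t got = 0; got < n; ) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Model of HWCryptoHook_RandomBytes: serve from the cache, refilling it
 * from the module only when it runs empty. fork() copies cache[] and
 * cache_left, so every child starts exactly where the parent was. */
static int cached_random_bytes(unsigned char *out, size_t n)
{
    while (n > 0) {
        if (cache_left == 0) {
            if (module_generate_random(cache, CACHE_SIZE) != 0) return -1;
            cache_left = CACHE_SIZE;
        }
        size_t take = n < cache_left ? n : cache_left;
        memcpy(out, cache + (CACHE_SIZE - cache_left), take);
        cache_left -= take; out += take; n -= take;
    }
    return 0;
}

/* The work-around: request a full cache's worth and throw it away. */
static int flush_inherited_cache(void)
{
    unsigned char sink[CACHE_SIZE];
    return cached_random_bytes(sink, sizeof sink);
}

/* Warm the cache, fork, then let parent and child each draw SAMPLE bytes;
 * the child sends its bytes back over a pipe. Returns 1 if both drew the
 * same bytes, 0 if they differ, -1 on error. */
int fork_and_compare(int apply_workaround)
{
    unsigned char warm[16], mine[SAMPLE], theirs[SAMPLE];
    int fds[2], status, rc;
    cache_left = 0;                               /* start clean */
    if (cached_random_bytes(warm, sizeof warm) != 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                /* child: inherits the parent's cache */
        unsigned char buf[SAMPLE];
        close(fds[0]);
        rc = apply_workaround ? flush_inherited_cache() : 0;
        if (rc == 0) rc = cached_random_bytes(buf, sizeof buf);
        if (rc == 0 && write(fds[1], buf, sizeof buf) != (ssize_t)sizeof buf)
            rc = -1;
        _exit(rc == 0 ? 0 : 1);
    }
    close(fds[1]);
    rc = cached_random_bytes(mine, sizeof mine);  /* parent draws too */
    for (size_t got = 0; rc == 0 && got < sizeof theirs; ) {
        ssize_t r = read(fds[0], theirs + got, sizeof theirs - got);
        if (r <= 0) { rc = -1; break; }
        got += (size_t)r;
    }
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || rc != 0)
        return -1;
    return memcmp(mine, theirs, SAMPLE) == 0 ? 1 : 0;
}

int main(void)
{
    printf("no work-around:   child repeats parent = %d\n", fork_and_compare(0));
    printf("with work-around: child repeats parent = %d\n", fork_and_compare(1));
    return 0;
}
```

In an OpenSSL application with the "chil" engine selected, the
equivalent of flush_inherited_cache is a single RAND_bytes() request for
3072 bytes at the start of each child, before the child uses any other
randomness. Note that the work-around costs one extra GenerateRandom
round trip to the module per child, and that a child which forks again
must repeat it; the fixed library makes both unnecessary.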
At the time of writing, nCipher media with the following versions
contain versions of the CHIL library that do not suffer from this
defect:

  - 9.01
  - 9.04
  - 10.xx media, to be released shortly

End users of applications linked against the static CHIL (libhwcrhk)
library should contact their application vendor for an updated
application.

SOFTWARE DISTRIBUTION AND REFERENCES
====================================

You can obtain copies of this advisory, and supporting documentation,
from the nCipher updates site:

  http://www.ncipher.com/support/advisories/

Due to export control regulations, we are unable to make software
updates generally available on the nCipher web site. Please contact
nCipher Support to obtain updated software.

Updated software is available now for the following platforms:
Windows, Solaris, Linux, AIX, HP-UX

Updated software will be made available on other platforms upon
request.

The new software does not affect FIPS validation.

NCIPHER SUPPORT
===============

nCipher customers who require updated software, support or further
information regarding this problem should contact support@ncipher.com.

nCipher support can also be reached by telephone:

  Customers in the USA or Canada:    +1 877 994 4008
  Customers in all other countries:  +44 1223 723666

Customers outside the USA and Canada can call the USA number if they
receive the advisory outside UK support hours (08:00 - 16:30 GMT).

Further Information
===================

General information about nCipher products:
  http://www.ncipher.com/

nCipher Developer's Guide and nCipher Developer's Reference:
  http://www.ncipher.com/documentation.html

If you would like to receive future security advisories from nCipher,
please subscribe to the low-volume nCipher security-announce mailing
list. To do this, send a mail with the single word `subscribe' in the
message body to: security-announce-request@ncipher.com.

(c) nCipher Corporation Ltd. 2005
All trademarks acknowledged.
nCipher and payShield are trade marks of nCipher Corporation Limited.

$Id: advisory-chilrand.txt,v 1.10 2005/04/28 15:40:27 mknight Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQEVAwUBQoCP8+/+6Nq6MPYJAQJxOgf8DZ4hlZnZPaYl5uEMGpny1Jl+YuhXfGX/
o5ItCWtqkqDG+5HWdmdNaI89nXmEAgXPuJA6mhW69sUmq6H/dE+LVPM6cd9GenV3
JYg7tfY7tJeAMt6dqbV1evYvc/s1oA1xCQsd3ls0TfHuZYt7IBfsAZ3kmT0UAfo3
22o5b8ILv34zP7paPkxF9Fgzj81Lg9xaqZ3CHWG8IeIrBE3aDa5nFAl/qeE9pY9i
UmSJN9l02Khd8Os8T7MRLGTHW64Cpih3cG6C0oLbsC92I3viY835g5N+6YWoG6qU
8h3jKw8PYJOeH+RlcVdhS9Ldf6d+UweFHWM7BbdtyaSiF4N+Jsrpig==
=+wYg
-----END PGP SIGNATURE-----