J-Security Center

Title: IBM CCA 3DES Exporter Key Generation Weakness

Severity: MODERATE

Description:

The IBM 4758 is a secure cryptographic co-processor supporting the IBM Common Cryptographic Architecture (CCA) software. It is designed to be extremely physically secure. This type of hardware is commonly used by banks to support secure transactions between ATM machines and branches. These transactions are normally encrypted using the 3DES algorithm and a shared secret key.

The CCA library includes functionality to export secret 3DES keys if they are encrypted with an additional 3DES exporter key. A design flaw in the CCA library allows a 3DES exporter key to be generated from two keys with only single DES levels of security. As a result of this, a trusted user of the system who is able to crack single DES keys may be able to leverage this knowledge to create a known 3DES exporter key, and compromise secret 3DES keys stored within the device.

A detailed technique to accomplish this has been published. An explanation of it requires some knowledge about the functionality provided by the CCA, and the various types of keys supported.

The CCA is designed to allow a DES (or a 3DES) key to be inserted into the system without immediately revealing the value of that key. To facilitate this, the key is broken down into two 'key parts', which may be combined with XOR to give the value of the key. Normally, the key parts will be held by two trusted users of the system, and independently inserted into the secure hardware before being combined. The key value may not be obtained without the cooperation of both trusted parties.

The CCA also allows the extraction of a DES (or a 3DES) key from the secure hardware. In this case, an additional 'extractor' key is required. If a secure key is encrypted by an extractor key of equal or greater strength, it may be extracted from the system. Only a user with an extractor key of known value will be able to learn the value of a key from the system using this mechanism.

Finally, the CCA supports a 'replicate key'. This is a 3DES key with both DES components equal, and may be used to interoperate with legacy devices which only support single DES encryption. For more details on this, consult any document describing the 3DES algorithm. Although a replicate key is a 3DES key, it is important to realize it only provides security equivalent to single DES.

The vulnerability in the CCA is that a 3DES exporter key may be created from a 3DES replicate key part and a 3DES key part. The 3DES key part may consist of known values, and the 3DES replicate key is only as secure as single DES. As a result, a brute force attack capable of breaking single DES may be used to compromise the replicate key, and lead to disclosure of the 3DES exporter key. This immediately leads to the revelation of any secret key stored in the secure hardware device.
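
The key-part combination described above, as an added example that is not part of the original advisory and is not IBM CCA code: a toy Python model of 16-byte key parts showing that XORing a replicate part with a known non-replicate part gives a key whose halves differ while its only secret input is one single-DES value. The function names, the `combine_checked` policy and the sample values are assumptions constructed for illustration.

```python
import secrets
from typing import Sequence

HALF = 8  # one single-DES key: 8 bytes (56 key bits + 8 parity bits)


def strip_parity(half: bytes) -> bytes:
    """Clear the low (parity) bit of each byte so only key bits are compared."""
    return bytes(b & 0xFE for b in half)


def is_replicate(key: bytes) -> bool:
    """True when both halves hold the same key bits (single-DES strength)."""
    if len(key) != 2 * HALF:
        raise ValueError("expected a 16-byte double-length key")
    return strip_parity(key[:HALF]) == strip_parity(key[HALF:])


def xor_parts(a: bytes, b: bytes) -> bytes:
    """Combine two key parts the way the advisory describes: bytewise XOR."""
    if len(a) != len(b):
        raise ValueError("key parts must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_checked(parts: Sequence[bytes]) -> bytes:
    """Hypothetical policy: never mix replicate and non-replicate parts.

    Mixing them yields a key whose halves differ (so it looks like full
    3DES) although its only secret input is one 56-bit single-DES value.
    """
    if len({is_replicate(p) for p in parts}) > 1:
        raise PermissionError("replicate and non-replicate key parts mixed")
    key = parts[0]
    for p in parts[1:]:
        key = xor_parts(key, p)
    return key


# Constructed sample values (not real key material).
r = secrets.token_bytes(HALF)
replicate_part = r + r                         # secret, but both halves equal
known_part = bytes(range(0, 32, 2))            # halves differ, value is known
mixed = xor_parts(replicate_part, known_part)  # result of an unchecked combine
# r cancels out here: the difference between the halves is fully known.
delta = xor_parts(mixed[:HALF], mixed[HALF:])
```

`is_replicate(mixed)` is false even though `mixed` carries no more secret material than `r`, which is why the check has to be applied to the parts before they are combined rather than to the finished key.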

It is possible that earlier versions of the CCA are also vulnerable to this attack, and that variants of the attack requiring different local access permissions exist.

Affected Products:

  • IBM Common Cryptographic Architecture 2.40.0
