nCipher MSCAPI CSP Install Wizard support software weak key generation

mscapi-csp-key-generation (9076) The risk level is classified as LowLow Risk

Description:

The Install Wizard in nCipher MSCAPI CSP key generator running on Windows 2000 systems causes incorrect keys to be generated. If a user selects cardset protection in the Installation Wizard without creating a new Operator Card Set, keys would be generated to use module protection instead of Operator card protection. This vulnerability could result in weaker than anticipated security on the system.


Consequences:

Configuration

Remedy:

Refer to nCipher Security Advisory #3: MSCAPI CSP Install Wizard for remedy information. See References.

References:

  • BugTraq Mailing List, Mon May 13 2002 - 10:44:29 CDT: nCipher Security Advisory #3: MSCAPI CSP Install Wizard.
  • nCipher Web site: nCipher.
  • BID-4729: nCipher MSCAPI CSP Install Wizard Incorrect Key Generation Vulnerability
  • CVE-2002-0939: The Install Wizard for nCipher MSCAPI CSP 5.50 does not use Operator Card Set protected keys when the user requests them but does not generate the Operator Card Set, which results in a lower protection level than specified by the user (module protection only).
  • OSVDB ID: 14873: nCipher MSCAPI CSP Install Wizard Operator Card Set Issue

Platforms Affected:

  • nCipher nCipher MSCAPI CSP 5.50

Reported:

May 13, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page