Bug 1563749 (CVE-2018-5382) - CVE-2018-5382 bouncycastle: BKS-V1 keystore files vulnerable to trivial hash collisions
Summary: CVE-2018-5382 bouncycastle: BKS-V1 keystore files vulnerable to trivial hash ...
Alias: CVE-2018-5382
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1564247 1564248
Blocks: 1563752 2076448
TreeView+ depends on / blocked
Reported: 2018-04-04 15:21 UTC by Andrej Nemec
Modified: 2022-04-20 12:47 UTC (History)
57 users (show)

Fixed In Version: bouncycastle 1.47
Doc Type: If docs needed, set a value
Doc Text:
A flaw involving a risky cryptographic algorithm was found in Bouncycastle. BKS-V1 contained a design flaw resulting from using the SHA-1 hash function, as it contains a 16-bit MAC key size and a 160-bit SHA-1 hash function. This flaw allows an attacker to brute force the password due to the trivial hash collisions, resulting in a loss of confidentiality and integrity.
Clone Of:
Last Closed: 2019-06-10 10:19:38 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2927 0 None None None 2018-10-16 15:22:46 UTC

Description Andrej Nemec 2018-04-04 15:21:21 UTC
Affected versions of the package are vulnerable to Hash Collision due to an error in the BKS version 1 keystore files.

BKS is a keystore format, designed to function similarly to a Sun/Oracle JKS keystore. BKS files can contain public keys, private keys and certificates, and they rely on a password-based encryption to provide confidentiality and integrity protections to the keystore contents.

The first version of a BKS file (aka BKS-V1) contained a design flaw when determining the key size used to protect the keystore data. It used the SHA-1 hash function, which is 160 bits in length. In a RFC7292-compliant cryptographic algorithm, the MAC key size should be the same size as the hash function being used, meaning that the MAC key size should be 160 bits long for BKS files.

However, Bouncy Castle BKS-V1 files uses only 16 bits for the MAC key size. Regardless of the complexity of the password, ghe BKS-V1 file will have merely 65,536 different encryption keys. An attacker may bruteforce this password in a matter of seconds by testing all 65K values.



Comment 3 Andrej Nemec 2018-05-14 15:51:47 UTC

Red Hat Product Security has rated this issue as having security impact of Low. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 4 Doran Moppert 2018-05-28 06:33:56 UTC
Note that per the cert advisory, bouncycastle 1.49 re-introduced the legacy signature format as an option, calling it "BKS-1".  Version 1.49 and newer should avoid using this form for keystore verification.

Comment 5 Tomas Hoger 2018-06-18 13:11:30 UTC
This flaw affected BKS (Bouncy Castle keystore) version 1.  It was fixed in Bouncy Castle version 1.47.  However, as the fix implies a change to the keystore format, the new format is referred to as BKS version 2.  The support for BKS version 1 was re-introduced again in Bouncy Castle version 1.49 (most likely because of backwards (in)compatibility concerns), however BKS version 2 remains the default.  Applications using Bouncy Castle 1.49 or later may be affected if the explicitly request the use of BKS-V1 keystore format would still be affected by this issue.

Relevant entries form the Bouncy Castle release notes:


The default MAC for a BKS key store was 2 bytes, this has been upgraded to 20 bytes.

A new KeyStore type, BKS-V1, has been added for people needing to create key stores compatible with earlier versions of Bouncy Castle.

Comment 11 errata-xmlrpc 2018-10-16 15:22:06 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Comment 12 Joshua Padman 2019-05-23 10:16:01 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 14 Jonathan Christison 2020-05-19 09:23:22 UTC
AMQ-ST ships with a version of bouncycastle that contains the functionality to create a BKS-V1 keystore, however there is nothing in AMQ-ST that utilises this vulnerable keystore format.

Note You need to log in before you can comment on or make changes to this bug.