nCipher MSCAPI CSP安装向导不正确密钥生成漏洞-一一网

漏洞信息详情

nCipher MSCAPI CSP安装向导不正确密钥生成漏洞

CNNVD编号：CNNVD-200210-204

危害等级：中危
CVE编号：
CVE-2002-0940
漏洞类型：

配置错误
发布时间：

2002-10-04
威胁类型：

本地
更新时间：

2005-10-20
厂商：

ncipher
漏洞来源：
Published in nCiph…

漏洞简介

nCipher MSCAPI CSP 5.50和5.54版本的domesticinstall.exe存在漏洞。当用户请求它们但不产生Operator Card Set时，它们不使用Operator Card Set保护密钥，该漏洞通过用户（只限于块保护）可导致比明确指定更低级的保护。

漏洞公告

The following fix information has been provided by nCipher:
1. Users who have NOT already created a key with the wrong protection
———————————————————————
In order to force MSCAPI applications to generate cardset protected keys
a file `wizardfix.reg’ should be created containing the following text:
———— CUT HERE ————–
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\Cryptography]
“UseModuleKeys”=dword:0000000
———— CUT HERE ————–
This file can then be run by the user to change the appropriate registry
entry that determines the behavior of key generation using the nCipher
CSP.
Alternatively, the user can edit the registry value specified above
directly using `regedit’.
The registry setting must be reset using either of the above methods
after each invocation of the affected nCipher CSP Install Wizard.
2. Users who have already created a key which is erroneously module
protected
——————————————————————-
Users who have already generated keys which were intended to be cardset
protected, but due to this error are not, are advised to apply the above
registry fix and generate new keys. nCipher recommends against
converting existing module-protected keys to cardset-protected status,
since it is extremely difficult to do this in a way that increases
security.
nCipher customers are advised to contact nCipher at support@ncipher.com for information on receiving patches and updates which address this issue.