Bouncy Castle let down by inadequate protection of BKS-V1 keystore files
Bouncy Castle let down by inadequate protection of BKS-V1 keystore files

The BKS version 1 keystore files for Bouncy Castle, a collection of cryptographic APIs for C# and Java applications, reportedly contain a weak hash-based message authentication code (HMAC) that can be cracked by hackers in seconds using hash collision attacks.

In a vulnerability advisory published yesterday, the CERT Coordination Center (CERT/CC) at US Carnegie Mellon University's Software Engineering Institute reports that the Bouncy Castle code for version 1 BKS files uses only 16 bits for the MAC key size instead of the recommended 160 bits. BKS is a format for keystore repositories that contain various security certificates.

“This means that regardless of password complexity, a BKS version 1 file can only have 65,536 different encryption keys. A valid password for a keystore can be brute forced by attempting each of these key values, which can take only seconds,” the advisory explains.

BKS-VA files that were created with Bouncy castle 1.46 or earlier or 1.49 or later are susceptible to cracking; therefore, users are advised not to rely on version 1 BKS keystore files. The vulnerability was discovered by Will Dormann of the CERT/CC.